Access Certification is the process of certifying employee, contractor and vendor access to applications and is often mandated by a number of industry regulations such as SOX, NIST, FDA 21, GDPR, PCI-DSS etc.

The user access certifications require approvers who range from application owners to reporting managers to review and approve/revoke access and privileges for each user/identity. Access Certifications are effective in helping organizations navigate the ever evolving threat landscape by removing orphaned accounts. Up until recently, SMB organizations could either do access certifications manually or buy enterprise level products mentioned on Gartner Magic Quadrant for Identity Governance and Administration (IGA). The issue with the manual access certification is that it is prone to errors such as rubber stamping. On the other hand, enterprise products are expensive and come with long implementation cycles. As it turns out, Moores Law, which was mostly related to hardware computing, is driving innovation in software. Emerging technologies such as containers, AI/ML are driving innovations in Identity Governance & Administration space. New vendors are emerging with lightweight cloud ready products that can automate access certifications effectively without breaking the bank.

The focus on this article is to present a roadmap that SMB can use on their automation journey.

Understand Current State:

It is hard to develop a roadmap for access certifications without understanding existing capability. People and Process play a big role in the current state. Understand the current policies and procedures for certifying employees, contractors and vendors. Review previous years audit findings to develop an understanding of risks. Understand the on boarding and off boarding requirements for Joiner, Mover and Leavers. Knowing workflow gaps at this stage is critical as well and will drive the RFP process.

Define Future State:

This encompasses creating the user access certification process of the future. If the company expects to grow by way of acquisitions, the future state IGA should have a robust centralized access requests and approvals. Risk factors for data breaches as well as compliance requirements for protecting data should be considered. One must also understand security and compliance controls (e.g., segregation of duties, unauthorized access permissions). The team must validate the Future State with designated stakeholders. By going through a check list of questions with the stakeholders picture of the future state will emerge that accommodates the complexities of the computing environment across the enterprise.

Conduct Proof of Concept (POC):

Once companies have a clear understanding of future state and goal, it is time for a Proof of Concept (POC). The ultimate objective of the POC is to mitigate the risk of a purchase by ensuring that the product has all the features that are needed for the future state. As a best practice, non-functional considerations such as connectors should generally be ignored. Focus should be on trying out the access certification workflow.