Case Study

Access Certifications Enhance Identity Governance & Administration Implementations

Identity access management (IAM) solution enables compliance, increases security, and decreases risk.

Challenge

A public sector organization recognized there were additional benefits to be gained from implementing a process for reviewing data and application access and issuing access certifications. An access certification is a review of a user’s IT access privileges (i.e., entitlements) throughout the organization and a recertification that the access is still required for the user’s job responsibilities.

The organization used its Identity Governance & Administration (IGA) solution to manage hundreds of periodic reviews and recertifications of user access. As an important part of the process, the organization reviews data and application access certifications and reauthorizes only persons and entities (both internal and external) that meet certain criteria. For example, the organization will maintain various levels of access for applications that change over a person’s career, corresponding to each new role. This methodology is based on a modern security approach of granting users the least-privileged access needed to perform their job responsibilities.

Common challenges in performing access certifications included an inconsistent approach to performing the review and tracking the status of application and user entitlements. These challenges may result in insufficient data access controls, potential security risks due to unauthorized access, improper identity lifecycle management, and compliance and audit findings for user access management.

To address these issues, the organization had the following goals:

  • Maintain compliance within the existing access management policy
  • Implement consistent reporting on application access
  • Upgrade the overall security climate and improve the security posture
  • Monitor access to applications
  • Reduce security vulnerabilities and decrease risk
  • Centralize application access governance across a complex IT landscape

Solution

Guidehouse utilized a commercial off-the-shelf IGA solution to manage over 350 access review certification campaigns per year, across users and applications.

Our approach included:

  • Reviewing application access on a regular basis and provisioning or de-provisioning privileges accordingly
  • Generating targeted certifications for privileged employees and contractors who have elevated access to specific applications and platforms
  • Developing access review criteria for roles, entitlements, and group memberships
  • Performing access certification-related data analysis

Impact

The IAM solution has improved access governance overall, including the ability to implement organized certification campaigns to grant or remove user access based on status and job requirements. As a result, users are granted only the access they need, in alignment with the least-privilege access philosophy.

Access certifications streamline the offboarding of employees and contractors. Additionally, with periodic certification campaigns, the organization is more compliant with regulatory guidance and prepared for security audits. In addition, application accounts are now more secure, lowering the potential risks associated with the organization’s access management.

