If you work in security and access for a publicly-traded company, I can guess what time of year you dread the most: security audit time. It never fails: when you have a million other things that you’d like to focus on, the auditors settle into the conference room right outside your office, making it their home for weeks in order to evaluate how your organization is doing from a security perspective. The questions never seem to end.
- Who has access to what applications?
- Should this person have access to that?
- Was the access for terminated employees removed in a timely manner?
- Who has administration rights in your applications?
- Who approved access for this person?
- Who provisioned that access?
- Where is your policy documented?
- Are you following the written policy?
- When did you last certify access?
To ensure that your company is not cited for significant deficiencies, you scramble to comply with anything and everything the auditors ask for. You create spreadsheets (so many spreadsheets), take screenshots of applications to prove who has administrative rights, run queries, send numerous emails asking for help compiling information, try to get data owners and/or managers to certify access to applications from a spreadsheet, and engage your coworkers to help you remove access in applications manually when a data owner or manager has deemed it unnecessary. This process, when disparate and manual, can honestly make you feel like you’ve run a marathon. It’s exhausting and feels like it will never end. If you relate to what I have described above, keep reading.
SailPoint’s IdentityNow Capabilities
I’ve been helping clients implement Identity Governance solutions for 10+ years, and I am here to say I am thoroughly impressed with the capabilities of SailPoint’s SaaS solution, IdentityNow. I strongly encourage you to take a look at IdentityNow to address anything above that struck a chord. IdentityNow provides many Identity Governance capabilities (which I briefly summarize at the beginning of this blog post, and I also share how to justify an Identity Governance solution here), but in this post, I want to narrow in specifically on the certification feature.
Let me describe for you, at a very high level, what implementing certifications (from scratch) would look like using a product like IdentityNow.
Step 1: Load “People” Data
The first step in any Identity Governance project is almost always going to be loading the “people” who have a relationship with your organization and require security access. This can be employees, contractors, vendors, or even external users. Employee data, for example, is typically brought in through a direct connection with your HR system, or it can be loaded from a flat file. The “people” are the central component of any Identity Governance implementation, and from there, you can start associating their security access. One of my favorite benefits of IdentityNow is how simple it is to onboard a new system and map that data in. Even if you are thinking “we’ve had 100 salespeople tell us the same thing about their product”, I promise you it’s true for IdentityNow! I do not consider myself a deeply technical person, but I have truly enjoyed being able to configure IdentityNow myself... as a business analyst.
Step 2: Bring in Security Access and Associate it to the “People”
After your Identity Governance solution has the “people”, you would connect to your organization’s applications and start to read in all existing access, using flat files or a direct connection to the application if one is available. Correlation rules are built so that when an account in an application is read in, the solution knows who the owner is and properly associates the access to the “person”. The end goal is that your Identity Governance solution becomes a single, centralized source for the people who have a relationship with your organization, the security access they have, how they got the access, who approved the access, etc.: basically many of the things that auditors ask you about and that you currently have to research to answer.
Step 3: Create Certification Campaigns
An administrator can create certification campaigns, which allow someone like an application owner or a manager to review existing access and determine whether or not it’s appropriate. Many organizations have policies regarding how often to certify SOX access and privileged access versus how often they are required to certify all user access. The certification campaigns can be scheduled (e.g. annually, bi-annually, quarterly), triggered by something like a job transfer, and even run on demand! The access that is included in a certification campaign is also configurable. The starting point for a certification can be based on a person or people, access items (role, entitlement, application, etc.), or even certification of role composition (i.e. what’s included in a role and who has access to a role). It’s truly as simple as a search. If you are used to writing reports or queries today, you can essentially do the same thing in IdentityNow: search for what you want to certify and then start your certification campaign. IdentityNow has a multitude of choices you can make when configuring your certification campaigns and will allow you to certify as much or as little as you need. Watch this 2 minute video to see how easy it is to generate a certification campaign in IdentityNow.
Step 4: Complete the Certification
A certifier is assigned a certification and makes decisions to “approve” or “revoke” each access item that was included in the certification campaign. If the certifier chooses to “revoke” access, it will be automatically deprovisioned if it’s related to a connected application, or it will produce a manual task if the application was brought in with a flat file. SailPoint has implemented the certification functionality in IdentityNow with a lot of thought and made the certifier’s experience a top priority when architecting it. A few of my favorite features they have recently introduced are:
- Flagging new access so the certifier can tell whether it is new since last certified
- Flagging birthright access, so you know the user has it but are only allowed to acknowledge it, not revoke it
- Allowing a certifier to toggle the view of their outstanding decisions by person or by access
- As the certifier makes decisions, the line items disappear leaving only what is left to certify
Watch this 2 minute video to see how easy it is to complete a certification, but keep in mind that because SailPoint adds new features frequently, some of my favorite features are not demonstrated in the video.
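To make the four steps above concrete, here is a small Python model of the whole certification flow: identities loaded from an HR feed, accounts correlated to those identities, a campaign built as a search over the resulting access inventory, certifier decisions with the new-access and birthright flags, and revocations routed to automatic deprovisioning (connected application) or a manual task (flat-file application). This is an added example written for this post; it is not IdentityNow code or SailPoint’s API, and every name, identity, account and entitlement in it is constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# --- Step 1: "people" data, as it would arrive from an HR feed (constructed sample) ---
PEOPLE = {
    "E100": {"name": "Ana", "manager": "E001", "status": "active"},
    "E200": {"name": "Ben", "manager": "E001", "status": "terminated"},
}

# --- Step 2: application accounts, from a connected app or a flat file (constructed) ---
APPLICATIONS = {"AD": {"connected": True}, "FinanceApp": {"connected": False}}
ACCOUNTS = [
    {"app": "AD", "username": "ana.r", "employee_id": "E100",
     "entitlements": ["Domain Users", "Domain Admins"]},
    {"app": "AD", "username": "ben.k", "employee_id": "E200",
     "entitlements": ["VPN Users"]},
    {"app": "FinanceApp", "username": "ben", "employee_id": "E200",
     "entitlements": ["GL_POST"]},
    {"app": "FinanceApp", "username": "svc_batch", "employee_id": None,
     "entitlements": ["GL_POST"]},          # no owner: an orphaned/service account
]
BIRTHRIGHT = {("AD", "Domain Users")}       # everyone gets this; acknowledge-only in a review
PRIVILEGED = {("AD", "Domain Admins"), ("FinanceApp", "GL_POST")}
# What the previous campaign certified, so newly granted access can be flagged (constructed)
PREVIOUSLY_CERTIFIED = {("E100", "AD", "Domain Users")}


@dataclass
class AccessItem:
    identity: str
    app: str
    entitlement: str
    is_new: bool            # not seen in the last certification
    is_birthright: bool     # can be acknowledged but not revoked
    decision: Optional[str] = None   # "approve", "revoke" or "acknowledge"


def correlate(accounts: List[dict], people: Dict[str, dict]) -> Tuple[List[AccessItem], List[dict]]:
    """Correlation rule: an account belongs to the identity whose id equals employee_id.
    Accounts with no match are returned separately rather than dropped; auditors ask
    about those too."""
    items, uncorrelated = [], []
    for acct in accounts:
        owner = acct["employee_id"]
        if owner not in people:
            uncorrelated.append(acct)
            continue
        for ent in acct["entitlements"]:
            items.append(AccessItem(
                identity=owner, app=acct["app"], entitlement=ent,
                is_new=(owner, acct["app"], ent) not in PREVIOUSLY_CERTIFIED,
                is_birthright=(acct["app"], ent) in BIRTHRIGHT))
    return items, uncorrelated


def build_campaign(items: List[AccessItem], predicate: Callable[[AccessItem], bool]) -> List[AccessItem]:
    """Step 3: a campaign is a search over the access inventory."""
    return [it for it in items if predicate(it)]


def decide(item: AccessItem, decision: str) -> AccessItem:
    """Step 4: record a certifier decision; birthright access can only be acknowledged."""
    if item.is_birthright and decision != "acknowledge":
        raise ValueError(f"{item.app}/{item.entitlement} is birthright access: acknowledge only")
    if not item.is_birthright and decision not in ("approve", "revoke"):
        raise ValueError("decision must be approve or revoke")
    item.decision = decision
    return item


def outstanding(campaign: List[AccessItem]) -> List[AccessItem]:
    """Items still awaiting a decision: the certifier's shrinking to-do list."""
    return [it for it in campaign if it.decision is None]


def fulfil_revocations(campaign: List[AccessItem], applications: Dict[str, dict]) -> List[dict]:
    """Route each revoke: connected app -> automatic deprovisioning,
    flat-file app -> manual task for the application team."""
    actions = []
    for it in campaign:
        if it.decision != "revoke":
            continue
        kind = "auto_deprovision" if applications[it.app]["connected"] else "manual_task"
        actions.append({"action": kind, "identity": it.identity,
                        "app": it.app, "entitlement": it.entitlement})
    return actions


def run_manager_review(manager: str = "E001"):
    """Worked run: a manager certifies all access held by their direct reports."""
    items, orphans = correlate(ACCOUNTS, PEOPLE)
    campaign = build_campaign(items, lambda it: PEOPLE[it.identity]["manager"] == manager)
    for it in campaign:
        # Constructed reviewer policy for this run (a human certifier decides in practice):
        # acknowledge birthright, revoke anything held by a terminated person, approve the rest.
        if it.is_birthright:
            decide(it, "acknowledge")
        elif PEOPLE[it.identity]["status"] == "terminated":
            decide(it, "revoke")
        else:
            decide(it, "approve")
    return campaign, fulfil_revocations(campaign, APPLICATIONS), orphans
```

In the run above, the terminated user’s AD entitlement produces an automatic deprovisioning action while his FinanceApp entitlement produces a manual task, because FinanceApp was loaded from a flat file; the orphaned `svc_batch` account never enters the campaign and is surfaced separately so it is not silently forgotten.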
Pair SailPoint’s Capabilities with Zirous Expertise
Gartner has named SailPoint as the leader in Identity and Governance Administration for the 6th year in a row, and after working with the certification feature in their SaaS product, IdentityNow, I’m confident that they will continue the trend. To learn more about certifications, or Identity Governance in general, visit this page and contact us! I would love to chat with you.