Blog

Access Recertification Project Best Practices

It used to be that role management was all the rage – niche products entered the marketplace and seemed to provide a mysteriously straight-forward and stream-lined method to tackling the overwhelming and seemingly unmanageable problem with roles and role management. More mature corporations had accumulated thousands of roles; many of which were redundant, overlapped with other roles, or were simply “empty” containers with no link to actual access, or without any true business context to anchor themselves against. No one thought the problem could be solved in any reasonable way, but these technologies were claiming they could: there was a frenzy.

As consumers soon discovered, role mining (the process which cleans and defines IT roles within a business context), was a burdensome task even with advanced analytics to help along the way. It became obvious that cleaning up roles and building a true enterprise role model was not a straight-forward or easy endeavor. The frenzy turned into more of a dull roar.

Organizations tried their best to deal with the problem, even as the market trend shifted more towards a consolidation of business entities (i.e., mergers and acquisitions), which only compounded the problem. Roles from Organization A combined with Organization B and C created a pure cacophony of meaningless access rights. Internal audit findings were alarming, but internal access violations were rare, or at least they rarely seemed to impact the business.

Enter: Sarbanes-Oxley in 2002. Compliance gains meaningful attention for the first time. Other regulations soon follow and truly begin to gain teeth– no longer was it just a pain to not know what a role meant in terms of “access,” it became a potential fine or worse: a publicized event that would ruin the reputation of a company, and actually impact the bottom line. The technology market recognized this need and role management took a dramatic shift: suddenly, the focus was on regulating entitlements and user access from a compliance standpoint. And compliance boiled down to access certification. Role models were trumped by the need to simply cover oneself during an audit, and suddenly access certification tools became a known and viable entity in the Identity and Access Management (IAM) space.

Today, with SOX, HIPAA, GLBA, FERC, NERC CIP, PCI, as well as a plethora of state-specific regulations that are only becoming more stringent with more tangible consequences, many organizations are analyzing and adopting Access Certification (also known as Access Governance) tools to accurately monitor the entitlements certification process for users and use that process to more organically develop a role model that can be utilized dynamically within the organization to enable RBAC (role based access controls). As business line managers begin to finally understand what entitlements they are approving in a business context, suddenly the task of building a role or role model doesn’t seem so daunting.

Many of our customers are now using Oracle Identity Analytics 11g to automate and streamline both the access certification and recertification processes, and also create an RBAC model for provisioning and de-provisioning users into and out of system resources.

APTEC’s approach to deploying Oracle Identity Analytics is rooted in an understanding of both the technology and business needs that drive these projects. APTEC follows a proven methodology for access certification implementations that are tailored to each organization’s industry-specific objectives and project goals.

Below is a summary of some of the key project success factors that we recommend when we engage with our clients in an Oracle Identity Analytics implementation project:

• Create a Centralized Program with Key Business Stakeholder Support - The project needs to be centrally coordinated with strong executive stakeholder support, so other initiatives that might be running in parallel and have an influence on the access certification/role management project can be aligned to overall project goals and objectives. This is typically done through regularly scheduled steering committee meetings and periodic progress demos that demonstrate configured certification reports and workflow for access certification.
• Resource Scheduling is Paramount- The appropriate business and IT resources must be made available during the requirements gathering and design phase, as well as during training and knowledge transfer in order to keep the project on track and ensure the solution aligns with expectations and all critical compliance and business requirements.
• Tightly Manage Risk and Change Control Measures- Issues must be immediately identified, tracked, and resolved, so milestones are met on schedule, and Go Live is not impacted. To keep expectations aligned, the future state vision must be clearly and consistently communicated to all relevant parties, and change control processes must be managed throughout the entire program lifecycle.

 

Our customers are finding that Phase One Oracle Identity Analytics projects that focus on access certification and defer role mining/RBAC in subsequent phases, provides a relatively quick time to value and fulfills their goals for achieving automation of the access certification process in time for critical re-certification periods. The audit reports that result from these re-certification periods provide a clear trail for auditors, and paves the road for role mining exercises that will be based upon relevant data that emerges from the access certification process itself. The “win” to the business as a result of these projects is visible across every line of business and positively impacts business users: a clear victory for any Risk Management or Security department.