Given the sensitive nature of many organizational IT resources, and the complexity of current regulatory and oversight initiatives, maintaining the transparency of "who has access to what, where, and when" in a readily available format requires more than just following the path of an audit trail layered with page after page of reports. Although such reports are indispensable to any compliance strategy, employing an "after-the-fact-only" approach to resource security can prove disastrous, as many recent insider breaches have shown. EmpowerID provides a powerful Attestation and Recertification platform that gives any organization the ability to take a more proactive approach and rectify potential security issues before they occur, through the crafting of EmpowerID Audits and Recertification Policies.

Recertification Policies are snapshots of data that reveal the access to resources granted to people and to roles, the assignments of people to roles, and the security assignments that have been made against protected resources like Exchange mailboxes, applications, and groups. These snapshots are routed for review to authorized personnel such as managers, role owners, or data owners. The review process allows the reviewer to verify the access and to certify whether it is valid. Internal processes can use this data to remediate and rectify exceptions or to certify the exceptions as permitted. EmpowerID maintains an audit trail of these access snapshots as well as the decisions made concerning the access. This combination of Recertification Policies with EmpowerID's robust reporting capabilities allows organizations to create a more thorough and effective resource management strategy.

...

Recertification Policy Type | Description
--- | ---
Account Validity | Certifies whether an account should exist. Possible decisions: certify, disable, or delete.
Business Role and Location Membership | Certifies the membership of a business role and location. Possible decisions: certify or revoke the member.
Direct Reports | Certifies who reports to whom, i.e. a manager's direct reports.
Exchange Mailbox Permissions | Certifies Exchange mailbox permissions. Possible decisions: certify or revoke the permission.
Folder Permissions | Certifies the permissions on a Windows folder. Possible decisions: certify or revoke the permission.
Group Membership | Certifies group membership, including users and nested groups. Possible decisions: certify, revoke, or convert to just-in-time (pre-approved) membership.
Group Owner | Certifies the owners of a group.
Group Validity | Certifies whether a group should exist. Possible decisions: certify, disable, or delete.
Management Role Access Assignment | Certifies the access granted to a management role, including any RBAC assignments.
Management Role Membership | Certifies the current members of a management role, including people, groups, and business roles and locations.
Management Role Validity | Certifies the current validity of a management role, i.e. whether the management role should exist, be disabled, or be deleted.
Person Access Summary | Certifies all the access assigned directly to a person.
Person Direct Entitlements | Certifies all the entitlements given directly to a person.
Person Validity | Certifies whether a person should exist. Possible decisions: certify, disable, or delete.


Each Recertification Policy is targeted, or scoped, to apply only to specific people, roles, or resources using EmpowerID Query-Based Collections (SetGroups). These are comprised of Sets, which are LDAP or code-based queries. The Sets are re-evaluated by the EmpowerID engine on a scheduled basis and group collections of people or resources based on those queries. They can be written against the EmpowerID Identity Warehouse or even against external systems in a customer's environment. The use of Query-Based Collections for Recertification Policies provides a rich and flexible access review mechanism. Organizations can selectively collect the objects they want to incorporate within a given policy and then schedule that policy to create review tasks in a manner that best meets the organization's security requirements. For example, with SetGroups you could create one Recertification Policy that targets high-security groups only, scheduling that policy to run more frequently, and create another Recertification Policy for lower-security groups with a less frequent run schedule.

Additionally, each Recertification Policy runs against resources within a specific location. This allows for even greater flexibility. A policy could include as many or as few objects as desired, such as all Exchange mailboxes within an organization or only the people assigned to a specific office room, depending on how your location hierarchy is mapped within EmpowerID. While it is possible to create a Recertification Policy that runs against every resource item in your inventory, such a policy could yield potentially millions of objects, creating a daunting and unnecessary workload for your recertification team if access to those objects has no significant security impact.

EmpowerID Recertification Policies can be scheduled to run periodically, such as on a quarterly or monthly basis, as well as weekly, daily, or at will. When a policy is run manually or at its scheduled time, a Recertification Review task is created for each object in the SetGroup. This allows authorized staff in an organization to review the access to resources that people within the organization have at any given time, and how that access came about, whether by a direct assignment to a specific resource or through being delegated a Management Role with multiple Resource Role assignments.

Note

To maintain the integrity of Recertification Reviews, users cannot recertify themselves. In other words, a user who can create a Recertification Policy cannot certify that policy. The EmpowerID Admin user is therefore prohibited from participating in the review process by this feature.
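As an added illustration of the flow described above (SetGroup scoping within a location, one review task per in-scope object, the decision set from the policy-type table, the audit trail, and the rule that a policy's creator cannot certify it), here is a constructed Python model. It is not EmpowerID code; the Policy, ReviewTask, run_policy and decide names and the sample inventory are assumptions made for the example.

```python
"""Constructed model of a recertification run (not EmpowerID's implementation)."""
from dataclasses import dataclass
from typing import Callable, Optional

# Allowed decisions per policy type, taken from the table on this page.
DECISIONS = {
    "Account Validity": {"certify", "disable", "delete"},
    "Group Membership": {"certify", "revoke", "convert to just-in-time membership"},
    "Folder Permissions": {"certify", "revoke"},
}

# Constructed inventory: each object carries a location and a security tier.
INVENTORY = [
    {"id": "grp-finance-admins", "location": "HQ", "security": "high"},
    {"id": "grp-cafeteria-news", "location": "HQ", "security": "low"},
    {"id": "grp-dc-ops", "location": "Datacenter", "security": "high"},
]

# A Set is modelled as a predicate over an object (EmpowerID uses LDAP or code-based queries).
Set = Callable[[dict], bool]

@dataclass
class Policy:
    name: str
    policy_type: str
    location: str          # policies run only against resources in this location
    set_group: list        # list of Set predicates; an object is in scope if any Set matches
    created_by: str        # whoever created the policy may not certify it

@dataclass
class ReviewTask:
    policy: str
    object_id: str
    decision: Optional[str] = None
    reviewer: Optional[str] = None

def run_policy(policy: Policy, inventory: list) -> list:
    """Create one Recertification Review task per object in the policy's location and SetGroup."""
    return [ReviewTask(policy.name, obj["id"])
            for obj in inventory
            if obj["location"] == policy.location and any(s(obj) for s in policy.set_group)]

def decide(task: ReviewTask, policy: Policy, reviewer: str, decision: str, audit: list) -> ReviewTask:
    """Record a reviewer's decision, enforcing the no-self-certification rule and the decision set."""
    if reviewer == policy.created_by:
        raise PermissionError("a policy's creator cannot certify that policy")
    if decision not in DECISIONS[policy.policy_type]:
        raise ValueError(f"{decision!r} is not a valid decision for {policy.policy_type}")
    task.decision, task.reviewer = decision, reviewer
    audit.append((policy.name, task.object_id, reviewer, decision))  # audit trail entry
    return task
```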


Next Steps

Overview of Fulfillment