Overview of Recertification
Given the sensitive nature of many organizational IT resources, and the complexity of current regulatory and oversight initiatives, maintaining the transparency of "who has access to what, where, and when" in a readily available format requires more than just following the path of an audit trail layered with page after page of reports. Although these are indispensable to any compliance strategy, employing an "after-the-fact-only" approach to resource security can prove to be disastrous, as many recent insider breaches have shown. EmpowerID provides a powerful Attestation and Recertification platform that gives any organization the ability to take a more proactive approach to rectifying potential security issues before they occur through the crafting of Recertification policies and Audits. These work together during a recertification campaign to create a snapshot of the current access users have to IT resources and how they were given that access. From this snapshot, EmpowerID generates recertification tasks, which are routed for review to authorized personnel, such as line managers, role owners, or data owners. The review process allows reviewers to examine the access and make a decision as to whether the access is valid or if it should be revoked. Based on the outcome of the review process, EmpowerID automatically fulfills review decisions and marks the recertification task as completed. Once all tasks are completed, the recertification campaign is closed. EmpowerID maintains an audit trail of these access snapshots, as well as the decisions made by reviewers during the recertification campaign. A discussion of these policies, the role they play in creating a recertification campaign, as well as the other components involved, follows below.
Automatic revocation of access only occurs in systems to which EmpowerID is connected. In the case of disconnected systems, EmpowerID generates "fulfillment tasks" and routes those tasks to the owners of those systems. Owners must certify that they have completed those tasks before they can be closed.
Recertification Policies
In a recertification campaign, the first step is to define what should be recertified. What access to resources needs to be reviewed and acted upon? You do that with Recertification policies. Recertification policies create the snapshots of data that reveal the access to resources users have and how they got that access. Snapshots can show the access granted to people and to roles, the assignments of people to roles, and the security assignments that have been made against protected resources like Exchange mailboxes, applications, and groups. In order to facilitate these snashots, EmpowerID categorizes Recertification policies by type. Each type creates a specific kind of snapshot, as shown in the below table.
| Recertification Policy Type | Creates a snapshot of |
|---|---|
| Account Validity | |
| Business Role and Location Membership | |
| Direct Reports | who reports to whom. |
| Exchange Mailbox Permissions | who currently has what type of access to a given Exchange mailbox. |
| Folder Permissions | who currently has what type of access to a given Windows folder. |
| Group Membership | who currently has membership in a given group. |
| Group Owner | |
| Group Validity | |
| Management Role Access Assignment | |
| Management Role Membership | current assignees of a Management Role. |
| Management Role Validity | |
| Person Access Summary | |
| Person Direct Entitlements | |
| Person Validity |
Each Recertification policy is targeted or scoped to apply only to specific people, roles, or resources using EmpowerID Query-Based Collections (SetGroups). SetGroups are comprised of Sets, which are LDAP or code-based queries. These Sets are re-evaluated by the EmpowerID engine on a scheduled basis and can group collections of people or resources based upon queries written against the EmpowerID Identity Warehouse or even external systems in a customer's environment. The use of Query-Based Collections for recertification provides a rich and flexible access review mechanism by which organizations can selectively collect the objects they want to incorporate within a given policy and then schedule that policy to create review tasks in a manner that best meets the security requirements of the organization. As an example, with SetGroups you could create one Recertification policy that targets high security groups only, scheduling that policy to run more frequently, and create another Recertification policy for lower security groups with a less frequent run schedule.
Additionally, each Recertification policy runs against resources within a specific location. This allows for even greater flexibility in that a policy could include as many or as few objects as desired, such as all Exchange Mailboxes within an organization or only the people assigned to a specific office room, depending on how your location hierarchy is mapped within EmpowerID. While it is possible to create a Recertification policy that runs against every resource item in your inventory, such a policy could yield potentially millions of objects, creating a daunting and unnecessary workload for your recertification team if access to those objects have no significant security impact.
Audits
While Recertification policies specify the particular resources involved with recertification campaigns, Audits serve as the engines that drive those campaigns. Each Audit is a logically named user-defined and configurable object for identifying or grouping attestation tasks and running the Recertification policies that generate them. Depending on a particular audit's configuration, it can trigger a single campaign or a series of repeatable campaigns and be scheduled to compile Recertification policies periodically, such as on a quarterly or monthly basis, as well as weekly, daily, or even at will. This flexibility allows authorized staff in an organization to review the access to resources that people within the organization have at any given time, and how that access came about, whether by a direct assignment to a specific resource or through being delegated membership in a role or group with multiple Access Level assignments.