Recertifications are one of the established concepts in IAM today. However, you will rarely find any organization that is really happy with the way recertification works. Recertification initiatives cause a lot of work, friction, and frustration.
However, the biggest challenge of recertification is that it is more than questionable whether it delivers on its target, which is risk mitigation, specifically access risk mitigation. By running regular recertification campaigns, organizations will identify some risks. However, many risks will be identified only months after excessive entitlements have been granted, after people have changed jobs, etc. Recertification is always late, and sometimes it may be too late.
On the other hand, regulators and auditors, even though they should know better, insist that organizations continue to perform traditional recertification campaigns. Thus, organizations must solve two challenges:
In the first part of this session, Niels von der Hude will focus on both aspects in his talk and provide guidance on how to really mitigate access risks today, in an efficient and lean manner, while keeping the auditors happy anyway.
Very few companies, if any, are satisfied with the outcomes of their recertification efforts, because intelligence on risks comes too late to be of real value. In this panel session we will discuss how to get better and what the possible alternative strategies are.