Access Governance Vulnerabilities

  • TYPE: Combined Session DATE: Thursday, May 12, 2016 TIME: 14:30-15:30 LOCATION: AMMERSEE I


Recertifications are one of the established concepts in IAM today. However, you will rarely find any organization that is really happy with the way recertification works. Recertification initiatives cause a lot of work, friction, and frustration.

However, the biggest challenge of recertification is that it is more than questionable whether it delivers on its target, which is risk mitigation, specifically access risk mitigation. By running regular recertification campaigns, organizations will identify some risks. However, many risks will be identified only months after excessive entitlements have been granted, after persons have moved to another job, etc. Recertification is always late, and sometimes it may be too late.

On the other hand, regulators and auditors, even though they should know better, insist that organizations still perform traditional recertification campaigns. Thus, organizations must solve two challenges:

  • What to do besides recertification? How to identify all access risks? Here we are talking on the one hand about well thought-out processes for requesting and approving access, but also about access intelligence and user behavior analytics.
  • How to reduce the pain of recertification? This might be done by simplifying recertification, at least from the perspective of the recertifier. It might be done by time-restricted entitlements and simple re-approvals instead of complex recertification campaigns. There are various ways to do this – time to rethink recertification (and don’t give up the hope that auditors and regulators someday start requiring organizations to really mitigate access risks).
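As an added example (not part of the session abstract or any speaker's material), a small Python model of the second point: an open-ended entitlement that only a periodic campaign can catch versus a time-restricted one that lapses unless the manager re-approves it. The user, role, grant dates and campaign schedule are constructed values.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str
    granted: date
    expires: Optional[date] = None  # None: open-ended grant, only a campaign can catch it


def grant(user, role, on, duration_days=None):
    """Grant a role; with duration_days the entitlement is time-restricted."""
    exp = on + timedelta(days=duration_days) if duration_days is not None else None
    return Entitlement(user, role, on, exp)


def reapprove(ent, still_needed, on, duration_days):
    """Lightweight re-approval at expiry: extend for another period, or let it lapse (None)."""
    if not still_needed:
        return None
    return replace(ent, granted=on, expires=on + timedelta(days=duration_days))


def exposure_days(ent, no_longer_needed, campaigns):
    """Days the entitlement stays active after it is no longer needed.
    Open-ended: until the next campaign on/after that date (None if no campaign follows).
    Time-restricted: until expiry, where the manager can simply decline re-approval."""
    if ent.expires is None:
        nxt = next((c for c in sorted(campaigns) if c >= no_longer_needed), None)
        return None if nxt is None else (nxt - no_longer_needed).days
    return max(0, (ent.expires - no_longer_needed).days)


# Constructed scenario: role granted 1 Jan 2016, user changes job on 15 Feb 2016,
# semi-annual recertification campaigns.
CAMPAIGNS = [date(2016, 6, 30), date(2016, 12, 31)]
JOB_MOVE = date(2016, 2, 15)
OPEN_ENDED = grant("alice", "payments-approver", date(2016, 1, 1))
TIME_BOXED = grant("alice", "payments-approver", date(2016, 1, 1), duration_days=90)


def compare():
    """Exposure window under both models, plus the outcome of a declined re-approval."""
    return {"open_ended": exposure_days(OPEN_ENDED, JOB_MOVE, CAMPAIGNS),
            "time_boxed": exposure_days(TIME_BOXED, JOB_MOVE, CAMPAIGNS),
            "after_reapproval": reapprove(TIME_BOXED, False, TIME_BOXED.expires, 90)}


if __name__ == "__main__":
    print(compare())  # {'open_ended': 136, 'time_boxed': 45, 'after_reapproval': None}
```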

In the first part of this session, Niels von der Hude will focus on both aspects in his talk and provide guidance on how to really mitigate access risks today, in an efficient and lean manner, while keeping the auditors happy anyway.


Paul is Fellow Analyst at KuppingerCole and the CEO of the Global Identity Foundation, as well as a consulting CISO and was previously the Global CISO for AstraZeneca, Global CISO for ICI, Head of Information Security with a high security web hosting provider and Global Information Security...

Very few companies, if any, are satisfied with the outcomes of their recertification efforts, because intelligence on risks comes too late to be of real value. In this panel session we will discuss how to get better and what the possible alternative strategies are.


Frank Boehm has been Managing Director at FSP since 2002. He started his professional career in 1989 as a consultant for the financial services sector at Accenture and led international projects like SCOR USA, Gothaer, AXA, Kölnische Rück and Swiss Life.

Christian Himmer is a Senior Analyst at KuppingerCole. He has more than 20 years of experience in the field of Identity Management in the German banking sector. During this time he has held a variety of positions; from Line-Manager IAM, consultant to system architect to project manager -...

Andy Land is a security technology executive who runs worldwide product marketing at IBM Security for the Identity, Application, and Data Security segments. He has a successful background in leading marketing, product marketing/management, and strategy teams at start-ups and large enterprises....

European Identity & Cloud Conference 2016

  • May 10 - 13, 2016 Munich, Germany