Access Governance Vulnerabilities
- TYPE: Combined Session
- DATE: Thursday, May 12, 2016
- TIME: 14:30-15:30
- LOCATION: AMMERSEE I
Recertifications are one of the established concepts in IAM today. However, you will rarely find any organization that is really happy with the way recertification works. Recertification initiatives cause a lot of work, friction, and frustration.
However, the biggest challenge of recertification is that it is more than questionable whether it delivers on its target, which is risk mitigation, concretely access risk mitigation. By running regular recertification campaigns, organizations will identify some risks. However, many risks will be identified only months after excessive entitlements have been granted, after persons have changed jobs, etc. Recertification is always late, and sometimes it may be too late.
On the other hand, regulators and auditors, even while they should know better, insist on organizations still performing traditional recertification campaigns. Thus, organizations must solve two challenges:
- What to do aside from recertification? How to identify all access risks? Here we talk on the one hand about well-thought-out processes for requesting and approving access, and on the other about access intelligence and user behavior analytics.
- How to reduce the pain of recertification? This might be done by simplifying recertification, at least from the perspective of the recertifier. It might be done by time-restricted entitlements and simple re-approvals instead of complex recertification campaigns. There are various ways to do this – time to rethink recertification (and don’t give up the hope that auditors and regulators will someday start requesting that organizations really mitigate the access risks).
In the first part of this session, Niels von der Hude will focus on both aspects in his talk and provide guidance on how to really mitigate access risks today, in an efficient and lean manner, while keeping the auditors happy anyway.
Very few companies, if any, are satisfied with the outcomes of their recertification efforts, because intelligence on risks comes too late to be of real value. In this panel session we will discuss how to get better and what the possible alternative strategies are.
- May 10 - 13, 2016 Munich, Germany
The European Identity & Cloud Conference 2016 is proud to present a large number of partners