Access Governance Vulnerabilities

  • TYPE: Combined Session
  • DATE: Thursday, May 12, 2016
  • TIME: 14:30-15:30
  • LOCATION: AMMERSEE I

Recertifications - What's Possible Today, Limitations and the Future Potential for Access Governance

Recertifications are one of the established concepts in IAM today. However, you will rarely find any organization that is really happy with the way recertification works. Recertification initiatives cause a lot of work, friction, and frustration.

However, the biggest challenge of recertification is that it is more than questionable whether it delivers on its target, which is risk mitigation, concretely access risk mitigation. By running regular recertification campaigns, organizations will identify some risks. However, many risks will be identified only months after excessive entitlements have been granted, after persons have changed jobs, etc. Recertification is always late, and sometimes it may be too late.

On the other hand, regulators and auditors, even though they should know better, still insist on organizations performing traditional recertification campaigns. Thus, organizations must solve two challenges:

  • What to do aside from recertification? How to identify all access risks? Here we talk on the one hand about well-thought-out processes for requesting and approving access, but also about access intelligence and user behavior analytics.
  • How to reduce the pain of recertification? This might be done by simplifying recertification, at least from the perspective of the recertifier. It might be done by time-restricted entitlements and simple re-approvals instead of complex recertification campaigns. There are various ways to do this – time to rethink recertification (and don’t give up the hope that auditors and regulators will someday start requesting that organizations really mitigate the access risks).

In the first part of this session, Niels von der Hude will focus on both aspects in his talk and provide guidance on how to really mitigate access risks today, in an efficient and lean manner, while keeping the auditors happy anyway.


Paul is Fellow Analyst at KuppingerCole and the CEO of the Global Identity Foundation, as well as a consulting CISO and was previously the Global CISO for AstraZeneca, Global CISO for ICI, Head of Information Security with a high security web hosting provider and Global Information Security...



European Identity & Cloud Conference 2016

  • May 10 - 13, 2016 Munich, Germany