Recertifications - What's Possible Today, Limitations and the Future Potential for Access Governance

Recertifications are one of the established concepts in IAM today. However, you will rarely find any organization that is really happy with the way recertification works. Recertification initiatives cause a lot of work, friction, and frustration.

However, the biggest challenge of recertification is that it is more than questionable whether it delivers on its target, which is is risk mitigation, concretely access risk mitigation. By running regular recertification campaigns, organizations will identify some risks. However, many risks will be identified just months after excessive entitlements have been granted, after persons have moved their job, etc. Recertification is always late, and sometimes it may be too late.

On the other hand, regulators and auditors, even while they should know better, insist in organizations still performing traditional recertification campaigns. Thus, organizations must solve two challenges:

• What to do aside of recertification? How to identify all access risks? Here we talk on one hand about well thought-out processes for requesting and approving access, but also about access intelligence and user behavior analytics.
• How to reduce the pain of recertification? This might be done by simplifying recertification, at least from the perspective of the recertifier. It might be done by time-restricted entitlements and simple re-approvals instead of complex recertification campaigns. There are various ways to do this – time to rethink recertification (and don’t give up the hope that auditors and regulators someday start requesting organizations really mitigating the access risks).

In the first part of this session, Niels von der Hude will focus on both aspects in his talk and provide guidance on how to really mitigate access risks today, in an efficient and lean manner, while keeping the auditors happy anyway.

Presentation deck

Recertifications - What's Possible Today, Limitations and the Future Potential for Access Governance

Click here to download the slide deck. Please note that downloads are only available for event participants and subscribers. You'll need to log in to download it.