Overview
Access certification (also called access review or attestation) is the periodic process in which managers, application owners, or role owners confirm that users still need the access they hold. It is the primary control against "access creep", the accumulation of entitlements over time as users change roles and old access is never removed.
For many organizations it is a compliance checkbox (SOX, HIPAA, SOC 2). A mature certification process is a genuine security control: it detects access that should not exist and enforces least privilege. The design challenge is balancing risk reduction against "reviewer fatigue", where approvers click "Approve All" just to finish the task.
Architecture
Reference Pattern: Campaign-Based Certification
The pipeline extracts entitlements from each in-scope system, maps each entitlement to the right reviewer, generates review items grouped into a campaign, collects decisions, and feeds revocations back to the source system so the loop is closed.
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Review Strategy | Manager, App Owner, Role Owner | Hybrid | Managers review user roles; App Owners review privileged accounts/roles. |
| Frequency | Annual, Quarterly, Continuous | Risk-Based | High-risk (Admin/Finance) = Quarterly. Low-risk (Birthright) = Annual or None. |
| Revocation Logic | Auto-remove, Ticket creation | Auto-remove (where possible) | Manual ticketing leads to "revocation lag" where access remains after certification. |
| Scope | All Access, Exceptions Only | Exceptions + High Risk | Reviewing birthright access (e.g., "All Employees") wastes reviewer time. Focus on access granted outside the baseline (requests, exceptions) plus anything high-risk regardless of how it was granted. |
| Non-Response | Auto-approve, Auto-revoke, Escalate | Escalate then Disable | Never auto-approve: silence is not attestation. Escalate to the reviewer's manager first; auto-revoke after the escalation deadline is aggressive but effective once reviewers have been warned. |
Implementation
Phase 1: Compliance Baseline
- Identify "in-scope" applications for audit (e.g., SOX apps).
- Launch manual or spreadsheet-based campaigns if the IGA tooling is immature.
- Ensure 100% completion for auditors.
- Goal: Pass the audit.
Phase 2: Automation & Remediation
- Ingest access data (accounts and entitlements) from in-scope applications into the IGA tool.
- Automate campaign generation.
- Implement "closed-loop" remediation (auto-removal of revoked access).
- Goal: Eliminate spreadsheets and manual removal tickets.
Phase 3: Risk-Based & Continuous
- Filter out birthright access from reviews.
- Implement "micro-certifications" triggered by events (e.g., manager change, department transfer) so a mover's high-risk access is re-reviewed immediately rather than at the next campaign.
- Add risk scoring to highlight dangerous entitlements.
- Goal: Reduce reviewer fatigue and focus on high-risk access.
Risks
- Rubber Stamping: Reviewers approving everything without reading. Mitigate by seeding "trap" items that obviously should be revoked, requiring a justification for approvals, and flagging reviewers whose whole batch was decided in seconds.
- Revocation Failure: Access is marked "revoked" but the ticket is lost or the connector fails, and the access remains. Treat a revoke as complete only after re-reading the target system and confirming the grant is gone.
- Reviewer Assignment: Sending reviews to the wrong manager, a terminated manager, or the holder of the access themselves. Route to the first active manager in the reporting line and never allow self-certification.
- Context Gap: Reviewers don't know what "Group_AX_99" grants. Entitlement descriptions must be human-readable and state the business capability the access gives.
KPIs
- Completion Rate: Percentage of certifications completed by the deadline (Target: > 98%).
- Revocation Rate: Percentage of decided access items revoked (Target: 2-5%; a rate near 0% suggests rubber stamping).
- Remediation Time: Time between the "Revoke" decision and the verified removal in the target system (Target: < 24 hours).
- Reviewer Accuracy: Measured by spot checks or "trap" items inserted into reviews; keep trap items out of the other KPIs so they do not distort the rates.
