
Best practices: Avoiding certification fatigue

 

Certifying user access is a critical component of good identity governance. But with dozens or perhaps hundreds of systems that your users have access to, running a thorough certification campaign can easily lead to certification fatigue. Certification fatigue happens when your reviewers, faced with hundreds or thousands of individual access line-items to review, become overwhelmed. Delays and mistakes can result - or worse, your reviewers may start rubber-stamping approvals on access items they don’t fully understand, or don’t have the time to examine carefully.


Follow these simple strategies to reduce certification fatigue, and ensure that your reviewers focus on what’s important in the review cycle.

 

Use meaningful names and descriptions for access

Access reviewers may be looking at lists of hundreds or thousands of individual roles or entitlements in the UI. Too often, reviewers don’t fully understand the access and entitlements they are asked to approve. Consistent, meaningful names for roles and entitlements help these users quickly grasp important information about the access under review.

Some common-sense tips for meaningful names include:

  • Develop an enterprise-wide standard for names, and enforce it
  • Keep names simple and consistent
  • Names should be meaningful at a glance; if IT or vendor constraints require that entitlement names use acronyms or other wording that may not be intuitive to all users, add business-friendly descriptions for them
  • Include business users in the review of names, descriptions, and naming conventions, to ensure that they are meaningful and intuitive to everyone in your organization
  • Long names mean users may have to click a Details button to see the full description. Avoid putting essential or differentiating wording at the end of a long string of text

Quick tips on naming conventions for roles and entitlements.

 

Provide specific guidance to your reviewers

You can help your reviewers understand the review process and how to make the right access decisions by giving them instructions that are specific to your organization’s policies, practices, and UI. Keep in mind that if reviewers use the access reviews UI only occasionally, they may not retain important information about what to do, and how to use the UI.

You may want to create your own documentation, screenshots, and/or video clips that reflect the look and feel of your own instance of IdentityIQ, your organization's policies, and the specific options you configure for your certifications and access reviews. SailPoint offers an access review guide for IdentityIQ end users, which you can use as a template for developing your own custom end user training.

 

Encapsulate access into roles

Because roles can include many entitlements, a good role model can help reduce the number of individual access items a reviewer needs to process. You can include user-friendly descriptions with your roles to help reviewers understand what access is appropriate for and granted by the role.

Here are some resources to help you learn more about implementing roles:

Identity services

 

IdentityIQ

 

Certify roles before certifying user access

In IdentityIQ, the Role Composition certification helps ensure that roles include the right permissions and entitlements. Roles should be certified by business experts, to validate that they comprise the correct, expected access. Making sure that roles are accurate and up-to-date lets you be confident that your reviewers are evaluating correct access information in their reviews.

Learn more about how to certify the contents of a role.

 

Flag high-risk access

It’s a given that some access carries higher risk than others. Elevated administrator privileges and access to sensitive financial or personal data are common examples of high-risk access. This is the type of access you want to be very sure your reviewers pay particular attention to - but how do you protect against high-risk access getting overlooked in a long list of access items?

Flagging high-risk access is a simple way to alert reviewers to which access items need an especially close look.

The tagging feature in Identity Services lets you apply your business's well-known terms to important governance items, providing a simple and user-friendly way to identify high-risk access. Learn more about tagging in IdentityNow.

IdentityNow also supports access flags that can alert reviewers to privileged access. Learn more about access flags in IdentityNow.

In IdentityIQ, release 8.1 offers a new classifications feature that provides a simple, lightweight way to flag roles and entitlements. You can implement your own custom classifications, import them from an outside system, or integrate with File Access Manager to use its classifications. You can configure access reviews (as well as access requests and approvals) to flag classified access with a special icon, so that the users responsible for making access decisions can quickly and easily see which entitlements allow potentially risky access. Learn more about classifications in IdentityIQ 8.1.

With IdentityIQ 8.1, users of File Access Manager can integrate IdentityIQ and File Access Manager to aggregate classification data from File Access Manager and associate it with roles and entitlements. Learn more about integrating IdentityIQ with File Access Manager.

If you’re using an older version of IdentityIQ, you can add extended attributes (custom attributes of your own) to roles or entitlements to track risk level, and then use those attributes for searching and filtering in your certifications and access reviews. Learn more about extended attributes in IdentityIQ.

 

Certify high-risk access more frequently than low-risk access

To minimize risk, high-risk access should be monitored more frequently than low-risk access, and with particular care to avoid the rubber-stamp approving that can come with certification fatigue.

In Identity Services, tagging helps you flag high-risk access, so that you can identify which access may need more frequent certification.

In IdentityIQ, you can use classifications or extended attributes to flag entitlements or roles that are especially high-risk, and schedule certifications for these more frequently than for low-risk items. You can also use IdentityIQ's Advanced Analytics feature to create populations of users that you know have higher risk profiles than the norm - based on criteria such as risk score, department, type, or job title - and schedule certifications for these populations on a more frequent cadence.

 

Use recommendations and automatic approvals

SailPoint’s Predictive Identity Recommendation Engine uses artificial intelligence (AI) and machine learning to give you deeper visibility into managing risks associated with user access. When you’re certifying access, AI-based recommendations appear as a thumbs-up or thumbs-down icon to help reviewers determine whether it’s safe to allow access.

Recommendations are made based on peer group analysis, identity attributes and access activity. Recommendations can help you identify outliers to the norm and therefore potential points of risk, and predictive modeling helps surface abnormal access that can be hard to identify with a manual approach. Learn more about using recommendations in IdentityIQ and how to include campaign recommendations in IdentityNow.

In IdentityIQ, you also have the option to automatically approve low-risk access based on recommendations. Automated approvals help your reviewers process access reviews more efficiently by taking easy decisions out of the way, so that they can focus on exceptional and high-risk items. Learn more about automatic approvals in IdentityIQ.
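The following is an added example, not SailPoint's Recommendation Engine or any product code: a small, explainable version of the peer-group analysis described above, so you can see how a prevalence-based thumbs-up/thumbs-down and an "auto-approve only when low-risk" rule fit together. The peer definition (same department and job title), the thresholds, and every identity and entitlement in it are constructed assumptions.

```python
"""Peer-group recommendations for access review line items.

Added example, not SailPoint's recommendation engine: a small, explainable
version of the peer-group analysis the text describes. The thresholds, the
peer definition (same department and job title) and all sample identities
and entitlements are constructed assumptions.
"""

# Assumed thresholds on the share of peers who hold the same entitlement.
APPROVE_THRESHOLD = 0.80       # thumbs-up
AUTO_APPROVE_THRESHOLD = 0.95  # auto-approve, but only for non-high-risk access
DENY_THRESHOLD = 0.20          # thumbs-down: an outlier within its peer group

# Constructed sample: identity -> (department, job title)
IDENTITIES = {
    "alice": ("finance", "accountant"),
    "bob":   ("finance", "accountant"),
    "carol": ("finance", "accountant"),
    "dave":  ("finance", "accountant"),
    "erin":  ("engineering", "developer"),
    "frank": ("engineering", "developer"),
    "grace": ("legal", "counsel"),          # no peers at all
}

# Constructed sample: identity -> entitlements currently held
ASSIGNMENTS = {
    "alice": {"SAP:FI_VIEW", "SAP:FI_POST", "AD:Domain Users"},
    "bob":   {"SAP:FI_VIEW", "SAP:FI_POST", "AD:Domain Users"},
    "carol": {"SAP:FI_VIEW", "AD:Domain Users"},
    "dave":  {"SAP:FI_VIEW", "AD:Domain Users", "Git:Admin"},
    "erin":  {"Git:Developer", "Git:Admin", "AD:Domain Users"},
    "frank": {"Git:Developer", "Git:Admin", "AD:Domain Users"},
    "grace": {"AD:Domain Users"},
}

# Assumed high-risk flags (the classification / tagging idea from the text).
HIGH_RISK = {"SAP:FI_POST", "Git:Admin"}


def peer_group(identity):
    """Everyone with the same department and job title, excluding the identity itself."""
    dept, title = IDENTITIES[identity]
    return [i for i, attrs in IDENTITIES.items() if attrs == (dept, title) and i != identity]


def prevalence(identity, entitlement):
    """Share of peers holding `entitlement`; None when there are no peers to compare against."""
    peers = peer_group(identity)
    if not peers:
        return None
    return sum(entitlement in ASSIGNMENTS[p] for p in peers) / len(peers)


def recommend(identity, entitlement):
    """Return (recommendation, prevalence) for one access line item."""
    p = prevalence(identity, entitlement)
    if p is None:
        return ("review", None)          # no peer evidence: never decide automatically
    if p >= AUTO_APPROVE_THRESHOLD and entitlement not in HIGH_RISK:
        return ("auto-approve", p)       # common, low-risk access: take it off the reviewer's plate
    if p >= APPROVE_THRESHOLD:
        return ("thumbs-up", p)          # high-risk access gets a hint, never an automatic approval
    if p <= DENY_THRESHOLD:
        return ("thumbs-down", p)        # outlier: almost no peer holds this
    return ("review", p)


def review_queue(identity):
    """What the reviewer actually sees: auto-approved items removed, outliers first."""
    rows = [(e, *recommend(identity, e)) for e in sorted(ASSIGNMENTS[identity])]
    manual = [r for r in rows if r[1] != "auto-approve"]
    order = {"thumbs-down": 0, "review": 1, "thumbs-up": 2}
    return sorted(manual, key=lambda r: order[r[1]])


if __name__ == "__main__":
    for who in IDENTITIES:
        print(who, review_queue(who))
```

Of alice's three entitlements only SAP:FI_POST reaches her manager's queue: the two entitlements every peer holds are auto-approved, while the posting permission held by one of three peers is left for a human. Frank's Git:Admin gets a thumbs-up because his peer holds it too, but it is flagged high-risk, so it is never auto-approved; Dave's Git:Admin, which no finance peer holds, is surfaced as the outlier. Grace has no peers, so nothing about her access is decided automatically.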

 

Stagger certifications to manage workload

It's a good practice to stagger your certifications, to reduce the burden both on people and on the system. Consider grouping certifications by department, by population (such as specific geographies, risk profiles, or management levels), or roles, then schedule the certifications so that the workload for your reviewers is spread out in a manageable way.

Certification campaigns can be scheduled to run on specific cadences - daily, weekly, monthly, quarterly, and yearly. It's important to work with your business experts to understand the best schedule for certifying access. Do you need to certify all access every quarter? Is once a year enough for certain low-risk access? Do some teams have a higher risk profile than others in terms of their access? Should managers certify all their team's access at the same time? Understanding the business needs for certifying different types of access and different groups will help you plan a sensible and realistic schedule for certifying.

 

Use sunrise and sunset dates to manage temporary access

IdentityIQ users can set sunrise and sunset dates for roles and entitlements, to more easily manage temporary access. Sunrise and sunset dates determine when access becomes active, and when it is automatically deactivated. Automating temporary access this way can be an efficient alternative to relying on certifications to remove access.

You can use sunrise/sunset dates both for roles themselves (to activate and deactivate a role on specific dates), and for role and entitlement assignment (to automatically assign and revoke roles or entitlements for individual users on specific dates). Sunrise and sunset dates are set when the access is requested, not when it is reviewed.

Learn more about using sunrise and sunset dates in IdentityIQ.

 

Understand what you may not need to certify

Most organizations have some kind of “birthright” access – access that every employee has simply by virtue of being an employee. An email address with an account on the company’s email system, a login to the payroll application, or a standard Active Directory account are all examples of common birthright access.

In the real world, birthright access may not be so simple. You might have one set of birthright access for permanent employees, and a different set for contractors or seasonal workers. Different job families or departments may have unique birthright access profiles – perhaps all your remote workers have VPN access as a birthright, or all your engineers have access to a code repository by birthright. Learn more about birthright access.

In any case, having a clear understanding of the default access your employees should have can help reduce certification fatigue. You can exclude birthright access from certification, or simply certify birthright access less frequently than other access. The key is to be able to clearly identify which access is considered birthright, and for whom. In IdentityIQ, you can use classifications or extended attributes to flag birthright access. Then you can use filters or rules to exclude this access from any given certification.
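The three ideas above (flag high-risk access, certify it on a shorter cadence, and keep birthright access out of the campaign) come together in the following added example. It is vendor-neutral illustration code, not IdentityIQ or IdentityNow configuration: the classification strings, the cadences, the "birthright per worker type" convention and the sample identities and entitlements are all assumptions, and the staggering helper at the end models the per-department scheduling suggested earlier on this page.

```python
"""Scoping certification campaigns by risk flag, birthright exclusion and cadence.

Added example, not SailPoint product code: a vendor-neutral model of the
classification / extended-attribute approach described above. All field
names, cadences and sample records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

# Assumed review cadence per risk class, in days.
CADENCE_DAYS = {"high-risk": 90, "standard": 365}


@dataclass(frozen=True)
class Identity:
    name: str
    worker_type: str   # "employee" or "contractor"
    department: str


@dataclass(frozen=True)
class AccessItem:
    identity: str
    entitlement: str
    # Flags as a governance tool would carry them, e.g. "high-risk" or
    # "birthright:employee" (birthright for employees, not for contractors).
    classifications: FrozenSet[str] = frozenset()
    last_certified: Optional[date] = None


def is_birthright(item: AccessItem, holder: Identity) -> bool:
    """Birthright is relative to who holds it: the same entitlement can be default
    access for employees and reviewable access for contractors."""
    return f"birthright:{holder.worker_type}" in item.classifications


def risk_class(item: AccessItem) -> str:
    return "high-risk" if "high-risk" in item.classifications else "standard"


def is_due(item: AccessItem, today: date) -> bool:
    """Never-certified access is always due; otherwise compare against the cadence."""
    if item.last_certified is None:
        return True
    return today - item.last_certified >= timedelta(days=CADENCE_DAYS[risk_class(item)])


def scope_campaign(items, identities, today, classification):
    """Items a campaign for `classification` should contain, with birthright
    access excluded and items certified within their cadence left out."""
    by_name = {i.name: i for i in identities}
    scoped = []
    for item in items:
        holder = by_name[item.identity]
        if is_birthright(item, holder):
            continue
        if risk_class(item) != classification:
            continue
        if is_due(item, today):
            scoped.append(item)
    return scoped


def stagger_by_department(items, identities, start, days_apart=7):
    """Launch date per department so that one manager cohort starts each week."""
    by_name = {i.name: i for i in identities}
    departments = sorted({by_name[i.identity].department for i in items})
    return {d: start + timedelta(days=n * days_apart) for n, d in enumerate(departments)}


# Constructed sample data.
TODAY = date(2023, 3, 22)
IDENTITIES = [Identity("alice", "employee", "finance"),
              Identity("bob", "contractor", "engineering")]
ITEMS = [
    AccessItem("alice", "AD:Domain Users", frozenset({"birthright:employee"}), date(2022, 1, 1)),
    AccessItem("bob", "AD:Domain Users", frozenset({"birthright:employee"})),   # contractor: reviewable
    AccessItem("alice", "SAP:FI_POST_JOURNAL", frozenset({"high-risk"}), TODAY - timedelta(days=100)),
    AccessItem("alice", "Jira:Developer", frozenset(), TODAY - timedelta(days=200)),
    AccessItem("bob", "AWS:AdministratorAccess", frozenset({"high-risk"}), TODAY - timedelta(days=30)),
]

if __name__ == "__main__":
    for cls in CADENCE_DAYS:
        for item in scope_campaign(ITEMS, IDENTITIES, TODAY, cls):
            print(cls, item.identity, item.entitlement)
    print(stagger_by_department(ITEMS, IDENTITIES, TODAY))
```

With this data the quarterly high-risk campaign contains only Alice's SAP posting permission (Bob's AWS admin access was certified 30 days ago and is not yet due), and the yearly standard campaign contains only Bob's Domain Users account: for an employee that account is birthright and skipped, for a contractor it is ordinary access that has never been certified. Alice's Jira access, certified 200 days ago, is inside its one-year cadence and does not reappear.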

 

Additional resources

Identity services

 

IdentityIQ

Version history: revision 26 of 26, last updated Mar 22, 2023 12:11 PM.