Educause Security Discussion mailing list archives

Re: Access Certification / Review


From: Chris Green <chrisgreen () GSU EDU>
Date: Tue, 27 May 2014 11:45:26 +0000

Peter:

You’ve hit the nail on the head; that problem is in the IAM space.  You can get by with the spreadsheet review process 
but it’s often incomplete.  You also get approval fatigue (how many systems X managers X admin processes coded per app).

For most people, “maintain access” is the right answer.  The exceptions are terminations, job transfers, or departmental 
responsibility changes.  In some sectors such as EDU where people are often shared between departments, you can also 
include the system owner/steward in the review cycles.  Generally, they know what data is there and are often the best at 
identifying what is going on.  Without it, you generally miss part of reviews (e.g. you may get the ERP application 
right but might forget the underlying DB or Unix System OR Backup System OR Systems Management System).

I think the process tool is much more important than the automated integration.  The automated integration can be 
measured on a cost of connector/etc.

Measure time of the spreadsheet processes and identify gaps.  You’ll be well on your way to helping justify a tool.


On May 23, 2014, at 3:19 PM, Peter Lundstedt <peter.lundstedt () DRAKE EDU> wrote:

Hello everyone,

We are working on an audit finding related to access certifications performed by our data custodians, as well as access 
certifications of the data custodians.  The consensus is that we should not be relying on email and spreadsheets to 
complete these reviews, however most of the systems I’ve seen are tied to Identity Management systems – we are close to 
starting an IAM project that would probably include access review but are not there yet.  On top of this, the systems 
I’ve worked with in the past simply presented the access to the reviewer, in most cases a superior who has no idea what 
the information means, mostly just clicking “Maintain”.

I’m interested in hearing what others have done for certifications – is an app required, have you built something 
internally, are you relying on the email/spreadsheet type of system that I mentioned above, how do you complete the 
review in a meaningful way?

Vendors may contact me on this – I’m in need of ideas.

Peter Lundstedt
SECURITY ANALYST 2, INFRASTRUCTURE & SECURITY SERVICES



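As an added illustration of the points made in the reply above (this is example code written for this archive page, not something from the thread, from GSU, or from Drake), the script below builds a small access-certification campaign from a constructed entitlement inventory. It routes each item to the account’s manager and, where one is mapped, to the system steward; it defaults items to “maintain” and surfaces only terminations and transfers as decisions that need attention; and it reports two kinds of gap: systems with no steward mapped, and which layers (application, database, OS, backup) each system’s review actually covers. The inventory, HR feed, steward map and “last certified department” table are all hypothetical sample data.

```python
"""Added example (not part of the Educause thread): a minimal access-certification
campaign builder. All data below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str   # e.g. "ERP"
    layer: str    # "app", "db", "os" or "backup"
    role: str
    manager: str  # reviewer of record for the account holder


# Constructed HR feed: status and current department per person.
HR = {
    "alice": {"status": "active", "dept": "Finance"},
    "bob": {"status": "terminated", "dept": "Finance"},
    "carol": {"status": "active", "dept": "Registrar"},  # moved out of Finance
    "dave": {"status": "active", "dept": "IT"},
}

# Constructed: department recorded at the previous certification, used to spot transfers.
LAST_CERTIFIED_DEPT = {"alice": "Finance", "bob": "Finance", "carol": "Finance", "dave": "IT"}

# Constructed steward map. "HRDB" deliberately has no steward so the gap report has something to show.
STEWARDS = {"ERP": "erp-steward", "Backup": "backup-steward"}

# Constructed inventory spanning the app tier and the layers underneath it.
INVENTORY = [
    Entitlement("alice", "ERP", "app", "AP_Clerk", "mgr-finance"),
    Entitlement("bob", "ERP", "app", "AP_Clerk", "mgr-finance"),
    Entitlement("bob", "ERP", "db", "db_reader", "mgr-finance"),
    Entitlement("carol", "ERP", "app", "GL_Analyst", "mgr-finance"),
    Entitlement("dave", "ERP", "os", "sudo", "mgr-it"),
    Entitlement("dave", "Backup", "backup", "restore_operator", "mgr-it"),
    Entitlement("dave", "HRDB", "db", "dba", "mgr-it"),
]


def classify(ent, hr, last_dept):
    """Default to 'maintain'; flag the exceptions the reply names (terminations, transfers)."""
    person = hr.get(ent.user)
    if person is None or person["status"] != "active":
        return "revoke:terminated"
    if last_dept.get(ent.user) and last_dept[ent.user] != person["dept"]:
        return "review:transfer"
    return "maintain"


def build_campaign(inventory, hr, last_dept, stewards):
    """Group review items by reviewer (manager plus steward) and list systems with no steward."""
    queues = defaultdict(list)
    unstewarded = set()
    for ent in inventory:
        item = {"entitlement": ent, "decision": classify(ent, hr, last_dept)}
        queues[ent.manager].append(item)
        steward = stewards.get(ent.system)
        if steward:
            queues[steward].append(item)
        else:
            unstewarded.add(ent.system)
    return dict(queues), sorted(unstewarded)


def coverage_by_layer(inventory):
    """Which layers each system's review covers, so an app-only review shows its blind spots."""
    layers = defaultdict(set)
    for ent in inventory:
        layers[ent.system].add(ent.layer)
    return {system: sorted(found) for system, found in layers.items()}


def exceptions_only(queues):
    """Strip the 'maintain' defaults so each reviewer sees only items that need a real decision."""
    return {r: [i for i in items if i["decision"] != "maintain"] for r, items in queues.items()}


if __name__ == "__main__":
    queues, gaps = build_campaign(INVENTORY, HR, LAST_CERTIFIED_DEPT, STEWARDS)
    for reviewer, items in exceptions_only(queues).items():
        for i in items:
            e = i["entitlement"]
            print(f"{reviewer}: {e.user} {e.system}/{e.layer} {e.role} -> {i['decision']}")
    print("systems without a steward:", gaps)
    print("layers covered per system:", coverage_by_layer(INVENTORY))
```

Measuring how many items each reviewer sees before and after `exceptions_only` is one concrete way to put a number on the approval-fatigue point, and the two gap reports are the kind of evidence the reply suggests collecting from the spreadsheet process before asking for a tool.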