Micro-certification: the Foundation for Continuous Compliance

Access Risk Management Blog | Courion

Nick Berents

At a recent industry conference, I sat in on an analyst presentation covering Access Certification, aka Attestation.

The analyst defined Access Certification as “the ongoing review of people's access (accounts, entitlements, roles) to identify inappropriate access. It is a regulatory requirement in some cases, but ideal in all situations.” This is a fairly standard definition.

But what really caught my attention was what she said next, calling it “the single best administrative task to reduce access-related risks.”

I got excited about that statement because at Courion we have just released a new version of our governance product to provide exactly that: continuous compliance. Currently available as version 8.3, the release includes “micro certifications” that continually validate people’s access against business policies. If violations are found, notifications are immediately sent along with a review cycle that enables the appropriate parties to quickly take remedial action.

Why is this important? Many current governance and compliance solutions facilitate and automate quarterly compliance reviews, but are typically only able to provide periodic or interval audit checks. But how much can go wrong between checks, say in 90 days? Consider for a moment how many applications your organization activates and de-activates in 90 days, or how many new users have been added to the enterprise or have been transferred or promoted, requiring a different access profile. How many users have been terminated, yet their access privileges have not been revoked and deleted?

In this release, we also updated our award-winning identity and access intelligence solution, Access Insight. Our Access Insight customers now have enhanced configuration control that enables them to align risk assessment parameters directly with their business conditions and practices. We have also updated the suite’s user interface, making it more intuitive.

So how evolved is your access certification process? With so much changing on a daily and weekly basis, can you afford to wait 90 days until the next access certification review? And when it comes to evaluating identity risk, do you see it as aspirational or imperative? With this release, we hope you are more likely to see all of these benefits in your environment.

