Attestation (aka Re-certification aka Periodic Review) is one of the latest must-have’s in the world of compliance-driven IdM (if you know of another name it goes by, please share). It essentially refers to the management practice of periodically checking and certifying that only the individuals who need certain access privileges have those access privileges. Here at Oracle, we have spent a considerable amount of time building the necessary tools into our provisioning product to ensure that our customers are able to meet their regulatory needs around attestation. Being an authoritative source for Who has What (and When, and Why) puts provisioning solutions in the unique place of being able to serve as the central vehicle for corporate attestation processes around user entitlements.
In developing our entitlement attestation offering, we found ourselves having to create two classes of attestation processes to address the different requirements that our customers presented to us.
The first one is User-centric attestation. Not to be confused as having anything to do with user-centric identity (which will be the subject of a separate post), user-centric attestation tackles the problem from a identity-centric perspective, where the focus is on looking at the user’s entitlement profile as a whole. In other words, looking at the entire set of entitlements that a user has. The most common attestation processes deal with managers (organizational, team, etc) needing to look at the entire set of entitlements for users they are responsible for, and certifying that user entitlement profile. This allows managers to identify privileges that may have been granted at some point for a valid reason, but are no longer needed, catching potential toxic combinations, etc. Reviewers can be asked to certify the entitlements of users who are members of a particular team, have a particular role, exist in a particular department, etc.
Resource-centric attestation tackles the same issue from an application perspective, where the focus is on looking at the accounts and privileges that users have on a particular system or application. This allows application owners to get visibility into who has what access to the systems that they own, and certify or reject that access. This has proven to be extremely helpful for owners of especially sensitive systems, where the number of users to be certified may not be large, but the significance of the system means that certification needs to happen much more frequently, and therefore needs to be optimized for operational efficiency.
I recently had the opportunity to validate the approach we have taken. I spent a full day with some folks from one of our financial services customers. They have been tackling their attestation problem for a few years now and have not been able to come up with a satisfactory solution. They came to us for help because they have only a few months left to their delivery deadline. We spent a whole day going over their requirements, digging through reams of analysis data. When we worked out that they could deliver the solution they needed almost entirely with the capabilities we have, they literally jumped up and down with joy. And, like almost everyone we have talked to, they had a need for both classes of attestation. The distinction between the two classes resonated with them in a big way, and the fact that we offered both was huge for them. While their most common use cases were centered around their organizational structure and manager attestation, they had some pretty sophisticated use cases for specific applications that looked at the users global location, system ownership and financial impact.
However, as it turns out, the biggest deal for them was the attention to operational efficiency that we had put into the design of our attestation screens. As they pointed out, a lot of reviewers only have the attention span of a few minutes, and cannot afford to be pulled away from their day jobs for too long. So useability and efficiency is extremely important when they are being asked to sit at a screen and re-certify 30-40 users with 10-15 accounts each (thats the potential equivalent of a 1000 line report, folks). The biggest obstacle that they see to the success of their project is making sure that the reviewers are not confounded with a complex and time-consuming UI to the point where they start certifying users without the proper due diligence, just to get the task over with. After all the internal debates and hours long sessions we had trying to get it right, getting props on that aspect of our work was hugely gratifying.
By no way am I saying that we have cracked the case on this one. We have a long slew of enhancements planned around this as we start exploring some of the finer nuances of attestation, and as we start moving beyond entitlement attestation to add controls attestation (certifying the policies and processes themselves instead of the results of their execution). It is an extremely interesting problem, because it is so simple to understand, yet so complex in its variations. So stayed tuned for more on this. There is more information about our attestation work on the Oracle IdM site at http://www.oracle.com/products/middleware/identity-management/attestation.html. A new white paper is going to be published there in a couple of weeks that goes into a lot more detail than I have covered. Feel free to ask me more about this, or share any interesting stories and insights you may have. Especially if you have seen the need for a new class of attestation process.