Two Certification Campaigns or One?

Recently I was reading a through a technical conversation on SailPoint’s community website regarding how to run a manager-based certification if some users’ manager data is either missing or invalid. This is an important topic because data is never 100% perfect. The IAM implementation team must ensure that the solution is configured in a way that allows for smooth handling of exceptions.

In this particular case, the engineers noted that there were two options:

Option A

Configure two certification campaigns. One for accounts owned by users with valid manager information and one for accounts owned by users without valid manager information.

Option B

Configure one certification campaign, but include code that dynamically handles the situation where a user does not have valid manager information.

Which of These Technical Choices Is Better For The Business?

Clearly choice “B” above is more technically complex to build; however, I think that choice “B” is better for the business for a variety of reasons.

First of all, the simpler and easier the ongoing operational procedures are for the periodic certification campaigns, the better it is for information security. Implementation teams must deliver as part of the implementation, a run-book that contains detailed and explicit instructions on how to maintain and operationalize the IAM solution. The easier these procedures are and the fewer the number of certifications in a given cycle, the greater the likelihood that each cycle will be executed flawlessly.

The second reason why choice “B” above is preferable is ease of reporting. Project sponsors want to know quickly and easily what the status is for each certification campaign. It is true that more and more IAM products ship with canned reports, but in the vast majority of cases, these reports will need at least some configuration to meet the needs of a given company.

What Program Sponsors Need To Know

  •  What applications were included in the review?
  •  How many accounts were reviewed?
  •  By application, what percentage were approved vs. denied? (too high a percentage indicates a likelihood of “rubber stamping”!)
  •  What percentage of managers completed their reviews on-time?

These and other data points need to be included in the requirements for any successful IAM implementation and are crucial for measuring the health of an access management program.

Built in dashboards that enable real-time viewing of the status of in-flight and historical certifications will only give you the information that you want to know if each certification’s scope matches the business need, as opposed to an engineering need. The higher the number of certifications that need to be run, the more complex it will be to run status reports for each cycle and to understand the status of a given campaign cycle.

This complexity will need to be handled somehow. I believe that it is better to put the complexity up-front rather than having to face ongoing complexities on a periodic, operational basis when reports are generated.