Audits and Attestation Policies

Given the sensitive nature of many organizational IT resources, and the complexity of current regulatory and oversight initiatives, maintaining transparency over "who has access to what, where, and when" in a readily available format requires more than following an audit trail layered with page after page of reports. Audit trails and reports are indispensable to any compliance strategy, but relying on an "after-the-fact" approach alone can prove disastrous, as many recent insider breaches have shown: by the time a report reveals excessive access, the access has already been usable. EmpowerID provides an Attestation and Recertification platform that gives an organization a proactive means of finding and correcting inappropriate access before it is abused, through the crafting of EmpowerID Attestation Policies.

Attestation Policies are snapshots of data that reveal the access to resources granted to people and to roles, the assignments of people to roles, and the security assignments that have been made against protected resources such as Exchange mailboxes, applications, and groups. These snapshots are routed for review to the appropriate authorized personnel, whether managers, role owners, or data owners. The review process allows the reviewer to examine each item of access and certify whether it is still valid. Internal processes can then use these decisions to remediate exceptions (for example, by revoking access that was rejected) or to record the exceptions as permitted. EmpowerID maintains an audit trail of both the access snapshots and the decisions made concerning them, so that a later audit can establish not only who had access at a point in time but who approved it. This combination of Attestation Policies with EmpowerID's reporting capabilities allows organizations to build a more thorough and effective resource management strategy.

EmpowerID Attestation Policies come in the following types:

  • Assignee Granted Security - This Attestation Policy type creates a snapshot of the Access Level Assignments (Resource Roles) and Management Role assignments made to a given assignee acting as an actor.
  • Management Role Membership - This Attestation Policy type creates a snapshot of the current assignees of a Management Role.
  • Management Role Access Granted - This Attestation Policy type creates a snapshot of the Resource Roles currently assigned to a Management Role, allowing you to quickly see the resultant access to resources that people have by virtue of their assignment to that Management Role.
  • Resource Granted Security - This Attestation Policy type creates a snapshot of who currently has access to a given resource object for which the policy is created.
  • Direct Reports - This Attestation Policy type creates a snapshot of who reports to whom.
  • Group Membership - This Attestation Policy type creates a snapshot of who currently has membership in a given group.
  • Folder Permissions - This Attestation Policy type creates a snapshot of who currently has what type of access to a given Windows folder.
  • Exchange Mailbox Permissions - This Attestation Policy type creates a snapshot of who currently has what type of access to a given Exchange mailbox.

Each Attestation Policy is targeted, or scoped, to apply only to specific people, roles, or resources using query-based EmpowerID SetGroups. SetGroups are composed of Sets, which are LDAP or code-based queries. These Sets are re-evaluated by the EmpowerID engine on a scheduled basis and can group collections of people or resources based on queries written against the EmpowerID Identity Warehouse or even against external systems in a customer's environment. Because Set membership is recomputed rather than maintained by hand, objects that newly match the query (a group that is added to a privileged OU, for example) are picked up by the next policy run without anyone having to update the policy. The use of SetGroups provides a flexible access review mechanism by which organizations can selectively collect the objects they want a given policy to cover and then schedule that policy to create review tasks in the manner that best meets their security requirements. As an example, you could create one Attestation Policy that targets only high-security groups and schedule it to run frequently, and another Attestation Policy for lower-security groups with a less frequent run schedule.

Additionally, each Attestation Policy runs against resources within a specific location. This allows even greater flexibility, in that a policy can include as many or as few objects as desired, such as all Exchange mailboxes within an organization or only the people assigned to a specific office room, depending on how your location hierarchy is mapped within EmpowerID. While it is possible to create an Attestation Policy that runs against every resource item in your inventory, such a policy could yield potentially millions of objects, creating a daunting and unnecessary workload for your recertification team if access to those objects has no significant security impact. Over-broad reviews also tend to be rubber-stamped, which weakens the control precisely where it matters most, so scoping policies to the access that carries real risk is a security decision as much as a workload one.

EmpowerID Attestation Policies can be scheduled to run periodically, whether quarterly, monthly, weekly, or daily, or they can be run "at will." When a policy runs, manually or at its scheduled time, an Attestation Review task is created for each object in the SetGroup. This allows authorized staff to review the access that people within the organization hold at a given time, and to see how that access came about, whether by a direct assignment to a specific resource or indirectly through a Management Role that carries multiple Resource Role assignments. Surfacing the indirect path matters, since access inherited through a role is easy to overlook when only direct permissions on the resource are examined.

To maintain the integrity of Attestation Reviews, users cannot attest to their own access, and a user who creates an Attestation Policy cannot certify the reviews that policy generates. As a consequence of this separation of duties, the EmpowerID Admin user is excluded from participating in the review process.