What is Attestation?
Attestation, also called access certification, is the process by which the owner of an object or resource formally confirms (“attests”) that a given account should still exist, is still active and in use, and that its access level is still correct. A review that only confirms the account exists misses the point: the reviewer should confirm that the access is still needed for the person’s current role, and at no higher level than required. The mechanism can be as simple as replying to an email stating that the resource is still used, or it can be automated by identity and infrastructure management tools that regularly scan and track accounts and resources. Many legal and regulatory compliance frameworks require attestation, and it is good practice for organizational identity management regardless.
Why is Attestation important?
Attestation is an important tool for verifying that access is appropriate and well managed: stale, orphaned, and excessive permissions are found and removed instead of accumulating, which improves the organization’s security posture and reduces compliance risk. It can be used to verify several aspects of identity for employees, devices, and other resources, each from a different reviewer’s perspective:
- People managers should periodically attest that their direct reports still exist as users and hold only the group or role access their current job requires.
- IT should attest that each group and role has the correct membership and grants access only to the resources it is meant to.
- Resource owners should attest that the roles and groups granted access to their resource still need it, and at the right level.
Given the size of today’s networks and user bases, attestation is hard to manage manually. Identity governance tools help by expressing the requirements as policies: who reviews which entitlements, how often, and what happens to access that nobody certifies. Manual effort is then limited to writing those policies; the tool generates the review campaigns, tracks responses, enforces the outcome, and alerts on exceptions.
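The following is an added example, not code from the original article or from any identity governance product, showing what such an automated campaign does underneath: it scans a small directory for signals a reviewer would want (orphaned accounts, accounts never used, accounts inactive past a threshold), generates one review item per reviewer and entitlement from the three perspectives listed above, builds each reviewer’s worklist, and closes the campaign by applying the decisions. The accounts, groups, resources, the 90-day inactivity threshold, the fallback of orphaned accounts to an IT reviewer, and the default-deny close-out (any “revoke”, or no answer by the deadline, removes the entitlement) are all assumptions chosen for illustration.

```python
"""Added example (not from the original article or any IGA product): a
minimal attestation campaign over constructed directory data.

Assumptions, chosen for illustration: the accounts, groups and resources
below; a 90-day inactivity threshold; orphaned accounts fall back to an IT
reviewer; and a default-deny close-out where any "revoke", or no answer by
the deadline, removes the entitlement.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    user: str
    manager: Optional[str]      # None: orphaned, no manager left to attest
    last_login: Optional[date]  # None: never used
    groups: frozenset


@dataclass(frozen=True)
class Resource:
    name: str
    owner: str
    granting_groups: frozenset  # membership in any of these reaches the resource


@dataclass(frozen=True)
class ReviewItem:
    reviewer: str
    kind: str      # perspective: "manager", "group" or "resource"
    user: str
    group: str     # the entitlement under review is user -> group
    context: str   # what the reviewer is attesting about
    flags: tuple   # scan results that make stale access easy to spot


# Constructed sample data (assumption: not real identities).
TODAY = date(2024, 6, 1)
ACCOUNTS = (
    Account("alice", "mgr-eng", date(2024, 5, 30), frozenset({"eng", "prod-admins"})),
    Account("bob", "mgr-eng", date(2023, 11, 2), frozenset({"eng"})),
    Account("carol", None, date(2024, 5, 1), frozenset({"finance"})),
    Account("svc-backup", "mgr-ops", None, frozenset({"prod-admins"})),
)
RESOURCES = (
    Resource("prod-db", "dba-lead", frozenset({"prod-admins"})),
    Resource("ledger", "cfo", frozenset({"finance"})),
)


def account_flags(acct, today=TODAY, inactive_after=timedelta(days=90)):
    """Automated signals gathered by scanning the directory before review."""
    flags = []
    if acct.manager is None:
        flags.append("orphaned")
    if acct.last_login is None:
        flags.append("never-logged-in")
    elif today - acct.last_login > inactive_after:
        flags.append(f"inactive-{(today - acct.last_login).days}d")
    return tuple(flags)


def build_campaign(accounts=ACCOUNTS, resources=RESOURCES, today=TODAY):
    """One item per reviewer and entitlement, from the three perspectives the
    article lists: the user's manager, IT for the group, the resource owner."""
    items = []
    for a in accounts:
        flags = account_flags(a, today)
        manager = a.manager or "it-security"  # orphan fallback so nothing is skipped
        for g in sorted(a.groups):
            items.append(ReviewItem(manager, "manager", a.user, g, f"account {a.user}", flags))
            items.append(ReviewItem("it-security", "group", a.user, g, f"group {g}", flags))
    for r in resources:
        for a in accounts:
            for g in sorted(a.groups & r.granting_groups):
                items.append(ReviewItem(r.owner, "resource", a.user, g,
                                        f"resource {r.name}", account_flags(a, today)))
    return items


def worklists(items):
    """Group items by reviewer: the content of each reviewer's attestation request."""
    by_reviewer = defaultdict(list)
    for it in items:
        by_reviewer[it.reviewer].append(it)
    return dict(by_reviewer)


def close_campaign(items, decisions, deadline_passed=False):
    """decisions maps (reviewer, user, group) -> "keep" or "revoke".
    Returns the (user, group) grants to remove: any reviewer's "revoke"
    wins, and once the deadline has passed silence also revokes."""
    revoke = set()
    for it in items:
        answer = decisions.get((it.reviewer, it.user, it.group))
        if answer == "revoke" or (answer is None and deadline_passed):
            revoke.add((it.user, it.group))
    return revoke


if __name__ == "__main__":
    campaign = build_campaign()
    for reviewer, todo in worklists(campaign).items():
        print(f"{reviewer}: {len(todo)} item(s)")
        for it in todo:
            print(f"  [{it.kind}] {it.user} -> {it.group} ({it.context}) {list(it.flags)}")
```

Two design points are worth noting. The same entitlement (say, alice in prod-admins) appears on three worklists, because the manager, IT, and the resource owner each attest to a different question about it; that redundancy is what catches a grant one reviewer rubber-stamps. And the close-out treats no answer as revoke once the deadline passes, which is what turns a review nobody completes into a removal rather than a permanent, unreviewed grant; whether that default is acceptable for a given resource is a policy decision, not something the tool can decide alone.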