I have been in and out of a lot of clients where there is much discussion about attestation. The question is, how do they define attestation and how does it apply to their needs? In many cases, I am seeing solutions that are more complex than may actually be required in practice.
A friend of mine, who is working as an auditor, told me that basically an auditor is responsible to hold one to their own standards and policies. Granted, this is true but omits the fact that the policies and controls must cover the appropriate governance requirements of the industry you are in (whether this be SOX, HIPAA, or other relevant policy requiring regular review of user access).
So, that said, what defines attestation for your organization is the first question you should ask before embarking on a large scale attestation and compliance project? Do you need to have ever user in a group attested to individually which is what the BHold and Omada suites have you do or can you simply have the group owner say that he reviewed the membership and check a box and record when he did that?
This is an important question to ask. In many organizations there are more groups than there are users. In those same organizations, there are few people who actually own or maintain groups and attesting to every member in every group is almost a full time job.
What if one of their groups contains 1000 people? Can you imagine having to click 1000 times to attest that all these users are certified for that access? If your audit policy demands it, then go for it, but I would suggest some secondary strategies for making it work.
1. Divide access groups into sub-groups that will allow you to share the attestation among many people. If the group is across business units, why have someone in the business unit who owns the app primarily responsible for the access? Can the supervisors in the other business units attest to their peoples need to be in the group? If yes, nest a group that can have the attestation delegated.
2. Can you share attestation tasks with multiple users from the application owners business unit? Instead of having one group owner, can you have multiple owners who share responsibility for doing the 1000 clicks? One owner responsible for people who have last names starting with A – M for example and the other taking care of the rest (granted that example is still a staggering 500 clicks per owner, but still better than 500 in my opinion!)
Attestation strategies can be creative. So long as they meet the requirement for the level of compliance you need to attain, you do not have to think fine grained attestation. You may be able to use something much simpler.