cyBARR Chats Episode 15: Best Practices for User Access Reviews

By September 6, 2022Videos

In this cyBARR Chat, we’re joined by Alex Bovee, CEO of ConductorOne, to discuss best practices for user access reviews.


[00:00:00] Claire McKenna: Hello everyone. And welcome to today’s episode of cyBARR Chats. I’m Claire McKenna, senior writer and researcher with BARR Advisory. And today we’re joined by Alex Bovee, CEO and co-founder of ConductorOne, to discuss best practices for modern user access reviews. A recent study by core security showed that 75% of organizations that use identity and access management solutions saw a reduction of unauthorized access incidents.

With that statistic in mind, a user access review program is an essential part of every risk management strategy for companies to stay both secure and compliant. So Alex, you’re our expert today let’s get started. What are user access reviews and how should companies manage them? 

[00:00:48] Alex Bovee: Yeah, absolutely. User access reviews are a compliance and security control that helps, uh, security teams and GRC teams, uh, reduce the standing privileges of employees and contractors and users broadly in the organization to achieve least privilege.

Uh, it’s a super important. Part of that security program, because what it means is that it decreases the overall attack footprint for your organization and makes sure that accounts and identities in your organization have the right level of access and really no more access than they need to do their job.

[00:01:22] Claire McKenna: Awesome. Thank you for that explanation. How often should companies execute these user access reviews and what information is typically reviewed in that process? 

[00:01:32] Alex Bovee: Yeah, we, we see, uh, it across the board in terms of the timeframe, uh, that, uh, companies use to, to perform user access reviews, kind of worst case scenario is something like a, a yearly user access review.

Best case scenario is, a very timely user access review where it may be is contextually driven based on, uh, role change or someone rolling off a project. Um, but what we see is also a lot of companies in between there. Um, if companies have really done a good job of, of operationalizing user access reviews, and they have a lot of automation in place, they can usually, uh, hit a monthly user access review train, where they’re kind of breaking up what they’re actually reviewing on a monthly basis and, and making sure that.

Um, you know, consistently access is being reviewed in the organization to, uh, I’d say probably the most frequent we see is quarterly user access reviews. Um, in terms of what information is reviewed, it really depends on what your goals are. If your goals are completely security driven, uh, you may review just sensitive access to infrastructure systems within your, your environment to make sure that no one is overprivileged and that users have been, uh, correctly decommissioned.

If, if they’ve been, uh, uh, deactivated in the organization. Um, and then from a compliance, external compliance framework standpoint, uh, different frameworks have different requirements in terms of what you review. So if it stocks, usually that’s a little bit more financially oriented. And so those systems are in scope, uh, versus something like SOC too, which really cares about the holistic business, uh, how that business is run.

And, uh, you see everything from source code repositories to infrastructure, to your sales systems, being a scope for stock. Great. 

[00:03:20] Claire McKenna: Thank you for that. Um, you already touched on this a little bit, but could you give a brief overview of what a typical user access review process should look like? Maybe what some of the most important steps are.

[00:03:32] Alex Bovee: Yeah, definitely. Um, you know, generally speaking, every company does it a little bit differently, uh, but we do see a set of sort of standard steps that, that most companies follow in this process. Uh, the first is to, to really understand your system inventory, if you will, what are the different systems that are in scope?

Uh, who owns those systems, who are the different resource owners within those systems and, and kind of collecting and, and managing that list in, in the organization. Um, we see, uh, a lot of automation around these steps. Um, so trying to make sure that you’re pulling. All the data out of those systems in a consistent way.

And putting that into some sort of a format that you can use to conduct your user access reviews. Um, once you’ve got that data in place, uh, you wanna identify who the actual reviewers of those different entitlements and permissions and access are. Usually that’s, you know, that’s mapped into the tool or the spreadsheet or whatever it is that you’re using.

Um, and then conducting that process is, is really fundamentally about collaboration. So making sure that you’re reaching out, you’re pinging the correct people to do those user access reviews. You’re getting the feedback that you need on the different levels of access, and then following up as quickly as possible to make sure that you’re revoking or removing access or changing access, if, if that’s necessary.

[00:04:52] Claire McKenna: Great. Let’s dive in there a little further who is responsible for access reviews and what should organizations do to create internal accountability around such an important process? 

[00:05:06] Alex Bovee: This is one of the things that I, I love the most about user access reviews is they’re fundamentally a very cross-functional and collaborative process.

If you think about the different, uh, constituents in place, you have, uh, usually your GRC teams, your GRC personas, responsible for. Probably conducting and running the overall user access review process. You have security teams, uh, that are gonna be informing the requirements. Um, and the inputs that go into those user access reviews, uh, you have the individual system owners or the resource owners or managers who are gonna be providing that feedback into the user access reviews and making the decisions on as to whether or not access should be retained or changed.

um, and that, you know, really requires, I think a, a lot of collaboration across those different teams, making sure, uh, to make sure that that is as, as simplified and as streamlined as possible. Um, in terms of setting expectations, you know, it’s really about just being clear on timelines and goals, uh, getting that buy-in early on, uh, if, if it’s your first time conducting user access reviews, getting that buy-in early on in terms of the expectations of the different parties involved in them.

And then if you’re doing it on an ongoing basis, making sure that you’re just communicating front in terms of, uh, what’s gonna be reviewed during a user access review, who’s gonna need to provide input and setting and getting clarity on the expectation in terms of, uh, timeline and when you need that input.

[00:06:30] Claire McKenna: That’s great. So you’ve touched on what organizations really need to be doing. What do you see as the most common mistakes that organizations make when they’re conducting these access reviews? 

[00:06:43] Alex Bovee: Yeah, there’s a handful of, I think foot faults that we see companies making one is candidly, just not investing enough in automation. If you really wanna achieve that, that security outcome of least privilege access control, uh, it necessitates that you move those user access reviews as, as near real-time as possible. Um, which you really just cannot. Without some level of automation. So automation in terms of being able to ingest the data from the different systems and actually run the access review, get the, get the inputs and then do the revocation.

So I think that’s one place. Um, another place is not providing enough context to reviewers. Um, so, uh, you know, a lot of times, uh, access reviews might be conducted, let’s say, on a group membership, but that group membership might grant ground, uh, might grant downstream access or entitlements potentially even across different systems.

It’s really important for the reviewers that are making these decisions to understand the context of the access. That’s what’s being asked of them to review in order that they can, they can make the right decision. Uh, and so it, it needs to have a little bit of security context. It needs to have a little bit of context in terms of what the implications of the access is.

Um, and I think the third mistake is really around the timeliness of it. Um, a lot of times, particularly if you don’t have automation in place, you might be pulling data out of systems, uh, creating the user access reviews and then running them. And there’s a, a lag time there. And what that can create is you know, an opportunity in a window with which your environment can actually change.

Users can be off boarded users can be onboarded. Um, and so if you get too much of a window there of, of lag time it can really create some issues, particularly from a compliance and audit perspective. When you have external auditors looking at the results of those reviews and they find discrepancies, uh, in, in what was reviewed versus what your environment looked like at that time.

[00:08:37] Claire McKenna: Got it. Thank you. Uh, you talked a lot about automation in that answer. Let’s keep talking about that. How else does automation improve the access review process? 

[00:08:49] Alex Bovee: Automation just really helps streamline that whole manual process from being potentially. Weeks of set up time, aggregating data weeks to run the reviews and collect the feedback.

Um, and then, you know, days, if not weeks to actually attenuate and remove the access to, uh, ideally just a few clicks in a, in a software tool you can use software tools for that. You can build some of this automation yourself but as much as you can you know, automation helps at the front end because it allows you to.

Pull in that application, uh, population data and the roles and groups and permission assignments and the applications, and centralize that into a single place that cuts a lot of time out of that effort. Um, automation helps you in terms of streamlining and collecting the feedback and, and the actual results of these user access reviews.

And then automation can also help you with the revocation processes as well. So all of those processes can be run with spreadsheets it ticket. Uh, lots of emails and reach out, uh, but as much as possible, if you can automate that process, it, it really reduces the time to run the user access review to be, uh, to pretty near real time.

Thank you. 

[00:10:01] Claire McKenna: Uh, switching gears a little bit, how do you access reviews? Help companies have a smooth audit process. 

[00:10:08] Alex Bovee: Yeah. Um, I mean, from our perspective there’s really two objectives of user access reviews. There’s the security objective. And you know, that security objective is about reducing again, your standing footprint and privileges and making sure that privileges are right side, right size based on what people need to complete their job.

Um, and then your, uh, there’s the compliance outcome, which is really, you know, achieving and meeting your controls from a compliance framework perspective. Um, and so we see, uh, you know, on the latter side in particular, uh, the need for a lot of traceability, You really need to prove that the application population data that you pulled out of those applications, uh, was up to date at the time that it wasn’t tampered with that.

When you ran the user access reviews, it was ran across that entire population of data. Um, and that the, uh, The results were acted on in an, uh, appropriate and timely fashion. Um, that’s important from a security perspective as well. Uh, but really from a compliance perspective, I would say that that auditability is the main thread there where you wanna make sure that you’re meeting that auditability threshold.

[00:11:19] Claire McKenna: That’s great. Thank you for that. My last question for you, you’ve provided so much great insight so far. Is there anything else you want our audience to know about user access? 

[00:11:31] Alex Bovee: Um, you know, I think that the main piece is that user access reviews are, uh, just a, a it’s an ingredient to a security and compliance program.

Um, I think, and it’s a very valuable and important tool into helping companies achieve least privilege access. Uh, there are other elements to that, but, but we really do. I think as an industry view this as a, uh, is one of the most effective tools you can use to make sure that you are achieving your security and compliance objectives and, uh, getting, getting closer to least privilege and zero trust-based access to your environment.

[00:12:08] Claire McKenna: Great. Thank you. That’s it for today, Alex. Thank you so much for sharing all of this valuable information on the importance of user access reviews. This information will absolutely help our clients and our partners to stay secure and compliant. We really appreciate you joining us on cyBARR Chats and we look forward to seeing everyone next time.