A recent study by CoreSecurity showed 75 percent of organizations who use identity and access management solutions saw a reduction of unauthorized access incidents. This statistic is a good reminder that User Access Review programs are an essential part of every risk management strategy.
Let’s take a look at some highlights from BARR’s discussion with ConductorOne.
What are User Access Reviews, and how should companies manage them?
“User Access Reviews are a compliance and security control that mitigates over-privilege and help companies achieve least privilege. Managers and system administrators periodically certify that users have the correct levels of access, and the end result is your workforce, contractors, partners, and service accounts have the correct permissions, removing any unnecessary access,” said Bovee.
“We think companies should be able to manage access reviews efficiently, in real-time, without compromising on completeness, accuracy, and an overall improved security stance.”
Here are some best practices ConductorOne recommends for managing access reviews:
- Automate application data collection
- Cross-reference local accounts with directories
- Educate your team on the process
- Engage stakeholders, making it as easy as possible to complete a review on time
How often should companies execute User Access Reviews, and what information is typically reviewed in this process?
“There really is no standard frequency for running User Access Reviews. How often and what information is reviewed is typically a consideration of external compliance requirements, internal security goals, and capacity limitations,” said Bovee.
“In general, most companies run User Access Reviews at least on a quarterly basis and for certain events, such as a change in job or role. A periodic cadence tends to be manageable for most companies.”
“For external compliance frameworks such as SOX, PCI, and SOC 2, any system that houses sensitive customer data, production infrastructure, financial information, identity information, or is essential to the function of your business is most likely in scope for review.”
What does a typical User Access Review process look like?
While the details may vary, here are some steps ConductorOne suggests every company follow:
- Document your system inventory and owners. It’s important to realize ownership may not always be with IT. For example, it’s increasingly common for research and development to own source code repositories or sales operations teams to take on the Customer Relationship Management (CRM).
- Determine what access, permissions, entitlements, or group memberships will require review. Group memberships can have complex access control implications, so you should capture additional context of what is granted from a group or team membership.
- Try to automate as much of the process of collecting application data. Many modern apps allow you to download identity and access data. Use this to build a database of identities, access, groups, and permissions that will be used as a source for the reviews.
- Define your review policy. Who are the reviewers and in what order should reviews take place? Who should provide the fallback review? Is a justification required for on-going access? Try to push decision making to those in the best position to make the decision, and consider self-reviews as a first-step.
- Review all in-scope accounts within the applications. Make sure you also cross reference non-human, service, and local accounts with a centralized directory.
- Run your access review. You should engage employees where they work as much as possible. Nowadays, that’s typically in real-time collaboration tools like Slack. Define your review schedule so you can send out reminders to stay on track and ideally provide context on the permission, group, or identity to each reviewer so they have the information they need to make timely decisions.
Who is responsible for User Access Reviews, and how can organizations create internal accountability around this process?
Stakeholders in the access review process include:
- The campaign manager
- System owners
- Potentially IT and engineering teams in the setup process
- The reviewers, who can be the direct manager, app owner, resource owner, or entitlement owner
“Creating accountability before the campaign starts is really important,” said Bovee, adding, “You can do this by communicating expectations and timelines so stakeholders can resource the effort appropriately and provide educational materials like an FAQ, one-pager, or video tutorial.”
“Ideally the review is as intuitive and user-friendly as possible, and you’ll also need a communication strategy for reaching reviewers and answering any questions that arise. We recommend doing that in real-time collaboration apps such as Slack.”
What are the most common mistakes organizations make when conducting User Access Reviews?
Here are three common mistakes ConductorOne has noticed when organizations conduct access reviews:
Overlooking or not contextualizing the details of group memberships
The automated provisioning of access-based, on-group membership is a powerful tool, but it can cause issues when reviewing the grant because downstream authorization implications may not be clear.
Bovee suggests to “Provide as much context as needed to the reviewer so they can understand the implications.”
Overlooking local, non-human, and service accounts in the review
Additional consideration should be given to non-human or service accounts and to accounts that are local only. If missed by User Access Reviews, these accounts can present entry points for a malicious actor and pose a significant security risk to organizations. Local accounts should be resolved to a centralized directory such as your cloud identity provider, HR solution, or ideally, both.
Not running reviews in as near-real time as possible
Time is of the essence on User Access Reviews. Inactive or removed accounts appearing in audit reports after their deactivation date creates headaches and auditor distrust of your business processes. There is a shelf-life of data from applications, and modern access reviews should be as close to real-time as possible.
How can automation improve the User Access Reviews process?
“Without automation, most companies rely heavily on processes and tools that don’t scale well, such as spreadsheets, tickets, and constant high-touch follow-up and communications,” said Bovee.
“We suggest modern workforces use modern solutions to automate identity and permission management. With automation, you should be able to connect all of your applications with off-the-shelf integrations, build and apply access certification policies, automate the reviewer process, present it with rich context and risk based analysis, and report back to auditors with a one-click download—all in at least half the amount of time it’d take you to do these things manually.”
How do User Access Reviews help companies have a smooth audit process?
“From a compliance point of view, reporting and traceability is essential,” said Bovee. “There is a high level of rigor and paperwork that needs to be generated to ensure that your access reviews meet the bar for compliance.”
Generally, your auditors will want to see the following:
- Reporting on the reviews that were performed
- A strong answer for completeness and accuracy of the data used for the reviews
- Assurance that non-certified access was deprovisioned in a timely fashion
- Proof of application populations at the time of the access reviews
“With all User Access Reviews, the ultimate goal is to review sensitive or high risk access in a timely fashion to ensure that it’s removed, if unnecessary. Leadership will want to see how these access reviews are helping make the company more secure by lowering standing permissions for high risk access,” concluded Bovee.
“If approached correctly, ideally with automation and some of the best practices, User Access Reviews help your company achieve least privilege and move one step closer to zero trust.”
Interested in learning more about access reviews for your organization? Contact us today for a free consultation.