security 101 — it’s a compliance necessity. The Sarbanes-Oxley Act, PCI DSS, HIPAA and GDPR all carry user access review requirements, and failing to review access on a regular schedule can land your company in hot water with auditors and regulators.
Many enterprises use a variety of identity and access management (IAM) mechanisms, such as role-based access control (RBAC) or the principle of least privilege (POLP) to secure privileged access in their systems. But, once these are in place, then what?
Think about the number of employees that have quit or been terminated at your company in the past year. Then, add in the number of current employees who have changed roles or departments. If you work for a large organization, this number could be in the hundreds or even the thousands.
Now, consider the data, applications and systems those employees had or have access to. Terminated employees may still hold the keys to some of the company’s most valuable information. Current employees who have accumulated privileges across successive roles present just as big a risk.
To counter these problems, it’s critical to conduct user access reviews.
What is a user access review and why is it important?
A user access review is the process of periodically assessing the rights of anyone who has access to enterprise systems and data. Users can include employees, partners, third parties, service providers and vendors.
Performing user account reviews, also known as account recertification, account attestation or entitlement review, is critical to monitor, manage and audit the user account lifecycle from creation to termination — and everywhere in between.
User access reviews should coincide with a well-defined user access review policy. Reviews should be done on a regular basis to prevent potential security problems.
Common user access risks
The wrong access rights can result in malicious attacks or internal mistakes that could be detrimental to the company’s brand and its bottom line. Users become overprivileged for a number of reasons, and the common ones include the following:
- Privilege creep: an employee changes roles in the company and the access rights of the old role are never removed.
- Orphaned accounts: an employee quits or is fired yet retains access rights because deprovisioning was missed.
- Mergers and acquisitions: accounts and entitlements from another organization are merged in without being reviewed against your own roles.
How to conduct a user access review
Step 1. Define your access management policy
At minimum, a user access management policy should include the following:
An inventory of enterprise assets. List which assets users can be granted access privileges to across your enterprise. Document all databases, applications, systems, networks, OSes, data centers, rooms, buildings, etc.
A list of owners for each asset. Identify the owner(s) of each asset. This could be a manager, administrator or IT team, among others. Owners should then provide a detailed list of the types of data and accessible content in their assets, which will map to access levels and roles.
Descriptions of user access levels and roles. Define job roles and responsibilities and their access requirements down to a granular level. For example, some employees will need read-only access to data to perform their job functions, while some require editing capabilities, and others will need permission to delete data. Granting only the least privilege necessary for a job function is critical to closing user access gaps.
Reporting frequency and types. Different types of user access audits can be put in place. Trigger-based account reviews are one-off updates initiated by predefined rules, such as when an employee changes departments or is terminated. Other reviews are scheduled on a regular basis.
User access reviews may be conducted per system, per employee or as a combination of the two. A per-system review will audit access controls based on who has access to each system, while a per-employee review examines privileges based on the systems an employee accesses.
How often to conduct reviews will vary by organization. Smaller companies may be able to review every system more frequently than large corporations, which may assess one system at a time or test a sample and conduct a full review only when discrepancies turn up. Depending on the system, reviews can be run monthly, quarterly, biannually or annually. Audit high-risk assets more often; lower-risk systems can be assessed less frequently.
When defining frequency, consider how to administer your next review. Some businesses work from previous reviews and follow the same processes, but this isn’t advisable for all organizations, especially those that have changed a lot in a given time period. For example, a company that has undergone a reorganization, adopted new applications or systems, or been involved in a merger or acquisition should revisit its review processes and schedules.
Deprovisioning processes. An enterprise user access review policy should also detail corporate provisioning and deprovisioning processes. Provisioning, the first step in the user account lifecycle, explains how access privileges are assigned to a new hire. Deprovisioning outlines how user IDs are revoked when an employee changes roles or is terminated. Removing access rights to enterprise assets is part of the deprovisioning and offboarding process, but it can be overlooked. Regular access reviews will notify managers and owners of issues in offboarding, enabling the company to update its processes and remediate any changes necessary.
Training and instructions on when to enlist others’ help. An entitlement review is an enterprise-wide project. While a CISO or security admin may own the task, other C-level staff and managers should help define and review access controls. Remember, an effective team requires effective, easily digestible data. Many business systems classify user IDs and access controls in their own formats. Combining data from multiple systems can become complicated and confusing. Collate and simplify the data for owners. If data is difficult to read, owners may sign off on the report without conducting a thorough analysis.
Managers should also be aware of the access rights they’re providing employees. Giving access for the sake of giving access opens an enterprise to risk. Security awareness training can help prevent managers from providing too many access privileges to employees, as well as help them understand the risks associated with various roles and their level of access to enterprise assets.
Account attestation can be manual or programmatic. Manual user access reviews are often considered time-consuming and cumbersome, so most organizations use software for at least part of the task. For some organizations, the group and membership reports from a directory service, such as Active Directory or an LDAP directory, are sufficient. Directory reports may not offer the granular, per-entitlement recertification that all businesses need, however. IAM tools, such as Hitachi ID Identity Manager, IBM Security Identity Governance and RSA SecurID Access, offer reporting options built for user access reviews. Machine learning features in some of these products can also streamline the process by flagging entitlements that are unusual compared with a user’s peers.
Step 2. Conduct the review
Once a clearly defined policy is in place, create a report of all databases, applications and systems, and determine who currently has access to them. Include all employees and third parties, such as vendors, service providers and consultants.
Send a copy of the report to each asset owner, who should then audit the list to verify who has access, at what level and whose access privileges should be changed or revoked. Sometimes, this is based on role, department or responsibility, while a more granular approach is needed at other times. For example, responsibilities and privileges can vary for people in the same role.
In some reviews, owners may approve or reject whole departments. Department managers then must verify or reject whether specific employees from their respective departments should be allowed access. If an asset owner rejects a department’s access privileges, the owner should notify the department manager, who then should be given time to negotiate the case for access, if necessary.
Make sure owners sign off on the report by deadline.
Step 3. Remediation and reporting
Once you receive all user account access reviews, execute changes based on the owners’ reviews. Remove any revoked access, and update employees’ privileges as needed. Generating a new user access report will verify changes have gone into effect.
Finalize, sign and store the report. Finalized reports should include previous and current roles, access rights, who approved them, the names of the systems’ owners and any notes or further actions. This report provides an audit trail and evidence of access recertification compliance.
Now is a good time to assess security gaps. For example, if many of the revoked user IDs trace back to the same provisioning rule, it might be time to rethink corporate provisioning practices. The report can also measure how well security policies and IAM strategies are working, as well as whether the access processes for hiring, transferring and termination are efficient and still in line with the security model of your business.
Also, take time to assess your review process. What went well? Are there steps that could simplify the process next time? What ways could you make user access review more efficient?
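The three steps above reduce to a data-matching exercise: join the entitlement export against the HR roster and the role matrix from your policy, hand each asset owner only the findings for their system, apply the approved revocations, and re-run the review to prove the changes took effect. The following script is an added example of that procedure and is not code from the original article; the roster, entitlement rows, role matrix and owner names are all constructed for illustration.

```python
# Added example (not from the original article): build a user access review
# report by joining an entitlement export against the HR roster and a
# role-to-entitlement matrix, then verify remediation with a second pass.
# All systems, users, roles and owners below are constructed for illustration.
from dataclasses import dataclass

# Constructed HR roster: user -> (employment status, current role).
HR_ROSTER = {
    "alice": ("active", "finance_analyst"),
    "bob": ("active", "developer"),
    "carol": ("terminated", "finance_manager"),
    "dave": ("active", "developer"),  # transferred from the dba role last quarter
}

# Constructed entitlement export: one (system, user, privilege) row per grant.
ENTITLEMENTS = [
    ("erp", "alice", "read"),
    ("erp", "carol", "approve"),        # terminated user never deprovisioned
    ("git", "bob", "write"),
    ("git", "dave", "write"),
    ("prod_db", "dave", "admin"),       # leftover from dave's previous role
    ("prod_db", "svc_backup", "read"),  # no HR record: service or orphaned account
]

# Role matrix from the access policy: role -> set of (system, privilege) it may hold.
ROLE_MATRIX = {
    "finance_analyst": {("erp", "read")},
    "finance_manager": {("erp", "read"), ("erp", "approve")},
    "developer": {("git", "write")},
    "dba": {("prod_db", "admin")},
}

# Asset owner per system, as listed in the access policy.
SYSTEM_OWNERS = {"erp": "finance_director", "git": "eng_manager", "prod_db": "dba_lead"}


@dataclass(frozen=True)
class Finding:
    system: str
    user: str
    privilege: str
    reason: str


def review(entitlements, roster, role_matrix, service_accounts=frozenset()):
    """Flag every grant that the roster and role matrix do not justify."""
    findings = []
    for system, user, privilege in entitlements:
        if user in service_accounts:
            continue  # known service accounts are reviewed by the owner, not against HR data
        if user not in roster:
            findings.append(Finding(system, user, privilege, "orphaned: no HR record"))
            continue
        status, role = roster[user]
        if status != "active":
            findings.append(Finding(system, user, privilege, f"user is {status}"))
        elif (system, privilege) not in role_matrix.get(role, set()):
            findings.append(Finding(system, user, privilege, f"not entitled by role {role}"))
    return findings


def owner_packets(findings, owners):
    """Per-system view: group findings by asset owner so each owner sees only their list."""
    packets = {}
    for f in findings:
        packets.setdefault(owners[f.system], []).append(f)
    return packets


def per_user(findings):
    """Per-employee view: every flagged grant a single user holds across systems."""
    view = {}
    for f in findings:
        view.setdefault(f.user, []).append((f.system, f.privilege, f.reason))
    return view


def apply_revocations(entitlements, approved_revocations):
    """Remediation: drop the grants the owners marked for removal."""
    revoke = {(f.system, f.user, f.privilege) for f in approved_revocations}
    return [row for row in entitlements if row not in revoke]


if __name__ == "__main__":
    findings = review(ENTITLEMENTS, HR_ROSTER, ROLE_MATRIX)
    for owner, items in owner_packets(findings, SYSTEM_OWNERS).items():
        print(owner, [(f.user, f.system, f.privilege, f.reason) for f in items])
    remaining = apply_revocations(ENTITLEMENTS, findings)
    # The second pass over the remediated export must come back clean.
    print("post-remediation findings:", review(remaining, HR_ROSTER, ROLE_MATRIX))
```

On the constructed data the first pass flags carol's ERP approval (terminated), dave's production database admin right (not in the developer role) and the svc_backup account (no HR record); the post-remediation pass returns nothing, which is the evidence you file with the signed report. In practice the review itself is the owner's decision, so the script treats findings as candidates for revocation rather than revoking automatically.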
Best practices for user access reviews
The access review process is a critical component of any enterprise security program:
- Create an access control policy, and update as needed.
- Adopt a formal access review process.
- Perform regular audits.
- Require involvement from employees and management, not just the security team.
- Use access control software features in IAM products, or consider deploying such products and features.
- Review access controls not only when an employee is hired or terminated, but also when roles change within the organization.
- Define and document the segregation of duties, which involves splitting tasks and privileges for a specific process among two or more people.
As with everything in security, expect the unexpected. Have a process in place for unforeseen issues, such as a segregation-of-duties violation being detected or a job function changing and needing to be updated in the master list of access levels and roles.
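Segregation of duties can be checked mechanically once the toxic combinations are written down: a violation is any one user holding every privilege a rule lists, and the exception process above becomes a documented, time-boxed waiver that the check honours until it expires. The following is an added example of such a check and is not code from the original article; the rules, grants, users and expiry dates are constructed for illustration.

```python
# Added example (not from the original article): detect segregation-of-duties
# violations in an entitlement export, honouring documented, time-boxed
# exceptions. Rules, systems, users and dates are constructed for illustration.
from datetime import date

# Toxic combinations: one person holding every grant in the set can run a
# sensitive process end to end with no second pair of eyes.
SOD_RULES = {
    "create_and_approve_payment": {("erp", "create_payment"), ("erp", "approve_payment")},
    "deploy_and_erase_audit_trail": {("ci", "deploy_prod"), ("siem", "delete_logs")},
}

# Constructed entitlement export: one (system, user, privilege) row per grant.
ENTITLEMENTS = [
    ("erp", "erin", "create_payment"),
    ("erp", "erin", "approve_payment"),   # erin can pay herself: violation
    ("erp", "frank", "create_payment"),   # frank and gina split the process: fine
    ("erp", "gina", "approve_payment"),
    ("ci", "hank", "deploy_prod"),
    ("siem", "hank", "delete_logs"),      # violation, waived by an exception until it expires
]

# Documented exceptions from the unforeseen-issues process: (user, rule) -> expiry date.
EXCEPTIONS = {("hank", "deploy_and_erase_audit_trail"): date(2025, 9, 30)}


def grants_by_user(entitlements):
    """Collapse the export into user -> set of (system, privilege)."""
    held = {}
    for system, user, privilege in entitlements:
        held.setdefault(user, set()).add((system, privilege))
    return held


def sod_violations(entitlements, rules, exceptions=None, as_of=None):
    """Return sorted (user, rule, status) triples.

    status is 'violation' for an unwaived toxic combination and
    'expired_exception' when a waiver exists but has lapsed as of `as_of`.
    """
    exceptions = exceptions or {}
    as_of = as_of or date.today()
    results = []
    for user, held in grants_by_user(entitlements).items():
        for rule, toxic in rules.items():
            if not toxic <= held:
                continue  # user lacks at least one grant in the combination
            expiry = exceptions.get((user, rule))
            if expiry is None:
                results.append((user, rule, "violation"))
            elif as_of > expiry:
                results.append((user, rule, "expired_exception"))
            # an unexpired, documented exception is accepted risk, not a finding
    return sorted(results)


if __name__ == "__main__":
    for finding in sod_violations(ENTITLEMENTS, SOD_RULES, EXCEPTIONS, as_of=date(2025, 12, 1)):
        print(finding)
```

Run before the exception lapses, the check reports only erin; run after 30 September 2025 it also reports hank's lapsed waiver, which is the trigger for either renewing the exception with a fresh sign-off or removing one of the two grants.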
Some general IAM and access best practices include the following: