Without such a review, employees who have long left the company, voluntary or otherwise, may still have access to key systems, which is a serious security risk. In addition, as existing employees move around the company, changing job roles, their access requirements should change as well. Specifically, they need to be denied access to systems they no longer need.
Regular auditing of user access can also prevent "access creep," which is when employees accrue more access than they need as they change jobs.
The first rule for an access review is to have a centralized access management system. Standard directory services, like Active Directory (AD) for Windows and LDAP for Unix, are used in most companies. Though these services offer a lot of features, and can do some reporting, they may not be sufficient. If a corporation needs to produce regular reports for auditors and regulators, it will need something with more features.
There are a lot of high-quality identity management products on the market that augment traditional access management and provisioning with reporting and auditing capabilities. BMC Software has a suite of identity management products, such as its BMC Audit and Compliance Management and BMC Identity Compliance Manager 5.5 products. These two products provide customized reporting capabilities for compliance purposes and can demonstrate not only who has access to what, and at what level, but also that their access privlidges match corporate IT security policies.
Other products offering similar reporting and auditing capabilities include CA Inc.'s Identity Manager and Entrust Authority Security Manager. There are many companies offering identity management products. Whichever you choose, make sure it has centralized auditing and reporting capabilities.
This was first published in January 2008