Sikov -

Problem solve Get help with specific problems with your technologies, process and projects.

Best practices to conduct a user access review

User entitlement reviews ensure employees only have access to essential systems and unauthorized employees -- or miscreants -- don't. Learn how to conduct an audit of user privileges.

Controlling and regularly reviewing who has access to what isn't just Enterprise Security 101 -- it's a compliance...

necessity. Sarbanes-Oxley Act, PCI DSS, HIPAA and GDPR all have mandatory user access review requirements, which, if not reviewed regularly, could land your company in hot water.

Many enterprises use a variety of identity and access management (IAM) mechanisms such as role-based access control or the principle of least privilege to secure privileged access in their systems. But once these are in place, then what?

Think about the number of employees that have quit or been terminated at your company in the past year. Add in the number of current employees who have changed roles or departments in the same time period. If you work for a large organization, this number could be in the hundreds, or even the thousands.

Now, consider the data, applications and systems those employees had or have access to. Terminated employees may still hold the keys to some of the company's most valuable information. Current employees with user privilege account accumulation, also referred to as privilege creep, present just as big a risk.

Conducting user account reviews, also known as account recertification, account attestation or entitlement review, is critical to monitor, manage and audit the user account lifecycle from creation to termination -- and everywhere in between. Adopting a well-defined user access review policy and running it on a regular basis is instrumental to prevent malicious attacks or internal mistakes that could be detrimental to your brand and your bottom line.

The user access review cycle

Step one: Define your policy

At minimum, a user access review policy should include:

  • An inventory of enterprise assets
  • A list of owners for each asset
  • Descriptions of user access levels and roles
  • Reporting frequency and types
  • Deprovisioning processes
  • Training and instructions on when to enlist others' help

An inventory of enterprise assets

List which assets users can be granted access privileges to across your enterprise. Document all databases, applications, systems, networks, operating systems, data centers, rooms, buildings, etc.

A list of owners for each asset

Identify the owner(s) of each asset. This could be a manager, administrator or IT team, among others. Owners should then provide a detailed list of the types of data and accessible content in their assets, which will map to access levels and roles.

Access levels and roles

Assign responsibilities down to a granular level. These are usually defined in a corporate security policy. With data, for example, some employees will need read-only access to perform their job functions while some require editing capabilities. Others will need permission to delete data.

Providing the least privilege necessary for a job function is critical to eliminating user ID security gaps.

Reporting types and frequency

There are different types of user access audits. Trigger-based account reviews are one-off updates initiated by predefined rules, such as when an employee changes departments or gets terminated. Other reviews are scheduled on a regular basis. Real-time account certification features are available in some IAM software.

User access reviews may be conducted per system, per employee or a combination of the two. A per-system review will audit access controls based on who has access to each system, while a per-employee review examines privileges based on which systems an employee accesses.

Determine how often to conduct your review. This will vary by organization; smaller companies may be able to review their entire policy more frequently than a large corporation, which may only assess one system at a time or test a sampling and conduct a full review only when discrepancies occur.

Depending on the system, reviews can be run monthly, quarterly, biannually or annually. Audit high-risk assets more often, while lower-risk systems can be assessed less frequently.

When defining frequency, consider how to administer your next review. Some businesses work off previous reviews and follow the same processes, but this isn't advisable for all organizations, especially ones that have changed a lot in a given time period. For example, a company that has undergone a reorganization, adopted new applications or systems, or been involved in a merger or acquisition should revisit their review processes and schedules.

Be sure to have a process in place for unforeseen issues, such as if separation of duty violations are detected or if a job function has been changed and needs to be updated in the master list of access levels and roles. Expect the unexpected.

Separation of duties

A separate -- but important -- IAM best practice is to ensure separation of duties among employees is well-defined and documented.

Separation of duties, also referred to as segregation of duties, involves splitting tasks and privileges for a specific process among two or more people. This inhibits any single person from completing a task -- in turn, preventing privilege abuse, fraud or error.

Potential separation of duty violations can be identified during a routine user access review.

Deprovisioning processes

An enterprise user access review policy should also detail corporate provisioning and deprovisioning processes. Provisioning, the first step in the user account lifecycle, explains how access privileges are assigned to a new hire. Deprovisioning outlines how user IDs are revoked when an employee changes roles or is terminated.

Removing access rights to enterprise assets is part of the deprovisioning and offboarding process, but it can be overlooked. Regular access reviews will notify managers and owners of issues in offboarding, enabling the company to update its processes and remediate any changes necessary.

Training and when to enlist others' help

An entitlement review is an enterprise-wide project. While a CISO or security admin may "own" the task, other C-level staff and managers should help define and review access controls.

Remember, an effective team requires effective, easily digestible data. Many business systems classify user IDs and access controls in their own formats. Combining data from multiple systems can become complicated and confusing. Collate and simplify the data for owners. If data is difficult to read, owners may sign off on the report without conducting a thorough analysis.

Managers should also be aware of the access rights they're providing employees. Giving access for the sake of giving access opens an enterprise to many risks. Security awareness training can help prevent managers from providing too many access privileges to employees, as well as help them understand the risks associated with various roles and their level of access to enterprise assets.

Account attestation can be manual or programmatic. Manual user access reviews are often considered time-consuming and cumbersome. Programmatically, software helps with the task. For some organizations, directory services are sufficient, such as Active Directory for Windows or Lightweight Directory Access Protocol for Unix. However, these tools may not offer the granular-level account recertifications needed by all businesses. IAM tools such as Hitachi ID Identity Manager, IBM Security Identity Governance and RSA SecureID Access offer reporting options for user access reviews. Machine learning algorithms can also help streamline the process.

Step two: Conduct the review

Once a clearly defined policy is in place, create a report of all the databases, applications and systems, and determine who currently has access to them. Include all employees and third parties such as vendors, service providers and consultants.

Send a copy of the report to each asset owner, who must then audit the list to verify who has access and at what level, and whose access privileges should be changed or revoked. Sometimes this is based on role, department or responsibility, while other times a more granular approach is needed. For example, responsibilities and privileges can vary for two people in the same role.

In some reviews, owners may approve or reject whole departments. Department managers then must verify or reject whether specific employees from their respective departments should be allowed access.

If an asset owner rejects a department's access privileges, they should notify the department manager. The department manager should then be given time to negotiate the case for access if necessary.

Stay on top of owners to ensure they sign off on the report by deadline.

Step three: Remediation and reporting

Once you receive all access attestation, execute changes based on the owners' reviews. Remove any revoked access and update employees' privileges as needed. Generating a new user access report will verify changes have gone into effect.

Finalize, print and store the report. Finalized reports should include previous and current roles, and access rights, who approved them, the names of the systems' owners and any notes or further actions. This report provides an audit trail and evidence of access recertification compliance.

Now is a good time to assess security gaps. For example, if a number of user IDs get revoked due to a specific policy from the provisioning process, it might be time to rethink corporate provisioning practices. The report can also measure how well security policies and IAM strategies are working, as well as whether access policies during hiring, transferring or termination are efficient and still in line with the security model of your business.

Also take time to assess your review process. What went well? Are there steps that could simplify the process next time? What ways could you make user access review more efficient?

Additional reporting by David Griffeth.

This was last published in July 2019

Dig Deeper on Privileged access management