A tedious requirement for companies
For any organization, the user access review, otherwise known as access recertification, is an important practice. As a critical component of your Identity and Access Management (IAM) strategy, this control mechanism ensures that your Information System (IS) users have legitimate and consistent access rights to your systems and applications.
For example, the user access review helps with:
- the security and protection of your applications, network and information systems,
- compliance with your company’s security policies, and
- the access rights compliance of all business and privileged users.
If you have ever undertaken a user access review, you know how tedious and difficult a task it can be. Luckily, there are a few best practices that can help make it easier, quicker and more efficient to accomplish.
Before starting, plan the review of permissions
Creating the parameters of your user access review is fundamental in optimizing each step of the process, determining who the key players will be and immediately identifying potential roadblocks.
1. Define your strategy
Start by taking the time to think about your strategy in order to streamline the processes and meet the objectives you have set. Ask yourself these simple but crucial questions based on your chosen strategy:
- What is the purpose of creating my review campaign? Who should be involved and what are their roles?
- What type of user access review, periodic or continuous, will meet my objectives?
- How frequently should it be done?
- How much time will I need?
- What deadlines will be applied?
- What corrective action strategy should I implement?
Addressing these points will allow you to define the policies and procedures linked to your user access reviews by analyzing each of the choices in an informed manner.
2. Define the scope of the permissions review
Once you have defined the overall strategy, target the scope of what is to be reviewed. Based on the volume of access rights to be considered, you can prioritize a risk-based approach, for example, by asking these key questions:
- What user access rights are associated with privileged accounts and sensitive systems?
- Which of these generate control issues and risks?
- Which ones have been affected by recent changes in users and groups?
- Taking into consideration both security and compliance policies, which ones should I review first?
- Who is going to review them and manage remediation?
Using this strategy usually reduces the number of user rights and accounts to be reviewed in priority by 80%, saving considerable time and allowing you to:
- manage deadlines,
- increase campaign frequency, and
- improve responsiveness and quickly correct uncovered gaps.
3. Enhance the reliability of your reviews
In the United States this is known as the principle of “Consistency and Accuracy.” In practice, it means checking the consistency and completeness of the reviews as they were created and prepared, just before their official launch. For example, every access within the scope should be reviewed once and only once. Will this actually be the case?
Any mistake at this stage is likely to render the result of the review null and void, so it is far better to run this check before you involve dozens of reviewers. Be careful, however: managing and auditing this step is not always as simple as it seems. Staff turnover is a typical example: some of the organization’s account users may no longer have a manager assigned to them when the review is created. These users must be identified and re-assigned to another manager so that their roles and associated accesses still get reviewed.
This verification also serves as evidence for auditors, demonstrating the reliability and integrity of the data at each of the three steps of the process: the data sources, the scope of data being reviewed and the outcome of the review (e.g. the list of decisions made to approve or revoke accesses).
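The pre-launch check described above, as an added example that is not part of the original article: given the in-scope access assignments, the reviewer plan and the HR manager map (all constructed sample data), it flags items with no reviewer or more than one, detects users whose manager has left, and builds a corrected plan in which every in-scope access has exactly one reviewer. The fallback reviewer name is an assumption.

```python
from collections import Counter

# Constructed sample data. An assignment is (user, resource, entitlement).
ASSIGNMENTS = [
    ("alice", "erp", "ap_approver"),
    ("bob", "erp", "ap_clerk"),
    ("carol", "crm", "admin"),
    ("dave", "crm", "reader"),
]
# HR manager map; None means the user currently has no manager (manager left).
MANAGERS = {"alice": "mia", "bob": "mia", "carol": None, "dave": "omar"}
# Reviewer plan as prepared before launch, deliberately containing the classic
# defects: one item would be reviewed twice, one not at all.
REVIEW_ITEMS = [
    (("alice", "erp", "ap_approver"), "mia"),
    (("bob", "erp", "ap_clerk"), "mia"),
    (("bob", "erp", "ap_clerk"), "omar"),   # duplicate reviewer for the same item
    # carol's crm admin access has no reviewer because she has no manager
    (("dave", "crm", "reader"), "omar"),
]
FALLBACK_REVIEWER = "iam_team"  # assumption: where orphaned users are routed


def check_campaign(assignments, review_items, managers, fallback):
    """Report missing/duplicated/out-of-scope items and orphaned users,
    and return a corrected plan with exactly one reviewer per in-scope item."""
    counts = Counter(item for item, _ in review_items)
    in_scope = set(assignments)
    missing = sorted(a for a in in_scope if counts[a] == 0)
    duplicated = sorted(a for a, n in counts.items() if n > 1)
    out_of_scope = sorted(a for a in counts if a not in in_scope)
    orphans = sorted(u for u in {a[0] for a in in_scope} if not managers.get(u))
    # Keep the reviewer where exactly one was assigned; otherwise fall back to
    # the current manager, and to the fallback team when there is no manager.
    single = {item: rev for item, rev in review_items if counts[item] == 1}
    plan = {item: single.get(item) or managers.get(item[0]) or fallback
            for item in sorted(in_scope)}
    return {"missing": missing, "duplicated": duplicated,
            "out_of_scope": out_of_scope, "orphans": orphans, "plan": plan}


if __name__ == "__main__":
    report = check_campaign(ASSIGNMENTS, REVIEW_ITEMS, MANAGERS, FALLBACK_REVIEWER)
    for key, value in report.items():
        print(key, value)
```

Run this before launch: an empty "missing" and "duplicated" list, plus a plan whose keys equal the in-scope set, is the evidence that every access will be reviewed once and only once.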
Motivate your teams for more effective reviews
To successfully complete your user access rights review, the engagement of all the stakeholders is essential. The business teams who manage data reviews play a key role. Get them involved in the process by communicating effectively and ensuring a high degree of shared information and supporting materials.
4. Pay attention to data quality
What could be more frustrating for your colleagues than having to comb through incomprehensible or outdated data? Do your best to keep them focused and on task in order to achieve the desired results for your campaign.
Before sharing data, make sure that it has been recently updated. For example, verify that former employees have been deleted from the files and that new hires have been included. In addition, be sure that all the information can be quickly understood and interpreted by the business managers. Otherwise stated, credentials and permissions should be explained in such a way that a detailed description of the actions and their scope is easily comprehensible.
For example, a description can be added to the technical identifier of a security group to indicate the access rights granted to the members of this group. This will make it easier and more relevant for reviewers to make decisions and will promote data security.
5. Alert the business teams to the challenges of reviewing permissions
The user access review is a complex task that requires accountability from everyone involved. Communication is key to getting teams motivated and engaged in the process. Each stakeholder in the campaign must be identified and informed of the tasks that he or she will manage. It is also important to share any issues that could arise during the campaign cycle. Closely adhering to the process and the timing will help the campaign succeed.
6. Making the review process more rewarding is possible
Using spreadsheets has its limitations, so it is time to move on to something else. Increase team productivity by providing a more user-friendly and ergonomic solution. Tools exist that make information more readable and easier to handle with just a few clicks, so that data validation is quicker and simpler to carry out. This helps the campaign stakeholders undertake the tasks entrusted to them in a more active and efficient manner.
Combine your methodology with a specialized tool to automate campaigns
Once the campaign is created and the teams are in place, save time using solutions that help you to identify problems, speed up the review and meet deadlines.
7. Focus on automation
Eliminate risk due to laborious manual processes by automating and industrializing your access reviews using a specialized solution. With a single interface, workflows can be streamlined to better manage campaigns and reduce the time spent on them. Meet the objectives you have set by aiming for:
- data reliability and quality, removing the risk of errors linked to manual data handling,
- process traceability which enables you to effortlessly manage the campaign, track who reviewed what, and take action including reminders and escalations to ensure its full and on-time completion, and
- compliance of your user access rights. This derives from a closed-loop process that effectively improves the situation, a comprehensive audit trail and a detailed history of user reviews that can be presented to auditors.
8. Provide decision support tools
In order to make informed decisions, the reviewer needs access to contextual information, such as:
- account access details,
- application specifications and classification,
- detected discrepancies, and
- earlier decisions, among others.
Giving a reviewer quick access to this information improves the quality of the decisions made. He or she can use it to take a closer look at how the access rights granted to employees correlate with the scope of their job functions and roles, and at control discrepancies that have already been identified, for example by IT General Controls (ITGC).
The review history is particularly useful here because, as a recurring exercise, prior validated decisions probably remain valid in the absence of interim changes.
Answer the auditors at the campaign’s conclusion
The next step is to align the systems with the decisions made during the review process, ensuring compliance of the access rights involved.
9. Make sure key actions follow the conclusion of your campaign
To meet compliance requirements and auditors’ recommendations, you must be able to demonstrate that corrective actions or compensating controls have been implemented to resolve each identified issue. Corrective actions are most often requested from the IT department via the usual channels (ITSM, IAM). Afterwards, their application must be verified.
Go beyond the audit regulations and compliance policy constraints to which companies are subjected. Following up on these points strengthens:
- your campaign, because real risks that are uncovered are met with quick and concrete remedies, and
- team effort, the actions of which have a direct impact in keeping the organization’s data secure and the user access rights compliant. The situation continually improves with each review.
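The post-campaign verification described above, as an added example that is not part of the original article: it compares the campaign’s approve/revoke decisions with a snapshot of entitlements pulled from the target systems after the remediation tickets were closed, and reports revocations that were never applied as well as accesses that nobody decided on. The data is constructed sample data, not from any real system.

```python
# Constructed sample data: decisions recorded during the campaign.
DECISIONS = [
    {"user": "alice", "resource": "erp", "entitlement": "ap_approver", "decision": "approve"},
    {"user": "bob", "resource": "erp", "entitlement": "ap_clerk", "decision": "revoke"},
    {"user": "carol", "resource": "crm", "entitlement": "admin", "decision": "revoke"},
    {"user": "dave", "resource": "crm", "entitlement": "reader", "decision": "approve"},
]
# Constructed snapshot of entitlements read back from the systems after remediation.
CURRENT_ENTITLEMENTS = {
    ("alice", "erp", "ap_approver"),
    ("carol", "crm", "admin"),   # revoke was decided but the access is still there
    ("dave", "crm", "reader"),
    ("erin", "crm", "admin"),    # granted after the campaign: no decision covers it
}


def verify_remediation(decisions, current):
    """Close the loop: return revocations still present in the systems,
    approved accesses that have since disappeared, and accesses with no decision."""
    decided = {(d["user"], d["resource"], d["entitlement"]): d["decision"]
               for d in decisions}
    unresolved = sorted(k for k, v in decided.items()
                        if v == "revoke" and k in current)
    vanished = sorted(k for k, v in decided.items()
                      if v == "approve" and k not in current)
    undecided = sorted(k for k in current if k not in decided)
    return {"unresolved_revokes": unresolved,
            "approved_but_missing": vanished,
            "undecided": undecided}


def remediation_complete(decisions, current):
    """True only when every revoke decision has been applied."""
    return not verify_remediation(decisions, current)["unresolved_revokes"]


if __name__ == "__main__":
    for key, value in verify_remediation(DECISIONS, CURRENT_ENTITLEMENTS).items():
        print(key, value)
    print("complete:", remediation_complete(DECISIONS, CURRENT_ENTITLEMENTS))
```

The "unresolved_revokes" list is what you hand back to the IT department, and the "undecided" list is the input to the next campaign’s scope.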
10. Evaluate the time spent on access rights review
Far from being a detail, the time spent actively performing a review is a key indicator. Although it may seem counterintuitive, the review is a task that can be completed quickly and efficiently, and one that the business teams can easily manage.
A review that is too long can be an obstacle to reaching your goal, and for good reason:
- The deadlines set cannot be met, so the campaign remains unfinished.
- Poor decisions are made too quickly due to imposed time constraints.
Any way you look at it, the result is not acceptable because risks are not clearly identified, applications, networks and internal systems are in danger and compliance objectives are not met.
Once your campaign is complete, create a continuous improvement process for quick evaluation. Calculate the time spent with regards to the objectives as well as the scope of the project and analyze the effectiveness of this practice over time.
If you find your teams spending countless hours on their access rights reviews of users and accounts, or never fully completing them, consider changing your approach. New solutions and specialized support can help you redefine your review strategy and carry out your reviews under better conditions.