Question 1: Who has access to what?
We have all heard about the necessity of doing user access reviews. Some companies do them to meet internal or external security requirements and regulations, such as Sarbanes-Oxley, SOC 1/2, HIPAA or the ISO 27000 family. But did you know that some organizations use such reviews of access to data, applications, shared files, servers and networks as a way of answering one simple question: which employees have access to my company's resources, and what exactly does that access give them the right to do?
Question 2: How can I discover changes in access over time?
Organizations are constantly changing, whether through the hiring and departure of employees or moves between departments within a company. Also to be taken into consideration is the rapid turnover of external contractors and third parties, such as partners and distributors, who are here one day and gone the next. So what is the best way to keep track of changing access permissions? The most effective way of monitoring these changes is to systematically run access certification campaigns that cover everyone, employees or others, who has access to a company's assets and resources in order to perform their job.
At Brainwave GRC, we refer to this as the "Get Clean, Stay Clean" approach. This means that the data, once initially scrubbed for errors, is kept accurate and complete through access reviews and other features of our Brainwave Identity Analytics solution. This is described further below in this article.
User Access and Corporate Breaches
Cybersecurity threats have become rampant throughout the world, with major corporations such as Uber and T-Mobile falling victim to breaches that cost millions of dollars and as many hours of work to repair. Business data was lost or compromised, financial systems were infiltrated and disrupted, and IT systems and servers were taken partially or entirely offline. One thing stands out: how do you know what you lost if you are not sure what you had to begin with?
The answer is quite simple. By making periodic and continuous user access reviews part of a company's cybersecurity strategy, the answer to who has access to which resources and assets is always readily available to managers, auditors and C-level stakeholders.
User Access Reviews with Brainwave GRC
Brainwave GRC is a market leader in helping you answer that age-old IT question: who has access to what within my information system and across my organization as a whole? Companies call us to take control of the identities linked to user access, trying to better understand:
- which employees listed in the Human Resource (HR) repositories have been given access to company resources,
- whether an employee's access to applications, files and data is legitimate and consistent with his or her job function,
- whether accesses that appear to be active are linked to employees who no longer use them or who have left the company, and
- if accounts, especially those with sensitive privileges, have been lying dormant and unused for long periods of time.
Although it might sound like a simple task, keeping track of this monumental amount of information can be daunting, and is very often done with unwieldy spreadsheets and a number of manual processes. The request we hear most is, "Please get us out of this paperwork nightmare! Do I have to do this manually forever? What are the best practices for this user access exercise covering rights, permissions and entitlements?"
User Access Review: Essential Steps to Ensure Accuracy
Phase I: Prepare the Review
1. Outline the review strategy.
Key parameters, including the objective, the type of review, the frequency of execution, the timelines and the corrective action strategies, help to frame the campaign and uncover any possible obstacles.
2. Define the area to be reviewed.
Only review the access rights that are relevant to your strategy, such as privileged access, changes to access and control anomalies. Identify the users who should be granted the associated access.
3. Make sure that the review is error-free.
Apply the principles of consistency and accuracy to ensure that the campaign is coherent and exhaustive, and that it closely adheres to the defined scope so that it meets the targeted objective.
4. Inform the business managers of what is at stake in the campaign.
Be sure to communicate with review owners, setting out in detail the objectives and tasks, the mission they are responsible for and the importance of their role.
Phase II: Launch the Review Campaign
5. Pay attention to data quality.
Be sure that the data is up-to-date, understandable and easily interpreted by the business teams involved. In this way, their decision-making will be facilitated and will be all the more relevant.
6. Make the user access review an enjoyable exercise.
It is time to move on from spreadsheets. Offer a more user-friendly and ergonomic review experience with a specialized solution. The information will be more readable and easier to handle, and data validation will be simplified.
7. Combine methodology with an effective tool and automate campaigns.
Automate and streamline user access reviews with a specialized solution. Processes will be simplified and will help teams to better manage campaigns and save precious time.
8. Provide decision-making elements.
Make it easier for the reviewer to access account details, applications, detected anomalies and historical review decisions made over time. With this information, the quality of the decisions being made will be improved.
Phase III: Gather the Results for your Auditors
9. Make sure the review leads to corrective actions.
Corrective actions on user access rights and permissions are necessary to demonstrate compliance. When the review visibly results in such actions, the teams' effort is recognized and the exercise is perceived as useful and beneficial by all.
10. Estimate the time spent on your user access review.
It is time to take stock and compare the time spent against the deadlines set as part of the objectives. Did the campaign take more than an hour of reviewers' time? If so, it may be worth reconsidering your strategy and using new, more effective tools such as Identity Analytics from Brainwave GRC.
Automated Access Certification with Identity Analytics
The good news is that Brainwave GRC's Identity Analytics platform can automate these processes for you, from source-agnostic ingestion of data from every source imaginable, including Active Directory, HR files, applications, databases, shared folders and flat files, to output in the form of a map of who has access to what, how they got it and what they can or cannot do with it. It looks like this:
Within the Brainwave GRC solution itself, each of these icons can be clicked on to drill deeper into the supporting data for further detail linked to each individual access, account, permission or entitlement. Of course, for those who prefer to read the data in table format, cross tables offer another way to visualize access from many angles, including by employee, department manager, application owners, groups, divisions and roles. Again, the data can be drilled into with clickable entries that list additional information, as seen below.
User Access Reviews: Get Clean, Stay Clean
This process also includes a step that cleans the data. Accesses that are dormant, or that are still assigned to departed employees or account owners, are revoked. Permissions held by staff members who have changed departments are modified or updated. Any segregation-of-duties (SoD) risks identified against a compliance policy matrix are addressed and remediated. Once this task is complete, the data can then be:
• fed into an IAM or IGA tool for use in other processes,
• shared with department heads and IT managers for validation, or
• given to the Human Resource manager to update employee records, if necessary.
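The three checks behind that clean-up step (accounts whose owner has left or is unknown to HR, accounts nobody has used for a long time, and SoD conflicts against a policy matrix) are mechanical once the HR extract and the account exports sit side by side. The script below is an added example, not Brainwave GRC code; the CSV columns, the 90-day dormancy threshold and the sample rows are all constructed for the illustration.

```python
"""Access-hygiene checks over an HR roster and an account export.

All sample data here is constructed for this example. The column names
(employee_id, status, owner, last_login, ...) and the dormancy threshold
are assumptions for the illustration, not a Brainwave GRC schema.
"""
import csv
import io
from datetime import date

# Constructed HR extract: who is (still) employed and where.
HR_CSV = """employee_id,name,department,status
E100,Alice Martin,Finance,active
E101,Bob Chen,Purchasing,active
E102,Carol Diaz,Finance,terminated
"""

# Constructed account export from several applications. One identity may
# own several accounts; an empty last_login means the account never logged in,
# an empty owner means no identity could be matched to the account.
ACCOUNTS_CSV = """account,app,owner,entitlement,last_login
amartin,ERP,E100,AP_APPROVE_PAYMENT,2024-05-30
amartin,ERP,E100,AP_CREATE_VENDOR,2024-05-30
bchen,ERP,E101,AP_CREATE_VENDOR,2024-06-01
cdiaz,ERP,E102,AP_APPROVE_PAYMENT,2024-01-15
svc_backup,AD,,DOMAIN_ADMIN,
jdoe,AD,E999,DOMAIN_USER,2024-06-02
"""

# Constructed SoD policy matrix: pairs of entitlements that one person must
# not hold at the same time, whichever accounts or applications carry them.
SOD_MATRIX = {frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"})}

DORMANT_AFTER_DAYS = 90  # assumed threshold


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_orphaned(accounts, hr):
    """Accounts whose owner is unmatched, unknown to HR, or no longer active."""
    active = {r["employee_id"] for r in hr if r["status"] == "active"}
    return sorted({a["account"] for a in accounts if a["owner"] not in active})


def find_dormant(accounts, today, limit_days=DORMANT_AFTER_DAYS):
    """Accounts with no login within limit_days; a never-used account counts."""
    dormant = set()
    for a in accounts:
        if not a["last_login"]:
            dormant.add(a["account"])
            continue
        last = date.fromisoformat(a["last_login"])
        if (today - last).days > limit_days:
            dormant.add(a["account"])
    return sorted(dormant)


def find_sod_violations(accounts, matrix):
    """Identities holding both halves of a conflicting pair, with entitlements
    aggregated across all of their accounts and applications."""
    held = {}
    for a in accounts:
        if a["owner"]:
            held.setdefault(a["owner"], set()).add(a["entitlement"])
    violations = []
    for owner, entitlements in sorted(held.items()):
        for pair in matrix:
            if pair <= entitlements:
                violations.append((owner, tuple(sorted(pair))))
    return violations


def run_checks(today_iso):
    """Run all three checks as of the given date and return the findings."""
    hr = load_csv(HR_CSV)
    accounts = load_csv(ACCOUNTS_CSV)
    today = date.fromisoformat(today_iso)
    return {
        "orphaned": find_orphaned(accounts, hr),
        "dormant": find_dormant(accounts, today),
        "sod": find_sod_violations(accounts, SOD_MATRIX),
    }


if __name__ == "__main__":
    for kind, items in run_checks("2024-06-03").items():
        print(kind, items)
```

Two details matter in practice. The SoD check aggregates entitlements per identity rather than per account, because the conflict in the sample (Alice can both create a vendor and approve a payment to it) is invisible if each account is examined alone. And an account with no owner at all (svc_backup) is reported as orphaned just like one whose owner has left, since nobody is accountable for it either way.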
Once this work is done, the next question is how to keep the data clean going forward. We refer to this as our "Get Clean, Stay Clean" approach. What exactly does that mean? Read on.
Snapshots of User Access for Auditing Purposes
The customers who ask us to use our identity analytics to shine a bright light into the recesses of their user access then ask us for step two: keeping this data accurate over the long term. Luckily for them, we have the answer.
Brainwave works with snapshots of the data as it is ingested into the Identity Analytics platform. These snapshots are time- and date-stamped and serve as the reference for future user access reviews, as well as a way of answering questions from internal or external auditors that come up periodically.
These snapshots are especially practical when there is an audit, or a request to see where things stand after organizational changes of any kind, including employee departures, arrivals, changes in job responsibilities or functions, and transfers to another department altogether. At the time of the request, a comparative report can be produced against the preceding snapshots. In this way, the delta between snapshots can be easily verified to highlight anomalies, inconsistencies or violations of internal rules and policies.
These delta changes can then be reviewed by resource owners for approval, revocation or modification, keeping the scope of the access review itself to just those changes that have happened since the last review.
Some companies do prefer, however, to review the entirety of the user access across the company each time it is reviewed. Once Brainwave GRC’s automated processes are set, this is a very simple task that becomes easier and more efficient each time a new review is performed.
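What a delta review looks like in code, as an added example rather than Brainwave GRC's own snapshot format: two date-stamped snapshots of (identity, application, entitlement) rows are compared, and only what changed, plus entitlements that survived a department move, is queued for the resource owner, with sensitive grants first. The snapshot rows, the column layout and the sensitive-entitlement list are constructed for the illustration.

```python
"""Delta review between two date-stamped access snapshots.

The snapshots, their column layout and the SENSITIVE list are constructed
for this example; they are assumptions, not Brainwave GRC's snapshot format.
"""
import csv
import io

# Constructed snapshot taken 2024-03-01: one row per entitlement held.
SNAPSHOT_2024_03_01 = """identity,department,app,entitlement
E100,Finance,ERP,AP_APPROVE_PAYMENT
E101,Purchasing,ERP,AP_CREATE_VENDOR
E102,Finance,ERP,AP_APPROVE_PAYMENT
E103,IT,AD,DOMAIN_USER
"""

# Constructed snapshot taken 2024-06-01. Between the two: E102 left and was
# deprovisioned, E101 gained a new entitlement, E103 moved from IT to Sales
# and gained a domain admin entitlement while keeping the old one.
SNAPSHOT_2024_06_01 = """identity,department,app,entitlement
E100,Finance,ERP,AP_APPROVE_PAYMENT
E101,Purchasing,ERP,AP_CREATE_VENDOR
E101,Purchasing,ERP,AP_APPROVE_PAYMENT
E103,Sales,AD,DOMAIN_USER
E103,Sales,AD,DOMAIN_ADMIN
"""

# Assumed list of entitlements whose grant must be reviewed first.
SENSITIVE = {"DOMAIN_ADMIN", "AP_APPROVE_PAYMENT"}


def load_snapshot(text):
    """Return {(identity, app, entitlement): department} for one snapshot."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["identity"], r["app"], r["entitlement"]): r["department"]
            for r in rows}


def snapshot_delta(old, new):
    """Grants added, grants removed, and grants kept across a department move."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    # Same grant in both snapshots but the holder changed department: it may be
    # a leftover from the previous job and deserves a decision.
    kept_after_move = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed,
            "kept_after_move": kept_after_move}


def review_queue(delta):
    """Items the resource owner must approve, revoke or modify, sensitive
    grants first. Removals need no decision; they are kept as audit evidence."""
    queue = []
    for identity, app, ent in delta["added"]:
        queue.append((0 if ent in SENSITIVE else 1, "new grant",
                      identity, app, ent))
    for identity, app, ent in delta["kept_after_move"]:
        queue.append((0 if ent in SENSITIVE else 1,
                      "kept after department change", identity, app, ent))
    queue.sort()
    return [item[1:] for item in queue]


def run_delta_review():
    old = load_snapshot(SNAPSHOT_2024_03_01)
    new = load_snapshot(SNAPSHOT_2024_06_01)
    delta = snapshot_delta(old, new)
    return delta, review_queue(delta)


if __name__ == "__main__":
    delta, queue = run_delta_review()
    print("added:", delta["added"])
    print("removed:", delta["removed"])
    print("kept after move:", delta["kept_after_move"])
    for item in queue:
        print("review:", item)
```

The queue contains three items for the reviewer instead of the five grants in the current snapshot, which is the scoping benefit of the delta approach; the removed grant for E102 is recorded as evidence that deprovisioning happened but asks nothing of anyone. Note that the delta alone does not reveal that E101 now holds a vendor-creation and a payment-approval entitlement together; an SoD check against the full new snapshot is still needed for that.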
Choose Brainwave GRC for Your User Access Reviews
So, there you have it. The two questions customers ask us most often about their internal and external users, answered for you:
- Who has access to what?
- How can I discover changes in access over time?
Would you like to learn more? Please use the Contact Us or Demo Request form on our website. We will be happy to walk you through a simple exercise to show you how Brainwave GRC’s Identity Analytics Platform is the right tool for you and your automated user access review needs.