Identity is everything now. Every chief information security officer should be asking themselves questions like “do you know who you’re trusting?” and “when did you last validate?”
Jay Gazlay, CISA Technical Strategist
It is a fact: the notion of identity is a major issue for the preservation and security of resources. Access rights reviews, in particular, help to meet this challenge by:
● controlling the risks related to access rights,
● optimizing data quality, and
● protecting the organization’s resources from potential risk and security breaches.
Most security specialists are familiar with the periodic access review. Whether manual or automated, it needs to be performed in order to demonstrate compliance to access rights as well as to the regulatory policies to which the organization is subject. But what about continuous access review? When used in conjunction with its periodic access review counterpart, it can be a powerful tool for identifying access risks.
The following questions shed some light on these two distinct approaches.
● What are the specifics and objectives of these two types of reviews?
● Are these processes complementary?
● When should one be used instead of the other?
Learn how to use both the periodic and continuous access review effectively with Brainwave GRC.
Periodic Access Review: Mapping and Compliance
How and why to perform a periodic access review?
The principle is simple. It consists of verifying, at regular intervals, that accurate rights are granted to the correct people and entities. This approach is part of a “dead cleaning” process: once the “photograph” has been taken, it is a matter of correcting anything that appears out of line.
To do this, it is necessary to consolidate all available information by:
● establishing a complete map of access rights in order to identify each employee in the company, as well as the different access accounts associated with him or her, and
● identifying the links of responsibility for each employee, based on the accesses granted and the true business functions involved.
Once this exercise is completed, the next step is to confirm with the various stakeholders that the rights and access accounts have been granted in a relevant manner with regards to the duties and responsibilities of each employee.
Periodic Access Review: A Rigid Process with Targeted Objectives
This is a tedious, time-consuming process, carried out at different times depending on the degree of sensitivity of the resources. Regardless of the frequency, the periodic access review is performed according to:
● a given scope of compliance,
● a specified target, and
● a rigorous workflow.
Periodic Access Review
What are the limitations of a periodic access review?
Periodic Access Review: A Tedious, Time-Consuming Task
● The periodic review of accesses is carried out manually despite the large number of rights to be reviewed. Compliance deadlines are quickly compromised using this method.
● An error is detected, but the reviewer has difficulty identifying the source. An investigation must be launched to find and resolve the issue.
● The data collected is of poor quality. In order to understand and review each access, the teams possessing the technical and functional knowledge must be individually contacted.
These difficulties, whether observed separately or in combination, can cause delays in the review process and can lead to errors linked to time constraints or missing information. Additionally, they can be indicative of a more strategic error. Periodic access review is not the best way to detect and identify certain security flaws.
After compliance is met, what about risk?
Periodic access reviews are essentially based on a scope of compliance that varies according to the type of review being performed (SOC 2, Sarbanes Oxley (SOX), etc.). However, this compliance objective does not encompass all of the risks to which an organization’s resources may be exposed.
In this way, the protection of intellectual data, for example, does not fall under a compliance logic, but rather under a logic of operational risk with direct business impact. In this specific case, the execution of a periodic access review would be deemed inappropriate.
It is important to remember that this type of review is usually done on a quarterly, semi-annual or annual basis. Some of the problems detected can be several weeks to several months old. However, it would be best that they be identified much earlier in order to be resolved as soon as possible. Compliance is the specific objective of the periodic access review in accordance with its formal framework, fixed aspect and deadline-based nature. As soon as the objective goes beyond these factors, changing to a continuous access review process may become particularly relevant.
Continuous Access Review: Event Analysis and Risk Detection
A Flexible Process Based on Field Experience
Unlike the periodic access review, the continuous access review is based on an operational approach. The continuous access review focuses on events observed in the information system to ensure that they do not constitute a potential security breach. This process requires the involvement of various stakeholders (application, resource and other types of managers) to verify the legitimacy and relevance of the granted accesses as well as the observed behaviors.
Continuous Access Review and Flow Logic: An Alternative to Periodic Access Review?
Unlike the periodic access review, the continuous access review it is the result of a collective effort. For example, an entire team may be asked to take a position on a situation that arises. It can be considered a continuous management process where each decision calls for action and remediation.
Continuous Access Review
Periodic and Continuous Access Review: Two Approaches with Distinct but Complementary Objectives
Two Types of Journals with a Common Set of Constraints
● a complete inventory of accesses (accounts, groups and permissions). Most of the time, this information comes from multiple and varied data sources and then must be centralized and homogenized,
● the management of the distribution of tasks (reminders, reviewer contributions, etc.) for which additional tools may be useful, and
● the automation of decisions to be made and actions to be taken via external systems (ticketing, identity management, etc.).
Periodic and Continuous Review: An Effective Combination
The control offered by these different review mechanisms helps with the identification and legitimacy of the rights granted to an organization’s employees. The photographic nature of the periodic access review is favored to evaluate the overall quality of the rights that are granted, ensuring data compliance, while the continuous access review addresses risky situations, individually or globally, through the involvement of the business teams. The synergy of these two approaches, based on the same data and a common technology, guarantee that internal resources are optimally protected.