In a previous article on user access review, we highlighted the differences between periodic and continuous access reviews and how to use each one. The conclusion was that the two approaches serve different purposes and should be seen as complementary. They do not replace each other. When used together, they are the most successful form of access review available.
When an organization is subject to one or more compliance regulations or frameworks such as ISO 27002, NIST or Sarbanes-Oxley (SOX), a periodic review of access rights is essential. Whether manual or automated, it is one of the cornerstones of the internal control process and allows an organization to demonstrate its access compliance to auditors.
Continuous access review is based on a hands-on, event-driven approach. The hiring of a new employee, a job change within the company, the granting of additional access rights, security gaps and unusual permissions are all events that the continuous access rights review detects in order to trigger the necessary remediation and reduce the security breaches that can lead to the theft or alteration of data.
For this second article, these explanations will be put into practice. Three use cases will illustrate the different ways to capitalize on the potential of both the periodic and continuous review of access rights to respond to the multiple issues found within organizations.
Use Case #1: Periodic Access Reviews And SOX Compliance
The Periodic Review Applied to Financial Systems
In this specific case, the organization must meet a compliance objective and prove this compliance by showing the control processes and the correct management of access rights within the financial scope. To meet these requirements, a quarterly or annual review of access rights is best.
Objective: Validate User Authorizations
The review covers:
- business applications related to financial transactions as well as their underlying infrastructure, and
- SOX-sensitive permissions, that is, permissions that grant "write" access to data or that can modify a system configuration.
The next step is to process all remediation requests that result from these validations. In the case of this organization, any revocation decision triggers a service ticket (ITSM).
The periodic review of access rights is used here to demonstrate the compliance of the granted authorizations. The auditors will give their opinion once they are satisfied that all the necessary controls have been carried out in a timely manner and that the required level of completeness has been reached. This is very important, even more important than the validation of the data itself. For example, if all the data is validated without actually being reviewed, the auditor will not take into consideration the fact that there are no revocations; the auditor's objective is only to ensure that the control processes themselves have been performed.
Periodic Access Reviews with Tight Deadlines
The review is carried out in three steps:
- The campaign is prepared and the scope of the review is defined, which takes a total of two to three days.
- The lists created during the scope definition phase are distributed to the reviewers through the workflow engine. In this case, there are a total of 1,000 reviewers who have exactly 30 days to complete the review.
- The results are then consolidated, and remediation actions are initiated during the following two weeks to solve the problems identified during the review.
Compliance requires a complete review of the targeted scope, which is an integral part of the periodic access review process.
NOTE: During these three steps, Brainwave’s solution helps the reviewer with the functionalities listed below.
- Because read-only access is not considered sensitive within the context of Sarbanes-Oxley compliance, it can be pre-approved by default. Within the tool, the reviewer can automatically detect all accesses approved by default.
- Certain problems, such as control deviations, can be highlighted and suggested actions offered to the reviewer.
- Unusual or atypical situations that lead to revocation can be handled automatically without the intervention of the reviewer.
- Access to previous reviews that provide historical content can help with current decision-making tasks.
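The campaign mechanics described in this use case (a SOX-only scope, read-only access pre-approved by default, sensitive permissions routed to a reviewer within a 30-day window, completeness tracked for the auditor, and every revocation turned into a ticket) can be modelled in a few dozen lines. The following Python is an added illustration, not Brainwave's code; the entitlement fields, permission names, the `in_sox_scope` flag and the ticket format are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Read-only permissions are not SOX-sensitive and are pre-approved by default;
# anything that can write data or change configuration needs a reviewer decision.
READ_ONLY_PERMISSIONS = {"read", "view", "report"}


@dataclass(frozen=True)
class Entitlement:
    user: str
    application: str
    permission: str
    in_sox_scope: bool  # application belongs to the financial (SOX) perimeter (constructed flag)


@dataclass
class ReviewItem:
    entitlement: Entitlement
    decision: str = "pending"          # "pending" | "approve" | "revoke"
    decided_by: str = ""
    decided_on: Optional[date] = None


@dataclass
class Campaign:
    start: date
    review_days: int = 30              # reviewers have exactly 30 days
    items: list = field(default_factory=list)

    @property
    def deadline(self) -> date:
        return self.start + timedelta(days=self.review_days)


def build_campaign(entitlements, start, review_days=30):
    """Scope definition: keep only SOX-scope entitlements, pre-approve read-only ones."""
    campaign = Campaign(start=start, review_days=review_days)
    for ent in entitlements:
        if not ent.in_sox_scope:
            continue  # outside the financial perimeter: not part of this campaign
        item = ReviewItem(ent)
        if ent.permission in READ_ONLY_PERMISSIONS:
            item.decision, item.decided_by, item.decided_on = "approve", "policy:read-only", start
        campaign.items.append(item)
    return campaign


def record_decision(campaign, user, application, permission, decision, reviewer, on):
    """A reviewer approves or revokes one sensitive entitlement; late decisions are refused."""
    if on > campaign.deadline:
        raise ValueError(f"review window closed on {campaign.deadline}")
    if decision not in ("approve", "revoke"):
        raise ValueError("decision must be 'approve' or 'revoke'")
    for item in campaign.items:
        e = item.entitlement
        if (e.user, e.application, e.permission) == (user, application, permission):
            item.decision, item.decided_by, item.decided_on = decision, reviewer, on
            return item
    raise KeyError("entitlement is not in the campaign scope")


def pending_items(campaign):
    return [i for i in campaign.items if i.decision == "pending"]


def completeness(campaign):
    """Fraction of in-scope items carrying a decision: the figure an auditor checks first."""
    if not campaign.items:
        return 1.0
    return sum(1 for i in campaign.items if i.decision != "pending") / len(campaign.items)


def remediation_tickets(campaign):
    """Each revocation becomes one ITSM ticket (field names are constructed for this example)."""
    return [
        {"action": "revoke", "user": i.entitlement.user, "application": i.entitlement.application,
         "permission": i.entitlement.permission, "decided_by": i.decided_by,
         "campaign_deadline": str(campaign.deadline)}
        for i in campaign.items if i.decision == "revoke"
    ]


# Constructed sample entitlements (not real data).
SAMPLE_START = date(2024, 1, 8)
SAMPLE = [
    Entitlement("alice", "GL-ledger", "read", True),
    Entitlement("alice", "GL-ledger", "write", True),
    Entitlement("bob", "AP-payments", "approve", True),
    Entitlement("carol", "GL-ledger", "admin-config", True),
    Entitlement("dave", "HR-portal", "write", False),   # outside the SOX perimeter
]

if __name__ == "__main__":
    c = build_campaign(SAMPLE, SAMPLE_START)
    print(f"in scope: {len(c.items)}, completeness after pre-approval: {completeness(c):.0%}")
    record_decision(c, "alice", "GL-ledger", "write", "approve", "cfo-delegate", SAMPLE_START)
    record_decision(c, "carol", "GL-ledger", "admin-config", "revoke", "it-manager", c.deadline)
    print(f"completeness: {completeness(c):.0%}, tickets: {remediation_tickets(c)}")
```

The `completeness` figure is kept separate from the approve/revoke outcome on purpose: as the text notes, the auditor's first question is whether every in-scope item received a decision on time, not how many were revoked.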
Use Case #2: Using Continuous User Access Review to Tag Technical Accounts
Better Identification of Technical Accounts for Relevant Allocations
An organization's accounts fall into two categories:
- nominative (named) accounts assigned to individuals who have exclusive use of them, and
- shared accounts, to which access is generally granted to a group of employees.
In addition to named accounts, many employees have access to technical, service or administrative accounts. Just like with named accounts, it is important to keep track of who has access and is responsible for them to be sure that the access granted is always relevant.
In this use case, the organization, a software publisher, has several disparate and outdated Unix/Linux systems on which many local accounts have been created.
Taking this into consideration, access reviews have two main objectives:
- to list all system and technical accounts and to ensure that each one is assigned to the right person, namely, the system administrators and users who are responsible for these accounts from a compliance perspective, and
- to eliminate any ambiguity in the identification and use of accounts due to the fact that the naming conventions for these accounts may not have been applied.
Choosing Continuous Access Rights Reviews to Address Identified Issues
The continuous access rights review is like the queue of a ticketing system, as seen below.
- More than 10,000 unknown accounts whose history has been lost or is uncertain are put in a queue.
- Each account is reviewed to determine ownership, usage, proper assignment and validity.
- Depending on the answers obtained, a remediation process will be triggered to correct the information and the details of the account, or, if necessary, to revoke it if it is no longer in use. The progress is measured using key performance indicators and traditional flow measurements, such as the number of accounts processed per week or the number of accounts remaining to be processed.
Once these accounts have been tagged and categorized, they can be reintegrated into the compliance process via the periodic access rights review. The objective of this review will be to ensure that these accounts are still pertinent with regard to the organization's compliance framework.
Use Case #3: From Micro-Certification to The Continuous User Access Review
This last use case is based on an organization’s need to do reviews on a large volume of data.
The Principles of Micro-Certification
To be effective, micro-certifications:
- must be frequent, of short duration and focus on changes,
- must be perfect in their execution to avoid backlog accumulation, and
- are most effective when performed within a mature organization.
Micro-certification can be considered a highly optimized periodic certification performed at a continual frequency that meets compliance objectives. When dealing with sensitive resources, it is advantageous to do monthly micro-certifications between periodic reviews, as these will focus only on the changes that have occurred in the meantime. By combining micro-certifications with periodic reviews, compliance and risk-reduction objectives are efficiently met.
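The defining property of a micro-certification is that it reviews only what changed since the last certified state, and that undecided items must not pile up between cycles. The Python below is an added example, not code from Brainwave or from the article: it diffs a certified baseline against a current snapshot of grants, puts only additions (plus any backlog from the previous cycle) in front of the reviewer, drops backlog items that have since disappeared, and folds approvals back into the baseline. The `Grant` structure and the sample administrative-group memberships are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    """One access right: a user holding a right on a resource (constructed structure)."""
    user: str
    resource: str   # e.g. an administrative group on a core business system
    right: str


def snapshot_delta(certified, current):
    """Compare the last certified state with the current snapshot.

    Only additions need a decision; removals are kept for the audit trail and
    unchanged grants are already covered by the previous certification."""
    certified, current = set(certified), set(current)
    return {
        "added": current - certified,
        "removed": certified - current,
        "unchanged": current & certified,
    }


@dataclass
class MicroCertification:
    cycle: int
    to_review: set
    decisions: dict = field(default_factory=dict)   # Grant -> "approve" | "revoke"

    def decide(self, grant, decision):
        if grant not in self.to_review:
            raise KeyError("grant is not part of this micro-certification")
        if decision not in ("approve", "revoke"):
            raise ValueError("decision must be 'approve' or 'revoke'")
        self.decisions[grant] = decision

    def backlog(self):
        """Undecided grants: the thing a micro-certification must keep at zero."""
        return {g for g in self.to_review if g not in self.decisions}


def run_cycle(cycle, certified, current, carried_over=frozenset()):
    """Open a micro-certification for the changes since `certified` plus last cycle's backlog.

    A backlog grant that no longer exists in `current` needs no decision any more."""
    delta = snapshot_delta(certified, current)
    to_review = (delta["added"] | set(carried_over)) & set(current)
    return MicroCertification(cycle, to_review), delta


def close_cycle(mc, certified, current):
    """Produce the new certified baseline, the revocations to remediate, and the backlog.

    Grants unchanged since the last certification stay certified; approvals join
    the baseline; revoked grants leave it and go to remediation."""
    approved = {g for g, d in mc.decisions.items() if d == "approve"}
    revoked = {g for g, d in mc.decisions.items() if d == "revoke"}
    new_certified = ((set(certified) & set(current)) | approved) - revoked
    return new_certified, revoked, mc.backlog()


# Constructed sample data: memberships of two administrative groups.
A_ERP, A_PAY = "admin-erp", "admin-payroll"
CERTIFIED = {Grant("alice", A_ERP, "member"), Grant("bob", A_ERP, "member"),
             Grant("carol", A_PAY, "member")}
WEEK1 = {Grant("alice", A_ERP, "member"), Grant("carol", A_PAY, "member"),
         Grant("dave", A_ERP, "member"), Grant("erin", A_PAY, "member")}   # bob left, dave and erin added
WEEK2 = {Grant("alice", A_ERP, "member"), Grant("carol", A_PAY, "member"),
         Grant("dave", A_ERP, "member"), Grant("frank", A_ERP, "member")}  # erin left, frank added

if __name__ == "__main__":
    mc1, delta1 = run_cycle(1, CERTIFIED, WEEK1)
    print("week 1 to review:", sorted(g.user for g in mc1.to_review))
    mc1.decide(Grant("dave", A_ERP, "member"), "approve")      # erin is left undecided
    baseline, revoked, backlog = close_cycle(mc1, CERTIFIED, WEEK1)
    print("backlog after week 1:", sorted(g.user for g in backlog))
    mc2, delta2 = run_cycle(2, baseline, WEEK2, backlog)
    print("week 2 to review:", sorted(g.user for g in mc2.to_review))
```

Because the reviewer only ever sees `to_review`, the cost of each cycle scales with the number of changes rather than with the size of the resource, which is what makes a weekly or monthly cadence on sensitive groups affordable.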
Periodic vs. Continuous Access Rights Review: When to Use a Combined Approach?
The organization combines the approaches as follows:
- All resources are subject to a semi-annual periodic review.
- Sensitive resources with a specific level of confidentiality are reviewed on a quarterly basis.
- The highly sensitive resources are subject to a weekly micro-certification process, the objective being to identify changes to avoid security breaches. In this example, this refers to administrative groups giving access to the organization’s core business systems.
At the same time, a continuous access rights review is also performed. This consists of reviewing incidents such as deviations on high-risk controls. Each incident raises an alert that can occur at any time, in which case it becomes necessary to take immediate action.
As a result:
- The compliance objective is met through the implementation of periodic reviews complemented by the micro-certification process, optimizing the overall review process.
- Risk management is ensured with the help of continuous access rights review in addition to an effective alert system.
It is interesting to note how complementary the different review approaches are in terms of regaining control of access. While periodic reviews and micro-certification demonstrate access compliance to auditors, continuous access reviews contribute to considerable risk reduction. All of this is based on an analysis of all the organization's resources.
Any organization looking to protect its resources and infrastructure from security risk and meet compliance objectives should carefully consider the best review methodology before putting it in place. As demonstrated by these case studies, no single approach is more secure or effective than another. Risk mitigation and compliance are all about developing the right review strategy, which may include, as shown here, a combination of several review practices for the best and most effective results.