Identity is everything now. Every chief information security officer should be asking themselves questions like “do you know who you’re trusting?” and “when did you last validate?”
Jay Gazlay, CISA Technical Strategist

Identity has become central to preserving and securing an organization's resources. Access rights reviews, in particular, help to meet this challenge by:

● controlling the risks related to access rights,
● optimizing data quality, and
● protecting the organization’s resources from potential risk and security breaches.

Most security specialists are familiar with the periodic access review. Whether manual or automated, it must be performed in order to demonstrate compliance with access rights policies and with the regulations to which the organization is subject. But what about continuous access review? Used alongside its periodic counterpart, it can be a powerful tool for identifying access risks.

The following questions shed some light on these two distinct approaches.

● What are the specifics and objectives of these two types of reviews?
● Are these processes complementary?
● When should one be used instead of the other?

Learn how to use both the periodic and continuous access review effectively with Brainwave GRC.

Periodic Access Review: Mapping and Compliance

How and why is a periodic access review performed?

The periodic review of access rights is one of the foundations of internal access control. In most cases, it is implemented for compliance purposes, for example with ISO 27002, NIST frameworks or financial regulations such as Sarbanes-Oxley (SOX).

The principle is simple: verify, at regular intervals, that the correct rights are granted to the right people and entities. This approach is a “dead cleaning” process: once the “photograph” has been taken, anything that appears out of line is corrected.

To do this, it is necessary to consolidate all available information by:

● establishing a complete map of access rights in order to identify each employee in the company, as well as the different access accounts associated with him or her, and

● identifying the links of responsibility for each employee, based on the accesses granted and the true business functions involved.

Once this exercise is completed, the next step is to confirm with the various stakeholders that the rights and access accounts granted are appropriate to the duties and responsibilities of each employee.
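The three steps above (consolidate the inventory, map accounts to identities, route each entitlement to a stakeholder for confirmation) are the heart of a snapshot review. The following is an added example, not Brainwave GRC code; the HR roster, the two system extracts with their differing field names, and the routing rule (an employee's manager reviews their entitlements) are all constructed for illustration. It homogenizes heterogeneous extracts into one schema, then separates accounts with no identity behind them and accounts belonging to leavers from the items that go out for review.

```python
"""Snapshot-style (periodic) access review on a constructed inventory.

Added example, not Brainwave GRC code. Source formats, field names and the
sample records below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed HR roster: the identity side of the map.
HR_ROSTER = [
    {"employee_id": "E100", "name": "Alice Martin", "dept": "Finance", "manager": "E001", "status": "active"},
    {"employee_id": "E101", "name": "Bob Chen", "dept": "Engineering", "manager": "E002", "status": "active"},
    {"employee_id": "E102", "name": "Carla Diaz", "dept": "Finance", "manager": "E001", "status": "left"},
]

# Constructed extracts from two systems, each with its own field names.
AD_EXPORT = [
    {"sAMAccountName": "amartin", "employeeID": "E100", "memberOf": ["Finance-Users", "SAP-Payments-Approver"]},
    {"sAMAccountName": "bchen", "employeeID": "E101", "memberOf": ["Eng-Users", "Domain Admins"]},
    {"sAMAccountName": "cdiaz", "employeeID": "E102", "memberOf": ["Finance-Users"]},
    {"sAMAccountName": "svc-backup", "employeeID": "", "memberOf": ["Domain Admins"]},
]
SAAS_EXPORT = [
    {"login": "alice.martin@example.test", "owner_ref": "E100", "roles": ["billing_admin"]},
    {"login": "old.contractor@example.test", "owner_ref": "E999", "roles": ["billing_admin"]},
]


@dataclass(frozen=True)
class Account:
    """One account in the homogenized inventory."""
    source: str
    account: str
    owner: str                     # employee_id, or "" when the system records none
    entitlements: tuple[str, ...]


def normalize() -> list[Account]:
    """Centralize both extracts into a single schema (the inventory step)."""
    inventory = [Account("ad", r["sAMAccountName"], r["employeeID"], tuple(r["memberOf"])) for r in AD_EXPORT]
    inventory += [Account("saas", r["login"], r["owner_ref"], tuple(r["roles"])) for r in SAAS_EXPORT]
    return inventory


def build_review(inventory: list[Account], roster: list[dict]) -> dict:
    """Map accounts to identities and build the review campaign.

    Returns orphan accounts (no matching identity), accounts of people who
    have left, and the remaining entitlements grouped by the reviewer who
    must confirm them (here: the owner's manager).
    """
    people = {p["employee_id"]: p for p in roster}
    findings: dict = {"orphan": [], "leaver": [], "by_reviewer": defaultdict(list)}
    for acct in inventory:
        owner = people.get(acct.owner)
        if owner is None:
            findings["orphan"].append(acct)        # nobody is accountable for this account
            continue
        if owner["status"] != "active":
            findings["leaver"].append(acct)        # should have been closed at departure
            continue
        for ent in acct.entitlements:
            findings["by_reviewer"][owner["manager"]].append(
                {"source": acct.source, "account": acct.account, "owner": owner["name"], "entitlement": ent}
            )
    findings["by_reviewer"] = dict(findings["by_reviewer"])
    return findings


if __name__ == "__main__":
    result = build_review(normalize(), HR_ROSTER)
    print("orphan accounts :", [a.account for a in result["orphan"]])
    print("leaver accounts :", [a.account for a in result["leaver"]])
    for reviewer, items in result["by_reviewer"].items():
        print(f"reviewer {reviewer}: {len(items)} entitlement(s) to confirm")
```

Orphan and leaver accounts are reported separately because they need no stakeholder confirmation: they are corrective actions in their own right, whereas every other entitlement becomes a decision for the named reviewer.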

Periodic Access Review: A Rigid Process with Targeted Objectives

The periodic review of accesses can be considered a compliance process similar to quality control, whose objective is the proper management of the information system. If necessary, corrective actions can be initiated, such as reducing access rights or closing certain accounts.

This is a tedious, time-consuming process, carried out at different frequencies depending on the sensitivity of the resources. Whatever the frequency, the periodic access review is performed according to:

● a given scope of compliance,
● a specified target, and
● a rigorous workflow.

Periodic Access Review

What are the limitations of a periodic access review?

Periodic Access Review: A Tedious, Time-Consuming Task

Although it is based on a systematic decision-making process, periodic access review remains a complex exercise. It can be a real challenge for the organizers responsible for running the end-to-end review process. Their mission is to collect, format and transmit all the information required to perform the review, so that it is accurate and the reviewers can make the right decisions regarding corrective actions. During these steps, difficulties such as the following can arise:

● The periodic review of accesses is carried out manually despite the large number of rights to be reviewed. Compliance deadlines are quickly compromised using this method.

● An error is detected, but the reviewer has difficulty identifying the source. An investigation must be launched to find and resolve the issue.

● The data collected is of poor quality. In order to understand and review each access, the teams possessing the technical and functional knowledge must be individually contacted.

These difficulties, whether observed separately or in combination, can delay the review process and lead to errors caused by time constraints or missing information. They can also point to a more strategic problem: the periodic access review is not the best way to detect and identify certain security flaws.

After compliance is met, what about risk?

Periodic access reviews are essentially based on a scope of compliance that varies according to the type of review being performed (SOC 2, Sarbanes Oxley (SOX), etc.). However, this compliance objective does not encompass all of the risks to which an organization’s resources may be exposed.

The protection of intellectual property, for example, is not a compliance matter but an operational risk with direct business impact. In this specific case, a periodic access review would be inappropriate.

It is important to remember that this type of review is usually done on a quarterly, semi-annual or annual basis. Some of the problems detected can be several weeks to several months old, whereas they should be identified much earlier so that they can be resolved as soon as possible. Compliance is the specific objective of the periodic access review, consistent with its formal framework, fixed scope and deadline-based nature. As soon as the objective goes beyond these factors, moving to a continuous access review process may become particularly relevant.

Continuous Access Review: Event Analysis and Risk Detection

A Flexible Process Based on Field Experience

Unlike the periodic access review, the continuous access review is based on an operational approach. The continuous access review focuses on events observed in the information system to ensure that they do not constitute a potential security breach. This process requires the involvement of various stakeholders (application, resource and other types of managers) to verify the legitimacy and relevance of the granted accesses as well as the observed behaviors.

Continuous Access Review and Flow Logic: An Alternative to Periodic Access Review?

The continuous access review follows a flow logic: it analyzes movements and situations over time, typically on a daily basis rather than in real time as a security operations center would. Alerts make it possible to create a “basket of tasks,” namely situations that need to be dealt with and decisions that need to be made. This approach, based on the principle of continuous improvement, is the ideal complement to the periodic access review because it helps to reduce risks. Continuous access review is a way of “keeping clean” on a daily basis, with its focus on unusual or atypical situations.

Unlike the periodic access review, the continuous access review is the result of a collective effort. For example, an entire team may be asked to take a position on a situation that arises. It can be considered a continuous management process in which each decision calls for action and remediation.
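The flow logic described above turns observed events into a basket of tasks, each routed to someone who can judge whether the situation is legitimate. The following is an added example, not Brainwave GRC code; the event format, the reference data (which groups are sensitive, which department is expected to hold them, who owns each group) and the detection rules are all constructed for illustration. It runs a small rule set over a constructed, already-normalized event log and groups the resulting tasks by reviewer.

```python
"""Flow-style (continuous) access review over a constructed event log.

Added example, not Brainwave GRC code. Event layout, reference data and the
rule set are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reference data.
SENSITIVE_GROUPS = {"Domain Admins", "SAP-Payments-Approver"}
EXPECTED_DEPT = {"SAP-Payments-Approver": {"Finance"}, "Domain Admins": {"IT"}}
GROUP_OWNER = {"Domain Admins": "E003", "SAP-Payments-Approver": "E001"}
IDENTITIES = {
    "amartin": {"dept": "Finance", "status": "active", "manager": "E001"},
    "bchen": {"dept": "Engineering", "status": "active", "manager": "E002"},
    "cdiaz": {"dept": "Finance", "status": "left", "manager": "E001"},
    "jadmin": {"dept": "IT", "status": "active", "manager": "E003"},
}

# Constructed events, already normalized: (time, type, actor, target, object).
EVENTS = [
    ("2024-03-01T08:00:00", "grant", "jadmin", "amartin", "SAP-Payments-Approver"),
    ("2024-03-01T09:10:00", "grant", "bchen", "bchen", "Domain Admins"),
    ("2024-03-02T10:00:00", "grant", "jadmin", "bchen", "SAP-Payments-Approver"),
    ("2024-03-02T22:30:00", "login", "cdiaz", "cdiaz", "SAP"),
    ("2024-03-03T08:05:00", "grant", "jadmin", "temp01", "Domain Admins"),
    ("2024-03-03T08:06:00", "revoke", "jadmin", "temp01", "Domain Admins"),
]


def _task(reason: str, ts: str, target: str, obj: str, identities: dict) -> dict:
    """Build one basket item; the reviewer is the target's manager, else the group owner."""
    who = identities.get(target)
    reviewer = who["manager"] if who else GROUP_OWNER.get(obj, "security-team")
    return {"reason": reason, "time": ts, "subject": target, "object": obj, "reviewer": reviewer}


def analyze(events: list[tuple], identities: dict) -> list[dict]:
    """Return the basket of tasks: one item per atypical situation observed."""
    tasks: list[dict] = []
    open_grants: dict[tuple[str, str], datetime] = {}   # (target, object) -> time granted
    for ts, kind, actor, target, obj in events:
        t = datetime.fromisoformat(ts)
        who = identities.get(target)
        if kind == "grant":
            open_grants[(target, obj)] = t
            if actor == target:                                   # nobody should approve their own access
                tasks.append(_task("self-grant", ts, target, obj, identities))
            if obj in SENSITIVE_GROUPS and who is None:           # sensitive right, no known identity
                tasks.append(_task("unknown-identity", ts, target, obj, identities))
            elif obj in EXPECTED_DEPT and who and who["dept"] not in EXPECTED_DEPT[obj]:
                tasks.append(_task("out-of-profile", ts, target, obj, identities))
        elif kind == "revoke":
            start = open_grants.pop((target, obj), None)
            if start is not None and t - start < timedelta(hours=1):   # granted and removed within the hour
                tasks.append(_task("transient-grant", ts, target, obj, identities))
        elif kind == "login" and who and who["status"] != "active":     # activity on a leaver's account
            tasks.append(_task("leaver-activity", ts, target, obj, identities))
    return tasks


def baskets(tasks: list[dict]) -> dict[str, list[dict]]:
    """Group tasks by reviewer so each team sees only the decisions it owns."""
    out: dict[str, list[dict]] = defaultdict(list)
    for task in tasks:
        out[task["reviewer"]].append(task)
    return dict(out)


if __name__ == "__main__":
    for reviewer, items in baskets(analyze(EVENTS, IDENTITIES)).items():
        print(reviewer)
        for item in items:
            print(f"  {item['time']}  {item['reason']:<17} {item['subject']} -> {item['object']}")
```

Each rule corresponds to a situation a periodic snapshot would miss or see late: a self-granted right, a right granted to someone outside the expected population, a right that appeared and disappeared between two snapshots, and activity on an account whose owner has left. Unlike the snapshot review, nothing here is confirmed wholesale; only the atypical situations reach a reviewer.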

Continuous Access Review

Periodic and Continuous Access Review: Two Approaches with Distinct but Complementary Objectives

Two Types of Reviews with a Common Set of Constraints

Although these two types of reviews meet different objectives, they share the same constraints. A certain number of common prerequisites must be considered:

● a complete inventory of accesses (accounts, groups and permissions). Most of the time, this information comes from multiple, varied data sources and must then be centralized and homogenized,

● the management of the distribution of tasks (reminders, reviewer contributions, etc.) for which additional tools may be useful, and

● the automation of decisions to be made and actions to be taken via external systems (ticketing, identity management, etc.).

Periodic and Continuous Review: An Effective Combination

The need for periodic access review and/or continuous access review depends on the objectives of the organization. In reality, these two approaches should be considered as complementary. It is precisely this aspect that helps to protect a company’s resources from risk and to make the review process effective overall.

The control offered by these different review mechanisms helps to identify the rights granted to an organization’s employees and to confirm their legitimacy. The photographic nature of the periodic access review is favored for evaluating the overall quality of the rights granted and ensuring compliance, while the continuous access review addresses risky situations, individually or globally, through the involvement of the business teams. The synergy of these two approaches, based on the same data and a common technology, guarantees that internal resources are optimally protected.

Conclusion

Whether they are personal or technical accounts, entities, third parties, partners, or system applications, the notion of identity is more than ever at the heart of cybersecurity issues. The need to combine different methods of control has been demonstrated. Companies that implement a hybrid approach, combining periodic and continuous access reviews, will take control of the access to their most important resources and protect themselves from unforeseen security risks.

Privileged Access Governance: Challenges and Best Practices

Privileged accounts are the keys to the kingdom!

They control your systems and resources, and for this very reason they are frequently the target of cyber attacks. This is why strong and effective governance of privileged accounts is so essential.

Join us! Thursday, May 6, at 11:30 am EST / 17:30 CET to learn more.