What Is A User Access Review?

Organizations evolve every single day. Some of the changes include the departure of an employee, the arrival of a new colleague, the implementation of an innovative application, and the launch of a project involving external service providers. Each event impacts the daily activities of an organization.

Whether minimal or structural, each of these changes has direct repercussions on the organization’s information systems (IS) which, in turn, can generate discrepancies and security flaws.

Employee access rights are no exception to this rule. Because they give access to data, applications and infrastructure, they must be a main focus of the company to both guarantee the protection of resources as well as the adherence to the regulatory compliance constraints to which every organization is now subject.  The user access review, or the control and monitoring of authorizations and permissions, contributes greatly to addressing this dual challenge of security and compliance. In order to carry out the review as efficiently as possible, the application of certain best practices, is essential and, for most, indispensable.

But for now, let’s go back to basics. This article will highlight the key points to consider when doing this crucial exercise, such as the definition of the user access review, associated issues and challenges, and existing campaign structures.

What is a user access review?

The user access review, a standard for securing logical access rights

The user access review is an integral part of any organization’s Identity and Access Management (IAM) strategy. It is an essential control function that many companies rely on to secure logical access rights.  Such is the case for the National Institute of Standards and Technology (NIST) document NIST SP 800-53 Rev. 5, including the definition of the AC-2 control that mentions the need to “review accounts for compliance with account management requirements.” Additionally, NIST CSF PR.AC-4 states that “access permissions are managed, incorporating the principles of least privilege and separation of duties.”

In concrete terms, what is the purpose of the user access review?

Reviewing authorizations and permissions is a process that ensures that all granted user access rights giving access to an organization’s information systems (IS) are appropriate and legitimate. The review precisely pinpoints:

• Who has access to what within the organization?
• What level of access each user has?
• Which access rights are authorized and approved?
• Which access rights are not?

The user access review applies to all existing access rights to data, applications and infrastructure) within a company, whether or not they have been granted to contractors, partners, interns, employees, managers or executives.

What are the challenges associated with the user access review?

The review of authorizations is an essential exercise to help a company control its access rights while addressing security, compliance and associated governance issues. These are some of the issues that we will discuss here.

#1: Security of assets through the detection of the risks associated with user access

The user access review ensures that each user has the access rights strictly necessary and sufficient to carry out his or her job functions. It is a fundamental aspect of corporate information security. An effective review establishes a list of all errors associated with the assignment of access rights and makes it possible to detect risky situations. Based on this, corrective actions can be taken and security breaches avoided, alleviating the threat of fraud or information leakage.

What’s more, the review exercise contributes to compliance with three core principles considered to be good cybersecurity practices in risk management and internal control:

• The principle of least privilege
• The principle of need-to-know
• The separation of duties

#2: Adherence to the regulatory constraints to which a company is subject

In the 2000’s, the financial sector saw the emergence of a number of regulatory constraints on security and access rights compliance. Today, the adoption of these regulations is widespread.  In addition to the finance sector, more and more organizations are being subject to them. As a result, security and compliance is a major concern for business leaders today. Access control has become an integral part of all security and compliance frameworks all over the world.

In addition to the need to control access rights and protect the organization’s assets, the user access review is now a mandatory control mechanism for most companies. This is particularly the case for all those subject to the following standards: ISO 27001, ISO 27002, ISAE 3402, SOC 1 and 2, SOX, CMMC, HiTrust, HIPAA, CRBF, and Solvency, among others.

In fact, the implementation of user access review campaigns is an essential prerequisite, both in responding to auditors and in adhering to the enforced security and compliance policies within organizations.

#3: Towards a governance of access rights and identities

In addition to the issues mentioned above, the review of authorizations is part of the implementation of true governance of access rights and identities. The involvement of managers at all corporate levels in access rights review campaigns is a major contribution to this. Thanks to their knowledge of the users and the scope of their functions, managers will be able to ensure the relevance and legitimacy of the access rights granted within their team. They will be responsible for approving or revoking assigned access rights.

These responsibilities not only ensure that the right access is granted to the right people, but that they provide better visibility into who has access to what. The creation of this inventory of access rights contributes to their deployment and governance.

How to effectively perform a user access review?

User access rights are implicated in a company’s data, applications, servers, and infrastructures. Depending on their location and the resources they allow access to, the nature of these access rights can change and the management of their life cycle can differ. Therefore, the chosen methodology must take into account the diversity of the perimeters to be reviewed, the volume of associated data and the objective that is being targeted.

Is it a bad idea to perform user access reviews manually?

Although a user access review can be carried out manually using Excel spreadsheets, for example, it is recommended to use an identity analytics tool designed for this purpose. The reason for this is that the review is a tedious and rigorous process that can quickly turn into a nightmare when the amount of data to be reviewed is substantial.  Rather than taking the risk of missing objectives and disappointing team leaders, it is better to aim for efficiency and serenity with an automated solution that helps to…

• Save time by automating the different tasks (including the triggering of corrective actions)
• Make the exercise easier by providing teams with user-friendly interfaces
• Respond easily to auditors with ready-to-use reports available within the tool

What type of user access review should I choose?

Two review strategies are possible: the periodic and the continuous user access review. Both have specific objectives and their own logic and delivery mechanism.

The periodic user access review

The periodic user access review is generally recommended if the objective is to achieve access rights compliance. This type of review makes it possible to ensure the proper management of the information system and is similar to quality control.  It involves regularly checking that the right access is being granted to the right people.

It is based on two fundamental steps:

• A comprehensive mapping of the access rights within the targeted scope
• The identification and correlation of the responsibilities of each employee and the permissions he or she has to access resources

This is a time-bound exercise that must be repeated. The timing of this type of review depends on the sensitivity of the access rights it targets.

The continuous user access review

As a complement to the periodic access rights review which focuses on compliance objectives, the continuous rights review has a completely different goal: to reduce the risks associated with access rights. It is based on the observation of movements within the organization (arrival or departure of an employee, internal job changes, newly assigned permissions, security deviations, unusual access, etc.) with the aim of detecting possible security breaches that these could cause.

Carried out on an ongoing basis, it is not subject to any time constraints and focuses on all atypical situations.  Fully anchored in the operational life of the organization, it is based on a logic of continuity and analysis of the risks associated with access rights.

Because they serve different purposes, these two review strategies should be viewed as complementary in nature and as distinctly different approaches to meeting regulatory compliance and security requirements in addition to identifying and reducing access rights risk.

The user access review is an essential control function to be implemented

As shown in this article, the review of access rights is an essential control mechanism for any organization wishing to control its access rights, whatever the reason.

Nevertheless, the fact that it is indispensable does not make it any less of a task that teams often dread. To make the exercise less painful and more efficient, the application of a certain number of best practices associated with user access reviews plus the implementation of a specialized tool can be particularly useful.

Are you considering automating user access reviews?