It is impossible for businesses to stay ahead of every cyber threat; yet, organizations need to take some measures to protect themselves. While cyber-attacks may be inevitable, thoughtful preparation is an essential activity that sets resilient organizations apart from their peers in managing risk, minimizing damage, and recovering quickly. What is the best way to organize for sensible security? Preventing problems with a small, continuous effort is a smart strategy, and while this may be intuitively obvious, we find it difficult in practice. User access reviews are an example of a smart strategy that is a key component of any solid cyber hygiene program, where business managers and IT administrators conduct formal, periodic reviews of user access to ensure that unnecessary privileges are removed.
The access review process requires designated administrators within an organization to evaluate user access on a regular basis. Reviewers may be managers who validate access for their direct reports, application owners who audit access at the app level, or system owners who evaluate user access on their platform. Based on these evaluations, the Reviewers decide to either approve or revoke user privileges and then certify that they reviewed and approved the changes using an electronic signature process. The privileges being reviewed could be for any system or business asset ranging from on-prem applications, Directories, SaaS applications, Network appliances, databases, and servers.
Access reviews should be run on the assumption that everyone is a potential threat and because of that, they should only be granted the permissions they need to complete their job function. This concept supports the Least Privileges Model of access control, which is based on the principle that a user should only have the access they require to perform their job. The idea here is that by removing unnecessary access, we reduce the potential avenues of attack should an account be compromised.
Types of Access Reviews
Event-based reviews are those that are triggered for scenarios such as employee lifecycle changes such as termination, promotion, department change, etc.
Ad-hoc access reviews would be done in situations that aren’t necessarily associated with a user lifecycle nor can they wait to happen for a scheduled certification campaign, but require an administrator or manager to review, grant, revoke access for a targeted group of users.
Periodic Access Reviews can originate as either scheduled, event-based or ad-hoc items. Scheduled would be periodic manager reviews of access that a direct-reports possess or an organization-wide certification campaign that consists of individual access reviews assigned to administrators within departments.
While an access review is an artifact that is targeted to a single reviewer, a certification campaign is a term used when an organization runs multiple access reviews, organized by department, business unit, or class of applications. The Certification Campaign is a scheduled compliance procedure to review actual versus assigned access privileges and bring privileges into alignment with corporate security policies. When User Access Reviews are adopted broadly as part of a campaign, managers and IT administrators up and down the hierarchy apply their judgment to drive better access decisions.
In our next blog on this topic, we will look at the business benefits of conducting access reviews and certification campaigns.
To receive the IAM Strategy and Cybersecurity articles in your inbox every two weeks (Tuesdays 8 PM EST), subscribe to our Identity Management biweekly and/or our Healthcare Cybersecurity and IAM Digest.
Follow @Idenhaus on Twitter and subscribe to our YouTube channel.
By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us