In our first post, we gave an overview of the User Access Review and Certification Campaign structure, the challenges it addresses, and guiding principles for implementing a successful program. In today’s post, we look at the benefits that organizations derive from implementing Access Reviews. As security teams evolve defensive tools and strategies to remove malware and strengthen cybersecurity capabilities, they also need to acknowledge the risk from insider threats and generally poor cyber hygiene. Access Reviews are critical to prioritizing employee education and awareness as the first line of defense, and they should be integrated into an organization’s security strategy. By formalizing the review process, organizations can nudge their employees toward better cybersecurity practices. Technology often isn’t the biggest challenge to improving security; culture is.
Business Benefits of User Access Reviews
Assessing user accounts and rights through access reviews is a critical step to ensure organizational compliance and security. One of the key challenges is getting business users to invest the time to conduct the reviews and certify that the access is correct. To that end, there are a number of ways technology can help the business manager accomplish reviews with less difficulty. The first is to identify access that was granted by a rule or a role, since such access does not require item-by-item review, which reduces the manager’s workload. Additionally, an intuitive user interface and analytics that guide the access review process support better outcomes.
Here are some of the benefits of building an effective access review process:
Compliance with industry standards
Organizations that implement periodic certification campaigns, whether scheduled or event-based, are not only building a good security practice that complies with audit standards but are also preserving their reputation and brand reliability with their customers.
Keeping a check on entitlement creep
Entitlement creep is one of the main challenges organizations face with tenured employees. It occurs when a user is granted access to additional systems as they move through their career, changing departments and roles, without the old access being removed. After several years, users hold access to many applications that they no longer need or use. This increases the damage an attacker can do should that user’s account be compromised.
The best way to prevent entitlement creep is to use either scheduled or event-based user access reviews to remove access that is no longer needed. In this way, access is constrained to the duration of the worker’s duties, and the worker holds only the minimal privileges required to be effective, without hampering productivity.
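The two review triggers described above can be expressed as simple queries over an entitlement inventory. The following is an added example, not code from the original post or from any product the post describes; the `Entitlement` record, the department-change event and the 90-day idle threshold are assumptions, and the sample inventory is constructed. An event-based (mover) review lists access a user was granted while sitting in a different department, a scheduled review flags access that has gone unused, and the combined report puts items flagged by both signals at the top of the reviewer’s list.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    """One grant of access; a hypothetical record shape, not a product schema."""
    user: str
    application: str
    name: str
    granted_on: date
    granted_in_department: str   # department the user belonged to when access was granted
    last_used: Optional[date]    # None when no usage has ever been recorded


def mover_review_items(entitlements, user, new_department):
    """Event-based review: when a user changes department, list every entitlement granted
    while they sat in a different department. These are the revocation candidates."""
    return sorted(
        (e for e in entitlements
         if e.user == user and e.granted_in_department != new_department),
        key=lambda e: e.granted_on,
    )


def stale_review_items(entitlements, today, max_idle_days=90):
    """Scheduled review: flag entitlements not used within max_idle_days, or never used."""
    cutoff = today - timedelta(days=max_idle_days)
    return [e for e in entitlements if e.last_used is None or e.last_used < cutoff]


def mover_review_report(entitlements, user, new_department, today, max_idle_days=90):
    """Reviewer-facing list for a mover: each item carries the reasons it was flagged,
    and items flagged for more than one reason are listed first."""
    stale = set(stale_review_items(entitlements, today, max_idle_days))
    report = []
    for e in mover_review_items(entitlements, user, new_department):
        reasons = [f"granted while in {e.granted_in_department}, now in {new_department}"]
        if e in stale:
            reasons.append("never used" if e.last_used is None
                           else f"unused for more than {max_idle_days} days")
        report.append({"application": e.application, "entitlement": e.name, "reasons": reasons})
    report.sort(key=lambda item: -len(item["reasons"]))   # stable: ties keep grant-date order
    return report


# Constructed sample inventory: jdoe started in Finance and has just moved to Sales.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Entitlement("jdoe", "GeneralLedger", "gl-poster", date(2019, 3, 1), "Finance", date(2023, 11, 15)),
    Entitlement("jdoe", "HRIS", "payroll-view", date(2021, 6, 10), "Finance", None),
    Entitlement("jdoe", "VPN", "corp-vpn", date(2019, 3, 1), "Finance", date(2024, 5, 28)),
    Entitlement("jdoe", "CRM", "sales-rep", date(2024, 4, 15), "Sales", date(2024, 5, 30)),
    Entitlement("asmith", "CRM", "sales-manager", date(2022, 1, 5), "Sales", date(2024, 5, 29)),
]

if __name__ == "__main__":
    for item in mover_review_report(SAMPLE, "jdoe", "Sales", TODAY):
        print(f"{item['application']}/{item['entitlement']}: " + "; ".join(item["reasons"]))
```

The VPN grant still appears in the mover review even though it is in active use: the reviewer, not the usage data, decides whether it serves a current duty. The unused General Ledger and HRIS grants are the ones that would otherwise accumulate unnoticed.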
Lend context to the compliance process
Historically, access rights to applications have been provisioned by IT administrators who had little knowledge of the business context of the requesting user. In this situation, the IT administrator had to guess how much access to grant and was prone to cloning access from a similar user and/or enforcing policy inconsistently. This ambiguity creates a perfect situation where the IT administrator has broad discretion, little information, and an incentive to get the user provisioned and move on to the next request. In this scenario, the user would often end up with too much access. As organizations become more matrixed, with complex and sometimes ambiguous command-and-control structures in how their businesses or services operate, a nimble and adaptable access review process that reflects those structures is highly beneficial when managing or signing off on access for customers and users.
Such a process provides visibility to business or service owners, reduces risk, and gives them the freedom to provision and revoke access. In order to create targeted reviews, context must be assigned to what is being reviewed, for which users, who the reviewers will be, and the timeline for the reviews.
Managing license costs
One of the consequent benefits that can be reaped from a sustained access review process is being able to budget adequately for application license costs. Reports generated after a certification campaign reveal which users still hold access to a specific application; those counts can be matched with per-user application license costs to produce accurate budget estimates for that period.
Separate privileged access from general access
Most software governance systems allow access reviews to be filtered by the type of access. The review procedure for privileged access can be set up differently from that for general (non-privileged) access. This lets an organization split campaigns into manageable sizes and run privileged-access reviews more frequently than non-privileged ones. It avoids overwhelming reviewers with oversized campaigns, reduces review fatigue, and prioritizes privileged access review for meeting compliance standards.
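The scoping rules from the sections above (exclude role- and rule-granted access from item-by-item review, split privileged from general access with different cadences, keep each reviewer’s batch manageable, and turn the post-certification result into a license estimate) can be demonstrated end to end. This is an added example, not code from the original post or from any governance product; the `AccessRecord` shape, the `CAMPAIGN_POLICY` cadences and batch sizes, the per-user prices and the decision map are all assumptions, and the sample inventory is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRecord:
    """One access item as an inventory would export it; a hypothetical shape."""
    user: str
    application: str
    entitlement: str
    grant_source: str   # "role", "rule" or "direct"
    privileged: bool
    reviewer: str       # manager or application owner who certifies this item


# Hypothetical campaign policy: privileged access is reviewed far more often than general access.
CAMPAIGN_POLICY = {
    "privileged": {"cadence_days": 90, "max_items_per_reviewer": 25},
    "general": {"cadence_days": 365, "max_items_per_reviewer": 100},
}


def build_campaigns(records):
    """Scope certification campaigns.
    Access granted by a role or a rule is governed by that definition and is excluded from
    item-by-item review; the remaining direct grants are split into a privileged and a
    general campaign. Returns (campaigns, number_of_excluded_items)."""
    campaigns = {"privileged": [], "general": []}
    excluded = 0
    for r in records:
        if r.grant_source in ("role", "rule"):
            excluded += 1
            continue
        campaigns["privileged" if r.privileged else "general"].append(r)
    return campaigns, excluded


def batch_by_reviewer(items, max_items):
    """Group campaign items per reviewer and chunk them so nobody receives more than
    max_items in one batch; this is what keeps campaign sizes manageable."""
    by_reviewer = defaultdict(list)
    for r in items:
        by_reviewer[r.reviewer].append(r)
    batches = []
    for reviewer, rs in sorted(by_reviewer.items()):
        for i in range(0, len(rs), max_items):
            batches.append((reviewer, rs[i:i + max_items]))
    return batches


def license_estimate(records, decisions, price_per_user):
    """Post-certification license budget: count distinct users who still hold any access
    to each application. decisions maps (user, application, entitlement) -> "keep"/"revoke"
    for reviewed items. Role/rule grants are not reviewed and remain in force. A reviewed
    item with no decision is still in force (an incomplete review), so it is counted as
    retained and reported back as pending. Returns (estimate_by_app, pending_count)."""
    retained_users = defaultdict(set)
    pending = 0
    for r in records:
        if r.grant_source in ("role", "rule"):
            retained_users[r.application].add(r.user)
            continue
        decision = decisions.get((r.user, r.application, r.entitlement))
        if decision is None:
            pending += 1
        if decision != "revoke":
            retained_users[r.application].add(r.user)
    estimate = {app: {"users": len(users), "cost": len(users) * price_per_user[app]}
                for app, users in retained_users.items()}
    return estimate, pending


# Constructed sample inventory and campaign outcome.
SAMPLE_RECORDS = [
    AccessRecord("jdoe", "ERP", "erp-admin", "direct", True, "erp-owner"),
    AccessRecord("jdoe", "ERP", "erp-user", "role", False, "mgr-a"),
    AccessRecord("asmith", "ERP", "erp-user", "direct", False, "mgr-a"),
    AccessRecord("asmith", "CRM", "crm-user", "rule", False, "mgr-a"),
    AccessRecord("bkim", "CRM", "crm-admin", "direct", True, "crm-owner"),
    AccessRecord("bkim", "CRM", "crm-user", "direct", False, "mgr-b"),
    AccessRecord("cli", "ERP", "erp-user", "direct", False, "mgr-b"),
]
DECISIONS = {  # bkim's crm-user item was never certified, so it stays pending
    ("jdoe", "ERP", "erp-admin"): "keep",
    ("asmith", "ERP", "erp-user"): "keep",
    ("bkim", "CRM", "crm-admin"): "keep",
    ("cli", "ERP", "erp-user"): "revoke",
}
PRICES = {"ERP": 1200, "CRM": 800}   # assumed annual per-user license cost

if __name__ == "__main__":
    campaigns, excluded = build_campaigns(SAMPLE_RECORDS)
    print(f"{excluded} role/rule items excluded from review")
    for name, items in campaigns.items():
        policy = CAMPAIGN_POLICY[name]
        batches = batch_by_reviewer(items, policy["max_items_per_reviewer"])
        print(f"{name}: {len(items)} items every {policy['cadence_days']} days in {len(batches)} batches")
    print(license_estimate(SAMPLE_RECORDS, DECISIONS, PRICES))
```

The pending count is the hook for the "consequence of incomplete reviews" decision: a program can choose to keep such access (as here), escalate it to the reviewer’s manager, or revoke it once the campaign deadline passes, but the license estimate should reflect whichever rule is in force.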
Final Thoughts on Access Reviews
The user access review process can only be effective if there is upfront investment in making sure the organization fulfills the following prerequisites:
- Purchase an access governance automation system that satisfies the requirements for certifications and access reviews
- Perform either manual or automated role mining and come up with well-labeled, descriptive, context-sensitive roles that reviewers can approve or revoke during certification
- Set up a model for reviewing access based on management and ownership of roles and systems
- Define the cadence for starting access reviews, reminders for reviewing administrators, the duration of access reviews, and the consequences of incomplete reviews; these are some of the items to consider
SMEs in the field of Identity and Access Governance can help an organization choose the best automation tools and implement best practices to become a more secure and compliant enterprise.
To receive the IAM Strategy and Cybersecurity articles in your inbox every two weeks (Tuesdays 8 PM EST), subscribe to our Identity Management biweekly and/or our Healthcare Cybersecurity and IAM Digest.
By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age.