Best Practices for User Access Reviews

Background

User access reviews are a requirement for most businesses. Regulations and frameworks including SOX, HIPAA and PCI DSS, along with countless IT and financial audits, require periodic review of user access rights to confirm that every employee still holds only the level of access to critical systems that their current role needs. To learn more about entitlement reviews in general, see our white paper on user access reviews.
In another paper we review the business benefits of identity governance. In this paper, we present some best practices for performing your periodic user access reviews.

User access reviews can be "accomplished" in many ways. They are most commonly performed by sending spreadsheets full of access rights and roles to managers and business owners throughout the organization. The files are then returned by email and saved in an archive folder as audit evidence.

While the spreadsheet rodeo can satisfy the letter of a user access review requirement, it rarely produces a reliable control: coverage gaps, stale extracts and rubber-stamp approvals are hard to detect after the fact. The five items presented below are essential to a successful identity and access management program.

1) Automation

One of the most common phrases in the audit world is "completeness and accuracy". User entitlement reviews must completely cover all access to in-scope systems and must be performed accurately. Doing user access reviews by hand with the spreadsheet rodeo is therefore not only time-consuming but also carries a high risk of an audit deficiency or weakness caused by human error: an application left out of the extract, a reviewer who never responds, or a change made after the spreadsheet was generated.
To ensure completeness and accuracy, an automated solution such as Access Auditor is essential. Automation also has strong business benefits, including:
  • Time Savings – both for IT/Security staff and for reviewers across the company.
  • Consistency – every review uses the same format and the same evidence trail.
  • Alerting – automation allows near real-time alerting on changes to sensitive access or on accounts belonging to terminated users.
  • Separation of Duties – similarly, automation software should provide SOD monitoring to quickly flag conflicting combinations of privileges.
  • Reporting – evidence of compliance is kept in one place and cannot be lost. Logs record who reviewed what and when, which is exactly what an auditor needs to verify completeness and accuracy.

2) On-Premise and Cloud

The move to the cloud brings a new set of governance requirements. Many customers still support legacy on-premise applications while new cloud-based solutions are being deployed. A single solution is needed that spans both on-premise and cloud applications, so that user access reviews for everything can be automated with the push of a button.
To succeed with a comprehensive user access review program, we must include privileges from ALL in-scope applications. Combined with the goal of automation, this means selecting user access review software that can integrate with any cloud system, not just those with a pre-built connector. Access Auditor has a universal REST API connector to deliver automated user access reviews for both cloud and on-premise applications in under a week.

3) Powerful Identity Mapping

In most companies we have a dizzying array of applications, each with its own login ID format. When we perform a user access review, we need to know who is who across every system. Linking a user's various identities is an often overlooked but vital component of success: an account that cannot be tied to a person is an account nobody reviews. Your user access review process or tool should address several considerations, such as:
  • No single required source of truth: user data comes from a variety of places, and an automation system should not force you to designate one authoritative source. It should instead offer an easy-to-use, dynamic linkage that can draw on HR, the directory and the applications themselves.
  • Linking users by multiple parameters: while we often share a login ID across several applications, sometimes another parameter such as email address or employee ID is what provides the user context we need.
  • Fuzzy ID: nearly all companies have some systems that simply have no identity key, only a display name. To avoid countless hours of manual effort, you need a fuzzy logic algorithm such as the Fuzzy ID to build your user access repository in a matter of minutes. Low-confidence matches and accounts that match nothing should be queued for manual confirmation rather than silently accepted or dropped.

4) Ease of Use

Any user access review process must be easy to use to ensure success. Because users across the enterprise will be performing the access reviews, we need a process that is simple, intuitive, and easy enough to learn without a training manual. Over the past 16 years of delivering success, SCC has identified several common features that optimize the user experience.
  • Custom Descriptions: many privileges have cryptic names with little or no other explanation. The ability to customize descriptions easily is crucial, because a reviewer who does not understand a privilege will either approve it blindly or not respond at all.
  • Historical Context: we should give approvers context on their past reviews. Did they review this entitlement before, and which privileges are new since the last review? Highlighting only what changed keeps attention on the access that actually needs a decision.
  • Robust Workflow: sometimes we have the simple situation where a manager performs the entitlement review, but we often need a more customized workflow. Perhaps certain departments or applications are reviewed by specific people. What about service accounts, delegates, and third-party staff? We need a simple and powerful workflow engine.
  • Customizing Display: to optimize success, we want to make simple customizations to the review display, including choosing which columns are shown, changing the sort order, requiring comments, disabling self-approval (a reviewer must never certify their own access), and displaying custom attributes. We should be able to customize the review presentation with the click of a button.

5) Governance and Security Benefits

Automated user access reviews are the primary driving factor in implementing a tool like Access Auditor. With the consolidated user identity warehouse, we can also deliver several identity governance and security benefits to the company, including:
  • Single identity warehouse: having a global repository of user access allows us to track who has access to what and to identify accounts that remain active for users who have already left the company.
  • Consolidated Evidence: the evidence of compliance with user access review controls should be consolidated into a single reporting page.
  • Alerts and Separation of Duties: in addition to reviewing access rights, we should also monitor for changes to sensitive privileges and for combinations of access, including across applications, that together create elevated risk.
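The following is an added example illustrating the identity mapping described in section 3 and the warehouse checks described in section 5 (orphaned accounts, separation-of-duties conflicts, and the "new since last review" context from section 4). It is not Access Auditor code and does not reproduce SCC's Fuzzy ID algorithm; the fuzzy fallback uses Python's standard difflib as a stand-in, and the HR feed, application exports, SOD rules and prior-review snapshot are all constructed for the example. Accounts are linked by employee ID, then email, then login ID, and only then by normalized display name; anything below the match threshold is reported as unmatched for manual handling rather than dropped.

```python
"""Added example, not Access Auditor code: build a consolidated identity
warehouse from per-application account exports and run three review checks
over it. Every data set below is constructed for illustration."""
import difflib
import re

# Constructed HR feed (one of several possible sources of truth).
PEOPLE = [
    {"emp_id": "E100", "name": "Alice Jones", "email": "ajones@example.com",
     "login": "ajones", "status": "active"},
    {"emp_id": "E101", "name": "Bob Smith", "email": "bsmith@example.com",
     "login": "bsmith", "status": "terminated"},
    {"emp_id": "E102", "name": "Carol Nguyen", "email": "cnguyen@example.com",
     "login": "cnguyen", "status": "active"},
]

# Constructed application exports; each application exposes a different key.
APP_ACCOUNTS = {
    "erp": [  # carries the employee ID
        {"login": "ERP\\alice.j", "emp_id": "E100",
         "roles": {"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}},
        {"login": "ERP\\bob.s", "emp_id": "E101", "roles": {"GL_POST"}},
        {"login": "ERP\\carol.n", "emp_id": "E102", "roles": {"GL_POST"}},
    ],
    "crm": [  # an email for one account, a shared login ID for the other
        {"login": "alice.jones", "email": "AJones@Example.com", "roles": {"SALES_READ"}},
        {"login": "cnguyen", "roles": {"SALES_ADMIN"}},
    ],
    "legacy_hr": [  # no identity key at all, only a free-text display name
        {"login": "u0042", "display": "Nguyen, Carol", "roles": {"PAYROLL_EDIT"}},
        {"login": "u0077", "display": "R. Smith", "roles": {"PAYROLL_VIEW"}},
    ],
}

# Toxic privilege pairs. The second rule spans two applications, which a
# per-application spreadsheet review can never see.
SOD_RULES = [
    ("erp:AP_INVOICE_ENTRY", "erp:AP_PAYMENT_APPROVE"),
    ("legacy_hr:PAYROLL_EDIT", "erp:GL_POST"),
]

# Constructed snapshot of what approvers certified in the previous campaign.
LAST_REVIEW = {
    ("E100", "erp:AP_INVOICE_ENTRY"), ("E100", "crm:SALES_READ"),
    ("E101", "erp:GL_POST"), ("E102", "crm:SALES_ADMIN"),
    ("E102", "legacy_hr:PAYROLL_EDIT"),
}


def normalize_name(name):
    """'Nguyen, Carol' and 'Carol Nguyen' both become 'carol nguyen'."""
    return " ".join(sorted(t for t in re.split(r"[^a-z]+", name.lower()) if t))


def link_account(acct, people=PEOPLE, threshold=0.85):
    """Return (emp_id, how) for one account, or (None, 'unmatched')."""
    for key in ("emp_id", "email", "login"):  # exact keys, strongest first
        val = acct.get(key)
        if val is None:
            continue
        for p in people:
            if p[key].lower() == val.lower():
                return p["emp_id"], key
    if "display" in acct:  # fuzzy fallback on the display name only
        target = normalize_name(acct["display"])
        best, score = None, 0.0
        for p in people:
            s = difflib.SequenceMatcher(None, target, normalize_name(p["name"])).ratio()
            if s > score:
                best, score = p, s
        if score >= threshold:
            return best["emp_id"], "fuzzy:%.2f" % score
    return None, "unmatched"


def build_warehouse(apps=APP_ACCOUNTS, people=PEOPLE):
    """One record per account; roles are qualified as app:role so names never collide."""
    records = []
    for app, accounts in apps.items():
        for acct in accounts:
            emp_id, how = link_account(acct, people)
            records.append({"app": app, "login": acct["login"], "emp_id": emp_id,
                            "how": how, "roles": {f"{app}:{r}" for r in acct["roles"]}})
    return records


def orphaned_accounts(records, people=PEOPLE):
    """Live accounts that belong to people HR says have left."""
    gone = {p["emp_id"] for p in people if p["status"] == "terminated"}
    return sorted((r["app"], r["login"]) for r in records if r["emp_id"] in gone)


def unmatched_accounts(records):
    """Accounts no rule could link; they go to a manual queue, never silently dropped."""
    return sorted((r["app"], r["login"]) for r in records if r["emp_id"] is None)


def entitlements_by_person(records):
    out = {}
    for r in records:
        if r["emp_id"]:
            out.setdefault(r["emp_id"], set()).update(r["roles"])
    return out


def sod_conflicts(records, rules=SOD_RULES):
    """People holding both halves of a toxic pair, evaluated across all applications."""
    ents = entitlements_by_person(records)
    return sorted((emp, a, b) for emp, held in ents.items()
                  for a, b in rules if a in held and b in held)


def new_since_last_review(records, previous=LAST_REVIEW):
    """Entitlements that no approver has certified before."""
    current = {(emp, e) for emp, held in entitlements_by_person(records).items() for e in held}
    return sorted(current - previous)


if __name__ == "__main__":
    recs = build_warehouse()
    for r in recs:
        print(f"{r['app']:10} {r['login']:14} -> {r['emp_id']} via {r['how']}")
    print("orphaned:", orphaned_accounts(recs))
    print("unmatched:", unmatched_accounts(recs))
    print("SoD:", sod_conflicts(recs))
    print("new:", new_since_last_review(recs))
```

In the constructed data the two entitlements that are new since the last campaign are exactly the two that create the SOD conflicts, and one of those conflicts only exists when the ERP and legacy HR exports are viewed together; the terminated user's ERP account and the legacy account that matches nobody both surface as findings instead of disappearing from the review. The 0.85 threshold is a hypothetical choice; "R. Smith" scores 0.75 against "Bob Smith" and is deliberately left for a human to decide.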

Conclusion

We have identified several best practices for your user access review process. Access Auditor from SCC provides these key features and many more to ensure your success. After over 18 years of delivering success to every customer, Access Auditor provides the most advanced and easy-to-use solution for automating user access reviews.