User Access Reviews - Best Practices for Success

A user access review is the review and approval of permissions granted to users within an organization's critical business applications.

What Is a User Access Review?

A user access review is the review and approval of permissions granted to users within an organization's critical business applications. This review ensures that individuals have appropriate access levels to perform their job responsibilities effectively while mitigating the risk of unauthorized access to sensitive information. Conducting regular user access reviews is vital for maintaining data security, compliance with regulations such as SOX, PCI, GDPR, or HIPAA, and reducing the potential for insider threats. By implementing robust user access review practices, organizations can enhance their overall cybersecurity posture and protect valuable assets from potential breaches or misuse.

Many companies create a user access review checklist for the IT security team to follow. Teams review user access rights and privileges to ensure that they are appropriate and aligned with the organization's policies and procedures. The review also involves identifying any potential risks related to unauthorized access to information systems.

A user is typically a person, such as an employee or contractor, but might also be a system or application account (a service account) that holds access rights of its own. A proper access review covers all types of accounts, both human and machine.

Why Do We Perform User Access Reviews, What Are the Business Benefits?

We perform user access reviews to ensure that users have appropriate access to computer systems, applications, and data resources. These reviews help us identify any access rights that may no longer be necessary or may pose a security risk to the organization. By regularly reviewing user access, we can mitigate the risk of inappropriate access and protect sensitive data. From an IT governance perspective, user access/entitlement reviews provide benefits to the business in several ways:

Improved IT Security

User access reviews help prevent unauthorized access to sensitive data or systems, reducing the risk of data breaches, insider threats, and cyberattacks. Some examples include:

  • Ensure user access rights are appropriate for their role: The primary audit function of a user access review is to certify that access rights are appropriate for the employee's job function. As we progress down our Identity and Access Management Roadmap, step 2 involves defining business roles by position or job title. When we include these roles in our user access review, excess permissions are quickly spotted as exceptions to the job role.

  • Identify orphaned user accounts left behind: When users leave the company, were their access rights removed? We need to ensure that terminated users no longer have access to sensitive systems and information. By comparing application accounts against HR records and including managers in the process, the user access review can ensure all such accounts are removed (and that accounts with no identifiable owner are assigned one or disabled).

  • Detect and mitigate access rights creep: As users change positions in the company, they often accumulate access to many more applications than they need. A periodic review of access rights helps spot excess privileges that are no longer required. We recommend also including automated Separation of Duties monitoring.

Compliance

In addition, user access reviews are a critical part of our overall security strategy and help us to comply with industry regulations. Many compliance regulations and frameworks require a periodic review of user access rights. Some of these include:

ISO 27001: Annex A control 5.18 (Access rights) of ISO/IEC 27001:2022 requires that access rights be reviewed at regular intervals. The frequency should be based on a risk analysis, but at least annually, and quarterly for higher-risk systems.

Payment Card Industry Data Security Standard (PCI DSS): PCI DSS must be followed by any organization that stores, processes or transmits payment card data. A key tenet of the standard is to restrict access to cardholder data to only those who require it. Requirement 7 of PCI DSS v3.2.1 has two requirements around limiting access to cardholder data:

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.

7.2 Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.

These requirements are met by conducting periodic user access reviews, typically every 3-6 months. PCI DSS v4.0 makes the cadence explicit: Requirement 7.2.4 requires all user accounts and related access privileges, including third-party and vendor accounts, to be reviewed at least once every six months.

HIPAA and HITRUST: HIPAA and HITRUST mandate the control and review of user access rights to protected health information (PHI). The HIPAA Security Rule's workforce clearance procedure, 45 CFR § 164.308(a)(3)(ii)(B), requires organizations to:

“Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.”

Sarbanes-Oxley Act (SOX): The Sarbanes-Oxley Act of 2002 was established to protect shareholders from accounting errors and fraud by public companies. Among other requirements, the Act created auditing and control requirements, including IT controls around user access rights. One of the most challenging IT general controls under SOX Section 404 is the periodic review of user access rights. Also known as a user entitlement review, it requires companies to review access to systems that materially affect the company’s financial records.

Reduce License Costs

By identifying and revoking unused or unnecessary access rights, organizations can reduce expenses associated with maintaining excessive permissions. Many applications require a per-user license fee. If a person has not used an application in many months, a periodic review can flag that as no longer needed and the license cost can be recovered.

Risk Mitigation

Regular reviews help mitigate risks associated with unauthorized access, privilege escalation, and misuse of resources. According to the 2024 Verizon Data Breach Investigations Report, roughly two-thirds of all data breaches involved the “human element”, often an intruder compromising a user’s credentials and then using that user's accumulated access rights to reach the data. A regular review of access rights ensures users have only the minimum access necessary to perform their job, which limits what a compromised account can reach.

Similarly, separation of duties conflicts can be monitored and reviewed as part of the regular user access review process to ensure no single person has the ability to materially impact financial controls.
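The three checks listed under Improved IT Security (role exceptions, orphaned accounts, access creep), the unused-license point above and the separation-of-duties monitoring just described all reduce to set comparisons over the same inputs: an HR feed, a role model, SoD rules and the entitlement export from each in-scope application. The following Python is an added example written for this article, not Access Auditor code. The HR records, roles, SoD rules and export rows are constructed, and the 90-day dormancy window and the "as of" review date are assumptions.

```python
"""Core checks of a user access review, run over constructed export data.

Added illustration for this article (not Access Auditor code). Inputs are an
HR feed, a role model, separation-of-duties rules and an application
entitlement export; output is the exception list a reviewer should see.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    account: str          # login ID in the application
    employee_id: str      # HR key the account is linked to ("" when unknown)
    application: str
    privilege: str
    last_login: Optional[date]


# Constructed HR feed: employee_id -> (job_title, status)
HR = {
    "E100": ("AP Clerk", "active"),
    "E101": ("AP Manager", "active"),
    "E102": ("Engineer", "terminated"),
}

# Constructed role model: job_title -> privileges the role should hold
ROLES = {
    "AP Clerk": {("ERP", "ap.create_vendor"), ("ERP", "ap.enter_invoice")},
    "AP Manager": {("ERP", "ap.approve_payment"), ("ERP", "ap.view_reports"),
                   ("Tableau", "viewer")},
    "Engineer": {("GitHub", "repo.write")},
}

# Constructed SoD rules: privilege pairs one person must never hold together
SOD_RULES = [
    (("ERP", "ap.create_vendor"), ("ERP", "ap.approve_payment")),
]

REVIEW_DATE = date(2024, 6, 30)   # assumed "as of" date for the review
DORMANT_DAYS = 90                 # assumed dormancy window

# Constructed entitlement export, as collected from the in-scope applications
EXPORT = [
    Entitlement("jdoe", "E100", "ERP", "ap.create_vendor", date(2024, 6, 28)),
    Entitlement("jdoe", "E100", "ERP", "ap.enter_invoice", date(2024, 6, 28)),
    Entitlement("jdoe", "E100", "ERP", "ap.approve_payment", date(2024, 6, 28)),  # kept from a prior role
    Entitlement("asmith", "E101", "ERP", "ap.approve_payment", date(2024, 6, 29)),
    Entitlement("asmith", "E101", "ERP", "ap.view_reports", date(2024, 6, 29)),
    Entitlement("asmith", "E101", "Tableau", "viewer", date(2024, 1, 15)),        # unused for months
    Entitlement("bwong", "E102", "GitHub", "repo.write", date(2024, 5, 1)),       # HR says terminated
    Entitlement("svc_backup", "", "ERP", "ap.view_reports", None),               # no owner on record
]


def review(export, hr, roles, sod_rules, as_of=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Return review findings keyed by category; each finding is a tuple."""
    findings = {"orphaned": set(), "excess": [], "dormant": set(), "sod": []}
    held = defaultdict(set)  # employee_id -> {(application, privilege)}
    for e in export:
        record = hr.get(e.employee_id)
        # No HR record, or a terminated one: the account has no valid owner.
        # Nothing else needs checking; the only correct outcome is removal
        # (or, for a service account, assigning an accountable owner).
        if record is None or record[1] != "active":
            findings["orphaned"].add((e.application, e.account))
            continue
        title = record[0]
        held[e.employee_id].add((e.application, e.privilege))
        # Role exception: privilege not in the job role model (creep or error).
        if (e.application, e.privilege) not in roles.get(title, set()):
            findings["excess"].append((e.employee_id, e.application, e.privilege))
        # Dormancy: no login inside the window (recoverable license, idle attack surface).
        if e.last_login is None or (as_of - e.last_login).days > dormant_days:
            findings["dormant"].add((e.application, e.account))
    # SoD is evaluated per person across all linked accounts, so conflicting
    # privileges are caught even when they live in different systems.
    for emp, privs in held.items():
        for a, b in sod_rules:
            if a in privs and b in privs:
                findings["sod"].append((emp, a[1], b[1]))
    findings["orphaned"] = sorted(findings["orphaned"])
    findings["dormant"] = sorted(findings["dormant"])
    return findings


if __name__ == "__main__":
    for category, items in review(EXPORT, HR, ROLES, SOD_RULES).items():
        print(f"{category}: {items}")
```

On the constructed data this flags bwong and svc_backup as orphaned, jdoe's retained ap.approve_payment as a role exception, asmith's Tableau seat as dormant, and jdoe's create-vendor plus approve-payment combination as an SoD conflict. The rows a reviewer actually sees are therefore the exceptions, not the full entitlement dump.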

Best Practices for User Access Reviews

User access reviews can be "accomplished" in many ways. They are most commonly performed by sending out spreadsheets full of access rights and roles to managers and business owners throughout the organization. These files are then returned via email and saved in an archive folder as audit evidence.

While the “spreadsheet rodeo” can meet the letter of a user access review requirement, it does not make a successful program. The five items presented below are essential to a successful user access review program.

1) Automation

One of the most common phrases in the audit world is “completeness and accuracy”. User entitlement reviews must completely cover all access to in-scope systems and must be performed accurately. Doing user access reviews by hand with the spreadsheet rodeo is therefore not only time-consuming but also carries a high risk of an audit deficiency or weakness due to human error.

To ensure completeness and accuracy, an automated solution such as Access Auditor is essential. Automation also delivers strong business benefits, including:

a) Time Savings

Automating user access reviews saves valuable time and resources, empowering organizations to focus on strategic initiatives. Time savings are gained through:

  • Streamlined Processes: User entitlement review systems follow predefined workflows, eliminating the need for manual intervention at each step. They facilitate streamlined access certification, approvals, and revocations, reducing the time spent on administrative tasks.

  • Efficient Reporting: Automation generates comprehensive reports that highlight access privileges, unused accounts, and potential risks. These reports are readily available and can be accessed on-demand, eliminating the need for manual data gathering and analysis.

  • Timely Reviews: Identity governance systems schedule and trigger user access reviews at regular intervals or based on specific events. This ensures that access privileges are monitored and adjusted in a timely manner, reducing the risk of outdated or unnecessary access.

b) Completeness and Accuracy

By automating the discovery and consolidation of the access review data, manual transcription errors are eliminated, so the data is complete and accurate for every review.

c) Consistency

Automation ensures a consistent approach to user access reviews, applying predefined rules and criteria consistently across all users and systems.

d) Alerting

Automation allows near real-time alerting on changes to sensitive access and on accounts belonging to terminated users.

e) Separation of Duties

Identity solutions perform comprehensive SoD analyses, identifying conflicts where a single user possesses conflicting permissions. This helps organizations prevent fraudulent activities, maintain accountability, and ensure proper separation of duties.

f) Reporting

Evidence of compliance stays in one place and is not lost. Audit logs exist to demonstrate completeness and accuracy.

2) On-Premises and Cloud

The move to the cloud brings a new set of governance requirements. Many customers still support legacy on-premises applications while new cloud-based solutions are being deployed. We need a single solution that spans both on-premises and cloud applications, so that user access reviews for everything can be automated with the push of a button.

To succeed with a comprehensive user access review program, we need to include privileges from ALL in-scope applications. Combined with the goal of automation, this means selecting user access review software that can integrate with ANY cloud system. Access Auditor has a universal REST API connector to deliver automated user access reviews for both cloud and on-premises applications in under a week.

3) Powerful Identity Mapping

In most companies we have a dizzying array of applications, each with their own login ID format. When we perform a user access review, we need to know who is who across every system. Linking of the user’s various identities is an often overlooked but vital component to success. Your user access review process or tool should include several considerations such as:

  • No single required source of truth: user data comes from a variety of places, and an automation system should not force you to have a single source of truth but rather offer an easy-to-use, dynamic linkage between identity sources.

  • Linking users by multiple parameters: While we often share a login ID across several applications, sometimes another parameter such as email or employee ID can also provide the user context we need.

  • Fuzzy ID: Nearly all companies have some systems that simply do not carry an identity key. To avoid countless hours of manual effort, you need a fuzzy-logic matching algorithm such as Fuzzy ID to build your user access repository in a matter of minutes.
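Here is how the three considerations above fit together in code: exact keys first (employee ID, then e-mail address), with normalized fuzzy name matching as the last resort, and anything weak or ambiguous left for a human rather than guessed. This is an added Python example written for this article, not Access Auditor's Fuzzy ID. The HR list and the per-system account exports are constructed; the 0.85 similarity threshold and the 0.05 required gap between the best and second-best candidate are assumed tuning values.

```python
"""Cross-system identity mapping: exact keys first, fuzzy name match last.

Added illustration for this article (not Access Auditor's Fuzzy ID). Links
accounts from systems with different login formats to one person record so a
review can show "who has what" across every system.
"""
from difflib import SequenceMatcher

# Constructed HR master list. The linker only needs *some* person record per
# account; it does not require one mandatory source of truth.
HR = [
    {"employee_id": "E100", "name": "Jane Doe", "email": "jane.doe@example.com"},
    {"employee_id": "E101", "name": "Alan Smith", "email": "alan.smith@example.com"},
    {"employee_id": "E102", "name": "Alan Smythe", "email": "alan.smythe@example.com"},
]

# Constructed per-system exports, each exposing a different identifier
ACCOUNTS = [
    {"system": "AD", "login": "jdoe", "employee_id": "E100", "email": "jane.doe@example.com"},
    {"system": "Salesforce", "login": "alan.smith@example.com", "email": "alan.smith@example.com"},
    {"system": "Mainframe", "login": "JDOE01", "display_name": "DOE, JANE"},   # no key, name only
    {"system": "Mainframe", "login": "ASMITH2", "display_name": "SMITH, A"},   # too weak to link
    {"system": "Mainframe", "login": "ASMYTH1", "display_name": "SMYTHE, ALAN"},
]

SIMILARITY_THRESHOLD = 0.85   # assumed: minimum score to accept a fuzzy match
AMBIGUITY_GAP = 0.05          # assumed: best must beat runner-up by this much


def normalize_name(name):
    """'DOE, JANE' -> 'jane doe'; 'Jane  Doe' -> 'jane doe'."""
    if "," in name:
        last, first = (p.strip() for p in name.split(",", 1))
        name = f"{first} {last}"
    return " ".join(name.lower().split())


def fuzzy_match(display_name, hr, threshold=SIMILARITY_THRESHOLD, gap=AMBIGUITY_GAP):
    """Return the unique employee_id whose name clearly matches, else None.

    Weak scores or two close candidates are returned as None so the account is
    queued for manual review instead of being attached to the wrong person.
    """
    target = normalize_name(display_name)
    scored = sorted(
        ((SequenceMatcher(None, target, normalize_name(p["name"])).ratio(), p["employee_id"])
         for p in hr),
        reverse=True,
    )
    best = scored[0]
    runner_up = scored[1] if len(scored) > 1 else (0.0, None)
    if best[0] >= threshold and best[0] - runner_up[0] > gap:
        return best[1]
    return None


def link_identities(accounts, hr):
    """Map (system, login) -> employee_id; unresolved accounts are listed separately."""
    emp_ids = {p["employee_id"] for p in hr}
    by_email = {p["email"].lower(): p["employee_id"] for p in hr}
    linked, unresolved = {}, []
    for a in accounts:
        key = (a["system"], a["login"])
        emp = None
        if a.get("employee_id") in emp_ids:            # 1. shared key, strongest
            emp = a["employee_id"]
        elif a.get("email", "").lower() in by_email:   # 2. alternate exact parameter
            emp = by_email[a["email"].lower()]
        elif a.get("display_name"):                    # 3. fuzzy name, last resort
            emp = fuzzy_match(a["display_name"], hr)
        if emp:
            linked[key] = emp
        else:
            unresolved.append(key)
    return linked, unresolved


if __name__ == "__main__":
    linked, unresolved = link_identities(ACCOUNTS, HR)
    for key, emp in linked.items():
        print(f"{key[0]}/{key[1]} -> {emp}")
    print("needs manual review:", unresolved)
```

On the constructed data, JDOE01 and ASMYTH1 link by name, while ASMITH2 ("SMITH, A") stays unresolved: its best score is below the threshold, and with an Alan Smythe also on the roster a looser threshold would risk attaching the mainframe account to the wrong person. Leaving such cases for a human is the safer default in a review that produces audit evidence.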

4) Ease of Use

Any user access review process must be easy to use to ensure success. Because users across the enterprise will be performing the access reviews, we need a process that is simple, intuitive, and easy enough to learn without a training manual. Over the past 16 years of delivering success, SCC has identified several common features that optimize the user experience.

  • Custom Descriptions: Many privileges contain cryptic names with little or no other explanation. The ability to easily customize descriptions is crucial to optimize the user experience.

  • Historical Context: We should provide approvers with context regarding their past reviews. Did they review this entitlement before? Which privileges are new since the last review?

  • Robust Workflow: While sometimes we have a simple situation where a manager performs the entitlement review, we often need a more customized workflow. Perhaps certain departments or applications are reviewed by specific people. What about service accounts, delegates, and third-party staff? We need a simple and powerful workflow engine.

  • Customizable Display: To optimize success, we want the ability to make simple customizations to the review display, including choosing which columns are shown, changing the sort order, requiring comments, disabling self-approval, and displaying custom attributes. We should be able to customize the review presentation with the click of a button.

5) Governance and Security Benefits

Automated user access reviews are the primary driving factor in implementing a tool like Access Auditor. With the consolidated user identity warehouse, we can also deliver several identity governance and security benefits to the company, including:

  • Single Identity Warehouse: Having a global repository of user access allows us to track who has access to what and identify active accounts from users no longer with the company.

  • Provide Consolidated Evidence: The evidence of compliance with user access review controls should be consolidated into a single reporting page.

  • Alerts and Separation of Duties: In addition to reviewing access rights, we should also monitor for changes to sensitive privileges and combinations of user access that provide elevated risk.

Conclusion

We identified several best practices for your user access review process. Access Auditor from SCC provides these key features and many more to ensure your success. After over 18 years of delivering success to every customer, Access Auditor provides the most advanced and easy to use solution for automating user access reviews.