User Access Review: Audit Process, Best Practices & Step-by-Step Guide

As their role in your organization changes, users often receive more access to take on new tasks and responsibilities. But how do you ensure that access they no longer need is removed? Regularly auditing permissions through user access reviews is an essential safeguard against privilege creep, the gradual build-up of permissions a user no longer needs. In this guide, you will learn about the benefits, challenges and process of user access reviews.

What Is a User Access Review?

A user access review, also known as a permission review, entitlement review or access certification, is a periodic audit of access rights granted to employees and external users. User access reviews are designed to identify and remediate unwanted access, such as permissions left active after an assignment has ended or a user switched to another department.

User access reviews help organizations limit who has access to critical data. This limits the damage a compromised account can do and reduces the risk of insider threats such as employee data theft. By removing outdated access, these audits ensure that users can only reach the apps and information that are necessary for their job. Access reviews are therefore one of the main tools for enforcing the security best practice known as the principle of least privilege (POLP).

Importance of User Access Reviews

Without a review process to mitigate problematic access, organizations face increased risk of attackers or their own users exploiting excess privileges. There are three main issues that user access reviews address:

  1. Privilege creep: As employees change roles or take on new projects, they receive more and more permissions. Without access reviews, this leads to a gradual buildup of IT privileges. These unnecessary permissions serve no function, but pose a risk to data security.

  2. Privilege misuse: Users who have access to data they do not need may accidentally mishandle information. Even the fact that they have access can be a compliance issue. For example, an employee having access to personal data without a valid business reason may in itself constitute a GDPR violation.

  3. Privilege abuse: Worst of all, employees with unnecessary privileges may intentionally exploit access for their own gain. This could include stealing or selling sensitive data, spying on their coworkers or using internal information as leverage when switching to a competitor.

The best way to prevent these problems is to deal with the root cause of the issue: privilege creep. By limiting which systems and information a user can access, organizations can safeguard against unwanted behaviors like privilege misuse and abuse.

User Access Reviews: Dangers of Privilege Abuse

Many organizations underestimate the risks associated with privilege creep and excess permissions. After all, if you trust your staff it can be hard to believe they would act against your interests or intentionally cause harm. However, there are many real life examples that show the dangers of failing to revoke access from employees.

  • Former admin deletes 180 servers: A disgruntled ex-employee of a Singapore-based IT firm used his still-valid admin credentials to delete 180 of the company’s virtual servers, causing roughly $678,000 in damages. Despite being dismissed in 2022, he was able to log in with his credentials from January to March of 2023.

  • 8 million Cash App users impacted by ex-employee data breach: In 2022, Cash App had to notify roughly 8.2 million users that their data may have been compromised. A former employee had used their access to IT systems to download internal reports containing the full names and brokerage account numbers of users. The company later agreed to a $15 million settlement for this breach.

  • Ex-employee deletes company data: A former credit union employee accessed the company’s computer systems and deleted more than 20,000 files as an act of revenge for being fired. This included sensitive financial documents like mortgage loan applications. In a text message to a friend, the ex-employee wrote: “They didn’t revoke my access so I deleted P:\ drive”.

As these examples highlight, organizations need to revoke access during offboarding and audit access regularly to ensure nothing slips through the cracks. While these specific cases made the news because they led to court cases and significant sentences, events like these often go unnoticed by the affected organization. And even when the guilty party can be identified and charged with a crime, fines and prison sentences cannot undo the damage to your reputation and IT operations.

Benefits of User Access Reviews

Now that we have covered the dangers without an effective access review process, what are the advantages of implementing regular privilege audits?

Improve Data Security

The more users have access to data, the more at risk it is. All it takes is for one person to have their account compromised through phishing or social engineering, and the attacker then has access to everything that user could access. By limiting IT permissions to only what is necessary, regular audits shrink the blast radius of a compromised account and protect your data from unwanted access.

Ensure Regulatory Compliance

Limiting user access in accordance with the principle of least privilege is a best practice for a reason. Many security standards, industry frameworks and even laws and regulations have adopted this requirement. Access reviews are a necessary step to enforce the principle of least privilege. This makes permission audits an essential part of regulatory compliance.

Minimize Insider Threats

Insider threats are one of the hardest security challenges for organizations to address. After all, your staff needs IT access to do their job. However, minimizing access through periodic reviews limits the damage an angry or vengeful insider can cause. And where the motivation is opportunistic, removing unnecessary privileges removes the temptation to exploit access for personal gain.

Which Standards and Regulations Require User Access Reviews?

User access reviews are a cornerstone of effective access governance alongside automated provisioning, role-based access control and in-depth access reporting. So it should be no surprise that regular auditing is a requirement in many laws and security standards. These include:

  • GDPR: Under Europe’s General Data Protection Regulation, organizations must limit who can access personal data and implement appropriate safeguards to protect it from unauthorized access. Access reviews are essential to both maintaining and demonstrating GDPR compliance.

  • SOX: The Sarbanes-Oxley Act regulates internal controls in publicly traded companies. To provide a full audit trail and rule out tampering with financial reporting, businesses must regularly review who has access to the systems and data involved.

  • GLBA: The Gramm-Leach-Bliley Act covers safeguards for consumer financial information. Affected financial entities must implement access controls and limit users’ access to only the information they need. Periodic user access reviews are how this restriction is enforced and evidenced over time.

  • HIPAA: To ensure the privacy and security of medical information, healthcare providers must safeguard patient data and minimize access to it. To effectively prevent unwanted access to healthcare data, organizations must regularly audit IT permissions.

  • ISO 27001: The widely used security standard ISO 27001 covers numerous controls, including strict access governance requirements. Annex A control 5.18 (Access rights) of the 2022 edition explicitly calls for access rights to be reviewed at regular intervals.

  • NIST CSF: NIST’s voluntary Cybersecurity Framework aims to give organizations a comprehensive reference point for information security. Under the framework’s Protect function, access permissions and entitlements are to be managed, enforced and reviewed (outcome PR.AA-05 in CSF 2.0).

Tip: In our download library, you can find detailed compliance guides for many regulations and security standards, including hands-on instructions for effective access governance.

User Access Review Process: 5 Steps for Successful Audits

1. Identify IT Resources That Need Review

IT environments can look very different depending on the size of your organization, how it is structured and the field you operate in. You may be using a combination of cloud and on-premises infrastructure, ranging from very generalized platforms like Entra ID and Microsoft 365 to specialized software or even industry-specific and self-built apps.

Even widely-used solutions tend to have very limited reporting when it comes to permissions and entitlements. Without a dedicated platform for data access governance, this can make it difficult to get a clear picture of who has access to what.

So the first step in the access review process is to figure out what needs to be reviewed. Questions you should ask yourself are: Which apps and systems are in use across different departments? Which users have access to these resources? And who would be a good candidate to review access?

Tip: Reviewers should be familiar with the apps, data and users being audited, so it makes sense to pick reviewers from within the team or department rather than making your IT staff audit the entire organization.

2. Assign User Access Through Roles

While user access reviews are a great way to combat privilege creep, it is still better to prevent unnecessary permissions from being assigned in the first place. Provisioning only the right access at onboarding means you will have fewer unwanted permissions to revoke through audits.

The second step of the access review process is to automate IT onboarding through permission roles. These predefined roles contain the exact privileges each user needs depending on their job function, department, location or other factors.

Implementing role-based access control means every user automatically receives the right permissions for their role in the organization, without the need for IT involvement or manual checklists. More importantly from a security perspective, role-based access control also means that users automatically lose access when their role changes. Entitlements are always updated to match their current role.

3. Track Changes to Access Rights

When it comes to managing user access, accountability is key. Maintaining a detailed record of changes to access rights helps you improve governance practices, ensure regulatory compliance and provide a full audit trail for external analysts or reviewers.

The third step of the access review process is to implement change tracking for IT privileges and entitlements. For starters, your change tracking needs to record the outcomes of privilege audits: Who reviewed the access? Was it renewed or flagged for removal? What were the reasons given?

However, a comprehensive change log goes even further. It needs to track every change to permissions, whether it originated in a privilege audit, an approval workflow, an automated user lifecycle process or a change made directly in the target system. In practice, collecting all this data and providing detailed change tracking for every IT system requires the centralized reporting of an access governance solution.


4. Automate the Review Process

User access reviews are a necessary safeguard that helps you protect sensitive data, minimize risk and ensure compliance. Despite their numerous benefits, however, access reviews do use up business resources: Your IT team needs to oversee the process and individual reviewers need to take time out of their day to complete their audit.

To streamline access audits and make them as seamless as possible, step four is to automate the review process. Privileges need to be evaluated by an employee who is familiar with the resources and team members in question, so the decision itself cannot be automated.

That being said, there are many other parts of the review process that can be automated. This way, your reviewers can focus on making decisions about user access and leave the rest to your review platform. For example, an access governance solution can help you with these stages of the review process:

  • Automatic Data Collection: Your review platform collects data about access rights in every connected system, so it knows exactly which privileges need to be audited.

  • Automatic Scheduling: Set your desired frequency for access audits to create a recurring event.

  • Automated Notifications: Reviewers are automatically notified via email when a new audit begins or they have pending items left to review.

  • Automatic Remediation: If a permission is flagged for removal by a reviewer, the governance solution automatically implements the change and revokes access for the user in question.

  • Automated Escalation: Set fallback actions if a reviewer does not finish their audit, such as reminder emails, switching to a secondary reviewer or automatically disabling permissions that are pending review.

5. Update Policies, Roles and Responsibilities

Maintaining secure, minimal access is an organization-wide commitment that requires consistent effort. Reviewing user privileges allows you to identify and remediate unwanted access before it becomes a problem. But to ensure effective audits, you also need to review your policies and governance model. This ongoing improvement is the fifth and final step of the access review process.

Information systems are not a static environment. They are constantly changing and evolving to adapt to your organization’s needs. This means that your access control policies likewise need to be updated to match changes in your organization or IT environment.

Did you roll out new apps in your organization? Then you need to include them in your role-based access control model. Did you add new teams to your organizational structure? You might have to add new permission roles to your access model. Was there a change in responsibilities? You may need to update who is assigned to review permissions.
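To make the five steps concrete, here is a toy recertification campaign in Python. It is an added example and not tenfold’s code; the HR roster, role model, entitlement snapshot, reviewer names and deadline are all constructed for illustration. It collects the entitlements in scope (step 1), diffs them against the role model so that only deviations land in front of a reviewer (step 2), logs every decision with the reviewer’s identity and reasoning (step 3), routes each item to a reviewer from the owning department and applies a deny-by-default fallback when a review times out (step 4). Accounts of terminated users and identities that HR does not know about at all are flagged in full, which is how the offboarding misses described earlier would surface.

```python
"""Toy access review (recertification) campaign: collect entitlements, compare them
with the role model, route deviations to a departmental reviewer, log every decision
and apply a deny-by-default fallback when a reviewer does not respond.
Added example; the roster, role model and entitlement snapshot below are constructed."""
from dataclasses import dataclass
from datetime import date

# Step 1: what is in scope. HR roster (user -> department, status) and the entitlements
# actually found in the connected systems (AD groups, M365 roles, app permissions).
ROSTER = {
    "alice": ("finance", "active"),
    "bob": ("finance", "active"),
    "carol": ("sales", "active"),      # transferred from finance last quarter
    "dave": ("it", "terminated"),      # left the company, account still enabled
}
ACTUAL = {
    "alice": {"FS-Finance-Read", "FS-Finance-Write"},
    "bob": {"FS-Finance-Read", "FS-Finance-Write", "Domain Admins"},   # privilege creep
    "carol": {"CRM-Sales", "FS-Sales-Read", "FS-Finance-Write"},       # left over from old role
    "dave": {"Domain Admins", "FS-IT-Read"},                           # offboarding miss
    "svc-backup": {"FS-Backup-Operator"},                              # not in HR at all
}
# Step 2: the role model. Anything outside the user's role becomes a review item.
ROLE_MODEL = {
    "finance": {"FS-Finance-Read", "FS-Finance-Write"},
    "sales": {"CRM-Sales", "FS-Sales-Read"},
    "it": {"Domain Admins", "FS-IT-Read"},
}
REVIEWERS = {"finance": "fin-lead", "sales": "sales-lead", "it": "it-lead"}
FALLBACK_REVIEWER = "ciso"    # receives identities that no department owns
DEADLINE = date(2024, 6, 30)  # hypothetical campaign end date


@dataclass
class ReviewItem:
    user: str
    entitlement: str
    reason: str
    reviewer: str
    decision: str = "pending"   # pending | keep | revoke
    note: str = ""


class Campaign:
    def __init__(self, roster, role_model, actual, reviewers, deadline):
        self.deadline = deadline
        self.log = []             # step 3: append-only audit trail of every decision
        self.items = []
        for user, entitlements in actual.items():
            dept, status = roster.get(user, (None, "unknown"))
            reviewer = reviewers.get(dept, FALLBACK_REVIEWER)
            if status != "active":
                # Terminated or unknown identity: every entitlement it holds is suspect.
                flagged = {e: f"account status {status}" for e in entitlements}
            else:
                flagged = {e: f"not part of {dept} role" for e in entitlements - role_model[dept]}
            for ent, reason in sorted(flagged.items()):
                self.items.append(ReviewItem(user, ent, reason, reviewer))

    def pending_for(self, reviewer):
        return [i for i in self.items if i.reviewer == reviewer and i.decision == "pending"]

    def decide(self, reviewer, user, entitlement, decision, note="", on=None):
        """Record a reviewer's decision; only the assigned reviewer may decide."""
        item = next(i for i in self.items if i.user == user and i.entitlement == entitlement)
        if reviewer != item.reviewer:
            raise PermissionError(f"{reviewer} is not the assigned reviewer for {user}/{entitlement}")
        if decision not in ("keep", "revoke"):
            raise ValueError(f"unknown decision {decision!r}")
        item.decision, item.note = decision, note
        self.log.append({"when": (on or date.today()).isoformat(), "who": reviewer, "user": user,
                         "entitlement": entitlement, "decision": decision, "note": note})

    def close(self, today, escalate_to):
        """Step 4 fallback: anything still pending after the deadline is revoked rather than
        silently kept, and handed to a secondary reviewer who can re-grant it if needed.
        Returns the remediation list (user, entitlement) to push to the target systems."""
        if today <= self.deadline:
            raise RuntimeError("campaign is still open")
        for item in self.items:
            if item.decision == "pending":
                item.decision = "revoke"
                item.note = f"no decision by {self.deadline}, escalated to {escalate_to}"
                self.log.append({"when": today.isoformat(), "who": "system", "user": item.user,
                                 "entitlement": item.entitlement, "decision": "revoke", "note": item.note})
        return sorted((i.user, i.entitlement) for i in self.items if i.decision == "revoke")


def demo():
    c = Campaign(ROSTER, ROLE_MODEL, ACTUAL, REVIEWERS, DEADLINE)
    c.decide("fin-lead", "bob", "Domain Admins", "revoke", "finance staff never need domain admin", on=date(2024, 6, 20))
    c.decide("sales-lead", "carol", "FS-Finance-Write", "revoke", "left over from finance role", on=date(2024, 6, 21))
    c.decide("ciso", "svc-backup", "FS-Backup-Operator", "keep", "documented service account, owner it-lead", on=date(2024, 6, 22))
    # it-lead never reviews dave's entitlements, so the deadline fallback revokes them.
    return c.close(today=date(2024, 7, 1), escalate_to="ciso")


if __name__ == "__main__":
    for user, entitlement in demo():
        print(f"revoke {entitlement} from {user}")
```

Two design choices matter here. Only deviations from the role model are queued, so reviewers are not asked to rubber-stamp hundreds of entitlements that the role already justifies. And the timeout fallback revokes rather than keeps: an unanswered review must not quietly extend access, which is exactly how the terminated admin accounts in the cases above stayed live. A real deployment would replace the constructed dictionaries with exports from the directory, HR system and applications, and push the returned remediation list back to those systems.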

Challenges of the Access Review Process

With hundreds of users and dozens of apps and systems, enterprise IT environments tend to be very complex. And they only become more complex over time. Without a dedicated governance platform, it can be challenging to even figure out who has access to which resources, let alone conduct regular reviews.

These are the biggest challenges for organizations conducting access reviews:

  • Limited visibility: To audit IT permissions, you need a clear picture of who has access to what. Unfortunately, even widely used systems like Active Directory offer very limited reporting out of the box. Many organizations struggle with limited visibility into user access and rely on poorly implemented workarounds such as hand-maintained spreadsheets.

  • Integration of systems: IT environments consist of many different apps and systems. Integrating all these applications to allow for centralized access reviews is a huge challenge considering the diverse technical foundations at play.

  • Time & effort: It takes time for reviewers to assess which entitlements are still necessary and which can be removed. But this is only a small step in the review process. By far the biggest time sink for access reviews is collecting up-to-date access information for your reviewers to audit.

  • Organizational changes: Access reviews need to reflect the current state of your organization and this means keeping up with all manner of changes: New staff, exiting staff, different roles and job functions, new IT systems, new projects, new external collaborations etc.

  • Balancing security & productivity: Reviewing user access should not occupy your staff endlessly, nor should it block important business processes. Reviewers need clear guidance on what separates necessary privileges from excess access so they can make informed decisions rather than approving everything by default.

Tip: These challenges make it very difficult to review access at scale without an access governance solution that provides the visibility, integration and automation you need for quick and efficient reviews. Learn how tenfold addresses these challenges below.

How to Automate Access Reviews with tenfold

Despite these technical and organizational challenges, the right tool can make reviewing access easy, fast and seamless. tenfold, our no-code IAM platform, allows you to run automated access reviews for your entire IT infrastructure and tailor the review process to your needs.

Here is the step-by-step guide to automating access reviews with tenfold:

  • Step 1: Open tenfold and navigate to the tab Governance > Recertification. Here, you can see existing policies for your organization, and you can create a new recertification policy.

  • Step 2: Give your new recertification policy a name and choose when and how often this access review will be carried out.

  • Step 3: Choose which resources to review as part of this policy. To add a new resource to the review, simply add it to the Categories tab below. When adding a new resource, you can also choose its settings, including who will review access, which action to take when a resource is flagged by reviewers and which fallback action to take on a review timeout.

  • Step 4: Save your changes and the new access review is scheduled. It will start at the time you selected and repeat based on the frequency you chose. tenfold automatically notifies each reviewer and sends them a link to their personal review page.

  • Step 5: The results of the access review are automatically implemented by tenfold. The review process is fully documented and you can track progress through our central overview. Filtering options are available to help you limit your selection to specific reviews.

tenfold: Access Governance Simplified

Although user access reviews are part of our feature set, tenfold is far more than just an audit tool. tenfold is a comprehensive access governance platform that takes the complexity out of managing identities and user access.

Conventional IAM solutions require months of custom scripting to set up. But not tenfold: Thanks to our off-the-shelf plugins and no-code interface, you can automate your access governance in just two weeks! Go from zero to a fully automated platform that offers:

That’s right, a full-featured access governance suite without the endless setup! But you don’t have to take our word for it: Sign up for a free 30 day trial and see for yourself how powerful, flexible and user-friendly tenfold really is.

Our trial installation includes 4 hours of free consulting for the basic setup (yes, it’s that quick) and unlimited access to our tech support (kept fully in-house and provided by expert technicians only). There’s a reason why over 80% of trial users go on to license our solution!


About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.