User Access Review: How to Keep Privileges in Check

User access reviews, also known as permission reviews, privilege reviews or access recertification, are a periodic audit of the current access rights in your organization designed to spot and remove unnecessary or outdated permissions. Regular access reviews are essential to maintaining security and compliance: When users can access files or systems they do not need, it puts these resources at risk both through insider threats like employee data theft and outside attacks like account hijacking.

Consequently, it is a best practice of cybersecurity to keep IT privileges to a minimum and only assign permissions that are essential to a user’s role – also known as the principle of least privilege. Regular access reviews are the only way to enforce least privilege access by ensuring that nobody in an organization has unnecessary permissions. Which is why user access reviews are demanded by many regulations like HIPAA, the SOX Act, COBIT, PCI DSS, ISO 27001 and the NIST Cybersecurity Framework.

The problem? Many organizations have no process for auditing access rights, meaning that employees accumulate more and more permissions over time, an issue also known as privilege creep. Common problems that occur without user access reviews:

Have you heard of the intern who has more access rights than the CEO? Well, it’s not as far-fetched as it seems. While most organizations have policies in place for assigning new access rights, they tend to neglect the fact that these rights need to be revoked later on. This leads to employees accumulating more and more permissions as they change departments, take on extra responsibilities, are pulled in to support other teams, handle tasks for colleagues who go on vacation, go on parental leave themselves, etc. etc.

Back to our intern (let’s call him Harry): Harry gets to tour many different departments, since he’s supposed to learn about every part of the company. And wherever he goes, he gets access to all kinds of applications and systems. If Harry is lucky, the company will offer him a permanent position after his internship. Now Harry is a regular employee, but he still has all the permissions he collected along the way.

Now, we don’t want to accuse Harry of having evil intentions. Just because he has privileges he shouldn’t have doesn’t mean he intends to abuse them. But even if you ignore the risk of intentional misuse, excess permissions still carry significant risk: What if Harry clicks on a phishing link and his account falls into the wrong hands? The more privileges a user has, the more catastrophic the consequences of malware attacks and data breaches can be.

How often you should audit IT privileges depends on a number of factors. Some compliance frameworks stipulate a specific interval, such as annual or biannual reviews. Other standards allow organizations to define the frequency of user access reviews themselves. In this case, you should consider how sensitive the data or system in question is: Access to critical resources should obviously be audited more often than normal assets. In general, a good baseline to strive for is a full access review of the entire organization every three months.

Access reviews are a critical component of many IT laws, regulations and security standards. However, not all IT frameworks that mandate user access reviews reference them explicitly. The terms and language used in different standards may vary. Some regulations also make access reviews an indirect requirement by expecting organizations to implement safety measures, such as least privilege access, that can only be enforced through user access reviews.

Among IT standards that require access reviews, here are a few notable examples:

Managing IT permissions is traditionally the responsibility of IT staff like sysadmins: The IT department has the technical know-how and elevated permissions needed to adjust user access. But there’s a problem with this approach: IT admins do not know whether permissions are still needed. Figuring out which privileges need to be revoked leads to a lot of back and forth, delays and miscommunications.

For access reviews to be carried out swiftly and accurately, they need to be conducted by someone who is familiar with the users and resources in question. In other words, user access reviews should be carried out by data owners, i.e. the people in charge of the IT resources being audited: department heads, team leads, management and supervisords. Who better to assess whether a permission is still needed than the people working with the files in question? Unlike the IT team, data owners are know the people and permissions being reviewed, which gives them the context to make the right decisions about access.

Now that we’ve established why user access reviews are critical to compliance and information security, you may be wondering how to conduct access audits. After all, checking every single permission in your IT setup sounds like a huge task: In a typical, mid-sized business, we’re talking about hundreds of employees, each with access to dozens of systems and applications!

If combing through every single IT privilege in an average company network sounds impossible, that’s because it is. If your approach to auditing user access is to spend hours going through an endless list of accounts and access rights, you’ll never make any progress. That’s why an effective strategy for user access reviews is all about preparation: by laying the right foundations through an access management framework, you can reduce the scope of the audit, limit how many decisions each data owner must make and ensure the timely completion of each review.

Role-based access control (RBAC) is an access management framework in which organizations define permission sets for different roles in the company – such as Sales, Marketing, Design etc. – and new users automatically receive the IT privileges intended for their business role. This has the advantage of simplifying onboarding: Instead of assigning accounts and permissions individually, admins just have to add a person to the right role to grant them all IT resources that go along with it.

More importantly, role-based access control also means that staff automatically lose old privileges when their position in the company changes. When a user switches from Sales to the Support team, their old permissions are revoked and they gain new permission from the Support role instead. With RBAC, there is no need to manually audit default permissions. This means that access reviews have a much smaller scope, since you only have to review the custom privileges that employees sometimes receive.

Although tools for access management can assign permissions automatically using RBAC, it is still up to the organization to decide which privileges users need for different positions and departments. To do this, organizations need to create an access policy that documents the permissions for different user groups. Following the principle of least privilege, roles should only include permissions that are absolutely necessary for the job in question. Additional permissions for individual users can still be assigned and reviewed on a case-by-case basis.

However, it’s not enough to create an access policy and then stick to it forever: As your IT environment and the needs of users change, so too do you need to update your access policy to reflect these changes. Perhaps your dev team has moved to a new project management tool and no longer needs accounts for the one used by other departments. Maybe you’ve split event planning off into a new department and to establish new roles. The point is: companies change and so should access policies.

As we’ve discussed above, access reviews should not be carried out by IT admins since they lack the context to know which permissions are still in use and which are outdated and can be revoked. You can achieve faster and more accurate results by letting data owners in various departments review access themselves for any resources under their control.

This also means you need to choose data owners for different sections of your organizations (typically people like department heads, team leads and managers) and brief them on the review process. Tell them what they need to do, where they need to do it and why it’s important. Data owners know more about the people and assets they work with than IT staff, but generally have less technical know-how than admins. So the easier you can make the access review process for them, the better.

Once you have decided who will carry out access reviews and which privileges they need to audit, you need to schedule your user access review and choose how often they should be conducted. This decision should follow compliance requirements as well as security considerations: to act as an effective safeguard, access reviews need to be carried out regularly. Don’t forget that you can choose different review frequencies for different IT resources! For example, you could choose to audit sensitive financial data more often than other assets.

Documenting the results of access reviews is not only necessary to provide records of your compliance, but can also help you spot possible problems with the review process or the way you manage specific IT systems. If your team members often share cloud files with contractors and then forget to revoke access until the next review rolls around, perhaps you need a better process to track and manage shared files.

Many business applications, including the Microsoft 365 tools Teams, SharePoint and OneDrive, allow you to provide temporary access to users. The obvious benefit of this approach is that you don’t have to remember them – they just expire on their own. Whenever possible, you should instruct your staff to use temporary access instead of permanent permissions.

Most companies are fully aware that outdated and superfluous access rights are an issue – but without the right tools to help them assign roles, track permissions and audit access, the problem feels impossible to address. If you want to simplify the user access review process, the only way to do so is through automation.

The first step is a reporting tool that gives you an overview of current permissions across all systems. Next, a way to automate user lifecycles and default permissions through role-based access. Finally, a platform that helps you carry out user access reviews by notifying data owners, compiling pending audits into clear checklists and documenting the results of audits.

tenfold, our groundbreaking identity & access management platform, has you covered on all fronts. Our IAM platform assigns default permissions through roles, meaning they are automatically added and removed without the need for manual audits. For any additional permissions, such as access rights requested through our handy self-service platform, tenfold provides a central access review platform that tracks pending audits, notifies data owners, removes outdated permissions and documents all changes. In other words, tenfold offers swift and painless access reviews for all IT systems.