Users come and go, they are assigned to new projects or switch to different departments. And at every step of the way, they collect new privileges. That’s OK, they need certain privileges to do their jobs. But do they really need all of their current privileges? What about permissions from their previous position, or access to a project that they left? These are questions you need to ask yourself constantly and for every user.
This article will explain what user access reviews are, why they are important for the cybersecurity and compliance of your company and how the right IAM solution can help you automate the access review process.
OK, So What Is a User Access Review?
User access reviews (sometimes referred to as “access certification” or “access recertification”) are a periodic audit of existing access rights in your organization meant to remove unnecessary or outdated permissions, which are a risk to both cybersecurity and compliance. Regular reviews are an integral part of successful access governance and implementing the Principle of Least Privilege, an IT security best practice demanded by many regulations like HIPAA, the SOX Act, COBIT, PCI DSS, ISO 27001 and the NIST Cybersecurity Framework.
Or at least they should be. Let’s be honest here: when was the last time you checked whether members of your team have access to data they do not need? If it’s been a while, you’re not alone. Many organizations have no real access control policy and no process in place to conduct the necessary audit. And that’s a problem. Not knowing which employees have access to what increases the risk of employee data theft and insider threats, as well as making it easy for hackers to exploit old accounts and permissions to gain access to your system. Read our article on ransomware protection for businesses to learn more.
tenfold’s approach to reviewing user access rights eliminates all of these threats. In tenfold, standard permissions are assigned through role-based access control, meaning that they are automatically adjusted when a user is moved to a different role, such as a new department or position. Additional privileges, such as access to resources for a specific project, can be granted by the data owner in control of that resource. The data owners you assign to objects are then sent periodic reminders to review permissions they have granted. This allows outdated privileges to be removed with just one click.
Why Are User Access Reviews Important?
Have you heard the tale of the intern who has more access rights than the company executive? Well, it’s not as far-fetched as it seems. While most organizations have policies in place for assigning new access rights, they tend to neglect the fact that these rights need to be revoked once they have become obsolete. Not only are excess permissions risky from a cybersecurity perspective, they can also violate compliance regulations. Many laws and security standards explicitly dictate that access to sensitive information must be kept to a need-to-know basis.
In reality, many organizations have no clear policy for managing access rights. Employees change departments, take on extra responsibilities, are pulled in to support other teams, handle tasks for colleagues who go on vacation, go on parental leave themselves, etc. etc. Without proper documentation for all of these changes, access rights soon become a tangled, chaotic mess.
Back to our intern (let’s call him Harry): Harry gets to hang out in many different departments, since he’s supposed to learn about every part of the company. But in order to learn, Harry needs access. So, Harry is given access to all kinds of applications and systems. If Harry is lucky, the organization will offer him a permanent position after his internship – but then he’s going to work for just department. So what happens to all the permissions from other departments he collected along the way? That’s right: He keeps them.
Superfluous Permissions Are a Security Risk
Now, we don’t want to accuse Harry of having evil intentions. Just because he has privileges he shouldn’t have does not automatically mean he’s going to abuse them (though you can never know). However, data theft is far from the only risk created by unnecessary permissions: The more privileges a user has, the more catastrophic the consequences of malware attacks and data breaches can be. And the longer obsolete permissions are remain active, the worse it gets.
A common practice that contributes to the build-up of unnecessary privileges, also referred to as privilege creep, is the reliance on reference users. When a new employee joins a business, many organizations will simply copy the profile of an existing user (e.g. someone in the same department) and assign it to them. However, in doing so, they copy every permission that user has accumulated over time, including any obsolete or incorrect privileges.
Now imagine all the extra permissions our new employee is going to collect before, eventually, their profile might be copied for the next new hire. As you can see, without a secure process for assigning default permissions and regular audits of extra rights, unnecessary privileges just keep piling up.