User Access Review: How to Keep Privileges in Check

As employees join an organization, switch departments or are assigned to projects, they collect new IT permissions needed to tackle these additional responsibilities. But what about the permissions from their previous role? Removing old IT privileges through periodic user access reviews plays an essential role in stopping data breaches, privacy violations and privilege misuse. In this guide, we will explain what user access reviews are, which compliance standards require them and how to conduct access reviews efficiently. Additionally, you will learn how tenfold can help you automate user access reviews in your organization!

What Is a User Access Review?

User access reviews, also known as permission reviews, privilege reviews or access recertification, are a periodic audit of the current access rights in your organization designed to spot and remove unnecessary or outdated permissions. Regular access reviews are essential to maintaining security and compliance: When users can access files or systems they do not need, it puts these resources at risk both through insider threats like employee data theft and outside attacks like account hijacking.

Consequently, it is a best practice of cybersecurity to keep IT privileges to a minimum and only assign permissions that are essential to a user’s role – also known as the principle of least privilege. Regular access reviews are the only way to enforce least privilege access by ensuring that nobody in an organization has unnecessary permissions. This is why user access reviews are demanded by many regulations like HIPAA, the SOX Act, COBIT, PCI DSS, ISO 27001 and the NIST Cybersecurity Framework.

The problem? Many organizations have no process for auditing access rights, meaning that employees accumulate more and more permissions over time, an issue also known as privilege creep. Common problems that occur without user access reviews:

  • An employee switches to a new department, but keeps the permissions from their prior role.

  • A team member leaves a project, but can still access sensitive project files.

  • A third-party contractor receives guest access, but the account is never closed.

The best way to address scenarios like these is through an automated identity and access management solution. IAM tools like tenfold can help in multiple ways: First, by automating user onboarding and assigning default permissions through role-based access control. Second, by automating the user access review process, notifying stakeholders and breaking audits down into clear checklists.

Why Are User Access Reviews Important?

Have you heard of the intern who has more access rights than the CEO? Well, it’s not as far-fetched as it seems. While most organizations have policies in place for assigning new access rights, they tend to neglect the fact that these rights need to be revoked later on. This leads to employees accumulating more and more permissions as they change departments, take on extra responsibilities, are pulled in to support other teams, handle tasks for colleagues who go on vacation, go on parental leave themselves and so on.


Back to our intern (let’s call him Harry): Harry gets to tour many different departments, since he’s supposed to learn about every part of the company. And wherever he goes, he gets access to all kinds of applications and systems. If Harry is lucky, the company will offer him a permanent position after his internship. Now Harry is a regular employee, but he still has all the permissions he collected along the way.

Now, we don’t want to accuse Harry of having evil intentions. Just because he has privileges he shouldn’t have doesn’t mean he intends to abuse them. But even if you ignore the risk of intentional misuse, excess permissions still carry significant risk: What if Harry clicks on a phishing link or falls victim to social engineering and his account falls into the wrong hands? The more privileges a user has, the more catastrophic the consequences of malware attacks and data breaches can be.

How Often Should You Conduct User Access Reviews?

How often you should audit IT privileges depends on a number of factors. Some compliance frameworks stipulate a specific interval, such as annual or biannual reviews. Other standards allow organizations to define the frequency of user access reviews themselves. In this case, you should consider how sensitive the data or system in question is: Access to critical resources should obviously be audited more often than normal assets. In general, a good baseline to strive for is a full access review of the entire organization every three months.

Which IT Standards Require User Access Reviews?

Access reviews are a critical component of many IT laws, regulations and security standards. However, not all IT frameworks that mandate user access reviews reference them explicitly. The terms and language used in different standards may vary. Some regulations also make access reviews an indirect requirement by expecting organizations to implement safety measures, such as least privilege access, that can only be enforced through user access reviews.

Among IT standards that require access reviews, here are a few notable examples:

  • ISO 27001: By design, ISO 27001 gives organizations a lot of freedom to choose the scope and controls of their information security management system (ISMS). However, a periodic review of access rights (5.18) is one of the recommended controls in Annex A that organizations need to consult per 6.1.3 c).

  • GDPR: Europe’s General Data Protection Regulation puts safeguards on the collection, storage and processing of personal data. As specified in article 25, this includes limiting the number of persons who can access personal data to those with a legitimate interest. In effect, this requires organizations to audit who can access personal data. If too many people can access personal data, businesses risk significant fines of up to 4 percent of their annual revenue.

  • NIST: The NIST Cybersecurity Framework and special publications SP 800-53 and 800-171 all include requirements to audit accounts for compliance and revoke access when it is no longer needed. While NIST CSF is a voluntary standard that companies can use as a cybersecurity guideline, NIST 800-53 and 800-171 are mandatory for organizations that work with government networks or data.

  • PCI DSS: The payment card industry’s digital security standard requires strict access control to ensure that cardholder data can only be accessed by authorized individuals. Access management requirements are covered in chapter 7 of PCI DSS and cover the principle of least privilege, as well as mandatory access reviews every six months (7.2.4).

  • HIPAA: The Health Insurance Portability and Accountability Act governs the privacy and security of healthcare data in the United States. §164.308 specifies various administrative safeguards, including policies and procedures to review users’ access rights (section 4).

  • SOX: The Sarbanes-Oxley Act is a piece of US legislation designed to enforce accurate financial reports in publicly traded companies. To assess the effectiveness of the required internal controls, companies must regularly review access to financial data. Businesses must prove their SOX compliance through annual audits and failure to ensure adequate controls carries fines or possible prison sentences for a company’s CEO and CFO.


Who Should Carry Out User Access Reviews?

Managing IT permissions is traditionally the responsibility of IT staff like sysadmins: The IT department has the technical know-how and elevated permissions needed to adjust user access. But there’s a problem with this approach: IT admins do not know whether permissions are still needed. Figuring out which privileges need to be revoked leads to a lot of back and forth, delays and miscommunications.

For access reviews to be carried out swiftly and accurately, they need to be conducted by someone who is familiar with the users and resources in question. In other words, user access reviews should be carried out by data owners, i.e. the people in charge of the IT resources being audited: department heads, team leads, management and supervisors. Who better to assess whether a permission is still needed than the people working with the files in question? Unlike the IT team, data owners know the people and permissions being reviewed, which gives them the context to make the right decisions about access.

How to Perform Access Reviews: A Best Practice Guide

Now that we’ve established why user access reviews are critical to compliance and information security, you may be wondering how to conduct access audits. After all, checking every single permission in your IT setup sounds like a huge task: In a typical, mid-sized business, we’re talking about hundreds of employees, each with access to dozens of systems and applications!

If combing through every single IT privilege in an average company network sounds impossible, that’s because it is. If your approach to auditing user access is to spend hours going through an endless list of accounts and access rights, you’ll never make any progress. That’s why an effective strategy for user access reviews is all about preparation: by laying the right foundations through an access management framework, you can reduce the scope of the audit, limit how many decisions each data owner must make and ensure the timely completion of each review.


Implement Role-Based Access Control

Role-based access control (RBAC) is an access management framework in which organizations define permission sets for different roles in the company – such as Sales, Marketing, Design etc. – and new users automatically receive the IT privileges intended for their business role. This has the advantage of simplifying onboarding: Instead of assigning accounts and permissions individually, admins just have to add a person to the right role to grant them all IT resources that go along with it.

More importantly, role-based access control also means that staff automatically lose old privileges when their position in the company changes. When a user switches from Sales to the Support team, their old permissions are revoked and they gain new permissions from the Support role instead. With RBAC, there is no need to manually audit default permissions. This means that access reviews have a much smaller scope, since you only have to review the custom privileges that employees sometimes receive.


Create and Update an Access Policy

Although tools for access management can assign permissions automatically using RBAC, it is still up to the organization to decide which privileges users need for different positions and departments. To do this, organizations need to create an access policy that documents the permissions for different user groups. Following the principle of least privilege, roles should only include permissions that are absolutely necessary for the job in question. Additional permissions for individual users can still be assigned and reviewed on a case-by-case basis.

However, it’s not enough to create an access policy and then stick to it forever: As your IT environment and the needs of users change, so too do you need to update your access policy to reflect these changes. Perhaps your dev team has moved to a new project management tool and no longer needs accounts for the one used by other departments. Maybe you’ve split event planning off into a new department and need to establish new roles. The point is: companies change and so should access policies.




Involve Data Owners and Stakeholders

As we’ve discussed above, access reviews should not be carried out by IT admins since they lack the context to know which permissions are still in use and which are outdated and can be revoked. You can achieve faster and more accurate results by letting data owners in various departments review access themselves for any resources under their control.

This also means you need to choose data owners for different sections of your organization (typically people like department heads, team leads and managers) and brief them on the review process. Tell them what they need to do, where they need to do it and why it’s important. Data owners know more about the people and assets they work with than IT staff, but generally have less technical know-how than admins. So the easier you can make the access review process for them, the better.


Define Review Intervals

Once you have decided who will carry out access reviews and which privileges they need to audit, you need to schedule your user access reviews and choose how often they should be conducted. This decision should follow compliance requirements as well as security considerations: to act as an effective safeguard, access reviews need to be carried out regularly. Don’t forget that you can choose different review frequencies for different IT resources! For example, you could choose to audit sensitive financial data more often than other assets.


Document Audit Results

Documenting the results of access reviews is not only necessary to provide records of your compliance, but can also help you spot possible problems with the review process or the way you manage specific IT systems. If your team members often share cloud files with contractors and then forget to revoke access until the next review rolls around, perhaps you need a better process to track and manage shared files.


Replace Permanent Access With Temporary Access

Many business applications, including the Microsoft 365 tools Teams, SharePoint and OneDrive, allow you to provide temporary access to users. The obvious benefit of this approach is that you don’t have to remember to revoke these permissions – they just expire on their own. Whenever possible, you should instruct your staff to use temporary access instead of permanent permissions.
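
The practices above (role defaults, data owners, per-resource intervals, documented results and temporary access) combine into one review worklist. The following sketch is an added example, not part of the original article and not tenfold code; all role, user, resource and owner names are hypothetical sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data; every name below is hypothetical.
ROLE_PERMISSIONS = {  # access policy: default permissions per role
    "Sales": {"crm:write", "share-sales:read"},
    "Support": {"ticketing:write", "crm:read"},
}
RESOURCES = {  # resource -> (data owner, review interval in days)
    "crm": ("sales-lead", 90),
    "share-sales": ("sales-lead", 90),
    "ticketing": ("support-lead", 90),
    "finance": ("cfo", 30),  # sensitive data is reviewed more often
}
USER_ROLE = {"harry": "Support", "guest-contractor": None}
GRANTS = [  # (user, permission, last reviewed, expiry or None if permanent)
    ("harry", "ticketing:write", date(2024, 1, 5), None),  # Support default
    ("harry", "crm:read", date(2024, 1, 5), None),         # Support default
    ("harry", "crm:write", date(2024, 1, 5), None),        # left over from Sales
    ("harry", "finance:read", date(2024, 3, 20), None),    # custom grant
    ("harry", "share-sales:read", date(2024, 1, 5), date(2024, 3, 1)),  # temporary
    ("guest-contractor", "share-sales:read", date(2024, 3, 25), None),
]

def review_worklist(today):
    """Group grants that need a decision today by the data owner who decides."""
    work = defaultdict(list)
    for user, perm, last_reviewed, expires in GRANTS:
        if perm in ROLE_PERMISSIONS.get(USER_ROLE.get(user), set()):
            continue  # role default: handled by RBAC, out of review scope
        if expires is not None and expires <= today:
            continue  # temporary access that has already expired on its own
        owner, interval = RESOURCES[perm.split(":")[0]]
        due = last_reviewed + timedelta(days=interval)
        if due <= today:
            work[owner].append((user, perm, due))
    return dict(work)

def record_decisions(worklist, decisions, today):
    """Turn reviewer decisions into audit records; undecided items stay open."""
    log = []
    for owner, items in worklist.items():
        for user, perm, _due in items:
            verdict = decisions.get((user, perm), "open")
            log.append({"date": today.isoformat(), "reviewer": owner,
                        "user": user, "permission": perm, "decision": verdict})
    return log
```

Of the six sample grants, only two reach a reviewer: the write permission Harry kept from Sales and his custom finance access, each routed to the owner of that resource.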


Choose the Right Access Management Platform

Most companies are fully aware that outdated and superfluous access rights are an issue – but without the right tools to help them assign roles, track permissions and audit access, the problem feels impossible to address. If you want to simplify the user access review process, the only way to do so is through automation.

The first step is a reporting tool that gives you an overview of current permissions across all systems. Next, a way to automate user lifecycles and default permissions through role-based access. Finally, a platform that helps you carry out user access reviews by notifying data owners, compiling pending audits into clear checklists and documenting the results of audits.

tenfold, our groundbreaking identity & access management platform, has you covered on all fronts. Our IAM platform assigns default permissions through roles, meaning they are automatically added and removed without the need for manual audits. For any additional permissions, such as access rights requested through our handy self-service platform, tenfold provides a central access review platform that tracks pending audits, notifies data owners, removes outdated permissions and documents all changes. In other words, tenfold offers swift and painless access reviews for all IT systems.

What really sets our solution apart, however, is just how quick and easy it is to start using tenfold. While other identity management tools often take months or years to set up and connect to various applications, tenfold can be set up and fully operational in just a few weeks. The secret is our plugin library: These standardized interfaces allow you to integrate a wide range of IT systems without custom scripts or programming. Our visual, no-code configuration makes setup a breeze! Not convinced? See for yourself with a free trial.

User Access Reviews with tenfold

  • With tenfold, you can easily adapt the access review process to your needs.

  • Data owners can quickly get an overview of the situation.

  • The system sends automatic reminders when a new review is due.

  • Review intervals can be customized for different privileges.

  • You determine what should be reviewed: profiles, resources, file servers, etc.

  • You can define backup actions which are triggered if data owners do not take action.

  • Reviewers can confirm or reject access rights easily using tenfold’s intuitive user interface.

  • Configuration is super simple and the review function is immediately ready for use.


About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.