User Access Review: How to Keep Privileges in Check

Users come and go; they are assigned to new projects or switch to different departments. And at every step of the way, they collect new privileges. That’s OK, they need certain privileges to do their jobs. But do they really need all of their current privileges? What about permissions from their previous position, or access to a project that they left? These are questions you need to ask yourself constantly and for every user.

This article will explain what user access reviews are, why they are important for the cybersecurity and compliance of your company and how the right IAM solution can help you automate the access review process.

OK, So What Is a User Access Review?

User access reviews (sometimes referred to as “access certification” or “access recertification”) are periodic audits of the existing access rights in your organization, meant to remove unnecessary or outdated permissions, which are a risk to both cybersecurity and compliance. Regular reviews are an integral part of successful access governance and of implementing the Principle of Least Privilege, an IT security best practice demanded by many regulations like HIPAA, the SOX Act, COBIT, PCI DSS, ISO 27001 and the NIST Cybersecurity Framework.

Or at least they should be. Let’s be honest here: when was the last time you checked whether members of your team have access to data they do not need? If it’s been a while, you’re not alone. Many organizations have no real access control policy and no process in place to conduct the necessary audit. And that’s a problem. Not knowing which employees have access to what increases the risk of employee data theft and insider threats, as well as making it easy for hackers to exploit old accounts and permissions to gain access to your system. Read our article on ransomware protection for businesses to learn more.

tenfold’s approach to reviewing user access rights eliminates all of these threats. In tenfold, standard permissions are assigned through role-based access control, meaning that they are automatically adjusted when a user is moved to a different role, such as a new department or position. Additional privileges, such as access to resources for a specific project, can be granted by the data owner in control of that resource. The data owners you assign to objects are then sent periodic reminders to review permissions they have granted. This allows outdated privileges to be removed with just one click.

Why Are User Access Reviews Important?

Have you heard the tale of the intern who has more access rights than the company executive? Well, it’s not as far-fetched as it seems. While most organizations have policies in place for assigning new access rights, they tend to neglect the fact that these rights need to be revoked once they have become obsolete. Not only are excess permissions risky from a cybersecurity perspective, they can also violate compliance regulations. Many laws and security standards explicitly dictate that access to sensitive information must be kept to a need-to-know basis.

In reality, many organizations have no clear policy for managing access rights. Employees change departments, take on extra responsibilities, are pulled in to support other teams, handle tasks for colleagues who go on vacation, go on parental leave themselves, and so on. Without proper documentation for all of these changes, access rights soon become a tangled, chaotic mess.

Back to our intern (let’s call him Harry): Harry gets to hang out in many different departments, since he’s supposed to learn about every part of the company. But in order to learn, Harry needs access. So, Harry is given access to all kinds of applications and systems. If Harry is lucky, the organization will offer him a permanent position after his internship – but then he’s going to work for just one department. So what happens to all the permissions from other departments he collected along the way? That’s right: He keeps them.

Employee with broad access to information and services he does not need.
That’s Harry. Like most users, he has too many access rights. Let’s hope he’s one of the good guys! Adobe Stock, (c) fizkes

Superfluous Permissions Are a Security Risk

Now, we don’t want to accuse Harry of having evil intentions. Just because he has privileges he shouldn’t have does not automatically mean he’s going to abuse them (though you can never know). However, data theft is far from the only risk created by unnecessary permissions: The more privileges a user has, the more catastrophic the consequences of malware attacks and data breaches can be. And the longer obsolete permissions remain active, the worse it gets.

A common practice that contributes to the build-up of unnecessary privileges, also referred to as privilege creep, is the reliance on reference users. When a new employee joins a business, many organizations will simply copy the profile of an existing user (e.g. someone in the same department) and assign it to them. However, in doing so, they copy every permission that user has accumulated over time, including any obsolete or incorrect privileges.

Now imagine all the extra permissions our new employee is going to collect before, eventually, their profile might be copied for the next new hire. As you can see, without a secure process for assigning default permissions and regular audits of extra rights, unnecessary privileges just keep piling up.

Video Overview

Watch Our Demo Video to See tenfold in Action!

Regular User Access Reviews Prevent Security Holes

To minimize the risk of data misuse and theft, companies must have structured processes in place for granting new rights, adjusting existing rights and removing permissions as soon as they are no longer needed. This also requires an overview of existing privileges in your organization, something a lot of businesses do not have.

This is where the user access review process comes into play. Instead of asking your IT department to track permissions they do not know the context for, you appoint data owners (e.g. department heads, managers) who are both familiar with the information under their control and responsible for monitoring and controlling access to it. They do this by asking the following questions:

  • Are there employees with special rights?

  • Did anyone change departments?

  • Did someone leave?

If data owners come across any outdated access rights, they can revoke them immediately. If the access rights are appropriate and still needed, they can reconfirm, i.e. recertify them.
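As an added illustration (example code written for this article, not tenfold’s product or any code from the original page): a small Python pass that asks the three questions above automatically. Every grant records why it was given (a department role, a project, or a hand-granted special right), so the review can compare each grant with the user’s current state, group the findings by data owner, and support the two decisions a data owner can make: revoke or recertify. It also places the reference-user copy described earlier next to a role-based default, to make the privilege creep visible. All user names, shares, owners, dates, the role catalog and the 90-day interval are constructed assumptions.

```python
# Added example (not tenfold's code): a minimal access-review pass over
# constructed sample data. Every grant records *why* it was given, so the
# three review questions from the text can be asked automatically.
from dataclasses import dataclass, replace
from datetime import date

TODAY = date(2024, 10, 15)  # constructed review date


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    owner: str            # data owner responsible for the resource
    reason: str           # "role:<dept>", "project:<name>" or "special"
    granted_on: date
    last_certified: date  # last time a data owner reconfirmed the grant


# Constructed directory state: user -> (current department, active projects).
# A user missing from this dict has left the company.
DIRECTORY = {
    "harry": ("sales", {"crm-migration"}),
    "alice": ("finance", set()),
    "bob":   ("engineering", set()),
    "ivan":  ("sales", set()),          # new hire, no grants yet
}

# Constructed role catalog: department -> [(resource, data owner), ...].
ROLE_CATALOG = {
    "sales": [("share:sales", "dave")],
    "finance": [("share:finance", "frank")],
    "engineering": [],
}

# Constructed grants. Users, shares, owners and dates are invented.
GRANTS = [
    Grant("harry", "share:finance", "frank", "role:finance", date(2022, 3, 1), date(2022, 3, 1)),
    Grant("harry", "share:sales", "dave", "role:sales", date(2023, 1, 10), date(2024, 9, 1)),
    Grant("harry", "repo:crm-migration", "erin", "project:crm-migration", date(2024, 2, 1), date(2024, 9, 1)),
    Grant("bob", "repo:crm-migration", "erin", "project:crm-migration", date(2024, 2, 1), date(2024, 9, 1)),
    Grant("alice", "share:finance", "frank", "role:finance", date(2021, 5, 3), date(2024, 1, 5)),
    Grant("carol", "share:finance", "frank", "role:finance", date(2020, 8, 17), date(2024, 9, 1)),
    Grant("harry", "admin:erp", "grace", "special", date(2024, 6, 1), date(2024, 6, 1)),
]


def find_review_items(grants, directory, today, interval_days=90):
    """Return {data owner: [(grant, finding), ...]} for grants needing a decision.

    The checks mirror the data owner's questions: did someone leave, did anyone
    change departments (or drop off a project), are there special rights, and
    has the recertification interval elapsed? A shorter interval_days can be
    used for sensitive resources and admin rights."""
    items = {}
    for g in grants:
        finding = None
        if g.user not in directory:
            finding = "user left the company"
        else:
            dept, projects = directory[g.user]
            kind, _, arg = g.reason.partition(":")
            if kind == "role" and arg != dept:
                finding = f"role grant for {arg} but user is in {dept}"
            elif kind == "project" and arg not in projects:
                finding = f"project {arg} no longer assigned"
            elif kind == "special":
                finding = "special right, needs recertification"
            elif (today - g.last_certified).days > interval_days:
                finding = "recertification interval elapsed"
        if finding:
            items.setdefault(g.owner, []).append((g, finding))
    return items


def revoke(grants, grant):
    """Data owner decision 'no longer needed': drop the grant."""
    return [g for g in grants if g != grant]


def recertify(grant, today):
    """Data owner decision 'still needed': reconfirm and restart the interval."""
    return replace(grant, last_certified=today)


def copy_profile(grants, template_user, new_user, today):
    """Reference-user onboarding as the text describes it: the new hire gets
    every grant of the template, stale ones included (shown to expose the creep)."""
    return grants + [replace(g, user=new_user, granted_on=today, last_certified=today)
                     for g in grants if g.user == template_user]


def role_defaults(grants, new_user, dept, today):
    """Role-based onboarding: only the grants that belong to the department role."""
    return grants + [Grant(new_user, res, owner, f"role:{dept}", today, today)
                     for res, owner in ROLE_CATALOG[dept]]


if __name__ == "__main__":
    for owner, findings in find_review_items(GRANTS, DIRECTORY, TODAY).items():
        print(f"Review list for {owner}:")
        for g, why in findings:
            print(f"  {g.user:6} {g.resource:20} -> {why}")
```

Running the script prints one review list per data owner; nothing is flagged for dave, because Harry’s sales share matches his current department and was reconfirmed recently. Onboarding `ivan` with `copy_profile` from Harry immediately produces three findings against a brand-new account, while `role_defaults` produces none, which is the difference between reference users and role-based defaults in one run.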

Who Is Responsible for Performing the User Access Review?

Recertifying access rights should NOT be the responsibility of the IT department: Whoever is in charge of reviewing access rights must be familiar with the user tasks and roles involved and know exactly who needs which rights. And who better to assess whether a permission is still needed than the people working with the files in question: department heads, middle managers, supervisors. It goes without saying (but we’ll say it anyway) that it is vital that reviewers have all the relevant data to make correct decisions.

Reviewing User rights
Not reviewing the permissions in your organization might be a compliance issue. Adobe Stock, (c) Coloures Pic

How Does the User Access Review Process Work?

The exact approach to the access review process will vary from company to company and industry to industry. To keep costs and effort to a minimum, it is wise to focus particularly on potentially high-risk areas, which will usually be those where a lot of the work involves dealing with confidential information and/or sensitive data.

Access to this kind of information, as well as high-level permissions like admin rights, should naturally be reviewed more frequently than less critical privileges.

How to Make Your Access Review Process Quick and Efficient

Most companies are fully aware that outdated and superfluous access rights are an issue – but without the right tools to provide an overview of existing permissions, the problem feels impossible to address.

The second problem is time: Even if data owners are able to retrace and verify all assigned privileges, doing this manually is so time-consuming they’d have to start over as soon as they’ve finished the first time round.

That’s why it is essential to simplify the user access review process as much as possible, and the only way to do that is through automation. The first step is a reporting tool that gives you an overview of current permissions across all systems. Once all existing privileges have been dealt with, ensuring a smooth access review process for the future requires automatic reminders sent to data owners, with a fallback plan if they do not complete the audit. tenfold has you covered on both fronts.

User Access Reviews with tenfold

  • With tenfold, you can easily adapt the access review process to your needs.

  • Data owners can quickly get an overview of the situation.

  • The system sends automatic reminders when a new review is due.

  • Review intervals can be customized for different privileges.

  • You determine what should be reviewed: profiles, resources, file servers, etc.

  • You can define backup actions which are triggered if data owners do not take action.

  • Reviewers can confirm or reject access rights easily using tenfold’s intuitive user interface.

  • Configuration is super simple and the review function is immediately ready for use.


About the Author: Nele Nikolaisen

Nele Nikolaisen is a content manager at tenfold. She is also a book lover, cineaste and passionate collector of curiosities.