Users come, they stay, they leave, they move around between departments and they collect privileges on the way. That’s OK, they need privileges to do their jobs. But do they need all the privileges they have, always? That’s a question you need to ask yourself, for every user, repeatedly.
This article covers what is meant by a user access review, why it is important for your business and how you can simplify the process while raising your company’s IT security and level of data protection at the same time.
OK, So What Is a User Access Review?
A user access review (sometimes also referred to as “access certification” or “access recertification”) is – or should be – an integral part of your access control strategy. Why? Well, be honest here – when was the last time you checked whether the people working at your company have access to data they shouldn’t have? … Been a while, hasn’t it? We’re not guilt-shaming here – we know you’ve had other important things to do. However, you should be aware that not knowing who has access to what is risky because outdated access rights can open the floodgates to data misuse and theft.
Plus, access rights that shouldn’t really exist anymore make your company more vulnerable to ransomware attacks. Read this post to find out why that is.
tenfold’s approach to reviewing user access rights eliminates all of the above-mentioned threats. In tenfold, you can put people in charge of objects who are then regularly obligated to review the permissions that fall within their purview and to either confirm or remove these. This way, an accumulation of unwanted or unnecessary access rights can be prevented.
Why Is It Important to Conduct User Access Reviews?
Have you heard the tale of the intern who has more access rights than the company executive? Well, it’s not as far-fetched as it seems. While most companies have well-structured processes for assigning access rights in place, they tend to neglect the fact that these rights need to be revoked once they have become obsolete.
Employees change departments, their areas of responsibility within the organization change, they resign, go on parental leave, are given special rights, etc. – but if these changes are not properly documented, we end up with scarily chaotic access landscapes.
Back to our intern (let’s call him Harry): Harry gets to hang out in different departments (or all departments), since he’s supposed to learn stuff. But to learn stuff, Harry needs access. So, Harry is given access to all kinds of programs and systems.
By the end of his internship, if he’s done well, the company will keep him on – but he’s probably just going to work for one department, and what happens to all the permissions for other departments he collected on the way? That’s right: He keeps them.
Superfluous Permissions Lead to Security Holes
Now, we don’t want to accuse Harry of having evil intentions. Just because he has privileges he shouldn’t have does not automatically mean he’s going to use those against the company (he might do, though!). Anyway, data theft from within is not the only risk: The more privileges a user has, the more catastrophic the consequences of malware attacks and data breaches can be. And the longer obsolete permissions are retained, the worse it gets.
A reason for this is that many companies use so-called user templates. Essentially, this means that when a new person joins the company, an existing user profile (e.g. from someone in the same department) is simply copied, including all permissions, and assigned to the new person – regardless of whether the person needs these permissions or not.
Now, our new person is also going to collect more and more permissions along the way and, at some point, his or her user profile will be copied when the next new hire joins, and so on. As you can see, it’s a never-ending horror story that worsens exponentially.
Regular User Access Reviews Prevent Security Holes
To minimize the risk of data misuse and theft, companies must have structured processes for granting, adjusting and removing permissions immediately when they are no longer needed. To correct errors in time, you must constantly monitor and re-evaluate the status quo of your access landscape, which, as you know, can be very challenging – and that is exactly where the user access review comes into play: You appoint data owners (e.g. department heads, managers) who are responsible for monitoring and controlling certain permissions. They do this by asking the following questions:
- Are there employees with special rights?
- Did anyone change departments?
- Did someone leave?
If data owners come across any outdated access rights, they can revoke them immediately. If the access rights are appropriate and still needed, they can reconfirm, i.e. recertify them.
Who Is Responsible for Performing the User Access Review?
Recertifying access rights is NOT the responsibility of the IT department – and for good reason: Whoever is in charge of reviewing access rights must be familiar with user tasks and roles involved and know exactly WHO needs WHICH rights. And who commonly has that kind of knowledge? Department heads, supervisors, professionals, specialists. It goes without saying (but we’ll say it anyway) that it is vital that reviewers have all the relevant data to make correct decisions.
How Does the User Access Review Process Work?
Every company will have a different understanding of or demand for what an access review process should involve. To keep costs and effort to a minimum, it is wise to focus particularly on potentially high-risk areas, which will usually be those where a lot of the work involves dealing with confidential information and/or sensitive data.
The privileges used in such systems should naturally be reviewed more frequently than those used in less critical systems.
How to Make Your Access Review Process Quick and Efficient
Most companies are fully aware that outdated and superfluous access rights are an issue – but without the right tools to help them gain a quick overview of who has access to what in the first place, they’ve already lost.
The second problem is time: Even if data owners are able to retrace and verify all assigned privileges, doing this manually is so time-consuming they’d have to start over as soon as they’ve finished the first time round.
That’s why it is essential to simplify the user access review process as much as possible, and the only way to do this is through automation. To recertify permissions quickly and efficiently, you must be able to obtain a quick overview of the situation – and our access management solution tenfold helps you do just that.
How Does User Access Reviewing with tenfold Work?
- With tenfold, you can easily adapt the access review process to your needs.
- Data owners can quickly obtain an overview of the situation.
- The system sends automatic reminders when a new review is due.
- Review intervals can be customized.
- Determine what (profiles, resources, file servers, etc.) should be reviewed.
- Define backup actions which are triggered in case of non-recertification.
- Reviewers can confirm or reject access rights easily using tenfold’s uncomplicated user interface.
- Configuration is super simple and the review function is immediately ready for use.