How to conduct a user access review?
Payal Wadhwa
Jun 05, 2024
In May 2023, a disgruntled Tesla ex-employee used his privileges as a service technician to gain access to the data of 75,735 employees, including personal details and financial information. The breach attracted a $3.3 billion fine under GDPR.
While breaches caused by external and unknown factors are not under an organization’s control, incidents like this one can be minimized by taking care of the internal contributors. Here, the internal factor was access permissions that could have been kept in check with proper user access reviews.
Regular user access reviews help organizations streamline access controls and oversight and proactively spot behavioral anomalies. This ensures security, helps maintain compliance, and safeguards an organization’s reputation in the long run.
This blog covers the importance of conducting user access reviews and the key steps in implementing the process.
What is a user access review?
A user access review is a process in which the access rights of employees and third parties, and their privileges to systems, applications, and data, are periodically reviewed to ensure that access is granted appropriately. The aim of a user access review is to minimize the chances of unauthorized access or insider attacks.
Why do you need to review user access?
User access review is essential to uphold critical data and systems’ security, privacy, and integrity and minimize risks resulting from excessive privileges.
Access and identity-related incidents such as stolen credentials (56%) and social engineering attacks (48%) occur due to excess privileges and human error. Then there are insider attacks: according to a Cybersecurity Insiders report, 74% of organizations are moderately vulnerable or worse to insider threats.
Here is why you must conduct user access reviews:
Minimizing security breaches
Excess access privileges increase the probability of unauthorized access and of malicious insiders exploiting their permissions to cause harm. In the case of third-party data access, permissions beyond contractual obligations can cause security breaches. User access reviews ensure that only authorized users hold the minimum necessary permissions, which minimizes such occurrences.
Ensuring compliance
Periodic user access reviews help pinpoint any violations of access permissions, segregation of duties, etc. They also help ensure access requirements are met for compliance standards such as PCI DSS, HIPAA, GDPR, etc., which mandate access reviews to ensure data security and privacy.
Cost savings
Many software licenses are priced by the number of users accessing the software. User access reviews ensure that no user has more than the necessary level of access and that no money is wasted on over-provisioned licenses.
Reducing privilege creep, misuse, and abuse
User access reviews ensure proper user access management and minimize the chances of the following:
Privilege creep is a situation in which new rights are granted without revocation of previous access rights, leading to an unwarranted accumulation of permissions. It can happen during a change of roles and responsibilities.
Privilege misuse is when users try to use their access permissions inappropriately or with malicious intent. This can be intentional or out of negligence. An example could be a customer service representative using their access permissions to check a customer’s account details for a personal motive.
Privilege abuse is the intentional misuse of rights. An example could be an IT executive using their permissions unethically to steal an organization’s sensitive data.
Key steps to implementing user access review (UAR)
The UAR process requires you to identify roles and mapped permissions and review and remove unnecessary privileges. These are the 6 steps to implementing the user access review procedure:
1. Define the scope of the review
To streamline the process, start by defining the scope of the user access review. This includes identifying the critical systems that must have restricted access, the data and data classes that require protection, and the users that need to be reviewed. Identify the individuals (for example, functional leaders) who will review access, and define the frequency of reviews.
The frequency of reviews is decided based on the following:
- Risk assessments: High-risk systems are reviewed more frequently than low-risk, low-impact systems
- Compliance requirements: Depending on the applicable standards, different compliance frameworks may prescribe different frequencies for access reviews
- Industry best practices: If the industry best practice is to conduct access reviews every quarter, that cadence should be followed
- Special events: Access-related incidents, infrastructure changes, employee promotions or terminations, etc., should trigger an out-of-cycle review
2. Create a user access review policy
Establish a clear access review policy and ensure it is distributed across the organization. The policy must outline the responsibilities related to acceptable usage of organizational assets, the conditions for granting access, request evaluation guidelines, notification rules in case of employee termination, etc. The policy and the access control procedures, along with the repercussions of any violation, must be communicated to employees.
3. Review access rights
An effective user access review process involves the following:
- Review users and mapped permissions: Ensure that the permissions are mapped to roles based on job functions (role-based access controls)
- The principle of least privilege: Ensure that no user is granted any unnecessary permissions that do not pertain to their current role.
- Check conflicting roles: Verify proper segregation of duties and pinpoint any conflicting roles and permissions that could lead to error or fraud.
- Review access requests and approvals: Any access requests made must be legitimate and the approvals must be appropriate.
- Evaluate audit logs: Check audit trails to go through login attempts and spot any suspicious activity.
- Review vendor permissions: Evaluate if the third-party vendors have any permissions beyond the contractual requirements.
- Check for any other misconfigurations or changes in user policies, etc.
4. Remove unnecessary permissions
The next step is to remove any unnecessary permissions identified above.
- Revoke access permissions for employees who have left the organization
- Look for and eliminate any shadow admin accounts. These accounts are granted admin-level access to systems without the organization’s knowledge.
- Remove any unnecessary permissions that can lead to privilege creep. This will require removing permissions from previous job roles for employees who have been promoted or shifted to a new role. It also involves removing excessive permissions granted to vendors.
- Replace ‘permanent access’ with temporary access when the need expires.
5. Document the findings
Document the review findings with details of the violations, any unnecessary approvals granted, etc. Identify the risks and vulnerabilities these could have introduced, so the workforce can be trained to avoid them in future. Next, note the steps taken to remove any extra permissions. Present the user access reports to top management for any key decisions.
6. Improve processes
Based on the findings and the meeting with leadership, make the necessary changes to improve processes continuously. Train the workforce, update policies if required, set up continuous user activity monitoring, etc., to ensure proper access management and compliance with regulations.
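As an added illustration of steps 3 and 4 (this is not code from the post or from Sprinto), the following Python pass runs the review checks described above over a constructed account export. The role catalogue, segregation-of-duties rule, HR roster, user names, entitlement names and review date are all hypothetical sample data.

```python
from datetime import date
# Constructed, hypothetical inputs: role definitions (RBAC), an SoD rule, the HR roster
# of active people, and an export of accounts with their granted entitlements.
ROLES = {
    "support": {"crm.read"},
    "finance": {"erp.invoice.create", "erp.read"},
    "finance_approver": {"erp.invoice.approve", "erp.read"},
    "it_admin": {"iam.admin", "erp.read"},
}
SOD_RULES = [({"erp.invoice.create", "erp.invoice.approve"}, "create+approve invoices")]
HR_ACTIVE = {"alice", "bob", "carol", "dave"}  # erin has left, per HR
REVIEW_DATE = date(2024, 6, 5)
ACCOUNTS = [  # "expires" records approved temporary grants and their end dates
    {"user": "alice", "role": "finance", "grants": {"erp.invoice.create", "erp.read"}, "expires": {}},
    {"user": "bob", "role": "finance_approver",  # moved from finance; old right never revoked
     "grants": {"erp.invoice.create", "erp.invoice.approve", "erp.read"}, "expires": {}},
    {"user": "carol", "role": "support", "grants": {"crm.read", "iam.admin"}, "expires": {}},
    {"user": "dave", "role": "support", "grants": {"crm.read", "erp.read"},
     "expires": {"erp.read": date(2024, 1, 31)}},
    {"user": "erin", "role": "it_admin", "grants": {"iam.admin", "erp.read"}, "expires": {}},
]

def review_access(accounts, roles, sod_rules, hr_active, today):
    """Step 3: return (user, finding, details) tuples for the reviewer to act on."""
    findings = []
    for acct in accounts:
        user, grants = acct["user"], acct["grants"]
        if user not in hr_active:  # leaver whose account still holds rights
            findings.append((user, "terminated_user_with_access", sorted(grants)))
            continue
        temporary = set(acct["expires"])
        # Rights explained neither by the current role nor by an approved temporary grant
        extra = grants - roles.get(acct["role"], set()) - temporary
        if extra:
            findings.append((user, "privilege_creep", sorted(extra)))
        if "iam.admin" in extra:  # admin right held outside any assigned role
            findings.append((user, "shadow_admin", ["iam.admin"]))
        for conflict, label in sod_rules:
            if conflict <= grants:  # user holds every right in the conflicting set
                findings.append((user, "sod_conflict", [label]))
        for ent, end in acct["expires"].items():
            if end < today:  # temporary access that outlived its justification
                findings.append((user, "expired_temporary_access", [ent]))
    return findings

def revocations(findings):
    """Step 4: entitlements to remove per user; SoD conflicts still need a human decision."""
    plan = {}
    for user, kind, details in findings:
        if kind in {"terminated_user_with_access", "privilege_creep", "expired_temporary_access"}:
            plan.setdefault(user, set()).update(details)
    return plan
```

In a real review the role catalogue, HR roster and account export would come from the IAM system and HR system of record, and the findings list is what gets documented in step 5.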
The steps mentioned above are for manually conducting user access reviews. Using automation tools like Sprinto can make the process quicker and more streamlined. Here’s how you can automate the process:
- Choose critical assets from the Sprinto directory or add your own.
- Sprinto automatically maps critical systems to access controls, policies, and other compliance criteria.
- Sprinto supports role-based and ticket-based access controls and helps simplify the review process.
- You can track access-related controls in real time. Continuous monitoring helps notify in case of any deviations.
- Automatically collect evidence for access control practices and breeze through audits.
Laws and regulations that require user access reviews
Laws that ensure data privacy and protect information systems require access reviews. Some examples of these laws include:
General Data Protection Regulation (GDPR)
GDPR is a data protection law that regulates the collection and processing of personal data of EU residents by any organization regardless of location. Several articles in the GDPR emphasize data security and protection, and although not directly, they do underscore the importance of access reviews.
For example, Article 24 discusses the controller’s responsibility to implement technical and organizational measures. Access reviews are one such measure. Similarly, Article 32 talks about auditing the processed data and the people with access to personal data.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a U.S. federal law that establishes standards for protecting patient health information by covered entities such as healthcare providers and their business associates.
HIPAA’s administrative safeguards, specifically 45 CFR § 164.308, require covered entities and business associates to review security policies, including those related to access. They also require these organizations to establish, document, review, and modify access rights to ensure the confidentiality, integrity, and availability of ePHI (electronic protected health information).
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology at the U.S. Department of Commerce is a non-regulatory federal agency that provides guidelines and best practices to enhance cybersecurity for businesses and promote innovation. NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, includes Access Control (AC) as one of its control families. AC-1 requires organizations to review and update access control policies. Similarly, AC-2 requires organizations to conduct periodic reviews of user accounts to check their privileges.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a global security standard for merchants and businesses that collect, store, and process cardholder data. It has 12 key requirements, of which requirement 7 specifically addresses access control, including reviews. The requirement emphasizes restricting access to cardholder data on a need-to-know basis. It also advocates the principle of least privilege and regular review of user access rights.
International Organization for Standardization (ISO 27001)
ISO 27001 is an international standard for establishing and maintaining an effective Information Security Management System (ISMS). Annex A control 5.18 of ISO 27001:2022 requires organizations to ensure that access rights are in accordance with the access control policy, which implies periodic access reviews. In ISO 27001:2013, the requirement for access reviews was stated under A.9.2.3.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act is a U.S. federal law that establishes requirements for financial reporting and public accounting and aims to protect investors against corporate fraud. Section 404 of the SOX Act addresses internal controls over financial reporting and covers access control for digital records, which reinforces the need for access reviews.
Best practices for user access review
Best practices for user access review enable the organization to maintain sustainable processes for access management and make continuous compliance the default state. The following are the best practices for user access review:
1. Ensure segregation of duties
A clear segregation of duties (SoD) is considered a best practice as it minimizes the chances of conflicting roles and reduces the risk of fraud. Additionally, it enhances accountability because of a clear definition of job responsibilities. In the event of unauthorized access, clear segregation makes it easier to identify the malicious insider.
2. Implement role-based access control
Role-based access control ensures that individuals are granted minimum necessary access based on their job functions. It helps implement the principle of least privilege and simplifies the provisioning and de-provisioning of access based on roles. It is a scalable method to ensure granular access control and is convenient as the organization expands.
3. Conduct role-specific training
Ensure that each role understands the importance of using the granted permissions appropriately and the purpose of access reviews. Offer role-specific training to the reviewers, i.e., the functional managers and the IT admins, so they can review the access rights correctly.
4. Documentation is essential
Documentation of the access review process, policies, findings, audit logs, etc. is crucial for transparency and as a training tool to refine processes. Additionally, it serves as a historical record in case of an incident and as evidence during compliance audits.
5. Regularly review and update policies
Regular policy reviews and updates are essential to keep up with the digital landscape and organizational changes. It ensures that the policy is aligned with the business context and effectively keeps the organization resilient by incorporating improvements.
Challenges in conducting user access review
Access reviews, especially when done manually, can be slow and tedious, presenting immense challenges. Let’s look at some of the common challenges faced by organizations when conducting manual user access reviews:
Scope creep
Scope creep in access reviews means an increase over time in the number of items under review, due to the addition of systems, new permissions, a growing number of user roles, etc. It can happen because of poor planning, an urge to include everything in scope, and changing requirements, and it makes reviews inefficient.
Time and resource-extensive processes
Manual access reviews are time-consuming and resource-intensive. Creating new roles, mapping permissions to each, and verifying them individually can be an intensive exercise. The process is especially demanding in organizations with a large number of systems or complex sets of permissions.
Rubber stamping
Again, in the case of manual access reviews, rubber stamping is another common challenge. It means approving access permissions without verifying whether the access is necessary and appropriate. This happens under time constraints, a lack of context, inadequate training, etc., and leads to an ineffective access review program.
Employee discontent
Frequent access changes without any justification, lack of clarity, insufficient training, or overly restrictive access controls can dissatisfy employees. This can further create organizational challenges by hampering productivity and causing employees to leave.
Meeting various compliance requirements
If an organization is subject to various compliance standards, keeping up with varying access review requirements can be difficult. This can also increase the burden on engineering and compliance teams to ensure adherence and lead to continuous bandwidth issues.
You can solve all of these challenges associated with manual processes using an automation solution like Sprinto.