Four Common Mistakes to Avoid When Running User Access Reviews


With the increased adoption of SaaS and IaaS applications and a growing mobile and distributed workforce, maintaining security and compliance through periodic user access reviews has become a priority for most companies. The ultimate goal is to review sensitive or high risk access in a timely fashion to lower standing permissions and achieve least privilege, but there are few common mistakes that have setback many companies on that journey.

Here are four common mistakes made when running user access reviews that you should try to avoid:

1. Overlooking Local Accounts and Service Accounts

Local accounts and shared service accounts can present a significant security risk when they’re missed in a user access review. These accounts are frequently overlooked, especially if access is only being inspected through the SSO provider. Yet, they can have significant privileges as they are commonly used to perform maintenance, to integrate systems, or for other sensitive administrative tasks. These accounts are also frequently targeted by cyber criminals as they allow attackers to gain sensitive access and they are not always well monitored.

To mitigate cybersecurity attacks, these accounts should be resolved to an account owner in the HR or IdP directory to allow for appropriate monitoring.

2. Not Running Timely Reviews

When collecting application data in preparation for user access reviews, time is of the essence. These snapshots have a shelf life: employees join, change jobs, or leave all the time. When inactive accounts appear in audit reports after their deactivation date, it creates auditor distrust of your business processes. Avoid this mistake by using automation to collect data in as near real-time as possible.

3. Not Providing Security Context

User access reviews may be performed by a diverse set of users, technical or non-technical, throughout your company. The more context these individuals have during user access reviews, the more likely you will achieve your desired security outcomes.

Group memberships present a challenge because it’s hard to tell why a group was created, for who, what it’s being used for, and what the downstream access implications are. The same is true for permissions and roles within an application. It may not be clear why and how the user received access in the first place. To avoid confusion or multiple back and forth conversations, context on the permission, group, and identity should be provided to each reviewer up front so they can understand the scope and justification for re-approving access.

4. Not Using Automation

Without automation, you will have to manually build spreadsheets and stitch together data from your HR system and each application to map users, identities, and permissions. You’ll also have to find each manager who needs to review, create a separate spreadsheet for them, and follow up constantly. You could use a ticketing system to help you reach reviewers, but this still results in frequent high-touch, follow-up communications and the need to reconcile all of the data into one location. Ticketing can also fall short when it comes to collecting structured input and providing a forum for real-time collaboration and shared context building. Overall, without automation, you have to rely heavily on processes and tools that don’t scale well and weren’t purpose built for user access reviews

To avoid this mistake, consider using an automation tool. With automation, you should be able to connect all of your applications with off-the-shelf integrations, build and apply access certification policies, automate the reviewer process, present it with rich context and risk-based analysis, and report back to auditors with a simple download — all in less than half the time it takes you to do it manually. It’s important to make sure that the automation experience is as user-friendly and intuitive as possible, so every stakeholder can participate effectively and efficiently.

Automating the access review process enables you to save time and reduce effort, but the end goal is to achieve a state of least privilege, meet compliance requirements, and improve security.

Now that you can avoid these common mistakes, learn more about the best practices of running a user access review in this guide.

10 Best Practices for Conducting Modern User Access Reviews

Download Guide