What Are User Access Reviews
User access reviews (UARs) are a process used to evaluate and validate the access rights and permissions granted to employees, contractors, or other users within critical systems and infrastructure. Helping to enforce the principle of least privilege, access reviews ensure that users have appropriate access to resources based on their roles and responsibilities.
User access reviews may include reviewing numerous SaaS, IaaS, and on-prem systems, but most admins limit the scope of these reviews to their critical infrastructure containing their most sensitive internal and customer data due to manual processes and bandwidth limitations. Reviews are typically executed on an ongoing basis, such as quarterly or semi-annually, to ensure information and identity security. Because they only provide a look at one point in time, they should ideally be run on a more frequent basis.
User access reviews are intended to pinpoint and evaluate:
- Who has access to what
- What level of access each user has
- Which users’ access is authorized and approved
- What needs to be remediated or removed
Overall, access reviews are conducted to increase security posture while ensuring that the right people have access to the right resources.
User Access Reviews: Security & Compliance Implications
The ultimate goal of access reviews is to enhance security. UARs make sure all user permissions are reviewed and corrected in the case of inappropriate access, over privilege, non-usage, or orphaned accounts.
Accurately assessing a company’s access ensures that only essential access is retained for each individual employee and account. In the case of sensitive infrastructure, just having visibility into and understanding of access rights can significantly reduce the security risk associated with insider threats or identity-centric breaches. The latter is particularly concerning because an identity can easily be compromised, giving unauthorized users access to sensitive systems or resources.
During an access review, administrators and managers review and verify the access privileges assigned to each user account. This typically involves examining the user’s access rights, such as permissions, privileges, group memberships, and other entitlements, across various systems and applications. The objective is to identify any excessive or inappropriate access that may have been granted, and to remove or modify the access rights as needed.
Access reviews are also a core component of achieving compliance – whether compulsory or voluntary. Some common compliance and security frameworks include:
- SOX: The Sarbanes-Oxley Act is a federal law enacted to establish new requirements for public companies and firms, including provisions for financial reporting and internal access controls.
- SOC2: System and Organization Controls reports are used to evaluate the effectiveness of a service organization’s controls related to security, availability, processing integrity, confidentiality, and privacy.
- HITRUST: The Health Information Trust Alliance is a certification framework for managing and protecting sensitive healthcare information through a standardized approach to managing security and compliance.
- ISO 27001: ISO 27001 is an international standard for information security management systems (ISMS) which provides a framework for organizations to establish, implement, maintain, and continually improve their information security practices.
- GLBA: The Gramm-Leach-Bliley Act is a US federal law which requires financial institutions to ensure the privacy and security of their customers’ personal information.
- PCI DSS: The Payment Card Industry Data Security Standard aims to enhance security for consumers by setting guidelines for any company that accepts, stores, processes, or transmits credit card information and credit card transactions.
Compliance regulations, such as these, dictate how often organizations are required to perform access reviews and enforce the principle of least privilege to secure a company’s critical systems.
The Problem with Manual UARs
Access reviews play a critical role in ensuring that access to systems, applications, and data is appropriate, authorized, and aligned with regulatory requirements and organizational security policies. The problem is that without automation, UARs are manual, time-consuming, and oftentimes unscalable. Cloud-forward companies today run on countless SaaS and IaaS applications, and each app has its own set of users and permissions – this further increases the complexity of UARs.
According to Zippia, an average of 110 SaaS applications are used per organization in 2021, up from an average of just 8 in 2015. When you consider the growing number of applications, your employee user base, and multiple roles or permissions available per app, you’re left reviewing upwards of one hundred thousand access grants.
The manual access review process can be broken down into four major steps, taking 12 weeks or more in total.
The process starts out with manually building spreadsheets and stitching together data from your HR system, identity SSO provider (IdP), and each application to map users, identities, and permissions. The spreadsheet can be duplicated and separated out to send off to each manager or application owner who needs to review access. Using a ticketing system helps with organization at this step, but you’ll still need frequent high-touch, follow-up communications with each reviewer to get complete and accurate information. Reviewers might have trouble understanding the data if there is a lack of context, and ticketing often falls short when it comes to collecting structured input and providing a forum for real-time collaboration. The data must be reconciled back together in one central location and changes must be made manually by each application admin – leaving a lot of room for human error.
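The stitching step above (HR roster, IdP sign-in data, and per-application entitlements joined into one view) is where the four findings a review is meant to surface (inappropriate access, over-privilege, non-usage, orphaned accounts) actually fall out of the data. The following script is an added illustration, not ConductorOne's code or any product's export format; the HRIS, IdP, entitlement and role-baseline records are constructed inline, and the 90-day staleness window and the role-to-entitlement baseline are assumptions a review owner would set.

```python
"""Reconcile HRIS, IdP and application entitlement data into access-review findings.

Added example; the data below is constructed, not exported from any real system.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HRIS roster: employment status, job role and manager per person.
HRIS = {
    "alice": {"role": "engineer", "status": "active", "manager": "dana"},
    "bob": {"role": "finance", "status": "active", "manager": "dana"},
    "carol": {"role": "engineer", "status": "terminated", "manager": "dana"},
}

# Constructed IdP view: account name -> last successful sign-in.
# "svc-backup" exists in the IdP but has no HR record.
IDP = {
    "alice": date(2024, 5, 1),
    "bob": date(2024, 1, 3),
    "carol": date(2024, 4, 20),
    "svc-backup": date(2023, 11, 2),
}

# Constructed per-application entitlements: app -> account -> set of permissions.
GRANTS = {
    "payroll": {"bob": {"viewer", "approver"}, "alice": {"viewer"}},
    "aws": {"alice": {"developer"}, "carol": {"admin"}, "svc-backup": {"admin"}},
}

# Assumed role-to-entitlement baseline, i.e. what each role is approved to hold.
# Anything a person holds beyond this is flagged for the reviewer.
BASELINE = {
    "engineer": {"aws": {"developer"}},
    "finance": {"payroll": {"viewer", "approver"}},
}

SAMPLE_TODAY = date(2024, 5, 15)   # review date used for the sample run
STALE_DAYS = 90                    # assumed non-usage threshold


@dataclass(frozen=True)
class Finding:
    app: str
    user: str
    kind: str     # "orphaned", "unused" or "over_privileged"
    reviewer: str  # who should certify or remediate this grant
    detail: str


def review(hris, idp, grants, baseline, today, stale_days=STALE_DAYS):
    """Join the three data sources and return one Finding per problem grant."""
    findings = []
    for app, accounts in grants.items():
        for user, perms in accounts.items():
            hr = hris.get(user)
            # Orphaned: the account holds access but nobody in HR owns it,
            # or the owner has left. Routed to the app owner, not a manager.
            if hr is None or hr["status"] != "active":
                why = "no HR record" if hr is None else f"status={hr['status']}"
                findings.append(Finding(app, user, "orphaned", f"owner:{app}", why))
                continue
            reviewer = hr["manager"]
            # Non-usage: the identity has not signed in within the window.
            last = idp.get(user)
            if last is None or (today - last).days > stale_days:
                age = "never" if last is None else f"{(today - last).days} days ago"
                findings.append(Finding(app, user, "unused", reviewer, f"last sign-in {age}"))
            # Over-privilege: permissions beyond what the role baseline allows.
            extra = perms - baseline.get(hr["role"], {}).get(app, set())
            if extra:
                findings.append(Finding(app, user, "over_privileged", reviewer,
                                        f"beyond role {hr['role']}: {sorted(extra)}"))
    return findings


def split_by_reviewer(findings):
    """Group findings the way the spreadsheet would be split out per reviewer."""
    packets = {}
    for f in findings:
        packets.setdefault(f.reviewer, []).append(f)
    return packets


def run_sample():
    return review(HRIS, IDP, GRANTS, BASELINE, SAMPLE_TODAY)


if __name__ == "__main__":
    for reviewer, items in split_by_reviewer(run_sample()).items():
        print(f"== review packet for {reviewer}")
        for f in items:
            print(f"  {f.app:8} {f.user:11} {f.kind:16} {f.detail}")
```

The join deliberately checks the HR record first: a grant with no living HR owner cannot be certified by a manager, so it goes to the application owner, while usage and privilege checks only make sense for accounts that do have an owner. Replacing the constructed dictionaries with real HRIS, IdP and application exports is the manual work the surrounding text describes; the reconciliation logic itself does not change.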
Overall, without automation, you have to rely heavily on processes and tools that don’t scale well. Typically, the level of effort required forces most companies to prioritize reviewing access for only the most sensitive applications, and only a few times a year.
Running User Access Reviews with Automation
Automation is key to reducing the effort and time it takes to complete access reviews. Automating access reviews allows you to connect in real time to your identity provider(s), HRIS, SaaS, IaaS, on-prem, and custom applications to manage and review all identities, accounts, and access grants from one central location. With automation, the user access review process can take an average of one to two weeks.
At ConductorOne, we provide this deep level of automation to help our customers quickly and accurately run user access reviews. On average, ConductorOne is able to save 90% of the time and effort companies previously spent on manual reviews. By eliminating manual effort for data collection, certification compilation, notifications, access changes, and access change verification, ConductorOne customers reduce UARs to an online certification workflow for end users. Because the effort required to run UARs is so minimal, they can move to more “just in time” access reviews that are smaller and more incremental.
How to Get Started with User Access Reviews
Whether you’ve fully embraced automation or you’re just starting on the journey, here are a few resources to help you get started.
- User Access Review Toolkit: Best for those who are just starting the manual UAR process, this toolkit provides email and spreadsheet based templates for streamlining and conducting your user access reviews in an organized manner.
- 10 Best Practices for User Access Reviews: If you want to get deeper into the do’s and don’ts of user access reviews, follow these 10 simple best practices for a more successful campaign.
- Product Tour for Full Automation: Thinking about investing in a purpose-built tool for automating user access reviews? Check out the interactive product tour to walk through the process of creating, scoping, running, and reporting on a user access review campaign with ConductorOne.
A user access review program is an essential tool for companies to stay compliant and secure. The proliferation of SaaS and IaaS applications, and the permutations of permissions and access within them, can make managing them unwieldy. Without automation, most companies rely heavily on processes and tools that do not scale well – such as spreadsheets, tickets, and constant high-touch follow-up and communication. At ConductorOne, we believe modern workforces require modern solutions for identity governance. We help companies meet their compliance and security objectives with a quick time-to-value, and an experience that users love and understand.
Want to learn more about our identity security platform for modern workforces? Chat with us.