10 Best Practices for Conducting User Access Reviews
Modern companies have unique security needs driven by the demands of a mobile, distributed workforce and high adoption of SaaS and IaaS applications. In this white paper, you’ll find a set of best practices to help your company stay secure and compliant by reducing unnecessary access, in as near real-time as possible.
What are User Access Reviews?
User Access Reviews are a compliance and security control that mitigates over-privilege. The process requires managers and/or system administrators to periodically certify that users have the correct levels of access. The end result is that your workforce, contractors, partners, and service accounts have the correct permissions and that unnecessary access is removed in a timely fashion.
There is no standard frequency for running User Access Reviews. How often they run, and what is reviewed, is typically driven by external compliance requirements, internal security goals, and the practical capacity limits imposed by the significant effort needed to orchestrate them. In general, most companies run user access reviews at least quarterly and/or on certain events, such as a change in job or role. A periodic cadence tends to be manageable for most companies and creates a consistent “train” onto which you can execute reviews.
While the mechanics, frequency, and in-scope systems and access will vary for every company, there are some best practices you can follow to make the process quicker and easier.
Access Review Best Practices
1. Document your system inventory & owners
Start by documenting the systems in scope. You will need to work with internal security and external audit teams to gain alignment on this. For external compliance frameworks such as SOX, PCI, and SOC2, any system that houses sensitive customer data, production infrastructure, financial information, or identity information, or that is otherwise essential to the function of your business, is almost certainly in scope for review.
Once you’ve defined which systems are in scope, identify the application or system owner for each of them. For modern enterprises, these systems are increasingly administered outside of IT. IT may be responsible for system uptime, procurement, authentication, and SSO configuration, but they may not own user lifecycle, permission management, or role definition for access. It’s not uncommon, for example, for R&D organizations to own source code repositories, a sales operations team to own the CRM, and the HR team to own the HRIS solution. System owners have the knowledge of what levels of access and discrete permissions are available in the system, who should have access, and why. Identifying the correct system owners will help downstream when performing reviews, coordinating data extracts, handling deprovisioning requests, and interfacing with engineering teams to build automation.
2. Identify critical permissions and entitlements
With a system inventory in place, you’ll need to go a level deeper and determine what access, permissions, entitlements, or group memberships will require review. Scale this effort by developing a schema to tag roles, groups, and permissions within applications. This schema should consider risk and compliance frameworks and is essential for quickly building user access review campaigns. When considering groups or teams in your applications, be sure to also document what permissions, access, or entitlements these memberships grant. This can be complicated, particularly if you are a heavy user of groups as group memberships can have complex authorization implications. The additional context of what is granted from a group or team membership is essential information when asking reviewers to evaluate whether or not a user should be in a group.
3. Automate application data collection
Automate as much of the process of collecting data for access reviews as possible. Without automation, you will have to manually build spreadsheets and stitch together identities and permissions across systems. Many modern applications support the download of identity and access data, which can help alleviate some of this burden. If you are fortunate enough to have security or IT engineering teams that can support automation efforts, engage them to develop data extraction automation scripts that can export the data into an easily consumable format.
Building data extract automation will require help from the system owners and/or from your IT team. System owners tend to have the administrative privileges required to either fulfill population report requests or to provide credentials to the automation engineering team for script development. There is no perfect answer for which systems to focus on first. Prioritize integrations based on the greatest time and effort savings, which is generally a combination of the pain to extract the data, volume of identity and permission information in the system, and frequency of the access reviews.
Use the extracted application data to build a database of identities, access, groups, and permissions that will serve as the source for the user access reviews. Time is of the essence on user access reviews. Inactive or removed accounts appearing in audit reports after their deactivation date create headaches and auditor distrust of your business processes. Data extracted from applications has a shelf life, and modern access reviews should run against data that is as close to real time as possible.
4. Define your review policy
Modern user access reviews push decision making to those in the best position to make the decision. Increasingly, companies are moving away from direct manager review for all user access and towards leveraging the app owner, resource owner, or entitlement owner for the reviews. If not overly onerous, you can also first require a self-review for certain types of access. Users can self-assert whether some types of access are still essential for their current job or whether they are actively using the access on a regular basis. From an audit and security standpoint, another set of eyes is still needed for these access reviews. However, self-reviews can substantially reduce the amount of work required of app and resource owners and lead to improved outcomes.
For each of the entitlements and systems identified as in-scope, GRC and security teams should identify the review plan. Considerations:
- Who are the reviewers and in what order should reviews take place
- If managers cannot be identified easily, who should provide the fallback review
- Is a justification required for ongoing access
- Can reviewers delegate the review to another person, and if so, who
Generally, these rules can be pre-packaged into a set of common policies for access reviews and applied across the various systems.
5. Cross reference local accounts with directories
Identity is messy. Local accounts and accounts not connected to SSO exist everywhere. Applications can create identities just-in-time from inbound federation. Permissions can be granted based on upstream groups or attributes. When running access reviews, it is essential to review all in-scope accounts within the applications, and to resolve each one, whenever possible, to a centralized directory: your cloud Identity Provider (IdP), your HR system, or ideally both, reconciled against each other.
Give additional consideration to non-human or service accounts, and to accounts that exist only locally in the application. If user access reviews miss these accounts, they remain available as entry points for a malicious actor and pose a significant security risk to the organization.
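The following script is an added example that is not part of the original white paper and not ConductorOne's code. It shows steps 3 and 5 end to end on constructed data: two hypothetical application exports (a source-code system keyed by login with team-based grants, and a CRM with local usernames) are flattened into a single review population, every account is resolved against a constructed IdP/HRIS directory, and each row carries the reviewer, the entitlement, and the system-owner-documented meaning of any team membership. All names, e-mail addresses, team grants, owner addresses, and service-account prefixes are invented for the example. The triage at the end separates rows a human should certify from rows that should never reach a reviewer: access still held by a terminated user (revoke immediately) and accounts that cannot be tied to any identity (escalate to the system owner).

```python
"""Added example: build a normalized review population from constructed
application exports and resolve each account against a central directory."""
import csv
import io
from dataclasses import dataclass, field
from typing import Optional

# --- Constructed sample inputs (fabricated for this example, not real data) --

# Central directory as an IdP or HRIS export would provide it.
DIRECTORY_CSV = """email,employee_id,status,manager
alice@example.com,E100,active,carol@example.com
bob@example.com,E101,terminated,carol@example.com
carol@example.com,E102,active,
"""

# Source-code system export: accounts keyed by login, access granted via teams.
SCM_CSV = """login,email,role,teams
alice,alice@example.com,member,platform;release
bob,bob@example.com,admin,platform
ci-bot,,member,release
"""

# CRM export: local usernames, not SSO-linked, so there is no email column to join on.
CRM_CSV = """username,profile
alice@example.com,Sales Ops Admin
dana.local,Report Viewer
svc-integration,API Only
"""

# What each team membership actually grants, as documented by the system owner
# (hypothetical values). This is the context a reviewer needs to judge a membership.
SCM_TEAM_GRANTS = {
    "platform": "write to production infrastructure repositories",
    "release": "publish release artifacts",
}

# Fallback reviewer per system when no manager can be resolved (hypothetical).
SYSTEM_OWNERS = {"scm": "eng-lead@example.com", "crm": "salesops-lead@example.com"}
SERVICE_ACCOUNT_PREFIXES = ("svc-", "ci-")   # assumed naming convention


@dataclass
class ReviewItem:
    system: str
    account: str
    identity: Optional[str]   # directory email, or None when unresolved
    reviewer: str
    entitlement: str
    context: str
    flags: list = field(default_factory=list)


def load_directory(text: str) -> dict:
    """Index directory rows by lower-cased email."""
    return {r["email"].lower(): r for r in csv.DictReader(io.StringIO(text))}


def resolve(account: str, email: Optional[str], directory: dict, system: str):
    """Map one application account to a directory identity and a reviewer.
    Returns (identity, reviewer, flags)."""
    flags = []
    if account.lower().startswith(SERVICE_ACCOUNT_PREFIXES):
        flags.append("service_account")
    entry = directory.get((email or account).lower())
    if entry is None:
        # Not in the directory: local-only or orphaned. Route to the system owner.
        flags.append("unresolved")
        return None, SYSTEM_OWNERS[system], flags
    if entry["status"] != "active":
        flags.append("terminated")
    return entry["email"], entry["manager"] or SYSTEM_OWNERS[system], flags


def build_review_population(directory_csv=DIRECTORY_CSV, scm_csv=SCM_CSV, crm_csv=CRM_CSV):
    """Flatten every in-scope account and entitlement into ReviewItem rows."""
    directory = load_directory(directory_csv)
    items = []
    for row in csv.DictReader(io.StringIO(scm_csv)):
        identity, reviewer, flags = resolve(row["login"], row["email"], directory, "scm")
        items.append(ReviewItem("scm", row["login"], identity, reviewer,
                                f"role={row['role']}", "direct role assignment", list(flags)))
        for team in filter(None, row["teams"].split(";")):
            items.append(ReviewItem("scm", row["login"], identity, reviewer, f"team={team}",
                                    SCM_TEAM_GRANTS.get(team, "grant not documented"), list(flags)))
    for row in csv.DictReader(io.StringIO(crm_csv)):
        identity, reviewer, flags = resolve(row["username"], None, directory, "crm")
        items.append(ReviewItem("crm", row["username"], identity, reviewer,
                                f"profile={row['profile']}", "local CRM profile", list(flags)))
    return items


def triage(items):
    """Split the population into what needs a human decision and what does not."""
    buckets = {"auto_revoke": [], "escalate": [], "review": []}
    for it in items:
        if "terminated" in it.flags:
            buckets["auto_revoke"].append(it)   # leaver still holds access
        elif "unresolved" in it.flags:
            buckets["escalate"].append(it)      # owner must identify or remove
        else:
            buckets["review"].append(it)
    return buckets


if __name__ == "__main__":
    for name, group in triage(build_review_population()).items():
        print(name)
        for it in group:
            print(f"  {it.system}:{it.account} {it.entitlement} -> {it.reviewer} "
                  f"[{it.context}] {it.flags}")
```

Two design points carry over to real exports. First, the join key is whatever the application gives you (an e-mail for SSO-linked accounts, the raw username for local ones), and anything that does not resolve is a finding in its own right rather than a row to quietly drop. Second, a team membership is expanded into a row whose context field is the owner's description of what the team grants, so the reviewer certifies the effect of the membership, not just its name.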
6. Provide context
One of the biggest challenges of user access reviews, particularly when performed by managers or non-system owners, is to understand the implications of the access, permission, or membership that is being reviewed. Almost all SaaS and cloud IdPs allow for the automated provisioning of access or permissions based on group membership. While a powerful tool for granting access, it can be painful when attempting to review the grant as the downstream authorization implications may not be clear. Conversely, when reviewing a grant of a granular permission, it can be challenging to understand why and how the user received that access in the first place. Ideally, access reviews provide context on the permission, group, or access and a deeper level of context on the identity as well.
7. Engage employees where they work
Modern workforces are spending less time in email and more time in real-time collaboration apps such as Slack. A campaign manager will need a communication strategy for reaching reviewers and answering any questions that arise. Ticketing systems can alleviate some of this work, and many companies still rely on them heavily to distribute user access review work. Most ticketing systems provide due date and assignment functionality, which affords some useful out-of-the-box capabilities. However, ticketing can fall woefully short when it comes to collecting structured input and providing a forum for real-time collaboration and shared context building. Modern companies are leveraging tools such as Slack channels to create shared forums for reviewers. These forums provide real-time, two-way collaboration channels. Send reminders on a regular cadence and augment them with ongoing communication about the status of the reviews via email and Slack.
8. Define your review schedule and triggers
It’s important to define the schedule for user access reviews to ensure you are meeting your security and compliance goals, and to get buy-in from supporting teams so they can resource the effort appropriately. You will need to manage a schedule of when user access reviews should take place and what the scope of the reviews should be. Companies may choose to review certain types of access or identities on a particular schedule, to ensure full periodic coverage. If there is a compelling event for access reviews, such as a recent job change, ideally one-off user access reviews can be executed.
9. Educate your team
In a perfect world, access reviews are intuitive and user friendly enough not to require training. Regardless of your solution for user access reviews, you will want to build a knowledge base of questions and consider providing basic directions to reviewers. An FAQ can usually do the trick. One-pagers and video tutorials go even further to provide context and a quick understanding of the process for employees.
10. Start with a goal in mind
User access reviews are a tool to help your company stay compliant and reduce standing privilege. As a tool, they can be used in many ways, so it’s important to consider what success looks like for your program.
From a compliance point of view, reporting and traceability are essential. Your auditors will want to see reporting on the reviews that were performed, a strong answer for the completeness and accuracy of the data used for the reviews, and evidence that non-certified access was deprovisioned in a timely fashion. They’ll want proof of application populations at the time of the access reviews to ensure that nothing was missed. A high level of rigor and paperwork is needed to ensure that your compliance-driven access reviews meet the bar.
With all user access reviews, the ultimate goal is to review sensitive or high risk access in a timely fashion to ensure that it is removed, if unnecessary. Leadership will want to see that these access reviews are helping make the company more secure by lowering standing permissions for high risk access.
ConductorOne: Access Review Automation for the Modern Workforce
A user access review program is an essential tool for security and GRC teams to help their companies stay compliant and secure. The proliferation of SaaS and IaaS applications, and the permutations of permissions and access within them, can make managing them unwieldy. Without automation, most companies rely heavily on processes and tools that do not scale well, such as spreadsheets, tickets, and constant high-touch follow up and communication. At ConductorOne, we believe modern workforces require modern solutions for identity and permission management. We help companies meet their compliance and security objectives with a quick time-to-value and an experience that users love and understand.
Want to learn more about our identity security platform for modern workforces?
Chat with us.
