Access requests are requests made by users, or on behalf of a user, to gain access to specific resources or systems. These requests may be for access to data, applications, networks, or other digital resources. Access requests are typically made by employees, contractors, or authorized users of a request system who require specific resources in order to perform a job function.
Why are access requests necessary?
Access requests are necessary because they provide a way for organizations to grant incremental privileges and permissions outside of birthright access. They are a necessary control that gives IT teams the ability to ensure that team members are productive and have the necessary user accounts, entitlements, and permissions to do their job. From a security standpoint, access requests help companies move towards a great security posture by moving away from over-permissioning users when they join the company or a role.
Take an example: an engineer joins AcmeCo. Instead of granting significant permissions across the company's GitHub workspace and AWS production environment on day one, specific repository permissions and AWS production roles can be carved into a self-service access request workflow. This reduces the data the user can access on day one, minimizing the risk of a data breach, while still letting the user escalate privileges to that data when needed.
Important components of access requests
Access requests are typically handled by an access request process, which is a set of procedures and workflows that are used to manage and approve or deny access. The process typically involves the following steps:
- Request: A user or system makes an access request, typically by submitting a form or using an online portal. As a best practice, users should be authenticated by the IdP using typical authentication methods to verify their identity before allowing for a request.
- Approval or Denial: The access request is reviewed by relevant stakeholders (e.g. administrators, system owners, managers, and/or security teams) to determine if the request is valid and if the user or system should be granted access. If the request is deemed valid, the administrator approves the request. If the request is not valid, it is denied. Typically templates or policies are used to standardize the approval flows required for resources and apps based on various classifications.
- Provisioning: Provisioning may come in various flavors. Ideally, provisioning happens automatically through system APIs and/or changes to the access management system. For certain systems and use cases full automation may not be possible, in which case manual steps or follow-on tickets may be necessary.
- Audit and monitoring: The administrator audits the access request and monitors the access of the user or system. This makes it easier to identify and investigate unauthorized access attempts, which helps prevent security breaches and other malicious activity. Access requests also help organizations keep up to date with compliance requirements and enforce the principle of least privilege. Staying current with changes in access protects sensitive data and information by preventing unwanted users from gaining access.
Each of these components is an essential element of a strong access request regime that ensures only authorized users get access to new systems and resources.
How are access requests and access controls related?
Access requests refer to the process of requesting access to specific resources or systems which typically involves a user making a request for access to a specific resource. The request is reviewed, approved or denied, and then provisioned.
Access control is a broader term used to describe the overall set of technical and administrative controls used to manage access in an organization. Access requests may be a component of access control, but access controls are broader. They may include, but are not limited to, user access reviews, usage-based access revocation, just-in-time access, network-level access policies, and more.
User experience best practices
Increasingly, users work in diverse technology environments and on the go: they collaborate in Slack and Microsoft Teams, use cloud services, and interact with their helpdesk. Best practices for end users are:
- Leverage collaboration suites: users are already in Slack and Microsoft Teams, so access requests should integrate seamlessly with these tools.
- Leverage the helpdesk / service desk: most companies have existing portals and workflows built into their helpdesk for triaging and processing access requests.
- Context for approvals: to prevent rubber-stamping, approvers should be given context on what is being requested and the cost and data security implications of granting access.
While not exhaustive, this minimal set of capabilities will ensure that access requests are usable, accessible, and streamlined for employees.
Security considerations
Great access request systems and policies will allow users to discover which apps or entitlements they may want, and to request them directly. In this self-service model, administrators need to be thoughtful to:
- Automate the lifecycle of access: automation of provisioning and deprovisioning reduces the likelihood of errors.
- Configure access policies: ensuring that the correct approvals take place before access is granted is paramount to enforcing appropriate security measures on any requested access.
- Capture full audit trails: attribution of approvals, provisioning steps, and justification is essential to ensuring that access grants can be inspected and justified.
- Limit time frame of access: not all access needs to be permanent. Supporting temporary access through just-in-time provisioning and deprovisioning can limit the footprint of sensitive access granted to employees.
- Perform certifications on access: user access review (UAR) certifications should be performed on entitlements that provide access to sensitive customer data, are important to security, and/or are in-scope for compliance.
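The four-step process described earlier (request, approval or denial, provisioning, audit and monitoring) and the self-service safeguards just listed (lifecycle automation, access policies, full audit trails, time-limited access), as an added example in Python that is not part of the original article: a small in-memory access-request system. The policy table, resource names, approver roles and user names are all constructed for illustration, and the set of "authenticated users" stands in for the IdP session check the article recommends before a request is accepted.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy table (hypothetical resource names): required approver roles and max grant duration.
POLICIES = {
    "github:repo:acme-web": {"approvers": {"repo-owner"}, "max_hours": 24 * 30},
    "aws:role:prod-admin": {"approvers": {"manager", "security"}, "max_hours": 8},
}

@dataclass
class AccessRequest:
    request_id: int
    requester: str
    resource: str
    justification: str
    hours: int
    status: str = "pending"  # pending -> approved -> provisioned -> expired, or denied
    approvals: set = field(default_factory=set)
    expires_at: Optional[datetime] = None

class AccessRequestSystem:
    def __init__(self, authenticated_users):
        self._authenticated = set(authenticated_users)  # stands in for the IdP session check
        self._requests = {}
        self.audit_log = []  # every state change, with the actor who caused it

    def _audit(self, event, actor, request_id, **extra):
        self.audit_log.append({"event": event, "actor": actor, "request_id": request_id, **extra})

    def submit(self, requester, resource, justification, hours):
        """Step 1 (Request): an authenticated user asks for a policy-governed resource."""
        if requester not in self._authenticated:
            raise PermissionError("requester has not authenticated to the IdP")
        policy = POLICIES.get(resource)
        if policy is None or hours > policy["max_hours"] or not justification.strip():
            raise ValueError("unknown resource, duration over policy maximum, or missing justification")
        req = AccessRequest(len(self._requests) + 1, requester, resource, justification, hours)
        self._requests[req.request_id] = req
        self._audit("submitted", requester, req.request_id, resource=resource, justification=justification)
        return req.request_id

    def review(self, request_id, approver, role, approve):
        """Step 2 (Approval or Denial): one approval per required role; any denial is final."""
        req = self._requests[request_id]
        policy = POLICIES[req.resource]
        if req.status != "pending":
            raise ValueError("request is no longer pending")
        if approver == req.requester:
            raise PermissionError("requesters cannot approve their own requests")
        if role not in policy["approvers"]:
            raise PermissionError(f"role {role} cannot approve {req.resource}")
        if not approve:
            req.status = "denied"
            self._audit("denied", approver, request_id, role=role)
            return req.status
        req.approvals.add(role)
        self._audit("approved", approver, request_id, role=role)
        if req.approvals == policy["approvers"]:  # every required role has signed off
            req.status = "approved"
        return req.status

    def provision(self, request_id, now):
        """Step 3 (Provisioning): grant access with an expiry, so the grant is just-in-time."""
        req = self._requests[request_id]
        if req.status != "approved":
            raise ValueError("only fully approved requests can be provisioned")
        req.status = "provisioned"
        req.expires_at = now + timedelta(hours=req.hours)
        self._audit("provisioned", "automation", request_id, expires_at=req.expires_at.isoformat())
        return req.expires_at

    def has_access(self, user, resource, now):
        # Effective access is a provisioned, unexpired grant for this user and resource.
        return any(r.requester == user and r.resource == resource and
                   r.status == "provisioned" and now < r.expires_at
                   for r in self._requests.values())

    def deprovision_expired(self, now):
        """Step 4 (Audit and lifecycle): revoke expired grants and record each revocation."""
        revoked = []
        for req in self._requests.values():
            if req.status == "provisioned" and now >= req.expires_at:
                req.status = "expired"
                self._audit("deprovisioned", "automation", req.request_id)
                revoked.append(req.request_id)
        return revoked

def demo():
    """Walk one constructed request through the whole lifecycle."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    system = AccessRequestSystem(["alice", "bob", "carol"])
    rid = system.submit("alice", "aws:role:prod-admin", "on-call for an incident", hours=4)
    system.review(rid, "bob", "manager", approve=True)     # still pending: security sign-off missing
    system.review(rid, "carol", "security", approve=True)  # now approved
    system.provision(rid, t0)
    during = system.has_access("alice", "aws:role:prod-admin", t0 + timedelta(hours=1))
    system.deprovision_expired(t0 + timedelta(hours=5))
    after = system.has_access("alice", "aws:role:prod-admin", t0 + timedelta(hours=5))
    return during, after, [e["event"] for e in system.audit_log]
```

Calling `demo()` returns `(True, False, ['submitted', 'approved', 'approved', 'provisioned', 'deprovisioned'])`: the engineer holds the production role only inside the approved window, and every approval, provisioning step and automatic revocation lands in `audit_log` with the actor responsible, which is what makes a later user access review or incident investigation possible.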
Summary
Access requests are requests made by users to gain access to specific resources or systems. The workflow that occurs after each request is in place to ensure that access is only granted to the necessary users. Access requests help organizations to meet their security objectives, such as maintaining the confidentiality, integrity, and availability of the information, and to protect their reputation and assets.