User access reviews (UARs) are a security- and compliance-driven control for reducing standing privileges and confirming that users retain only the appropriate levels of access. User access reviews may cover many SaaS applications, but most companies limit their scope to critical systems and resources that contain customer data and are essential to running the business. Access reviews are typically run on a regular cadence, such as quarterly or semi-annually, so that access stays aligned with what each user actually needs.
Why run UARs?
The ultimate goal of UARs is to enhance security. UARs ensure that accounts and privileges are reviewed and corrected in cases of inappropriate access, over-privilege, or unused access. Accurately assessing the company’s access ensures that only essential access is retained for each individual employee. This reduces the security risk associated with insider threats and identity-centric breaches. The latter is particularly concerning, because a compromised identity gives an unauthorized party whatever access that identity holds to sensitive systems or resources.
How do you run UARs?
User access reviews start by identifying accounts and levels of access within sensitive systems. The reviews themselves may be scoped to specific account types, for example service accounts. They could also be broader and more encompassing, such as evaluating all accounts within the system. Once the correct, in-scope accounts are identified, the access rights and permissions associated with each user are gathered. This may include roles, group membership, repository permissions, and so forth. Ultimately, the type of permission or access reviewed is a judgment call for the company’s security and compliance teams and is tailored to the system in question.
With accounts and access rights compiled, the list is generally augmented with additional data that may assist reviewers in making determinations about the appropriateness of access. This includes, but is not limited to:
- HR data about the person associated with the account, including job title, department, manager, and employment status
- Risk-based analysis of the appropriateness of the access, based on its sensitivity and on how common that level of access is for the job function, department, or team
- Access history and general usage of the specific resource or application
- Justifications for the access, such as working with a customer, project-based access requirements, and so forth
The individual reviews are executed once the UAR data is assembled. Reviewers for UARs may vary depending on the company’s security policy. These can include, but are not limited to, specific individuals, a team of people, the user’s manager, the application owner, the resource owner, or the application’s business owner. In some cases, it may be appropriate to first ask the account owner whether their access is still necessary before proceeding through the review process.
Once the UAR process is complete, the results and access decisions should be recorded for audit purposes, and the changes executed in the systems accordingly. These changes may be delegated to application owners or the helpdesk, with evidence captured afterward to confirm that every access change was made as decided. All of this information is typically captured and stored to satisfy future regulatory, compliance, and audit requirements.
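As an added illustration of the procedure above (not code from the original article), the script below joins a constructed application account export with a constructed HR feed, attaches the risk signals described earlier (inactive employee, unused access, sensitive role, role uncommon for the department, missing justification) and routes each row to the user’s manager or, for accounts with no HR record, to the application owner. The usernames, roles, dates and the 90-day staleness threshold are assumptions chosen for the example.

```python
from collections import Counter
from datetime import date

# Constructed sample export of accounts and roles from one sensitive application
ACCOUNTS = [
    {"user": "alice", "role": "admin", "last_login": date(2024, 5, 2), "justification": "platform on-call"},
    {"user": "bob", "role": "reader", "last_login": date(2023, 10, 1), "justification": ""},
    {"user": "carol", "role": "admin", "last_login": date(2024, 5, 30), "justification": ""},
    {"user": "svc-backup", "role": "admin", "last_login": date(2024, 6, 1), "justification": "nightly backup job"},
    {"user": "dave", "role": "reader", "last_login": date(2024, 4, 20), "justification": ""},
]

# Constructed sample HR feed keyed by username (service accounts have no record)
HR = {
    "alice": {"title": "SRE", "dept": "Platform", "manager": "erin", "status": "active"},
    "bob": {"title": "Analyst", "dept": "Finance", "manager": "frank", "status": "terminated"},
    "carol": {"title": "Account Manager", "dept": "Sales", "manager": "gina", "status": "active"},
    "dave": {"title": "Analyst", "dept": "Finance", "manager": "frank", "status": "active"},
}

REVIEW_DATE = date(2024, 6, 15)  # assumed date the review packet is generated


def build_review(accounts, hr, today, stale_days=90, sensitive=("admin",)):
    """Return one review row per account: HR context, risk flags and the reviewer to route to."""
    # Commonality signal: how many people in each department hold each role
    role_by_dept = Counter((hr[a["user"]]["dept"], a["role"]) for a in accounts if a["user"] in hr)
    rows = []
    for a in accounts:
        person = hr.get(a["user"])
        flags = []
        if person is None:
            flags.append("no_hr_record")  # service or orphaned account
        elif person["status"] != "active":
            flags.append("inactive_employee")  # leaver with standing access
        if (today - a["last_login"]).days > stale_days:
            flags.append("unused_access")
        if a["role"] in sensitive:
            flags.append("sensitive_role")
            if person and role_by_dept[(person["dept"], a["role"])] == 1:
                flags.append("uncommon_for_department")
            if not a["justification"]:
                flags.append("missing_justification")
        # Managers review their own reports; accounts without an HR record go to the app owner
        reviewer = person["manager"] if person else "application_owner"
        rows.append({"user": a["user"], "role": a["role"], "hr": person, "flags": flags, "reviewer": reviewer})
    return rows


def needs_attention(rows):
    """Users whose access a reviewer must explicitly decide on rather than approve by default."""
    return [r["user"] for r in rows if r["flags"]]
```

Calling `build_review(ACCOUNTS, HR, REVIEW_DATE)` yields the per-account rows; `needs_attention` lists the users that carry at least one flag, which is where reviewer time should go first.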
When do you conduct user access reviews?
At a minimum, broad-based and general UARs should be run on a quarterly basis for sensitive systems and resources. The practical cadence depends on the difficulty of extracting the data and on the limited human resources available to conduct reviews. Less frequent reviews may be necessary for many organizations depending on their access and security needs.
User access reviews may also be conducted just-in-time (JIT) for important events such as, but not limited to:
- Changes to job, department, employment status, or role for a user
- Changes to teams or project work
- In response to a security event for a system
In the above examples, a targeted access review can ensure that only appropriate levels of access are permitted throughout the company. In response to a security incident, a broad UAR can be used to identify potentially compromised accounts. These targeted reviews are essential to ensuring that compromised standing privileges do not spread further.
Summary
User access reviews are an essential security tool and best practice. They are mandated by most security frameworks, such as SOC 2, and are simply a powerful and effective security tool to ensure that users only retain the access they need for as long as they need it. All companies, small and large, should conduct regular user access reviews to prevent unauthorized access and protect against data breaches.