Before we get into what and how, let's clarify few terms. Access Review. Entitlement Review. Access Recertification. User Attestation. These are all different terms that IT and internal audit teams use interchangablity. Access reviews is way for organizations to maintain, uphold IT controls and comply with regulations. Not all companies have an internal audit team, but every company, no matter how small does some risk assessment. Many organizations are bound by regulatory requirements such as SOX, FFIEC, ISO 27001, PCI- DSS, HIPAA etc to undertake access reviews. When auditors review IT systems for compliance, they typically look for the proof of controls for following items :
- Access is created using principle of least privilege.
- Evidence for ongoing or periodic review of user entitlements (credentials and permissions)
- Ability to undertake remediation workflow and timely notification to application owners if access needs to be removed
- Generate proof of compliance reports for external auditors
How to do Access Recertification?
No matter the compliance standard, the process remains the same. Access reviews are an important part of a company’s security architecture when it comes to user account access to sensitive data. First step is to obtain the employees, vendor and contractor information from the system of record so it can serve as the single source of truth for identities. Second step is to extract different types of user accounts, service accounts and their entitlements across the systems, databases and folders in scope for the review. Privileged accounts need a special type of review treatment as their abuse can lead to significant damage. Thereafter, matched identities of users are send to their managers to review and attest. Any access remediation needs to happen post review.
What tools to use for Access Recertification?
Manual review is one way to do access reviews. However, enterprise application sprawl has expanded greatly. As per McAfee average enterprise has 464 custom applications deployed today. Okta’s research reveals an average of 129 SSO applications per company. Netskope has founds close to 1000 cloud services used per company. It takes weeks of data collection and then manual transformation followed by back and forth email communications asking managers to approve or reject access for their employees. Many companies use complex spreadsheets, SQL reporting and laborious manual cross-checking procedures but this is very time-consuming and often unreliable. Alternatively, companies can automate the entire process using either homegrown system or buying off the self governance software. Homegrown systems don’t scale well, get outdated pretty quickly and come at the expense of taking away development resources from revenue generating activities. The biggest advantages of going with off the shelf solution is it keeps up with standards and changes. Off the shelf software is a great way to go if organizations can plan around the total cost of ownership.
Customers across different industries are using SecurEnds SaaS product to automate access reviews. Outside of using connectors, our product an injest existing CSV files used in manual reviews. We have build a one size fit all connector that can extract data through SQL, script and API. These options help out customer achieve their common goal of building a high ROI solution that can mitigate risk and drive compliance efficiency. Many of our clients have already invested in Single Sign On (SSO) technologies like Okta or Azure AD, and are looking for a product that can be easily bolt-on to offer end to end identity management.
Abhi Kumar | LinkedIn