Manual User Access Reviews are Scary
Written by: Abhi Kumar
It’s that time of year again—Halloween! And what could be more frightening than a manual user access review? User access review is an essential component of the access management process. It helps organizations meet compliance mandates for SOX, FFIEC and HIPAA audits, and it reduces the risk of a data breach by ensuring every user account is maintained according to the principle of least privilege. However, many companies continue to rely on manual User Access Reviews, which have a high likelihood of failure. There is nothing more ghoulish than an external auditor finding that a terminated user still has access to a system. It is common knowledge that cyber-ghouls and cyber-goblins frequently attack financial institutions such as banks, loan services, investment firms, credit unions, and brokerage firms by taking over exactly these terminated user accounts, dormant user accounts and over-provisioned user accounts.
A masquerade ball is the pinnacle of every Halloween festivity: friends and family dress up in costumes, and it’s anybody’s guess who is behind the mask. Manual Access Reviews are not much different. It is anyone’s guess whether the employees, contractors, or third-party vendors have the right access controls. Let’s talk about the additional reasons that make them scary.
1. They Consume Time
Manual User Access Reviews are incredibly time-consuming: for the person who must collate the user data from different identity sources and applications, for the line managers or application owners who have to painstakingly review whether each account has the right access, and for the internal team that must create evidence for the auditors who review the results. On average, a manual user access review can take up to three days to complete—and that’s just for one application! If you have multiple applications in scope for an annual SOX or ISO 27001 audit, the process can quickly become unmanageable.
2. They Are Not Scalable
Manual evaluations of user access do not scale effectively. As the number of applications in scope increases, or as the company grows inorganically through acquisition, so too does the amount of time and resources required to collect the data, map identities to credentials, and complete the review of user access in accordance with best practice. Without a scalable access certification process in place, the security and compliance team will not keep up with the regulatory processes the business must comply with as it grows.
3. They Are Vulnerable to Human Error
Manual user access evaluations are susceptible to mistakes because they are done by people. This means the results of a manual user access review can be inconsistent and may not accurately reflect the true access of different types of users, or the segregation-of-duties conflicts, across today’s hybrid applications. It is common knowledge that manual user certification leads to certification fatigue, which in turn leads to rubber stamping. Rubber stamping happens when reviewers are inundated with repetitive user entitlement reviews that must be done by hand, without any checks and balances. To get through the reviews and get back to their real work, they simply approve the users’ current entitlements as they stand.
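The collate, map and review steps described above are what an automated certification does in code. The following is an added example, not code from the article or from SecurEnds: it joins a constructed HR roster to a constructed application account export and flags orphaned accounts, accounts of terminated users, dormant accounts, and a hypothetical segregation-of-duties rule, so none of these findings depends on a reviewer's attention span. The identities, entitlements, dates and rule are all constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the article): an HR roster keyed by identity
# and one application's account export with entitlements and last-login dates.
HR_ROSTER = {
    "alice": {"status": "active", "dept": "finance"},
    "bob": {"status": "terminated", "dept": "finance"},
    "carol": {"status": "active", "dept": "it"},
}
APP_ACCOUNTS = [
    {"user": "alice", "last_login": date(2023, 10, 20),
     "entitlements": {"ap_invoice_create", "ap_invoice_approve"}},
    {"user": "bob", "last_login": date(2023, 6, 1), "entitlements": {"ap_invoice_create"}},
    {"user": "carol", "last_login": date(2023, 3, 1), "entitlements": {"read_only"}},
    {"user": "svc_batch", "last_login": None, "entitlements": {"admin"}},  # never logged in
]
# Hypothetical segregation-of-duties rules: entitlement sets one person must not hold together.
SOD_RULES = [
    ({"ap_invoice_create", "ap_invoice_approve"}, "can both create and approve invoices"),
]
REVIEW_DATE = date(2023, 10, 31)  # constructed date of the certification run


def review_access(hr, accounts, sod_rules, today, dormant_days=90):
    """Return (user, category, detail) findings: orphan, terminated, dormant, sod."""
    findings = []
    for acct in accounts:
        user, ents, last = acct["user"], acct["entitlements"], acct["last_login"]
        person = hr.get(user)
        if person is None:  # account with no identity behind it
            findings.append((user, "orphan", "no matching identity in HR roster"))
        elif person["status"] != "active":  # leaver still holding an account
            findings.append((user, "terminated", f"HR status is {person['status']}"))
        if last is None:
            findings.append((user, "dormant", "never logged in"))
        elif (today - last).days > dormant_days:
            findings.append((user, "dormant", f"last login {(today - last).days} days ago"))
        for combo, label in sod_rules:
            if combo <= ents:  # every entitlement in the toxic set is held
                findings.append((user, "sod", label))
    return findings


def summarize(findings):
    """Per-category counts, the headline figure a reviewer attaches as audit evidence."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts
```

Running `review_access(HR_ROSTER, APP_ACCOUNTS, SOD_RULES, REVIEW_DATE)` on the sample data yields one SoD finding, one terminated user, three dormant accounts and one orphan; the per-user findings, not a blanket approval, are what a reviewer then acts on.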
4. They Make It Hard to Collaborate Across Different Stakeholders
Excel is not designed for sharing data among users, yet we find Excel is one of the leading tools for doing reviews. In a typical campaign, the campaign owner first collects the application and entitlement data from different application owners in various departments. Often the only way to get this information is to send files back and forth via e-mail or IM. Consolidating data from these different files is very slow. As the number of reviews grows, so does the number of Excel spreadsheets, which severely impacts annual audit readiness because the audit evidence is spread over multiple sources.
5. They’re morale killers
User Access Reviews require employees to perform repetitive tasks. People take pride in their skills and career experience. However, when an inordinate amount of time must be spent on mundane tasks, employees burn out. Low productivity across the organization, high turnover, and the loss of the most capable talent are just a few of the drawbacks of manual user access reviews.
6. They’re expensive
Organizations assume that because they already have employees on hand, they can use them to perform manual User Access Reviews. As the regulatory landscape expands, financial institutions are under greater pressure to be more expansive, more accurate, and to maintain better proof of compliance. Building this kind of visibility and oversight is far more expensive when done by employees.
All in all, manual User Access Reviews are scary, and let this Halloween be a reminder that they don’t have to be. There are alternatives available that automate the process and make it much easier to manage. SecurEnds SaaS Credential Entitlement Management is one such alternative. With SecurEnds, CISOs and security/compliance teams can easily manage applications with off-the-shelf integrations, create a centralized identity repository, build access certifications of different types, automate the reviewer process, and create audit-friendly reports for internal and external users. So, this Halloween, don’t be scared of manual user access reviews—be scared of what could happen if you don’t automate them!
As the regulatory landscape expands, financial institutions are under greater pressure to be more accurate, maintain better documentation, and observe reconciliation. This requires the kind of visibility and oversight that only automated processes can offer. User Access Reviews are an important part of maintaining compliance with SOX. By automatically reviewing user access on a regular basis, organizations can ensure that only authorized users have access to sensitive data. This not only protects the data from unauthorized users but also helps prevent fraud and abuse. Automated user reviews also improve the efficiency of the review process: by reviewing user access on a regular basis, auditors can identify and correct issues in a timely manner. As a result, automating User Access Reviews helps improve compliance and the overall security of an organization.