Why it’s Time to Democratize User Access Reviews
This article was originally featured on Cyber Security Magazine.
Most organizations that undergo quarterly, bi-annual or annual user access reviews (UARs) do so to adhere to regulatory compliance or corporate governance requirements. But as the cybersecurity threat landscape continues to grow rapidly, the lesser-known benefits of UARs – such as minimizing ransomware spread, reducing insider threats, and adhering to IT security best practices – are becoming appealing to companies that haven’t historically embraced UARs due to a lack of regulatory or corporate requirements.
Conceptually, conducting UARs on employee, contractor, and partner access rights, privileges and permissions to various IT resources provides many benefits irrespective of company size. No organization can truly understand the breadth and depth of its cyber risk profile if it lacks complete visibility into network assets and ‘who has access to what.’
Unfortunately, the complexity and cost inherent to operationalizing UARs to date has hindered widespread adoption beyond companies in highly regulated industries and large-scale or publicly traded enterprises with extensive budgets and resources.
Complexity hinders ubiquity
Even for the most streamlined organizations, the process of collecting a list of users, roles, and permissions across all systems then correlating user identities to accounts, assigning reviews to managers or application owners, and resolving or remediating all violations is anything but easy. The process is further complicated by the sprawl across cloud, custom, and enterprise applications that the typical enterprise deploys today.
Making matters worse, organizations conducting UARs have traditionally relied on either manual processes, internally developed software that lacks scalability, or expensive Identity and Access Management (IAM) solutions which may include superfluous features and are costly to implement and manage. Such solutions make it all but impossible for smaller, non-compliance-driven organizations to benefit from UARs.
However, the proliferating regulatory environment – both industry-specific and government-backed – combined with the prevalence of more frequent and sophisticated cyberattacks, has prompted a debate over whether user access reviews should become core to any organization’s defense-in-depth strategy, regardless of size, revenue, and regulatory burden.
The cost benefit of democratization
Although democratizing user access reviews sounds reasonable in theory, convincing smaller and unregulated organizations to invest in UARs is not easy, especially when financial penalties for noncompliance may not be a factor. Even organizations open to the idea of adopting UARs might argue that the costs outweigh the benefits for their business, or that limited financial resources are better spent on more specialized defenses such as email security or security awareness training.
While such arguments have some merit, they fail to acknowledge the utility of UARs beyond visibility into ‘who has access to what.’ Such lesser-known benefits of UARs include:
- Reduce ransomware impact – Continuous UARs can reduce the occurrence of ransomware stemming from the existence of orphan accounts (an account without a valid owner). By helping organizations remove terminated user accounts, including service accounts, UARs can reduce the potential spread and extent of ransomware across networks, applications, and devices. For example, were Colonial Pipeline to have had regular UARs in place, it is highly possible that the hackers who used a backdoor to access an orphan VPN account as an entry point to its systems could have been stopped before damages occurred.
- Relieve insider threats – Insider threats can be either malicious or non-malicious. A disgruntled employee with malicious intent and an over-privileged account can prove catastrophic to an organization from multiple perspectives (fraud or intellectual property theft to name a few). A non-malicious insider threat may involve an employee viewing data they should not have access to but without the explicit intention of damaging the organization. UARs address both by allowing organizations to enforce the principle of “least privilege” across all user and system accounts, ensuring users always have correct privileges.
- Adhere to security standards – ISO 27001 defines a set of standards and “best practices” for information security. Certification is highly advantageous for organizations seeking to ensure appropriate security safeguards are in place for their data. UARs specifically enable organizations to achieve ISO 27001 conformity by meeting the policy requirements of domain A.9, which require appropriate access controls to be established and routinely monitored.
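The review process described above (collect accounts, correlate identities, assign reviewers, remediate) and the orphan-account finding from the ransomware bullet, as an added example that is not part of the original article: a toy correlation of an HR roster against application account exports. All names, systems and roles are constructed sample data, and the join on email address and the role set treated as privileged are assumptions for illustration.

```python
"""Toy user access review (UAR) correlation: HR roster vs. application account exports."""

# Constructed HR roster: identity -> employment status and manager (assumption: email is the join key).
HR_ROSTER = {
    "alice@example.com": {"status": "active", "manager": "dana@example.com"},
    "bob@example.com": {"status": "terminated", "manager": "dana@example.com"},
    "carol@example.com": {"status": "active", "manager": "erin@example.com"},
}

# Constructed account exports from two systems, as collected in the first step of a UAR.
APP_ACCOUNTS = [
    {"app": "crm", "account": "alice", "email": "alice@example.com", "roles": ["sales_rw"]},
    {"app": "crm", "account": "bob", "email": "bob@example.com", "roles": ["sales_rw"]},
    {"app": "vpn", "account": "svc-backup", "email": None, "roles": ["vpn_user"]},
    {"app": "vpn", "account": "carol", "email": "carol@example.com", "roles": ["vpn_admin"]},
]

# Application owners review accounts that cannot be routed to a people manager.
APP_OWNERS = {"crm": "frank@example.com", "vpn": "grace@example.com"}

# Roles the organization treats as privileged and re-certifies every cycle (assumed set).
PRIVILEGED_ROLES = {"vpn_admin", "sales_admin"}


def classify(acct, roster, privileged):
    """Return (finding, identity) for one account record."""
    identity = roster.get(acct["email"]) if acct["email"] else None
    if identity is None:
        return "orphan", None            # no valid owner in HR: unknown user or unowned service account
    if identity["status"] != "active":
        return "terminated", identity    # owner has left; the account should already be disabled
    if privileged & set(acct["roles"]):
        return "privileged", identity    # live owner, but elevated rights need explicit re-certification
    return "routine", identity


def build_review_items(accounts, roster, owners, privileged):
    """Correlate every account to an identity and assign a reviewer (manager or app owner)."""
    items = []
    for acct in accounts:
        finding, identity = classify(acct, roster, privileged)
        reviewer = identity["manager"] if identity else owners[acct["app"]]
        # Orphan and terminated findings default to revoke; a reviewer must actively keep them.
        default = "revoke" if finding in ("orphan", "terminated") else "certify"
        items.append({"app": acct["app"], "account": acct["account"], "finding": finding,
                      "reviewer": reviewer, "default_action": default})
    return items


if __name__ == "__main__":
    for item in build_review_items(APP_ACCOUNTS, HR_ROSTER, APP_OWNERS, PRIVILEGED_ROLES):
        print(item)
```

Real exports will need per-system normalization (usernames rather than emails, nested group memberships), but the shape of the output, one item per account with a finding, a reviewer and a default action, is what lets the review be assigned and tracked to closure.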
It’s a disadvantage to continue to pigeonhole UARs as security safeguards only relevant to organizations within highly regulated industries or those that are publicly traded. The good news for businesses that are interested in UARs but lack the time, money, and resources to implement them with any regularity is that recent innovations have helped automate the process. In doing so, much of the cost and manual-labor burden has been reduced.
In an era increasingly defined by cybercrime, the burden to reduce risk falls squarely on an organization’s ability to implement the most up-to-date safeguards. While the democratization of UARs certainly won’t eliminate cyber threats completely, it would represent significant progress in the right direction.