What are User Access Reviews?
- Access Review.
- Entitlement Review.
- Access Recertification.
- User Attestation.
These are all different terms that IT and internal audit teams use interchangeably. Conducting access reviews allows organizations to maintain and uphold IT controls and to comply with regulations. Not all companies have an internal audit team, but every company, no matter how small, does some risk assessment. Many organizations are bound by regulatory requirements such as SOX, FFIEC, ISO 27001, PCI-DSS, HIPAA etc. to undertake access reviews.
When auditors review IT systems for compliance, they typically look for proof of controls from the following items:
- Access is granted using the principle of least privilege.
- Evidence of ongoing or periodic review of user entitlements (credentials and permissions).
- Ability to run a remediation workflow and notify application owners in a timely manner when access needs to be removed.
- Ability to generate proof-of-compliance reports for external auditors.
How are User Access Reviews done?
No matter the compliance standard, the process remains the same. Access reviews are an important part of a company’s security architecture when it comes to user account access to sensitive data.
The first step is to obtain employee, vendor and contractor information from the system of record so it can serve as the single source of truth for identities.
The second step is to extract the different types of user accounts, service accounts and their entitlements across the systems, databases and folders in scope for the review.
Privileged accounts need a special type of review treatment, as their abuse can lead to significant damage. Matched identities of users are then sent to their managers to review and attest. Any access remediation needs to happen after the review.
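The three steps above (identity source of truth, account and entitlement extraction, matching and routing to managers) can be illustrated with a small script. The code below is an added example and is not SecurEnds code; the identities, accounts, system owners and the list of entitlement names treated as privileged are constructed sample data, and the name-variant matching (email local part, "firstlast", "flast") is a simplified stand-in for a real product's matching logic.

```python
"""Minimal user-access-review pass: join extracted accounts to the identity
source of truth, flag orphaned and terminated-user accounts, and build
per-manager review items with a second reviewer for privileged access."""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Identity:          # one row from the system of record (HR, vendor list)
    name: str
    email: str
    manager_email: str
    active: bool


@dataclass(frozen=True)
class Account:           # one credential extracted from an in-scope system
    system: str
    username: str
    entitlements: tuple


# Constructed sample data: which entitlement names count as privileged and
# who owns each system (the second-tier reviewer for privileged access).
PRIVILEGED_ENTITLEMENTS = {"admin", "root", "domain admins", "db_owner"}
SYSTEM_OWNERS = {"ad": "ad-owner@corp.example", "crm": "crm-owner@corp.example"}


def _norm(text):
    """Lower-case and strip separators so 'Jane.Doe' and 'jane_doe' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def build_index(identities):
    """Map several normalized spellings of each identity to that identity."""
    index = {}
    for ident in identities:
        parts = ident.name.split()
        first, last = parts[0], parts[-1]
        for key in {_norm(ident.email.split("@")[0]),   # email local part
                    _norm(first + last),                # firstlast
                    _norm(first[0] + last)}:            # flast
            index.setdefault(key, ident)                # first identity wins on collision
    return index


def run_review(identities, accounts):
    """Return (review items keyed by manager email, findings needing remediation)."""
    index = build_index(identities)
    tasks = defaultdict(list)
    findings = []
    for acct in accounts:
        ident = index.get(_norm(acct.username))
        if ident is None:
            # No identity behind the credential: orphan or unowned service account.
            findings.append(("orphan", acct.system, acct.username))
            continue
        if not ident.active:
            # Leaver still holding an account: remove rather than recertify.
            findings.append(("terminated", acct.system, acct.username))
            continue
        privileged = any(e.lower() in PRIVILEGED_ENTITLEMENTS for e in acct.entitlements)
        tasks[ident.manager_email].append({
            "system": acct.system,
            "username": acct.username,
            "identity": ident.email,
            "entitlements": list(acct.entitlements),
            "privileged": privileged,
            # Privileged access also needs the application owner's attestation.
            "second_reviewer": SYSTEM_OWNERS.get(acct.system) if privileged else None,
        })
    return dict(tasks), findings


# Constructed sample input.
IDENTITIES = [
    Identity("Jane Doe", "jane.doe@corp.example", "mark@corp.example", True),
    Identity("Bob Smith", "bob.smith@corp.example", "mark@corp.example", False),
]
ACCOUNTS = [
    Account("hr-db", "jdoe", ("read",)),
    Account("ad", "jane.doe", ("Domain Admins",)),
    Account("crm", "bsmith", ("admin",)),
    Account("fileserver", "svc_backup", ("root",)),
]

if __name__ == "__main__":
    tasks, findings = run_review(IDENTITIES, ACCOUNTS)
    for manager, items in tasks.items():
        print(manager)
        for item in items:
            print("  ", item)
    print("findings:", findings)
```

The output gives each manager a list of accounts to attest, with privileged ones carrying a second reviewer, and a separate findings list (orphans and terminated users) that goes straight to remediation instead of attestation.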
What tools are used for User Access Reviews?
Manual review is one way to do access reviews. It takes weeks of data collection and manual transformation, followed by back-and-forth email communication asking managers to approve or reject access for their employees. Many companies use complex spreadsheets, SQL reporting and laborious manual cross-checking procedures. This is very time-consuming and often unreliable. Alternatively, companies can automate the entire process using either a homegrown system or off-the-shelf governance software. Homegrown systems don’t scale well, get outdated quickly and come at the expense of taking development resources away from revenue-generating activities. The biggest advantage of going with an off-the-shelf solution is that it keeps up with standards and changes. Off-the-shelf software is a great way to go if organizations plan around the total cost of ownership.
Customers across different industries are using the SecurEnds SaaS product to automate User Access Reviews. Besides using connectors, our product can ingest the existing CSV files used in manual reviews. We have built a one-size-fits-all connector that can extract data through SQL, scripts and APIs. These options help our customers achieve their goal of a high-ROI solution that can mitigate risk and drive compliance efficiency. As a SaaS product, updates are easily pushed to instances and additional applications can be added for review automation, making scaling easy. Many of our clients have already invested in SSO such as Okta or Azure AD and are looking for a product that can be easily bolted on to offer end-to-end identity management.
SecurEnds Credential Entitlement Management (CEM)
Identity Repository: CEM includes a database that serves as the single primary data source of users. SecurEnds can connect with multiple disparate systems of record to streamline user management across employees, vendors and contractors.
Match Users: Built-in pattern matching using fuzzy logic to map identities to user credentials across enterprise applications, cloud applications and custom applications.
Identity Mind Map: A visual representation of identities, applications, credentials and entitlements. This layout gives an identity-centric view across applications and entitlements. It enables administrators or auditors to search by individual user and see all associated applications and the permissions within each on a single page, with the option to export.
Entitlement Mind Map: A graphical representation of identities, applications, credentials and entitlements. This layout gives an entitlement-centric view across applications and identities. Search by entitlement name to review all endpoints that include that specific entitlement and all credentials that have access to it, with the option to export.
Campaign Workflow: Schedule periodic, one-time or delta reviews. A multi-tier approval process across a single application or groups of applications. Manage the campaign lifecycle, including delegation.
Automated Reminder Email: Emails are sent automatically at a specified frequency to reviewers who have pending reviews.
Escalation Email Templates: Automated email escalations for outstanding incomplete reviews are sent to the reviewer and the reviewer’s manager at the desired frequency as the deadline approaches.
Email Audit: All emails sent to and from the SecurEnds platform are tracked, stored and accessible with a date and timestamp. All communication can be viewed and filtered by user, date etc.
Campaign Report: Visibility into historical review campaigns, filterable by timeline, application, campaign or compliance scope. Reports can be created, configured and presented in an auditor-approved format. Reports include the names of associated campaigns, usernames, user emails, manager names, manager emails, reviewer names, reviewer emails, the result of the review, the date and time of the review, the credential reviewed, the entitlement reviewed, all notes associated with the review, and the ticket ID auto-generated after the review.
Campaign Effectiveness Report: Automated reconciliation of requested and executed access changes resulting from User Access Reviews. Drill down to provide visibility into all pending reviews, changes requested, and changes executed.
Modern User Interface: Allows business owners to create and manage certification campaigns and send notifications to the appropriate parties.
Access Fulfillment: Post-review access fulfillment through email notification and direct integration with standard service ticketing systems.