Systems Periodic User Access Review

Overview:

 

Every organisation has employees that have been employed from the start and have probably worked within a number of different departments in a number of different roles. They would know a considerable amount about the company’s systems and processes, which makes them valuable employees.  However, as they may have access to sensitive data, it also makes them a potential security threat.  A periodic user access review can help mitigate this risk.

Reviewing user access from time to time should be an essential part of access management.  If the systems in use record and capture important and sensitive information, then it is a prudent policy to review user access rights and may be imperative due to IT security compliance regulations.

A user access review is part of the user account management and access control process, which involves a periodic review of user accounts, account access rights and privileges.  This may include a review and/or re-evaluation of User Access Roles, their access rights and privileges and the login credentials provided to users of the system. During the review, it’s important to pay special attention to user accounts of employees who have worked in the organisation for a long time, recently changed their position, acquired new responsibilities, or left the company.

Reviewing user access mitigates a wide range of cybersecurity issues:

  • Excessive access privileges (privilege creep)
  • Mistakes with user role and account configuration
  • Access abuse and misuse
  • Outdated security policies
  • And more…

Why is it important to review access rights?

The purpose of a user access review is to reduce the risk of a security breach by limiting access to critical data and resources. The lack of a periodic review can expose the sensitive data contained within a system to possible abuse which can be exploited (for example) by a disgruntled ex-employee. Preventing situations like this is one of the reasons to conduct a user access review. It also mitigates threats such as the following: 

Privilege creep. This can happen when employees obtain access to lots of sensitive data during the time they work for an organisation.  New privileges appear when employees gain new responsibilities and access rights, but privilege creep happens when old access rights aren’t revoked.  During an access review, a system administrator or dedicated security officer, brings user access rights into sync with users’ current roles.

Excessive privileges. In a perfectly secure world, access privileges can be granted only to users that need them only to do their jobs. In reality, permanent access is often granted when an employee needs access just once or may (or may not) need it in the future. A timely review helps to revoke unneeded user access rights.

Access misuse and employee mistakes. According to Verizon’s 2019 Data Breach Investigations Report, 15% of data breaches happen because of access and data misuse. Unintentional mistakes by employees were the cause of 21% of security threats in 2018. A user access review helps to limit access and, therefore, reduce the possibility of a costly mistakes. 

Insider threats. The key danger of ‘insiders’ comes from the fact that they have access to sensitive data and know about security measures implemented within the organisation.  An insider threat is: 

“the potential for an individual who has or had authorised access to an organisation’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organisation”.

Insider threats can be partially mitigated by revising and restricting access according to the principle of least privilege.

Apart from mitigating cybersecurity threats, conducting a user access review is also an essential step in complying with most IT requirements. These might include:

  • Identifying, monitoring, and authenticating administrator and 3rd party access
  • Access via the authentication system, which includes two-factor authentication, one-time passwords and assigning a unique ID to each person with computer access
  • Monitoring and controlling all privileged user access
  • Monitoring and logging all users’ access
  • Monitoring and tracking all access to sensitive data
  • Providing an access policy and report tool to get the evidence to forensics and investigators if needed
  • Enabling authentication on servers and monitoring remote access sessions
  • Logging backdoor sessions
  • Logging all user activity and activity on servers and monitoring USB ports
  • Providing incident response via session replay, event logs, user blocking, and USB device blocking
  • Providing the possibility to view monitored data in offline mode via export to a protected file (without installation of additional software)

Best practices for reviewing user access

  • Create and update an access management policy        • Provide temporary access instead of permanent
  • Create a formalised review procedure                            • Involve employees and management
  • Implement role-based access control                             • Explain the goals & importance of the review
  • Implement the principle of least privilege

1. Create and update an access management policy 

An access management policy is a must for any organisation and should include:

  • a list of data and resources you need to protect
  • a list of all user roles, levels, and their types of access
  • controls, tools, and approaches to secure access
  • administrative measures and software used to implement the policy
  • procedures for granting, reviewing, and revoking access

Creating a policy is a one-time activity, but updating it as your organisation grows is equally important. Make sure you document any changes in protected data, user roles, and access control procedures.

2. Create a formalised review procedure

A written procedure is part of an access management policy. This procedure should:

  • establish a schedule for reviews
  • identify responsible security officers
  • set a period for notifying employees
  • define a period for reporting and contents of the report

Formalising all those aspects helps you make access review a continuous process and maintain standards.

3. Implement role-based access control (RBAC)

This access control model allows for creating user roles for positions instead of configuring each user’s account individually. Each role is assigned a list of access rights. RBAC speeds up a user access review because, with this model in place, you can review roles instead of separate profiles.

Role-based access is easy to set up and manage: you can add users with similar privileges to groups and manage their privileges in a few clicks.

4. Implement the principle of least privilege

This principle dictates that users should have access to data only if they absolutely need it. The fewer privileges a user has, the less time you need to spend reviewing them. The principle of least privilege is required by IT security standards.

This principle is easily implemented: new users have a minimum number of access rights or privileges by default. An administrator can assign a user to a privileged user role by adding them to a specific group or can provide constant or temporary access to resources.

5. Provide temporary access instead of permanent

How often do you provide access to a user who needs it only once or twice?  During an access review, revoking such access rights takes a lot of time. Whenever possible, it’s best to use features like one-time passwords instead of assigning a user a new role or granting permanent access rights.

Another option for providing temporary access is to implement just-in-time privileged access management (PAM). This approach is based on granting access only when users need it to complete their jobs and revoking it when the task is finished.

FileMaker Systems can implement both approaches and allows for manual or automated provisioning of one-time passwords. The manual procedure requires administrator approval. This helps to secure the most protected data and verify each access attempt. The automatic procedure allows you to define hours when a temporary password can be generated without approval (for example, during working hours).

Lightweight PAM functionality helps to manage privileges of users or user groups according to their needs. With PAM functionality setting up, configuring, and reviewing a user profile takes only a few minutes. 

6. Involve employees and management

Employees usually see cybersecurity measures as interfering with their daily work. By involving employees in the review, you can speed up the process and show them why it’s important. For example, you can send out lists of access rights to users and their managers and ask them to point out what resources they no longer need to access.

7. Explain the goals and importance of a review

Communicating with employees is vital for cybersecurity. If employees don’t understand why it’s important to implement a certain practice or use a specific tool, there’s a high chance they’ll find a way not to comply. That’s why you need to communicate the principles and importance of access management to your employees during cybersecurity training.

Conclusion

Conducting a user access review is an essential component of the access management process.  It reduces the risk of a data breach and mitigates a wide range of security issues, but the review itself can be time-consuming and slow down work processes.  However, you can take your access management to another level, as this solution provides:

  • role-based access control to configure user roles instead of configuring each account
  • an access request and approval workflow to ensure granular and secured access
  • control over privileged accounts and sessions to secure remote sessions
  • continuous monitoring and alerts to respond to security violations in real time

 

2021 ADS|IJP| PeriodicUserAccessReview_ 20211122