What is Access Review? How to do Access Review?

Many organizations are bound by regulatory requirements such as SOX, FFIEC, ISO 27001, PCI- DSS, and HIPAA etc to undertake User Access Reviews. When auditors review IT systems for compliance, they typically look for the proof of controls for following items:

Access is created using principle of least privilege.

Evidence for ongoing or periodic review of user entitlements (credentials and permissions)

Ability to undertake remediation workflow and timely notification to application owners if access needs to be removed

Generate proof of compliance reports for external auditors.

How to do Access Recertification?

No matter the compliance standard, the process remains the same Access Reviews. are an important part of a companys security architecture when it comes to user account access to sensitive data. 

First step is to obtain the employees, vendor and contractor information from the system of record so it can serve as the single source of truth for identities. 

Second step is to extract different types of user accounts, service accounts and their entitlements across the systems, databases and folders in scope for the review Privileged accounts. need a special type of review treatment as their abuse can lead to significant damage. Thereafter, matched identities of users are sending to their managers to review and attest. Any access remediation needs to happened post review.

What tools to use for Access Recertification?

Manual review is one way to do access reviews. However, enterprise application sprawl has expanded greatly. As per McAfee average enterprise has 464 custom applications deployed today. Okta's Research reveals an average of 129 SSO applications per company. Netskope has founds close to 1000 cloud services used per company. It takes weeks of data collection and then manual transformation followed by back and forth emails communications asking managers to approve or reject access for their employees. Many companies use complex spreadsheets, SQL reporting and laborious manual cross-checking procedures but this is very time-consuming and often unreliable. Alternatively, companies can automate the entire process using either homegrown system or buying off the self governance software. Homegrown systems dont scale well, get outdated pretty quickly and come at the expense of taking away development resources from revenue generating activities. The biggest advantages of going with off the shelf solution are it keeps up with standards and changes. Off the Shelf Software is a great way to go if organizations can plan around the total cost of ownership.

Read More: 

https://medium.com/@SecurEnds/what-is-access-review-how-to-do-access-review-217174f8859

https://www.securends.com/how-to-automate-user-access-reviews/