Security practitioners are no strangers to long, manual processes - especially the kind that are neglected for so long that they end up in the abyss of the backlog.
Recent news has put more companies in the security hot seat, facing scrutiny over this exact situation. From poor security practices to continued use of overlooked, outdated software, companies can inadvertently and easily leave their digital doors open to cyber criminals. One of the most fundamental, yet often challenging, tasks is managing a potentially overwhelming number of access grants to critical information and production infrastructure.
While it’s easy to point the finger, it’s harder to solve the problem. Neglected access reviews are probably more common than anyone would care to admit. In fact, one study reports that 83% of employees continue to access their former employers' digital accounts and that 74% of employers have been negatively impacted by an employee breaching their digital security.
In the spirit of security and safety, it’s time we change that.
What is an access review?
Security Boulevard defines access reviews as “periodic reviews of who has access privileges to the digital assets in your organization.” A review also looks at what level of access each person holds and whether there is still a good enough reason for them to hold it.
By performing consistent, frequent reviews, you are taking preventative measures to reduce your attack surface, protect vital information, and ensure that temporary or excessive privileges, which accumulate over time into what is known as “privilege creep,” are actually revoked. So, where do companies typically go wrong?
For the most part, companies are pretty good at performing an access review for a “leaver,” i.e. someone leaving the company.
Here’s where it gets muddy: imagine your manager assigns you a task and grants you access to the tools you need to complete it. You finish the task and everyone moves on. Now multiply that by many similar tasks, assigned across teams, over time. If your organization does not complete periodic access reviews to revoke excess access, you’ll likely end up with a large share of employees holding standing access to critical systems they no longer need.
With such massive potential consequences, you’d think an access review would be a more common occurrence.
Why aren’t they happening?
The trouble with access reviews is that they’re often hard to perform.
- Heavy manual effort: The person leading access reviews is in for a lot of manual, time-intensive work. In addition to requesting and collecting access data from every team by hand, the leader has to review each team’s data set and make sure the whole process finishes within a reasonable time frame. That means continuously chasing team leads who are lagging behind so the review can actually be completed.
- Quality and quantity of data: Too much data, and there’s a lot to sift through. Too little, and you’re stuck with an incomplete view of the big picture and an inability to make an informed decision about whether the access is needed or not.
- Timeliness: After reviewing the data, it’s important that the access is actually revoked. It’s not uncommon for this part of the process to be delayed, overlooked, or deprioritized in favor of seemingly more critical security matters.
- Alignment with auditor expectation: Compiling all your data and how it was collected in a format that your auditors expect and are happy with can be quite a challenge.
- Misleading results: If done incorrectly with incomplete or error-ridden data, your access review can lead you to have a false sense of security, only to be exploited down the line.
In the end, compliance frameworks and audits can only do so much. Only the business can know who does and does not deserve access, and only if it stays diligent about maintaining that knowledge. The key is to create a process that mostly maintains itself.
3+1 best practices for effective access reviews
- Set a standard for frequency and detail that works for your organization: At a minimum, you should be conducting access reviews once a year. Some organizations choose to conduct quarterly reviews, some monthly or even weekly. Either way, the frequency that balances sustainability against security is unique to your organization.
Part of establishing a frequency is creating an inventory and description of all the information you need to conduct your review. This could include an inventory of your assets, a description of access levels, or the level of detail you expect to see.
- Involve managers and communicate the importance of access reviews: The best way to ensure your managers are diligent about conducting reviews is to communicate why they matter. Involving employees in the review cycle also opens a dialogue they are comfortable with and surfaces the common issues and roadblocks that get in the way of consistent reviews.
- Create event-based processes: Whether an employee is leaving your company or a vendor is being added, a default, repeatable process that triggers a review on such events, with clear expectations for who does what, is crucial to ensuring reviews get done.
Executing these three best practices ensures a solid foundation for your organization’s access review. However, we have a bonus one: automation. By automating where possible, you maximize productivity and efficiency while reducing both the opportunity for human error and the time and effort required.
Access reviews at the speed of light with JupiterOne
While access reviews are notoriously cumbersome, they nonetheless need to be a priority. JupiterOne tackles your access review woes in two ways:
- Visibility: Quickly understand how many people have access and who they are with the Insights Dashboard for User Access
- Criticality: Use aforementioned visibility and context to your advantage and prioritize alerts by access level to production and/or customer data
As stated above, having a repeatable and accurate access review process starts with having comprehensive visibility into your cyber asset universe. This context is critical for understanding which assets and systems face the most scrutiny, which assets are a priority if compromised, and even which users hold the most risk.
If you don’t know something, just ask JupiterOne! The Questions feature in JupiterOne allows you to understand your asset configurations and user access in natural language. Choose from out-of-the-box questions like the ones shown below or create your own custom query to fit your desired level of detail, IAM systems, and more.
- Who has admin access to production resources? Of those users, who has access to customer data or other critical data?
- Did we remove all access from employees that left?
- Which non-active Okta users have other active accounts?
For continuous monitoring and automated review, configure your queries as an alert to get notified of access changes.
Use the out-of-box User Access Insights Dashboard or create your own dashboard to get an up-to-date snapshot of access to production, admin users by account, team, system, and more. We even have reporting views specific to individual users, managers, and business units!
Ditch the manual coordination and conversation. With JupiterOne, you can streamline your access review process by quickly querying your data from one central location and receiving comprehensive results within seconds.