What is User Access Review?
User Access Review, also called a certification campaign, is the process of periodically re-evaluating whether each user's access is still appropriate. It is an important step in the user account management life cycle, and it is a core feature of most IDM or IAG tools available on the market.
Why is User Access Review performed?
· The Identity and Access Governance process recommends implementing User Access Review so that an organization's users (employees, contingent workers, contractors, vendors etc.) are granted the correct access to critical systems based on their job function, often following the least-privilege principle from the security guideline.
· It helps to achieve segregation of duties (SoD).
· It is a mandatory requirement for audits such as SOX, PCI DSS etc.
· It makes sure that no one holds unwanted access.
· It helps to find gaps in the request approval workflows, or human errors in manual approvals.
Does it solve the purpose?
There are a few known issues with User Access Review in general.
· Point-in-time data:
o User access review (UAR) is a process executed on point-in-time data. If anyone knows the kick-off date, he can avoid the process by raising a revoke request for his access and requesting it again just after kick-off.
o If anyone requests access to a critical system for a short time between two UAR cycles, the review will not capture it.
o Many systems work on JIT (just-in-time) access, where access is granted for a particular time frame; such access will also not be covered by the review.
· Completeness and accuracy: There are always questions about the data being reviewed; if its completeness and accuracy are not guaranteed, the review will not be meaningful. Two questions matter most here.
o Is the scoping correct?
o Is the data under the campaign accurate?
· Lack of metadata: It is often observed that the review line items lack metadata, such as a good description or flags (e.g. a risk score) that categorize the data.
· Rubber stamping: Since the reviews are heavily human dependent, they often become just extra work and an obligation for the reviewer, and the review can degrade into rubber stamping, or sometimes the incorrect removal of access.
How to make this process effective?
· Reduce manual request and approval: The access request process should be automated based on birthrights, ABAC, RBAC or PBAC. That reduces the scope of certification, since access is only granted by defined rules.
· Good orphan/rogue monitoring process: Ensure that no access is granted outside the defined process, and automate the removal of orphan or rogue access.
· Analytics-based approach: Machine learning should be used to find the outliers, and a review should be generated only for the outliers.
· Strengthen completeness and accuracy checks.
· The review should consider all access the user has or had during the cycle, including removed access. If any user had access that he should not have had, analyse the case to strengthen the request/approval process.
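As an added example (not part of the original post), the following Python script builds review line items from an access-event log over the whole campaign window rather than from a point-in-time snapshot, so it surfaces the cases described above: access revoked and re-requested around kick-off, short-lived JIT grants, and grants with no request behind them. The event format, user names, entitlements, request ids and dates are all constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Event shape: (user, entitlement, "grant" | "revoke", date, request_id);
# request_id None on a grant means it was given outside the request/approval workflow.

def build_review_items(events, cycle_start, cycle_end, snapshot_date):
    """One review line item per (user, entitlement) held at ANY point in the cycle;
    a point-in-time campaign would emit only the items with held_at_snapshot=True."""
    by_key = defaultdict(list)
    for user, ent, action, on, req in events:
        by_key[(user, ent)].append((on, action, req))
    items = []
    for (user, ent), evs in sorted(by_key.items()):
        holdings = []  # [granted_on, revoked_on or None, request_id]
        for on, action, req in sorted(evs, key=lambda t: t[0]):
            if action == "grant":
                holdings.append([on, None, req])
            elif holdings and holdings[-1][1] is None:
                holdings[-1][1] = on
        in_cycle = [h for h in holdings  # holdings overlapping the campaign window
                    if h[0] <= cycle_end and (h[1] is None or h[1] >= cycle_start)]
        if not in_cycle:
            continue
        items.append({
            "user": user, "entitlement": ent,
            "held_at_snapshot": any(h[0] <= snapshot_date < (h[1] or date.max) for h in in_cycle),
            "removed_in_cycle": any(h[1] and cycle_start <= h[1] <= cycle_end for h in in_cycle),
            "rogue": any(h[2] is None for h in in_cycle),  # some grant has no request behind it
        })
    return items

def missed_by_snapshot(items):
    """Line items a point-in-time campaign would never show the reviewer."""
    return [i for i in items if not i["held_at_snapshot"]]

# Constructed sample data: one campaign covering Q1 2024, snapshot taken on 1 March.
D = date
EVENTS = [
    ("alice", "prod-db-admin", "grant", D(2024, 1, 10), "REQ-101"),
    ("alice", "prod-db-admin", "revoke", D(2024, 2, 28), None),   # dropped before the snapshot
    ("alice", "prod-db-admin", "grant", D(2024, 3, 4), "REQ-150"), # re-requested after kick-off
    ("bob", "payroll-approve", "grant", D(2023, 11, 1), "REQ-040"),
    ("carol", "ledger-write", "grant", D(2024, 2, 1), None),       # no request: rogue grant
    ("dave", "prod-ssh", "grant", D(2024, 1, 15), "REQ-120"),      # JIT access, one day
    ("dave", "prod-ssh", "revoke", D(2024, 1, 16), None),
    ("erin", "old-app", "grant", D(2023, 1, 1), "REQ-001"),        # revoked before the cycle
    ("erin", "old-app", "revoke", D(2023, 6, 1), None),
]
CYCLE_START, CYCLE_END, SNAPSHOT = D(2024, 1, 1), D(2024, 3, 31), D(2024, 3, 1)
```

Running `build_review_items(EVENTS, CYCLE_START, CYCLE_END, SNAPSHOT)` yields four line items; the two returned by `missed_by_snapshot` (alice and dave) are exactly the ones a snapshot-based campaign would never put in front of a reviewer.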