Compliance policies need to keep up with cybercriminals. Regulatory demands on companies are growing, which in turn drives more audits, and a compliance audit makes IT staff nervous: you always hear of an audit described as a fire drill for the IT team. If you are a typical enterprise, you probably run a combination of AWS, Office 365, Google Drive, Active Directory, and SharePoint. The more IT sprawls across cloud, custom, and enterprise applications, the greater the risk profile for any IT audit, because access control becomes difficult to administer and manage. Internal and external auditors look for evidence of compliance with the controls that prevent security incidents.
One of the biggest issues that auditors discover is that application users are granted inappropriate access. This happens for several reasons. Most employees ask for more access than they need to do their job, which leads to excessive privileges. A typical product or service company is in a mad rush to innovate and deliver newer products and services, and in the haste to meet project timelines, managers relax the access governance rules. More often than not these mistakes are attributed to the manager's lack of understanding of organizational policies and procedures rather than willful omission.

Cloning a new employee's user access from another employee is another anti-pattern. Say Jenna, a new hire, has her access modeled after Jody, who has been in the company for ten years. Unless Jody's privileges have been aligned to her current role, Jenna will inherit excess privileges in systems, file shares, etc.

Poorly designed roles can also lead to access issues, with too much or too little access being granted. Roles should be aligned with business processes rather than with specific users or jobs. Auditors have found situations where a contractor is assigned a role that should be read-only; as part of the annual SOX audit, that role was found to have write capabilities as well. Below are a few leading practices, from an auditor's point of view, to help organizations implement better security, efficiency, and compliance.
Formalize Process For User Access Review:
Audit findings can lead to monetary loss and tarnish a reputation. Organizations must have a formal process: collect entitlement data across all applications periodically, have application owners review user entitlements, and formally document any remediation. A manual access review, though not ideal, is better than not having one.
Enforce Segregation of Duties (SOD) & Least Privileges:
Every role and entitlement should be created with the least privileges and evaluated for SOD violations. Giving people the minimum level of access they need to do their job helps prevent policy violations down the road. Auditors look for evidence that SOD controls are in place to prevent fraud.
Special Treatment for Privileged Accounts:
Once a cybercriminal gets past the endpoint, it is only a matter of time before they gain access to privileged accounts. Every organization must adopt a zero-trust mindset for these accounts. Privileged account creation, modification, and deletion should be codified as an automated process. Many auditors recommend creating each privileged account with a predefined expiry date. Above all, access to these accounts should be evaluated periodically through the user access review process so the organization knows "who has access to what".
Manage Adhoc Privileges:
Users working on special projects may need elevated privileges. Auditors recommend that such requests be thoroughly vetted for scope (read, write, etc.) and for the duration for which the access is needed.
Maintain Proof Of Compliance:
Auditors require proof of compliance to finalize the audit. The organization needs to ensure that documentation such as audit trails exists. If there were audit findings in the previous year that have not yet been remediated, auditors recommend that organizations maintain documentation of their status as well.
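As an added example (not from this article or from SecurEnds' product), the checks an access review would run over the entitlement data collected from each system of record: constructed sample users, an approved role model, one SOD rule, and a privileged entitlement with an expiry date. It flags the SOD conflict, entitlements a user's approved roles do not justify (the cloned-access and read-only contractor cases above), and privileged grants that are expired or have no expiry at all.

```python
from datetime import date

# Constructed sample data, not from the article: the role definitions the
# application owners approved, the SoD rules, and the privileged entitlements.
ROLE_MODEL = {
    "ap_clerk": {"erp:invoice:create"},
    "ap_approver": {"erp:invoice:approve"},
    "contractor_ro": {"sharepoint:finance:read"},
    "domain_admin": {"ad:domain:admin"},
}
SOD_RULES = [("erp:invoice:create", "erp:invoice:approve")]
PRIVILEGED = {"ad:domain:admin"}
REVIEW_DATE = date(2024, 6, 1)

# Entitlements as collected from each system of record (constructed).
# "expires" is the predefined expiry date on a privileged grant, if any.
USERS = [
    {"user": "jody", "roles": ["ap_clerk", "ap_approver"],
     "entitlements": {"erp:invoice:create", "erp:invoice:approve"}, "expires": None},
    {"user": "jenna", "roles": ["ap_clerk"],  # access cloned from Jody
     "entitlements": {"erp:invoice:create", "erp:invoice:approve"}, "expires": None},
    {"user": "ctr-001", "roles": ["contractor_ro"],  # should be read-only
     "entitlements": {"sharepoint:finance:read", "sharepoint:finance:write"},
     "expires": None},
    {"user": "ops-admin", "roles": ["domain_admin"],
     "entitlements": {"ad:domain:admin"}, "expires": date(2023, 12, 31)},
]

def review_access(users, as_of):
    """Return (user, finding, detail) tuples: SoD conflicts, entitlements the
    user's approved roles do not justify, and expired/never-expiring privileged grants."""
    findings = []
    for u in users:
        allowed = set().union(*(ROLE_MODEL.get(r, set()) for r in u["roles"]))
        held = u["entitlements"]
        for a, b in SOD_RULES:
            if a in held and b in held:
                findings.append((u["user"], "sod_violation", f"{a} + {b}"))
        for ent in sorted(held - allowed):  # granted, but no approved role covers it
            findings.append((u["user"], "excess_privilege", ent))
        for ent in sorted(held & PRIVILEGED):
            if u["expires"] is None:
                findings.append((u["user"], "privileged_no_expiry", ent))
            elif u["expires"] < as_of:
                findings.append((u["user"], "privileged_expired", ent))
    return findings

if __name__ == "__main__":
    for user, kind, detail in review_access(USERS, REVIEW_DATE):
        print(f"{user:10} {kind:22} {detail}")
```

The returned tuples are what the application owner signs off on, and the list itself, dated with the review date, is the kind of record an auditor asks for as proof that the review took place.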
Whether it's a public company's Sarbanes-Oxley (SOX), healthcare's HIPAA, or the credit-card industry's PCI, IT audits are complex. Good Identity Governance or User Access Review software takes out the complexity and helps enforce IT controls while demonstrating compliance. SecurEnds is leading the market with its lightweight, highly configurable, and industry-first flex-connector product that keeps companies secure while meeting audit and compliance requirements. Our software allows you to load user data from multiple systems of record, connect dynamically to applications, match identities with user credentials, manage heartbeat identities across connected and disconnected applications, schedule one-time or periodic access recertifications, and create proof of compliance for external auditors. In only 30 minutes we can demo why our SaaS software is now a leading choice for identity governance.