Before we get into what and how, let’s clarify a few terms. Access Reviews. Entitlement Review. Access Recertification. User Attestation. These are all different terms that IT and internal audit teams use interchangeably. Access reviews are a way for organizations to maintain and uphold IT controls and to comply with regulations. Not all companies have an internal audit team, but every company, no matter how small, does some risk assessment. Many organizations are bound by regulatory requirements such as SOX, FFIEC, ISO 27001, PCI DSS, HIPAA, etc., to undertake access reviews. When auditors review IT systems for compliance, they typically look for proof of controls for the following items:
- Access is granted using the principle of least privilege.
- Evidence of ongoing or periodic review of user entitlements (credentials and permissions).
- Ability to run a remediation workflow and notify application owners in a timely manner when access needs to be removed.
- Ability to generate proof-of-compliance reports for external auditors.
How to do Access Recertification?
No matter the compliance standard, the process remains the same. Access reviews are an important part of a company’s security architecture when it comes to user account access to sensitive data. The first step is to obtain the employee, vendor, and contractor information from the system of record so it can serve as the single source of truth for identities. The second step is to extract the different types of user accounts, service accounts, and their entitlements across the systems, databases, and folders in scope for the review. Privileged accounts need a special type of review treatment, as their abuse can lead to significant damage. Thereafter, the matched identities of users and their entitlements are sent to their managers to review and attest. Any access remediation happens after the review.
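The steps above, carried through on constructed data, as an added example that is not part of the original article or of any SecurEnds product. It takes two CSV extracts of the kind manual reviews already use (an HR system-of-record roster and an entitlement dump from in-scope systems), joins accounts to identities, sends ordinary entitlements to the identity’s manager and privileged entitlements to the application owner, and diverts accounts with no matching identity or a terminated identity straight to remediation. All column names, identifiers, and the `privileged` flag are assumptions made for the example.

```python
"""Constructed example of one access recertification run.

Inputs (constructed, inline):
  * IDENTITIES_CSV   - the HR system of record (employees, vendors, contractors)
  * ENTITLEMENTS_CSV - accounts and permissions extracted from in-scope systems

Column names and the privileged flag are assumptions for this example.
"""
import csv
import io
from collections import defaultdict

# Constructed system-of-record extract. Status "terminated" means the
# identity should no longer hold any access anywhere.
IDENTITIES_CSV = """\
identity_id,name,type,manager,status
E100,Alice Example,employee,M900,active
E101,Bob Example,employee,M900,active
V200,Vendor Corp Bot,vendor,M901,active
E102,Carol Example,employee,M901,terminated
"""

# Constructed entitlement extract. An empty identity_id models an account
# the source system could not map to anyone (an orphaned service account).
ENTITLEMENTS_CSV = """\
system,account,identity_id,entitlement,privileged,owner
finance-db,alice,E100,reporting_read,no,O500
finance-db,alice,E100,db_admin,yes,O500
hr-share,bob,E101,payroll_folder_rw,no,O501
hr-share,carol,E102,payroll_folder_rw,no,O501
finance-db,svc_backup,,backup_operator,yes,O500
crm-saas,vendorbot,V200,api_export,no,O502
"""


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def build_review(identities_csv, entitlements_csv):
    """Return (review items grouped by reviewer, exceptions).

    Routing: privileged entitlement -> application owner;
             ordinary entitlement   -> the identity's manager.
    Exceptions skip attestation and go straight to remediation:
             orphaned account, or account held by a terminated identity.
    """
    identities = {row["identity_id"]: row for row in load_csv(identities_csv)}
    reviews = defaultdict(list)
    exceptions = []
    for ent in load_csv(entitlements_csv):
        ident = identities.get(ent["identity_id"])
        if ident is None:
            exceptions.append({**ent, "reason": "orphaned_account"})
            continue
        if ident["status"] != "active":
            exceptions.append({**ent, "reason": "identity_terminated"})
            continue
        privileged = ent["privileged"] == "yes"
        reviewer = ent["owner"] if privileged else ident["manager"]
        reviews[reviewer].append({
            "system": ent["system"],
            "account": ent["account"],
            "identity": ident["name"],
            "identity_type": ident["type"],
            "entitlement": ent["entitlement"],
            "privileged": privileged,
            "decision": None,  # set by the reviewer to "keep" or "revoke"
        })
    return dict(reviews), exceptions


def remediation_queue(reviews, exceptions):
    """Everything that must be removed: exceptions plus reviewer revocations."""
    queue = [(e["system"], e["account"], e["entitlement"], e["reason"]) for e in exceptions]
    for items in reviews.values():
        for item in items:
            if item["decision"] == "revoke":
                queue.append((item["system"], item["account"], item["entitlement"], "revoked_by_reviewer"))
    return queue


def evidence_summary(reviews, exceptions):
    """Counts an auditor would want as proof the review was completed."""
    total = sum(len(v) for v in reviews.values())
    decided = sum(1 for v in reviews.values() for i in v if i["decision"] in ("keep", "revoke"))
    return {"items_for_review": total, "decided": decided, "exceptions": len(exceptions)}


if __name__ == "__main__":
    reviews, exceptions = build_review(IDENTITIES_CSV, ENTITLEMENTS_CSV)
    for reviewer, items in sorted(reviews.items()):
        print(f"Review packet for {reviewer}:")
        for item in items:
            flag = " (privileged)" if item["privileged"] else ""
            print(f"  {item['system']} {item['account']} {item['entitlement']}{flag}")
    print("Exceptions:", [(e["account"], e["reason"]) for e in exceptions])
    print("Summary:", evidence_summary(reviews, exceptions))
```

Two design points worth keeping when scaling this up: the privileged path is routed to the application owner rather than the line manager, because a manager rarely knows what `db_admin` on a finance database actually permits; and the exceptions list is separate from the review packets, so orphaned and post-termination access does not wait for a manager’s attestation before it is removed.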
What tools to use for Access Recertification?
Manual review is one way to do access reviews. However, enterprise application sprawl has expanded greatly. According to McAfee, the average enterprise has 464 custom applications deployed today. Okta’s research reveals an average of 129 SSO applications per company. Netskope has found close to 1000 cloud services in use per company. A manual review takes weeks of data collection and manual transformation, followed by back-and-forth email communication asking managers to approve or reject access for their employees. Many companies use complex spreadsheets, SQL reporting, and laborious manual cross-checking procedures, but this is very time-consuming and often unreliable. Alternatively, companies can automate the entire process using either a homegrown system or off-the-shelf governance software. Homegrown systems don’t scale well, get outdated pretty quickly, and come at the expense of taking development resources away from revenue-generating activities. The biggest advantage of going with an off-the-shelf solution is that it keeps up with standards and changes. Off-the-shelf software is a great way to go if organizations can plan around the total cost of ownership.
Customers across different industries are using SecurEnds SaaS products to automate access reviews. Besides using connectors, our product can ingest the existing CSV files used in manual reviews. We had to build a one-size-fits-all connector that can extract data through SQL, scripts, and APIs. These options help our customers achieve their common goal of building a high-ROI solution that can mitigate risk and drive compliance efficiency. Many of our clients have already invested in Single Sign-On (SSO) technologies like Okta or Azure AD, and are looking for a product that can be easily bolted on to offer end-to-end identity management.