User Access Review Best Practices

Why are User Access Reviews Essential?

According to a report by Centrify (now Delinea), 74% of data breaches start with privileged credential abuse. Hence, user access reviews are essential for minimizing the risk of cybersecurity threats. To be more precise, user access reviews can help in the following areas:

Privilege creep, misuse, and abuse

User access reviews are essential to mitigate security threats like privilege creep, privilege misuse, and privilege abuse. Privilege creep occurs when employees obtain access to more sensitive data than required, leading to unauthorized access to data, which may lead to a security breach. Privilege misuse is when privileges are used in a way that goes against company policy. On the other hand, privilege abuse involves fraudulent activity, leading to malicious actors accessing, exfiltrating, or corrupting an organization’s data.

Secure off-boarding

In the event of an employee or third-party termination, it is imperative to revoke access rights to prevent access to sensitive information. Failure to remove access rights will give the former employee the ability to access vast quantities of confidential data even after they have left the company. This can lead to potential security breaches if the departing party is resentful and motivated to exploit their active credentials during the period of termination.

Reduced licensing fees

Failure to monitor and restrict user access to specific systems can result in excessive spending on system licenses and accounts. The cost of a single license can be quite high, ranging in the hundreds of dollars for various systems. For instance, if an employee from the accounts department doesn’t need an Adobe Photoshop license, they shouldn’t be granted access to systems running the software.

Regulations that Require User Access Reviews

User access reviews are required by many international IT security standards, including NIST, PCI DSS, HIPAA, GDPR, and SOX. For instance, NIST requires organizations to conduct periodic reviews of access rights and policies, while PCI DSS requires organizations to review their access control policies at least once a year. Similarly, HIPAA requires a periodic review of access policies and implementation of procedures to establish, document, review, and modify user access rights. Moreover, GDPR requires organizations to audit the data they process and people with access to it, while SOX indicates the need to enforce access control procedures, including via user access reviews.

User Access Review Best Practices

To ensure the effectiveness of user access reviews, it is essential to have a checklist that outlines the process. Below are some of the key steps to take in order to effectively review user access:

Define the scope of the user access review

Defining the scope of the user access review process is crucial, as it will help you conduct the audit in a more structured, timely, and efficient manner. It is a good idea to prioritize the accounts that have the highest risk profiles, as this will speed up the process and make it more efficient. You should ensure that your user access policy includes:

• An inventory of all data and resources that need to be protected;
• A list of user roles, responsibilities, and categories of authorization;
• Documentation about the controls, tools, and strategies used to ensure secure access;
• The administrative measures in place, including the software used, to apply the policy;
• The procedures for granting, revoking, and reviewing access.

Revoke permissions of former employees

When conducting user access reviews, it is essential to pay close attention to whether accounts of ex-employees are still active within your network. It might be advisable to maintain a record of resigned workers since the last user access review, in order to guarantee that their access is terminated.

Watch out for shadow admin accounts

Shadow admin accounts are user accounts that have administrative access permissions, but are not typically included in privileged Active Directory (AD) groups. Malicious attackers can target these accounts, escalating and exploiting their privileges if they are not monitored carefully. It is recommended to either remove shadow admin accounts altogether or to add them to monitored administrative groups.

Don’t transfer access permissions from one job role to the next

When employees shift roles in the company, their access rights may increase over time, leading to an escalation of privileges. While conducting a user access review, it’s important to verify that employees’ access rights align with their current duties.

Strictly adhere to the “least privilege” access methodology

The principle of least privilege (PoLP) plays a critical role in conducting user access reviews. This principle ensure that users, such as employees and vendors, are only granted access to the resources they need to perform their duties. This measure not only helps to mitigate insider risks but is also a requirement of the previously mentioned security regulations. Additionally, it’s imperative to determine exactly who needs permanent privileged access rights. For those who require only occasional access to sensitive data, consider implementing one-time passwords (OTP) or just-in-time (JIT) access.