Compliance

Dr. GRC: Stop Worrying and Love User Access Reviews (or Worry Less)

Terry O'Daniel
April 18, 2024
How can you make user access reviews easier? Discover the answer with anecdotes

GRC professionals often have a love-hate relationship with user access reviews (UARs). At the 2022 ISACA-GRC conference this August, I did a quick audience participation survey to see how bad the problem is.

First I asked, “How many of you do GRC user access reviews?” and all the hands went up. 

Then I asked, “How many of you are automating user access reviews?” Most of the hands went down.

Last, I asked, “How many of you use spreadsheets and mail them around?” And most of the hands went back up. Kind of sheepishly.

Well, that explains it. To satisfy the audit requirements of SOX, every US public company has to perform user access reviews periodically, but pretty much everyone continues to do them the hard way. The drudgery and time suck of UARs make them a perennial problem in Compliance.

So let’s discuss some ways to make the UAR process easier. Not perfect, maybe, but easier.

User Access Reviews: You Need Them. You Wish You Didn’t.

What is a user access review? 

A user access review (UAR) is a control that periodically verifies that only legitimate users have access to a company's systems, data, applications, and so on. UARs are a critical component of identity and access management (IAM): a user who holds access they are not entitled to is a latent threat, whether through misuse or because an attacker who compromises that account inherits every grant it carries. The central role that user access reviews play in Compliance is reflected in the fact that SOX, PCI DSS, HIPAA, and SOC 2 all expect periodic access reviews.

So, We’ve Got the User Access Review Definition, Now What's The Problem? 

The problem at the heart of periodic user access reviews is that IAM always has at least some manual component. For example, if Ted works on my team, every quarter I'm going to receive an email that says, "Ted has these roles that give him privileged access to our systems. Should he still have that access?" Note that if Ted should still have access, he can't simply retain it by default; I need to positively assert that he can keep it. Multiply the number of people at the organization by the number of their possible roles, locations, special projects, seniority levels, and whatever other parameters figure into who is entitled to what level of access, and verifying that people have the right access gets complicated, fast. Because it is usually an overwhelmingly manual process, it's tedious and time-consuming, meaning expensive.

I believe that making the process less of a problem is possible by incorporating user access review automation into the process. That doesn’t mean the entire UAR process can be automated, but it can generally be made much faster and more efficient by using automation where possible.

A Word on Why Role-Based Access Control Falls Short

Role-based access control (RBAC) is one way access is determined, but you can't set it and forget it: roles drift from reality, and the mistakes go unnoticed until someone looks. A few examples of why user access reviews still matter under RBAC:

  • Forgetting to revoke role-based access. Jane, a marketing analyst in the US, is automatically granted access to certain systems based on her role and location. Her role then changes to a less privileged one, but her access is never reduced to match. The old grants persist until a review catches them.
  • Granting too much access by copying a role. Sam transfers from another department into the same role as Roy. Roy also holds additional clearance for an ongoing M&A project, granted outside the role. Because Sam's access is provisioned by mirroring Roy's, Sam inadvertently receives the M&A access too.
  • Failure to reflect complexity. Jamie works in marketing but is on a project with the finance department and is legitimately granted access to finance systems. A user access review that only knows Jamie's role flags that access as an anomaly, and the reviewer has to reconstruct why it exists.

Enter the Master Scheme

What you need is a master scheme that tells the organization, as a rule, for every user, in every case, what access they should get on every relevant basis (geography, department, project, data classification, need to know, and so on) and then corrects any interim drift regularly, probably quarterly. But that kind of system requires an investment an organization has to be willing to make. Until an organization invests in that kind of project, user access reviews will mean forcing people to manually review what access users have, against all those different considerations.

Another problem is that for a public company in the US that needs to comply with SOX, auditors require active, documented approval of each user's access. So even if such a company had a system that automatically corrected access and only required human eyes on cases outside the norm, that alone wouldn't satisfy the quarterly user access reviews auditors expect under SOX.

Making User Access Reviews Less Painful

There are ways, however, to improve the process of IAM with partial automation. You can automate the edges of user access reviews. You can avoid getting tripped up on some of the common problems. Key questions: how much to invest, and how much of your UAR process can and should be automated?

Consider: How Bad is the Problem, From an Hours-Spent Standpoint? 

Managers are the ones who have to review user access rights. Start to measure how bad the problem is by determining how many hours each quarter go into UAR approvals by your users' line managers, the managers of those managers, and so on up the chain. Convert those hours into a dollar cost to the company by multiplying by an approximate fully loaded hourly rate for the managers involved. Then ask leadership whether they really want to be spending that kind of money on UAR. Letting leadership know the extent of the pain, in currency, is meaningful to them and can help you get funding for IAM tools, including automation for UARs. (For more on presenting ROI in this and other contexts to leadership, see our recent thoughts here.)

Consider Automatable Aspects of UAR

Automating user access reviews to the best extent possible will still leave manual work to be done. Managers will still have to be presented with a user list, and they’re going to have to click to indicate whether each user privilege is correct. But by adding automation to the process, you can give them more information, streamline their efforts, and make the process more reliable. Some examples:

  1. Use Automation to Provide Alerts—Even Between Scheduled UARs 

What if you could discover gaps before the user access review audit? If a key value of Compliance is to enhance security, and not just to pass an audit, you want an always-on UAR tool with continuous monitoring. This tool would pull the current HR roster on a schedule (weekly, say), compare actual user access against the access each user is supposed to have, and alert the appropriate manager about discrepancies. Example: You perform quarterly user access reviews. At the end of September, you did a review and approved all users. In October, between UAR cycles, your UAR tool detects a grant that nobody approved and sends you an alert. From a security perspective, it's much more valuable to know about these discrepancies soon after they happen, rather than waiting until the end of the quarter.

  2. Configure and Automate Reminders to Reduce the Likelihood of Failing an Audit 

UAR has to happen every 90 days, throughout the year. Relying on manual tools as a reminder is a little scary. Someone can put a note on their calendar, but what if that employee goes on vacation, or leaves, without telling anyone about the UAR timing? (Yes. I've seen it happen. At big companies.) One way to avoid that particular failure, and implement user access review best practices, is to automate the calendaring of the process. Configure the reminder any way you like, but make sure it starts automatically, on a recurring basis, without relying on any one person's memory.

  3. Easily Scale to Deliver Up-to-Date Data on Organizational Structure  

Let's say you have a systematic way to identify which data stores, systems, etc. are privileged enough that the right managers need to review access to them every quarter. Someone still has to build a spreadsheet of the organizational structure, manually track changes to keep it current, and get it to those managers. Not very scalable. The easier alternative is a UAR automation that connects to your HR management system, pulls the latest org structure, and routes each user's access to the right reviewer.

  4. Fine-Tune UARs to Meet Frameworks' Credibility Requirements 

Automate the things that are easy to forget but are needed for a valid UAR. A manager reviewing a user access list also needs to be able to confirm that the list was pulled from the correct population, e.g., marketing, not finance. Make the list credible by attaching how it was retrieved: the SQL query or equivalent, the source system, and when it was pulled, so the reviewer can see which fields and filters produced it. If that's automated, it's one less thing to remember in order to avoid failing the control.
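The two automatable pieces above, reconciling actual grants against the HR roster between review cycles (item 1) and shipping the review list with provenance of how it was pulled (item 4), fit naturally in one script. The following is an added example written for this page, not anecdotes' product code. All names, the role model, the roster, the grants, and the `GRANT_QUERY` string are constructed; in practice the roster would come from the HRIS and the grants from each in-scope system's entitlement export.

```python
"""Reconcile actual entitlements against an HR roster and a role model, then
package the findings for reviewers together with evidence of how the grant
list was obtained. All data below is constructed for illustration."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timezone

# Role model (constructed): the entitlements each role is supposed to carry.
ROLE_ENTITLEMENTS = {
    "marketing_analyst": {"analytics:read", "crm:read"},
    "marketing_coordinator": {"crm:read"},
    "finance_analyst": {"erp:read", "erp:post_journal"},
}

# HR roster (constructed): one row per person, with status and line manager.
HR_ROSTER = [
    {"user": "jane", "role": "marketing_coordinator", "manager": "maria", "status": "active"},
    {"user": "sam", "role": "marketing_analyst", "manager": "maria", "status": "active"},
    {"user": "roy", "role": "marketing_analyst", "manager": "maria", "status": "active"},
    {"user": "jamie", "role": "marketing_analyst", "manager": "maria", "status": "active"},
    {"user": "ted", "role": "finance_analyst", "manager": "fiona", "status": "terminated"},
]

# Approved exceptions (constructed): out-of-role access a manager already attested to,
# so the tool does not re-flag it every cycle (Jamie's finance project, Roy's M&A room).
APPROVED_EXCEPTIONS = {
    ("roy", "dataroom:mna"): "approved by maria, M&A project",
    ("jamie", "erp:read"): "approved by fiona, finance project",
}

# Actual grants (constructed) as (user, entitlement), as exported from the target systems.
ACTUAL_GRANTS = [
    ("jane", "analytics:read"), ("jane", "crm:read"),          # stale: Jane changed role
    ("sam", "analytics:read"), ("sam", "crm:read"), ("sam", "dataroom:mna"),  # copied from Roy
    ("roy", "analytics:read"), ("roy", "crm:read"), ("roy", "dataroom:mna"),
    ("jamie", "analytics:read"), ("jamie", "crm:read"), ("jamie", "erp:read"),
    ("ted", "erp:read"), ("ted", "erp:post_journal"),          # terminated user still provisioned
    ("svc_legacy", "erp:read"),                                # account with no HR record at all
]

# Hypothetical query that produced ACTUAL_GRANTS; attached to the packet so the reviewer
# can see exactly which fields and filters defined the population under review.
GRANT_QUERY = ("SELECT username, entitlement FROM entitlements "
               "WHERE org_unit IN ('marketing', 'finance')")


def reconcile(roster, grants, role_model, exceptions):
    """Return one finding per grant that the role model or an approved exception
    does not explain. Kinds: unknown_user, inactive_user, outside_role."""
    by_user = {row["user"]: row for row in roster}
    findings = []
    for user, ent in grants:
        row = by_user.get(user)
        if row is None:
            kind, manager = "unknown_user", None
        elif row["status"] != "active":
            kind, manager = "inactive_user", row["manager"]
        elif ent in role_model.get(row["role"], set()) or (user, ent) in exceptions:
            continue  # explained by role or by a prior attestation
        else:
            kind, manager = "outside_role", row["manager"]
        findings.append({"user": user, "entitlement": ent, "kind": kind, "manager": manager})
    return findings


def group_by_manager(findings):
    """Route each finding to the line manager; orphaned accounts go to the IAM team."""
    grouped = defaultdict(list)
    for finding in findings:
        grouped[finding["manager"] or "iam_team"].append(finding)
    return dict(grouped)


def snapshot_digest(grants):
    """Order-independent SHA-256 of the grant export, so the reviewed list can be tied
    to the exact evidence file later."""
    canonical = json.dumps(sorted(grants), separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_review_packet(findings, grants, query, pulled_at_iso):
    """Findings grouped by reviewer plus the provenance the reviewer needs to trust them."""
    return {
        "evidence": {
            "query": query,
            "grant_count": len(grants),
            "snapshot_sha256": snapshot_digest(grants),
            "pulled_at": pulled_at_iso,
        },
        "reviews": group_by_manager(findings),
    }


if __name__ == "__main__":
    found = reconcile(HR_ROSTER, ACTUAL_GRANTS, ROLE_ENTITLEMENTS, APPROVED_EXCEPTIONS)
    packet = build_review_packet(found, ACTUAL_GRANTS, GRANT_QUERY,
                                 datetime.now(timezone.utc).isoformat())
    print(json.dumps(packet, indent=2))
```

Run between cycles, the output is the alert feed: Jane's leftover analytics grant, Sam's copied M&A access, Ted's still-live finance access, and a service account nobody in HR owns each land in the right manager's queue, while Roy's and Jamie's attested exceptions stay quiet. The `evidence` section is what item 4 asks for: the query, the row count, and a hash of the export travel with the list, so an auditor can match what the manager approved to the file it came from.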

Smooth Sailing Ahead?

I’d like to tell you that user access reviews are completely automatable and can be done by pressing a button. You know I can’t: Until the robots take over, UAR has to be done manually to some extent. But you can find some livable middle ground between hell and heaven and make user access reviews a whole lot quicker and easier. By determining how much managerial time—therefore the organization’s money—is spent on UAR, you can figure out how much pain relief is worth investing in. It’s an investment in using managerial time more productively and reducing error.

And that pain relief you're after? With unparalleled Compliance automation solutions, anecdotes is the mega dose you're looking for. Now, I’m no doctor but implement this advice and I know you’ll feel a whole lot better next quarter.

Terry O'Daniel
Terry O’Daniel leads Security & GRC at Amplitude. His specialty is building teams focused on applying technology to solve GRC problems at scale via automation and instrumentation rather than compliance-by-spreadsheet. Prior to Instacart, Terry built the Security Assurance function at Netflix, the 2LOD Technology Risk & Compliance functions at Salesforce, and the GRC function within Production Engineering at Yahoo! In his spare time, he enjoys music, fencing, and gaming with his daughters.