Dr. GRC: How You Can Learn to Stop Worrying and Love User Access Reviews (or Maybe Worry Less and Not Hate Them So Much)

Terry O'Daniel
January 5, 2023

GRC professionals often have a love-hate relationship with user access reviews (UARs). At the 2022 ISACA-GRC conference this August, I did a quick audience-participation survey to see how bad the problem is.

First I asked, “How many of you do user access reviews?” and all the hands went up. 

Then I asked, “How many of you use automation to do them?” Most of the hands went down.

Last, I asked, “How many of you use spreadsheets and mail them around?” And most of the hands went back up. Kind of sheepishly.

Well, that explains it. Every public company in the US has to perform periodic user access reviews to comply with SOX audit requirements, but pretty much everyone continues to do them the hard way. The drudgery and time-suck associated with UARs make them a perennial problem in Compliance.

So let’s discuss some ways to make UARs better. Not perfect, maybe, but better.

UARs: You Need Them. You Wish You Didn’t.

A user access review is a control to periodically verify that only legitimate users have access—to systems, data, applications, etc. They’re a critical component of identity and access management (IAM), because when users who are not entitled to access end up having it, that poses a potential threat. The central role that user access reviews play in Compliance is reflected in the fact that SOX, PCI DSS, HIPAA, and SOC 2 all have mandatory UAR requirements.

The problem at the heart of conducting user access reviews is that there has to be at least some manual component in the way organizations perform IAM. For example, typically, if Ted works on my team, every quarter I’m going to receive an email that says, “Ted has these roles that give him privileged access to our systems. Should he still have that access?” Note that if Ted should still have access, he can’t simply retain his access by default; I need to positively assert that he can keep access. Multiply the number of people at the organization by the number of their possible roles, locations, special projects, seniority, and whatever other parameters figure into who is entitled to what level of access…and verifying that people have the right access gets complicated, fast. To the extent it’s often overwhelmingly a manual process, it’s tedious and time-consuming—meaning expensive.

I believe that making UAR less of a problem is possible by incorporating automation into the process. That doesn’t mean the entire UAR process can be automated, but it can generally be made much faster and more efficient by using automation where possible.

A Word on Why Role-Based Access Control Falls Short

Role-based access control (RBAC) is one way access is determined. But you can’t “set it and forget it.” It’s too easy to make mistakes or not reflect correct access. A few examples:

  • Forgetting to revoke RBAC. Jane works in the US, as a marketing analyst. Based on her role and location, she is automatically given access to certain systems. Then her role changes to a less-privileged one. But her access is not automatically updated. 
  • Granting too much access based on role. Sam transfers from another department to the same role as Roy. Roy has additional clearance to work on an ongoing M&A project. Sam is automatically given the same clearance as Roy because they have the same roles. Sam is inadvertently given the same special access as Roy.
  • Failure to reflect complexity. Jamie works in marketing but is involved in a project with the finance department. He’s granted access to the finance department. A user access review raises red flags when Jamie’s access to finance shows up.

What you need is a master scheme that tells the organization, as a rule, for every user, in every case, what access they should get—on all relevant bases, including geographical, departmental, project level, data access level, need-to-know level, and any other relevant bases—and then corrects any interim errors regularly (probably quarterly). But that kind of system requires an investment an organization has to be willing to make. Until an organization invests in that kind of project, user access reviews will require forcing people to manually review what access users have, based on all those different considerations.

Another problem is that for a public company in the US that needs to comply with SOX, auditors require active approval of access. So even if such a company had a system that automatically corrected access and only required human eyes to review cases outside the norm, that wouldn’t satisfy SOX’s requirement of quarterly UARs. 

Making User Access Reviews Less Painful

There are ways, however, to improve the process of IAM with partial automation. You can automate the edges of user access reviews. You can avoid getting tripped up on some of the common problems. Key questions: how much to invest, and how much of your UAR process can and should be automated?

Consider: How bad is the problem, from an hours-spent standpoint? 

Managers are the ones who have to review user access. Start to measure how bad the problem is by determining how many hours are being spent every quarter on UAR, by your users’ line managers, and the managers of those managers, and so on up the chain. Turn that number of hours into a dollar cost to the company by approximating the hourly executive salary of a manager spending those hours, then multiply by hours spent. Ask leadership if they really want to be spending that kind of money on UAR. Letting leadership know the extent of the pain, in currency, is meaningful to them and can help you get funding for IAM tools, including automation for UARs. (For more on presenting ROI in this and other contexts to leadership, see our recent thoughts here.)

Consider automatable aspects of UAR

Automating UAR to the extent possible will still leave manual work to be done. Managers will still have to be presented with a user list, and they’re going to have to click to indicate whether each user privilege is correct. But by adding automation to the process, you can give them more information, streamline their efforts, and make the process more reliable. Some examples:

  • Use automation to provide alerts—even between scheduled UARs. What if you could discover gaps before the access review? If a key value of Compliance is to enhance security—and not just to pass an audit—you want an always-on UAR tool with real-time monitoring. This tool would collect evidence from an updated HR list weekly, compare actual user access to the privileges that users are supposed to have, and issue an alert to the appropriate manager about discrepancies. Example: You perform quarterly UARs. At the end of September you did a review and approved all users. In October, between UAR cycles, your UAR tool detects unauthorized access and sends you an alert. From a security perspective, it’s much more valuable to know about these discrepancies soon after they happen, rather than waiting until the end of the quarter.
  • Automate reminders, to reduce the likelihood of failing an audit. UAR has to happen every 90 days, throughout the year. Relying on manual tools as a reminder is a little scary. Someone can put a sticky note on their calendar, but what if that employee goes on vacation, or leaves, without updating anyone on UAR timing? (Yes. I’ve seen it happen. At big companies.) One way to avoid that particular fail is to automate the calendaring of the process, so it’s begun automatically, on a recurring basis, without having to rely on any one particular person’s remembering.
  • Easily show managers up-to-date data on organizational structure. Let’s say you have a systematic way to identify which data stores, systems, etc. rise to the level of being privileged enough that, every quarter, the right managers need to review user access. Someone has to create a spreadsheet showing organizational structure, manually track changes to keep it current, and get it to those managers. Easier alternative: automated Compliance that connects to your HR management system, pulls in the latest org structure information, and sends it to the right people.
  • Fine-tune UARs to meet frameworks’ requirements. Automate the kinds of things that are easy to forget but are needed for a valid UAR. A manager reviewing a user access list also needs to validate that the list was pulled from the correct group—e.g., marketing, not finance. The solution: Make sure the list includes information on how it was pulled (by including the SQL query or however the data was retrieved, because it will show the reviewer what fields were selected). If that’s automated, it’s one less thing to have to remember to avoid failing the control.
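The first and last bullets above (an always-on check comparing actual access against the HR roster and the role scheme, and attaching how the data was pulled to each reviewer's list) can be sketched as a small reconciliation routine. This is an added illustration, not code from the post or from any product; the roster, role map, entitlement snapshot and the "security" fallback owner for unowned accounts are all constructed here.

```python
# Constructed HR roster: what each user should be, and who reviews them.
HR_ROSTER = {
    "jane": {"role": "marketing_analyst", "manager": "alice", "active": True},
    "sam":  {"role": "analyst", "manager": "bob", "active": True},
    "ted":  {"role": "engineer", "manager": "carol", "active": False},  # has left
}
# Constructed role scheme: entitlements each role is supposed to carry.
ROLE_ENTITLEMENTS = {
    "marketing_analyst": {"crm_read"},
    "analyst": {"crm_read", "reporting"},
    "engineer": {"prod_deploy", "repo_write"},
}
# Constructed snapshot of actual grants, as if exported from the access system.
ACTUAL_ACCESS = {
    "jane": {"crm_read", "finance_ledger"},            # stale grant from an old role
    "sam": {"crm_read", "reporting", "mna_dataroom"},  # inherited extra clearance
    "ted": {"prod_deploy"},                            # terminated, access not revoked
    "ghost": {"reporting"},                            # account with no HR record
}


def find_discrepancies(roster, role_map, actual):
    """Return (user, manager, finding) for every grant a reviewer must act on."""
    findings = []
    for user, grants in actual.items():
        record = roster.get(user)
        if record is None:
            findings.append((user, None, f"not in HR roster; has {sorted(grants)}"))
            continue
        if not record["active"]:
            findings.append((user, record["manager"], f"terminated; still has {sorted(grants)}"))
            continue
        extra = grants - role_map.get(record["role"], set())
        if extra:
            findings.append((user, record["manager"],
                             f"beyond role {record['role']}: {sorted(extra)}"))
    return findings


def build_alerts(findings, query_text, pulled_on):
    """Group findings per manager and attach provenance (query and pull date)."""
    alerts = {}
    for user, manager, finding in findings:
        owner = manager or "security"  # assumed: unowned accounts go to the security team
        alerts.setdefault(owner, {"pulled_on": pulled_on, "query": query_text, "items": []})
        alerts[owner]["items"].append(f"{user}: {finding}")
    return alerts
```

Run between quarterly cycles, the output of `build_alerts` is the per-manager notice the post describes, with the query that produced it recorded alongside the findings.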

Smooth Sailing Ahead?

I’d like to tell you that user access reviews are completely automatable and can be done by pressing a button. You know I can’t: Until the robots take over, UAR has to be done manually to some extent. But you can find some livable middle ground between hell and heaven. By determining how much managerial time—therefore the organization’s money—is spent on UAR, you can figure out how much pain relief is worth investing in. It’s an investment in using managerial time more productively and reducing error.

Terry O'Daniel
Terry O’Daniel leads Security & GRC at Amplitude. His specialty is building teams focused on applying technology to solve GRC problems at scale via automation and instrumentation rather than compliance-by-spreadsheet. Prior to Instacart, Terry built the Security Assurance function at Netflix, the 2LOD Technology Risk & Compliance functions at Salesforce, and the GRC function within Production Engineering at Yahoo! In his spare time, he enjoys music, fencing, and gaming with his daughters.
