GRC professionals often have a love-hate relationship with user access reviews (UARs). At the 2022 ISACA-GRC conference this August, I did a quick audience-participation survey to see how bad the problem is.
First I asked, “How many of you do user access reviews?” and all the hands went up.
Then I asked, “How many of you use automation to do them?” Most of the hands went down.
Last, I asked, “How many of you use spreadsheets and mail them around?” And most of the hands went back up. Kind of sheepishly.
Well, that explains it. Every public company in the US has to perform periodic user access reviews to comply with SOX audit requirements, but pretty much everyone continues to do them the hard way. The drudgery and time-suck associated with UARs make them a perennial problem in Compliance.
So let’s discuss some ways to make UARs better. Not perfect, maybe, but better.
A user access review is a control to periodically verify that only legitimate users have access—to systems, data, applications, etc. They’re a critical component of identity and access management (IAM), because when users who are not entitled to access end up having it, that poses a potential threat. The central role that user access reviews play in Compliance is reflected in the fact that SOX, PCI DSS, HIPAA, and SOC 2 all have mandatory UAR requirements.
The problem at the heart of conducting user access reviews is that there has to be at least some manual component in the way organizations perform IAM. For example, typically, if Ted works on my team, every quarter I’m going to receive an email that says, “Ted has these roles that give him privileged access to our systems. Should he still have that access?” Note that if Ted should still have access, he can’t simply retain his access by default; I need to positively assert that he can keep access. Multiply the number of people at the organization by the number of their possible roles, locations, special projects, seniority, and whatever other parameters figure into who is entitled to what level of access…and verifying that people have the right access gets complicated, fast. To the extent it’s often overwhelmingly a manual process, it’s tedious and time-consuming—meaning expensive.
I believe that making UAR less of a problem is possible by incorporating automation into the process. That doesn’t mean the entire UAR process can be automated, but it can generally be made much faster and more efficient by using automation where possible.
Role-based access control (RBAC) is one way access is determined. But you can’t “set it and forget it.” It’s too easy for mistakes to creep in, or for the assigned roles to stop reflecting the access a user should actually have. A few examples:
What you need is a master scheme that tells the organization, as a rule, for every user, in every case, what access they should get—on all relevant bases, including geographical, departmental, project level, data access level, need-to-know level, and any other relevant bases—and then corrects any interim errors regularly (probably quarterly). But that kind of system requires an investment an organization has to be willing to make. Until an organization invests in that kind of project, user access reviews will require forcing people to manually review what access users have, based on all those different considerations.
Another problem is that for a public company in the US that needs to comply with SOX, auditors require active approval of access. So even if such a company had a system that automatically corrected access and only required human eyes to review cases outside the norm, that wouldn’t satisfy SOX’s requirement of quarterly UARs.
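To make the mechanics concrete, here is an added example (not from the original post, and not any vendor’s product) of the partial automation just described: a rule scheme derives the access each user should have, the script diffs that against the entitlements they actually hold and pre-flags the drift, and the campaign still puts every entitlement in front of the manager for a positive “keep” decision, with anything left unanswered defaulting to revocation. The policy table, users and entitlements are constructed sample data.

```python
"""Added example: a minimal user access review (UAR) campaign builder.
Expected access comes from a rule scheme; actual access is diffed
against it; every entitlement still needs an explicit reviewer decision,
and access is retained only on an explicit "keep". All data is constructed."""
from dataclasses import dataclass

# Constructed rule scheme: (department, location) -> roles a user should hold.
# A real scheme would key on more attributes (project, seniority, need-to-know).
POLICY = {
    ("finance", "us"): {"erp_ap_clerk", "vpn"},
    ("finance", "eu"): {"erp_ap_clerk", "vpn", "gdpr_vault_reader"},
    ("eng", "us"): {"vpn", "git_write"},
}

# Constructed sample users and the entitlements they currently hold.
USERS = {"ted": {"dept": "finance", "loc": "us"}, "ana": {"dept": "eng", "loc": "us"}}
ACTUAL = {"ted": ["erp_ap_clerk", "vpn", "git_write"], "ana": ["vpn"]}

@dataclass
class ReviewItem:
    user: str
    role: str
    flag: str               # "expected", "excess" (has it, should not) or "missing"
    decision: str = "pending"   # reviewer must set "keep" or "revoke"

def expected_roles(attrs):
    """Roles the scheme says a user with these attributes should have."""
    return POLICY.get((attrs["dept"], attrs["loc"]), set())

def build_campaign(users, actual):
    """One review item per (user, role), so the manager must positively
    assert every entitlement; drift against the scheme is pre-flagged."""
    items = []
    for user, attrs in users.items():
        exp, act = expected_roles(attrs), set(actual.get(user, ()))
        for role in sorted(exp | act):
            if role in exp and role in act:
                flag = "expected"
            else:
                flag = "excess" if role in act else "missing"
            items.append(ReviewItem(user, role, flag))
    return items

def close_campaign(items, decisions):
    """Apply reviewer decisions. An unanswered item is NOT retained by
    default: anything held without an explicit "keep" goes on the revoke list."""
    to_revoke = []
    for it in items:
        it.decision = decisions.get((it.user, it.role), "revoke")
        if it.decision != "keep" and it.flag != "missing":
            to_revoke.append((it.user, it.role))
    return to_revoke
```

The "missing" flag covers roles the scheme expects but the user lacks; those are a provisioning gap for the reviewer to see, not something to revoke.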
There are ways, however, to improve the process of IAM with partial automation. You can automate the edges of user access reviews. You can avoid getting tripped up on some of the common problems. Key questions: how much to invest, and how much of your UAR process can and should be automated?
Managers are the ones who have to review user access. Start to measure how bad the problem is by determining how many hours are being spent every quarter on UAR, by your users’ line managers, and the managers of those managers, and so on up the chain. Turn that number of hours into a dollar cost to the company by approximating the hourly executive salary of a manager spending those hours, then multiply by hours spent. Ask leadership if they really want to be spending that kind of money on UAR. Letting leadership know the extent of the pain, in currency, is meaningful to them and can help you get funding for IAM tools, including automation for UARs. (For more on presenting ROI in this and other contexts to leadership, see our recent thoughts here.)
Automating UAR to the extent possible will still leave manual work to be done. Managers will still have to be presented with a user list, and they’re going to have to click to indicate whether each user privilege is correct. But by adding automation to the process, you can give them more information, streamline their efforts, and make the process more reliable. Some examples:
I’d like to tell you that user access reviews are completely automatable and can be done by pressing a button. You know I can’t: Until the robots take over, UAR has to be done manually to some extent. But you can find some livable middle ground between hell and heaven. By determining how much managerial time—therefore the organization’s money—is spent on UAR, you can figure out how much pain relief is worth investing in. It’s an investment in using managerial time more productively and reducing error.