A CISO's guide to UARs-II: What type of control is a User Access Review?

Sameer Sait
BalkanID Intelligent IGA Blog
5 min read · Oct 20, 2022


I. Introduction

A User Access Review (UAR) is a control to periodically verify that only legitimate and approved users have access to your corporate applications and infrastructure. For example, during a UAR, an application business or IT owner may discover that users that joined the company recently or transferred to another team within the company continue to have persistent access to applications or infrastructure that do not align with their roles or responsibilities. Further, former employees could still have access to the company system and related confidential files even after they have left the organization.

In today’s interconnected and cloud-first environments, access control risks can be exploited by insiders seeking to take advantage of over-permissioned access and by outsiders seeking vulnerabilities in a company’s defenses. Both may result in financial and reputational losses for the company, which makes it imperative that companies continuously evaluate and test their system access controls. This blog post explains how technology regulations and related controls can help ensure transparency around user access and the associated roles, groups, and permissions.

II. Is the UAR control mandated?

Reviewing user access rights is both an industry best practice (NIST) and a technology regulatory requirement under frameworks such as HIPAA, PCI DSS, and SOX. So let’s dive into these various control frameworks:

  • NIST is a non-regulatory agency of the United States Department of Commerce that provides cybersecurity guidelines and standards. Controls AC-1 and AC-2 of NIST Special Publication 800-53 require organizations to conduct periodic reviews of access rights and policies. An organization may create a review schedule and use any of the NIST-provided resources and tools to conduct an independent assessment.
  • PCI DSS is a security standard for organizations that process credit card data and store cardholder information. Requirement 7 of this standard describes access control measures that include managing granular access, instituting the principle of least privilege, and periodic review of user roles and rights. As with NIST, the organization can determine the frequency and depth of reviews.
  • HIPAA is a United States law that describes protection measures required for companies that manage healthcare data. Administrative safeguard 164.308 requires a periodic review of access policies and implementation of practices to establish, document, review, and update user access rights. HIPAA controls are audited by the US Department of Health and Human Services.
  • SOX is a United States law that contains a set of requirements for public companies. Section 404 requires entities to assess and report on internal controls for financial reporting. SOX also indicates the need to enforce access control procedures for digital records, including user access reviews. SOX compliance is verified every year by an independent audit firm.

While some of the above requirements are industry specific, the risks related to permission sprawl are relevant across all sectors. Below, we will dive into specific UAR best practices to consider as you work to protect your assets from unauthorized access.

III. User Access Review Best Practices

a. Business User Access Reviews

Responsibility for the accuracy of business user access lies with the user’s manager or application owner. Further, this activity can be delegated, but the application owner is accountable for this control and any related violations. Best practices that application owners can follow to help ensure effective user access reviews include:

  • When a new user joins the team, the user’s manager will attest and provide relevant role definition and access privileges for the user.
  • When a user leaves the team or changes roles, the user’s manager works with application owners to validate the user’s access permissions for any updates or removal.
  • A user access review is automatically triggered or manually initiated at predetermined intervals (pre-scheduled part of a calendar of activity).
  • The application owner receives completed user access reviews for existing users, roles, and associated access privileges. Following this, the application owner takes action to remove or change any incorrect permissions.

b. Technology User Access Review

Technology users typically need elevated access permissions to perform their day-to-day tasks (support, engineering, operations, etc.). Technology users’ access privileges depend on their team and role. Both application and infrastructure owners are accountable for the effectiveness of the user access review control for technology users. The system owners will rely on the user’s manager to perform the user access review but are ultimately the final decision-makers on access to the assets they own.

Best practices that application owners can follow to help ensure effective user access reviews include:

  • Create an onboarding template that provides user roles, tasks for each role, and required access for each task. The onboarding template role responsibilities are based on the segregation of duties (SoD) policy. The SoD assigns responsibilities and privileges to technology team members while ensuring that risk in the system is managed to an acceptable level. For example, a developer writes code and performs unit testing. A tech lead will then verify the code and test results and, when confirmed, will move the code to a higher environment. A developer cannot move code to a higher environment, while a tech lead cannot write code.
  • Develop a calendar of activities to plan and initiate periodic user access reviews. This also includes frequency, scope, and stakeholders for all user access reviews based on asset criticality, associated environmental risk, and user change dynamics.
  • Institutionalize automated processes for onboarding and offboarding IT users. For example, an onboarding script processes access requests and provisions access to systems based on the SoD, while an offboarding script executes access removal requests from various systems and tools.
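The checks an application owner performs in the two lists above (leaver and out-of-role access from the business review, the onboarding template and segregation-of-duties rule from the technology review) as an added example; this is not code from the original post or from BalkanID's product, and the HR roster, role template, SoD rule, and entitlement export are constructed sample data with assumed entitlement names.

```python
# Constructed HR roster (the authoritative source for status and role).
HR_ROSTER = {
    "alice": {"status": "active", "role": "developer"},
    "bob":   {"status": "active", "role": "tech_lead"},
    "carol": {"status": "terminated", "role": "developer"},
    "dave":  {"status": "active", "role": "support"},
}

# Onboarding template: the entitlements each role is approved to hold.
ROLE_TEMPLATE = {
    "developer": {"repo:write", "ci:run"},
    "tech_lead": {"repo:read", "deploy:prod"},
    "support":   {"ticketing:agent"},
}

# SoD policy from the post: whoever writes code must not promote it.
SOD_CONFLICTS = [({"repo:write"}, {"deploy:prod"})]

# Constructed entitlement export pulled from the applications under review.
ACCESS_EXPORT = [
    ("alice", "repo:write"), ("alice", "ci:run"), ("alice", "deploy:prod"),
    ("bob", "repo:read"), ("bob", "deploy:prod"),
    ("carol", "repo:write"),
    ("dave", "ticketing:agent"), ("dave", "repo:write"),
    ("eve", "ci:run"),
]


def review_access(roster, template, sod_conflicts, export):
    """Return (user, finding, entitlements) tuples for the owner to act on."""
    per_user = {}
    for user, entitlement in export:
        per_user.setdefault(user, set()).add(entitlement)
    findings = []
    for user, held in sorted(per_user.items()):
        record = roster.get(user)
        if record is None:                      # account with no HR identity
            findings.append((user, "unknown_user", sorted(held)))
            continue
        if record["status"] != "active":        # leaver still holding access
            findings.append((user, "leaver", sorted(held)))
            continue
        extra = held - template.get(record["role"], set())
        if extra:                               # access outside the role template
            findings.append((user, "out_of_role", sorted(extra)))
        for left, right in sod_conflicts:       # toxic combination check
            if left & held and right & held:
                findings.append((user, "sod_conflict", sorted((left | right) & held)))
    return findings


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ROLE_TEMPLATE, SOD_CONFLICTS, ACCESS_EXPORT):
        print(*finding)
```

Each finding maps to an owner action from the lists above: remove the leaver's and unknown account's access, revoke out-of-role entitlements, and resolve the SoD conflict by moving one of the two privileges to a different person.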

IV. Conclusion

We are moving at a fast pace of change in how technology and business teams operate. Given this, enterprises expect security to keep up with the speed of delivery. The culture of DevOps promises an iterative approach to software delivery and implies that security is embedded throughout technology processes. To ensure access review efficacy, enterprises need to adopt automated tools and techniques to alert, prioritize and review access permissions in a just-in-time manner. More on this topic in the next blog!


Co-founder @ BalkanID, Former CISO (Amazon/WholeFoods, Forcepoint, Arrow Electronics)