A CISO's guide to UARs-III: How can we make User Access Reviews more effective?

Sameer Sait
BalkanID Intelligent IGA Blog
4 min read · Oct 26, 2022


I. Introduction

Modern organizations are dynamic, with distributed workforces and many types of systems (on-prem, cloud-native, SaaS). As companies grow in size and complexity, IT and security teams struggle to maintain appropriate user access levels across their environment. The resulting sprawl is typically managed by defining access control policies and mandating activities like user access reviews (UARs). The steps required to initiate and complete a campaign (a collection of UARs) include:

  • Collecting entitlement data across various source systems (IAM providers, SaaS applications, etc.)
  • Aggregating and mapping users and system accounts to their appropriate connections (roles, groups, and fine-grained entitlements)
  • Managing the certification lifecycle of delegating, approving, or denying access while driving to a specific deadline
  • Disabling or deleting user IDs and their associated access permissions
  • Creating custom reports to meet audit/compliance requirements

The end-to-end UAR process can be tedious and time-consuming for large organizations with many applications and potentially thousands of users. To solve this problem at scale, intelligent discovery and machine learning can help security and IT teams quickly organize, prioritize and inform end customers with risk-based recommendations for access reviews.

II. Intelligent Discovery

To make your UARs more effective, consider the following avenues to discover data and empower your end customer (i.e., the access reviewer) to make good decisions. Below are the chronological steps to execute this strategy:

(a) User and Account Behavior

  • Analyze user access data to identify actual permission usage.
  • Identify users who have not logged in for three months or more, and investigate why they are no longer using the account (e.g., the HR system has them on leave).
  • Identify admin accounts that are not being used and either help identify a new owner or recommend de-provisioning them from your system.
  • Identify orphan accounts that have no known owner and are not being used, such as old, deleted marketing accounts.

(b) User Outlier Analysis

  • Analyze the trends in user access requests and approvals by department, job title, team, etc., over time.
  • Confirm whether certain users have more or different roles, groups, and permissions than their peers (by job title or department).
  • Provide insights to the reviewer so they can understand the context of differential access permissions.

(c) User Role or Job Change

Does the user have new permissions related to a change in role or job? If so:

  • Consider if legacy permissions are still assigned to the user and highlight them for the reviewer’s attention.
  • Consider if new permissions assigned to the user are in line with their new job roles/responsibilities.

(d) Data Access

Consider risk rating permissions and associated groups/roles based on the data exposed. This capability can be a powerful mechanism to help access reviewers understand the risk of what they are certifying, especially if the user is an outlier or has irregular behavior. To start:

  • Work with your system owners to ensure data repositories have been tagged with the appropriate classification rating.
  • Understand environment differences (dev, test, prod, etc.) to further delineate between production and non-production data access.
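The discovery signals from (a) and (b), shown as an added example that is not BalkanID's or the post's own code: it runs over a constructed entitlement export and flags dormant, unused-admin and orphan accounts, then checks each entitlement against the holder's department peers. The 90-day window comes from the post; the record layout and the 50 percent peer threshold are assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample entitlement export, one record per account (not real data).
ACCOUNTS = [
    {"id": "alice", "owner": "alice", "dept": "finance", "admin": False,
     "last_login": date(2022, 10, 20), "entitlements": {"erp-read", "erp-post"}},
    {"id": "bob", "owner": "bob", "dept": "finance", "admin": False,
     "last_login": date(2022, 10, 1), "entitlements": {"erp-read", "erp-post"}},
    {"id": "carol", "owner": "carol", "dept": "finance", "admin": False,
     "last_login": date(2022, 6, 1), "entitlements": {"erp-read", "erp-post", "db-admin"}},
    {"id": "svc-backup", "owner": "dave", "dept": "it", "admin": True,
     "last_login": date(2022, 3, 15), "entitlements": {"backup-admin"}},
    {"id": "mkt-legacy", "owner": None, "dept": "marketing", "admin": False,
     "last_login": None, "entitlements": {"cms-publish"}},
]
AS_OF = date(2022, 10, 26)  # constructed campaign start date

DORMANT_DAYS = 90   # "three months or more", per the post
PEER_RATIO = 0.5    # assumed: an entitlement held by fewer than half of a user's peers is an outlier


def is_dormant(acct, today):
    """An account that has never logged in, or not within DORMANT_DAYS, is dormant."""
    last = acct["last_login"]
    return last is None or (today - last).days >= DORMANT_DAYS


def discovery_findings(accounts, today):
    """Return {account_id: [flags]} for the accounts a reviewer should look at first."""
    dept_size = Counter(a["dept"] for a in accounts)
    dept_ent = Counter((a["dept"], e) for a in accounts for e in a["entitlements"])
    findings = {}
    for a in accounts:
        flags = []
        if is_dormant(a, today):
            # No owner and no usage is an orphan (II.a); otherwise plain dormant
            flags.append("orphan" if a["owner"] is None else "dormant")
            if a["admin"]:
                flags.append("unused-admin")
        # Peer baseline (II.b): compare against the others in the same department
        peers = dept_size[a["dept"]] - 1
        for e in sorted(a["entitlements"]):
            if peers and (dept_ent[(a["dept"], e)] - 1) / peers < PEER_RATIO:
                flags.append(f"peer-outlier:{e}")
        if flags:
            findings[a["id"]] = flags
    return findings
```

Accounts with an empty flag list are omitted, so the reviewer sees only the accounts that need a closer look first.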

III. ML-Driven Recommendations

Once the exercise of discovery and analysis has been completed, the next step is to use the above insights to provide recommendations so that access reviewers make informed decisions. Better yet, we can use machine learning to make decisions automatically and save the reviewer precious time from performing mundane, low-value tasks.

(a) Machine Learning as an enabler

UARs are effort-intensive and require multiple interactions between various stakeholders, increasing the complexity (and often cost) of performing these activities. For example, system owners have to interact with many different stakeholders to know which user accounts need to have which exact permissions deleted or changed. Often, application or system owners fail to provide relevant details in a timely manner, putting the organization at risk of potential unauthorized user access.

Machine learning can help security teams model users, their behavior, and the downstream impacts of those behaviors. Additionally, with context like system environment and data classification, the model can be further refined to provide a relatively accurate prediction that can result in an automated action being executed.

(b) Decision Making

The user risk models should help security teams make better decisions, which can help reduce UAR efforts significantly. Example criteria we can use to enable decision-making:

  • If the environment is not important (dev) and the prediction accuracy is greater than 75 percent, the application owner can decide to delete the user ID and review any exceptions raised if users come back.
  • If the environment is important (prod-backup), the application owner should delete the user ID only if the prediction accuracy exceeds 95 percent.
  • If the environment is critical (prod), application owners might decide to use manual methods and disregard the information provided by the models.

These example criteria can help reviewers determine how to take action (automated or manual) without necessarily having to consult with application owners and security/IT teams on risk and impact.
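The three criteria above expressed as a policy function, as an added example rather than BalkanID's own code. The thresholds and the always-manual rule for prod come from the post; the restricted-data override (tying back to the data classification step in II.d) and the fail-safe for environments not in the table are assumptions.

```python
from dataclasses import dataclass

# Thresholds from the post's example criteria. "prod" (critical) is always manual,
# and any environment missing from this table falls back to manual review (assumed fail-safe).
POLICY = {"dev": 0.75, "prod-backup": 0.95, "prod": None}


@dataclass(frozen=True)
class Recommendation:
    user_id: str
    environment: str
    confidence: float              # model's confidence that the access should be removed
    restricted_data: bool = False  # assumed flag from data-classification tagging (II.d)


def decide(rec):
    """Map one recommendation to ('auto-delete' | 'manual-review', reason)."""
    if not 0.0 <= rec.confidence <= 1.0:
        return "manual-review", "invalid confidence score"
    if rec.restricted_data:
        return "manual-review", "entitlement exposes restricted data"
    if rec.environment not in POLICY or POLICY[rec.environment] is None:
        return "manual-review", f"environment '{rec.environment}' is certified manually"
    threshold = POLICY[rec.environment]
    if rec.confidence > threshold:
        return "auto-delete", f"{rec.confidence:.2f} exceeds {threshold:.2f} for {rec.environment}"
    return "manual-review", f"{rec.confidence:.2f} does not exceed {threshold:.2f} for {rec.environment}"


def triage(recs):
    """Split a campaign's recommendations into an automated queue and a reviewer queue."""
    queues = {"auto-delete": [], "manual-review": []}
    for rec in recs:
        action, reason = decide(rec)
        queues[action].append((rec.user_id, reason))
    return queues


# Constructed sample recommendations for one campaign (not real data)
SAMPLE = [
    Recommendation("u1", "dev", 0.80),
    Recommendation("u2", "dev", 0.60),
    Recommendation("u3", "prod-backup", 0.97),
    Recommendation("u4", "prod-backup", 0.90),
    Recommendation("u5", "prod", 0.99),
    Recommendation("u6", "dev", 0.99, restricted_data=True),
    Recommendation("u7", "staging", 0.99),
]
```

Every decision carries its reason, so the audit report for the campaign can show why an ID was removed automatically or routed to a reviewer.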

IV. Conclusion

Intelligent discovery and an ML-driven approach to UARs are a means to an end, not an end in itself. These approaches should be analyzed and tested regularly, both statistically and functionally, to determine their relevance to your specific environment. It is, however, a proven fact that machine learning has helped organizations stretch their resources and improve decision-making across diverse industries and use cases. If you’d like to learn more about how we at BalkanID are helping our customers automate and use machine learning to solve UAR gaps, don’t hesitate to contact me at sameer@balkan.id.


Co-founder @ BalkanID, Former CISO (Amazon/WholeFoods, Forcepoint, Arrow Electronics)