Why it’s Time to Democratize User Access Reviews


By Abhi Kumar, Head of Product at SecurEnds

Most organizations that undergo quarterly, bi-annual or annual user access reviews (UARs) do so to adhere to regulatory compliance or corporate governance requirements. But as the cybersecurity threat landscape continues to grow rapidly, the lesser-known benefits of UARs – such as minimizing ransomware spread, reducing insider threats, and adhering to IT security best practices – are becoming appealing to companies that haven’t historically embraced UARs due to a lack of regulatory or corporate requirements.

Conceptually, conducting UARs on employee, contractor, and partner access rights, privileges and permissions to various IT resources provides many benefits irrespective of company size. No organization can truly understand the breadth and depth of its cyber risk profile if it lacks complete visibility into network assets and ‘who has access to what.’

Unfortunately, the complexity and cost inherent to operationalizing UARs to date has hindered widespread adoption beyond companies in highly regulated industries and large-scale or publicly traded enterprises with extensive budgets and resources.

Complexity hinders ubiquity

Even for the most streamlined organizations, the process of collecting a list of users, roles, and permissions across all systems, correlating user identities to accounts, assigning reviews to managers or application owners, and then resolving or remediating all violations is anything but easy. The process is further complicated by the sprawl of cloud, custom, and enterprise applications that the typical enterprise deploys today.

Making matters worse, organizations conducting UARs have traditionally relied on either manual processes, internally developed software that lacks scalability, or expensive Identity and Access Management (IAM) solutions which may include superfluous features and are costly to implement and manage. Such solutions make it all but impossible for smaller, non-compliance-driven organizations to benefit from UARs.

However, the proliferating regulatory environment – both industry-specific and government-backed – combined with the prevalence of more frequent and sophisticated cyberattacks, has prompted a debate over whether user access reviews should become core to any organization's defense-in-depth strategy, regardless of size, revenue, and regulatory burden.

The cost benefit of democratization

Although democratizing user access reviews sounds reasonable in theory, convincing smaller and unregulated organizations to invest in UARs is not easy, especially when a financial penalty for noncompliance may not be a factor. Even organizations open to the idea of adopting UARs might argue that the costs outweigh the benefits for their business, or that limited financial resources are better spent on more specialized defenses such as email security or security awareness training.

While such arguments have some merit, they fail to acknowledge the utility of UARs beyond visibility into ‘who has access to what.’ Such lesser-known benefits of UARs include:

  1. Reduce ransomware impact – Continuous UARs can reduce the occurrence of ransomware stemming from the existence of orphan accounts (an account without a valid owner). By helping organizations remove terminated user accounts, including service accounts, UARs can reduce the potential spread and extent of ransomware across networks, applications, and devices. For example, were Colonial Pipeline to have had regular UARs in place, it is highly possible that the hackers who used a backdoor to access an orphan VPN account as an entry point to its systems could have been stopped before damages occurred.
  2. Relieve insider threats – Insider threats can be either malicious or non-malicious. A disgruntled employee with malicious intent and an over-privileged account can prove catastrophic to an organization from multiple perspectives (fraud or intellectual property theft to name a few). A non-malicious insider threat may involve an employee viewing data they should not have access to but without the explicit intention of damaging the organization. UARs address both by allowing organizations to enforce the principle of “least privilege” across all user and system accounts, ensuring users always have correct privileges.
  3. Adhere to security standards – ISO 27001 defines a set of standards and “best practices” for information security. Certification is highly advantageous for organizations to ensure appropriate security safeguards are in place for their data. UARs specifically enable organizations to achieve ISO 27001 conformity by meeting the policy requirements of domain A.9, which necessitates that appropriate access controls be established and routinely monitored.
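As an added illustration of the collect, correlate, assign and remediate cycle described above and of the orphan-account finding in item 1 (example code written for this page, not SecurEnds' product), the script below correlates constructed account exports against a constructed HR roster, flags accounts whose owner is missing or terminated (including service accounts), and routes the rest to the owner's manager for certification; all names are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not from the article): an HR roster and
# account exports from two systems, as a UAR tool would collect them.
HR_ROSTER = {
    "alice": {"status": "active", "manager": "carol"},
    "bob": {"status": "terminated", "manager": "carol"},
    "carol": {"status": "active", "manager": "dave"},
}

ACCOUNT_EXPORTS = [
    # (system, account name, owner identity or None, privileges)
    ("vpn", "alice", "alice", {"remote-access"}),
    ("vpn", "bob", "bob", {"remote-access"}),        # terminated owner -> orphan
    ("erp", "svc-backup", "bob", {"db-admin"}),       # service account, terminated owner
    ("erp", "carol", "carol", {"approve-invoices"}),
    ("erp", "legacy-admin", None, {"db-admin"}),      # no owner on record -> orphan
]

@dataclass
class ReviewItem:
    system: str
    account: str
    owner: Optional[str]
    privileges: set
    finding: str   # "orphan" (remove) or "review" (certify)
    reviewer: str  # manager who certifies, or "security-team" for orphans

def correlate(exports, roster):
    """Correlate each account to an identity and decide who reviews it."""
    items = []
    for system, account, owner, privs in exports:
        person = roster.get(owner) if owner else None
        if person is None or person["status"] != "active":
            # No valid, active owner: flag for removal rather than certification.
            items.append(ReviewItem(system, account, owner, privs, "orphan", "security-team"))
        else:
            items.append(ReviewItem(system, account, owner, privs, "review", person["manager"]))
    return items

def assign_campaign(items):
    """Group review items by reviewer, as a review campaign would."""
    by_reviewer = defaultdict(list)
    for item in items:
        by_reviewer[item.reviewer].append(item)
    return dict(by_reviewer)

def orphan_accounts(items):
    """Sorted (system, account) pairs that have no valid owner."""
    return sorted((i.system, i.account) for i in items if i.finding == "orphan")
```

Running `orphan_accounts(correlate(ACCOUNT_EXPORTS, HR_ROSTER))` surfaces the terminated user's VPN login, the service account he owned, and the ownerless admin account, which is the remediation list a review campaign would start from.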

It’s a disadvantage to continue to pigeonhole UARs as security safeguards only relevant to organizations within highly regulated industries or those that are publicly traded. The good news for businesses that are interested in UARs but lack the time, money, and resources to implement them with any regularity is that recent innovations have helped automate the process. In doing so, much of the cost and manual-labor burden has been reduced.

In an era increasingly defined by cybercrime, the burden to reduce risk falls squarely on an organization’s ability to implement the most up-to-date safeguards. While the democratization of UARs certainly won’t eliminate cyber threats completely, it would represent significant progress in the right direction.

About the Author

Abhi Kumar is the Head of Product at SecurEnds, a cloud-native Identity Governance company, where he drives product strategy and execution. He has extensive experience scaling successful product and services teams and companies across the cloud ecosystem.
