Authors
Ken Foster, VP of IT Governance, Risk and Compliance, FLEETCOR
Venkat Raghavan, Founder and CEO, Stack Identity
The Conventional User Access Review Process
User Access Review processes are a foundational aspect of Identity and Access Governance used to manage the risk of access to information systems. User Access Reviews are typically conducted on a quarterly basis and, until recently, were typically centered on human identities. The conventional user access review process is as follows:
- The process is initiated with the objective of verifying access controls. Typically, each quarter, the process is kicked off by a compliance, IT, or business team.
- The process generates an access review list – a list of users along with their current access and entitlements to resources, along with a list of approvers. The reviewers are typically managers of users or the resource owner.
- Access is verified and action is taken by the reviewer to approve or reject the access. This process is typically done in a manual and ad hoc way using spreadsheets, emails, and screenshots.
- IT GRC leverages Access Review findings to test against security, compliance, and audit controls and deliver risk assessment against control objectives.
Challenges with the Conventional Access Review Process
Conventional access reviews are challenged for multiple reasons. The process is manual and reactive, relying heavily on spreadsheets, emails, and screenshots; it runs at limited frequency; and it depends strongly on approvers who may lack the necessary technical or security knowledge, because the effective access is easily buried behind layers of cryptic groups, subgroups, nested groups, and roles.
With the introduction of the cloud, there are now a prolific number of identities and this causes scalability challenges, introduces convoluted access permissions and entitlements processes, and results in a lack of visibility of who really requires access privileges and who does not. Compounding the challenge further is the growth of data applications and contextual data about identity security that is difficult and onerous to find. All these factors make it impossible to maintain a strong access risk management position and make it challenging to demonstrate compliance and pass audits.
How To Meet Cloud and AI Challenges?
To be more effective at managing risk, the User Access Review process needs to be transformed from a reactive process to a proactive one, and utilize the power of automation and AI to ensure continuous and comprehensively informed decision-making. The following outlines a recommended access review process required to alleviate the challenges of the current user access review process and consists of four crucial and transformational approaches of being continuous, informed, automated, and integrated.
Four Transformative Approaches: Continuous, Informed, Automated, Integrated
Transformation #1: Make Access Reviews Continuous
Instead of a process that is periodic and calendar-based, create a proactive process by assessing risk before taking action. Determine the risks and control gaps by implementing a continuous monitoring system that tracks user activities, user security posture, and access changes in real time. This system can proactively identify unusual access patterns and automatically trigger access reviews when necessary, reducing the reliance on infrequent quarterly reviews.
Transformation #2: Ensure Access Reviews are Informed
Correlating, connecting, and contextualizing the data from continuous monitoring can help automate access review decisions. This can be achieved by leveraging analytics and machine learning to analyze access patterns and identify outliers or potential risks. This contextual analysis provides the necessary intelligence for properly informed decisions about access approvals or revocations. At the same time, this can support timely contextual notifications to managers and resource owners about access changes to ensure decisions are made with the most current information and without unnecessary delays.
Transformation #3: Automate Access Reviews
Implementing an automated and adaptive access review process moves the frequency of access reviews away from discrete calendar- or audit-based timelines to a just-in-time model based on risk profiles and user behavior. For example, high-risk users or those with frequent access changes might undergo more frequent reviews. To further automate the process and reduce administrative delay and overhead, it is recommended to create self-service portals through which users can request access to resources, implement role-based access control (RBAC), attribute-based access control (ABAC), and Just-in-Time (JIT) models, and create an automated approval process for routine access requests that meet predefined criteria.
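The following is an added illustration of Transformations #1 through #3 together, not code from the authors, FLEETCOR, or Stack Identity: each entitlement is contextualized into named risk findings (privileged, unused, outlier among team peers, recently changed), the findings drive a risk score that sets the review cadence instead of the calendar, recent changes and outliers trigger an immediate review, and a routine access request is auto-approved only when it is non-privileged and already held by most of the requester's peers. The entitlement records, field names, weights, and thresholds are all constructed assumptions; a single-member team is treated as "no peer evidence" so that it is neither flagged as an outlier nor auto-approved.

```python
"""Risk-based access review scheduler and routine-request auto-approver.

Added example (not the page's or any vendor's code). All data, weights and
thresholds below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    user: str
    team: str
    resource: str
    role: str
    privileged: bool
    granted_on: date
    last_used_on: Optional[date]  # None means the access has never been used


# Constructed sample data: a "payments" team whose member "dave" was just
# granted an admin role that none of his peers hold.
TODAY = date(2024, 6, 1)
ENTITLEMENTS = [
    Entitlement("alice", "payments", "ledger-db", "reader", False, date(2023, 1, 10), date(2024, 5, 30)),
    Entitlement("bob", "payments", "ledger-db", "reader", False, date(2023, 2, 1), date(2024, 5, 29)),
    Entitlement("carol", "payments", "ledger-db", "reader", False, date(2023, 3, 5), date(2024, 5, 28)),
    Entitlement("dave", "payments", "ledger-db", "reader", False, date(2023, 4, 2), date(2024, 5, 31)),
    Entitlement("dave", "payments", "ledger-db", "admin", True, date(2024, 5, 28), None),
    Entitlement("erin", "marketing", "cms", "editor", False, date(2022, 7, 1), date(2024, 1, 15)),
]

UNUSED_DAYS = 90            # access not exercised for this long counts as unused
RECENT_CHANGE_DAYS = 7      # a grant this recent triggers an immediate review
OUTLIER_PEER_RATIO = 0.5    # held by fewer than half of team peers -> outlier
ROUTINE_PEER_RATIO = 0.75   # held by at least 3/4 of peers -> routine request
WEIGHTS = {"privileged": 3, "unused": 2, "outlier": 2, "recent-change": 1}


def peer_ratio(ent: Entitlement, entitlements) -> Optional[float]:
    """Fraction of the user's team peers (excluding the user) holding the same
    resource/role. Returns None when the user has no peers, i.e. no evidence."""
    peers = {e.user for e in entitlements if e.team == ent.team} - {ent.user}
    if not peers:
        return None
    holders = {e.user for e in entitlements
               if e.user in peers and (e.resource, e.role) == (ent.resource, ent.role)}
    return len(holders) / len(peers)


def risk_findings(ent: Entitlement, entitlements, today: date = TODAY):
    """Transformation #2: turn raw access data into contextual risk findings."""
    findings = []
    if ent.privileged:
        findings.append("privileged")
    if ent.last_used_on is None or (today - ent.last_used_on).days > UNUSED_DAYS:
        findings.append("unused")
    ratio = peer_ratio(ent, entitlements)
    if ratio is not None and ratio < OUTLIER_PEER_RATIO:
        findings.append("outlier")
    if (today - ent.granted_on).days <= RECENT_CHANGE_DAYS:
        findings.append("recent-change")
    return findings


def risk_score(findings) -> int:
    return sum(WEIGHTS[f] for f in findings)


def review_interval_days(score: int) -> int:
    """Transformation #3: cadence follows risk, not the quarterly calendar."""
    if score >= 5:
        return 7
    if score >= 3:
        return 30
    return 90


def needs_review_now(ent: Entitlement, entitlements, today: date = TODAY) -> bool:
    """Transformation #1: continuous trigger independent of the review cycle."""
    findings = risk_findings(ent, entitlements, today)
    return "recent-change" in findings or "outlier" in findings


def schedule(entitlements, today: date = TODAY):
    """Map (user, resource, role) -> (score, findings, next review due date)."""
    out = {}
    for e in entitlements:
        findings = risk_findings(e, entitlements, today)
        score = risk_score(findings)
        due = today if needs_review_now(e, entitlements, today) \
            else today + timedelta(days=review_interval_days(score))
        out[(e.user, e.resource, e.role)] = (score, findings, due)
    return out


def decide_request(user: str, team: str, resource: str, role: str, entitlements) -> str:
    """Transformation #3: auto-approve routine requests, route everything else
    to the resource owner. Privileged roles are never auto-approved."""
    privileged = any(e.privileged for e in entitlements if (e.resource, e.role) == (resource, role))
    probe = Entitlement(user, team, resource, role, privileged, TODAY, None)
    ratio = peer_ratio(probe, entitlements)
    if not privileged and ratio is not None and ratio >= ROUTINE_PEER_RATIO:
        return "auto-approved"
    return "route-to-owner"


if __name__ == "__main__":
    for key, (score, findings, due) in schedule(ENTITLEMENTS).items():
        print(key, score, findings, due.isoformat())
    print(decide_request("frank", "payments", "ledger-db", "reader", ENTITLEMENTS))
    print(decide_request("frank", "payments", "ledger-db", "admin", ENTITLEMENTS))
```

Running the block schedules dave's fresh, unused, peer-less admin grant for review today with the highest score, while the long-standing reader grants and erin's stale but ordinary editor role fall onto the 90-day cadence; a new payments team member requesting the reader role is auto-approved, and the same person requesting admin is routed to the owner.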
Transformation #4: Integrate Access Reviews with GRC Processes
Integrating access review findings directly into the IT Governance, Risk, and Compliance (GRC) processes ensures that access reviews contribute directly to assessing security, compliance, and audit controls. An integrated system supports more auditable, detailed records of access review actions, including approvals, rejections, and any associated documentation, and enhances transparency, accountability, and auditability.
By reimagining the Access Review process with these principles in mind, organizations can better manage identity security risk, adapt to the dynamic digital landscape, and enhance overall security and compliance measures.