Access Reviews Done Right
Access reviews are considered important risk management controls in many organizations. They are intended to ensure that each user, process and system has, at all times, only the minimum access rights necessary to perform its assigned tasks. In light of compliance, governance and the organization's internal commitment to protecting itself from unwanted access, there is demand for concepts that take account of the transition from compliance-driven to risk-based operating models. This development focuses on making the Principle of Least Privilege part of a company's DNA and on making Access Reviews effective risk management controls.
1 Executive Summary
Even though role concepts have lost much of their fascination since their heyday and enthusiasm has given way to disillusionment in many cases, the use of roles and their management has become daily practice in many organizations. Access Governance is a mandatory, complementary building block for today’s Identity Management and Access Management Infrastructures.
Protecting an organization’s vital assets from unauthorized access and providing evidence for that protection is an increasingly important discipline for information security, for governance and compliance.
Access Reviews are a detective control that, when implemented appropriately, provides an opportunity to evaluate and adjust digital and, occasionally, physical access. Typically, reviews are completed periodically (e.g. semi-annually) or are triggered by events that make a review necessary (e.g. re-organization of teams, changes of job position or actual incidents). Both provide a ‘point in time’ opportunity for stakeholders to align with the Principle of Least Privilege, assuring that every user, process and system has only the minimal amount of access required to perform its tasks.
The continuously increasing number of authorizations and authorized identities (not only human users but also processes, devices and systems operate today with their own identity and associated authorizations) demands a high degree of automation of Access Review processes. In any case, the need for human interaction during the verification of assigned authorizations must be reduced to a minimum.
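The two points above (reviews that are periodic or event-triggered, and automation that leaves humans only the exceptions) can be combined into a pre-screening step that a review tool runs before certification campaigns go out. The following is an added illustration written for this summary, not code from the original article or from any KuppingerCole or vendor product. It assumes three inputs that most identity governance deployments can export: a role baseline (which entitlements a job role is expected to carry), the current assignments per identity including non-human identities, and last-use timestamps; all data below is constructed, and the `dormant_days` threshold and the reason labels are assumptions.

```python
"""Pre-screen entitlement assignments so reviewers see exceptions only.

Constructed example data; role names, entitlement strings and the
90-day dormancy threshold are assumptions, not values from the article.
"""
from datetime import date

# Constructed role baseline: entitlements a job role is expected to carry.
ROLE_BASELINE = {
    "analyst": {"crm:read", "reports:read"},
    "dba": {"db:admin", "db:read", "reports:read"},
    "service": {"db:read"},
}

# Constructed current state. 'prev_role' is the role recorded at the last
# review, so a difference is the event trigger (job change) mentioned above.
IDENTITIES = [
    {"id": "alice", "kind": "human", "role": "analyst", "prev_role": "analyst",
     "entitlements": {"crm:read", "reports:read", "db:admin"}},
    {"id": "bob", "kind": "human", "role": "analyst", "prev_role": "dba",
     "entitlements": {"db:admin", "db:read", "reports:read", "crm:read"}},
    {"id": "svc-etl", "kind": "service", "role": "service", "prev_role": "service",
     "entitlements": {"db:read"}},
]

# Constructed last-use records: (identity, entitlement) -> last date used.
# Missing entries mean the entitlement was never seen in use.
LAST_USED = {
    ("alice", "crm:read"): date(2024, 5, 1),
    ("alice", "reports:read"): date(2024, 4, 20),
    ("alice", "db:admin"): date(2023, 9, 1),
    ("bob", "db:admin"): date(2024, 4, 30),
    ("bob", "db:read"): date(2024, 5, 10),
    ("bob", "reports:read"): date(2024, 5, 12),
    ("svc-etl", "db:read"): date(2024, 5, 14),
}

REVIEW_DATE = date(2024, 5, 15)  # constructed campaign date


def review_candidates(identities, baseline, last_used, today, dormant_days=90):
    """Return {(identity, entitlement): [reasons]} for assignments that need
    a human decision. Assignments absent from the result match the role
    baseline, are in recent use and belong to an identity whose role is
    unchanged, so they can be certified automatically."""
    findings = {}

    def flag(ident_id, ent, reason):
        findings.setdefault((ident_id, ent), set()).add(reason)

    for ident in identities:
        expected = baseline.get(ident["role"], set())
        role_changed = ident["role"] != ident["prev_role"]
        for ent in ident["entitlements"]:
            # 1. Least privilege: assigned but not part of the current role.
            if ent not in expected:
                flag(ident["id"], ent, "outside-role-baseline")
            # 2. Event trigger: a job change puts every assignment under review.
            if role_changed:
                flag(ident["id"], ent, "role-changed")
            # 3. Dormancy: never used, or unused longer than the threshold.
            used = last_used.get((ident["id"], ent))
            if used is None or (today - used).days > dormant_days:
                flag(ident["id"], ent, "dormant")

    # Sorted reason lists make the output stable for reports and tests.
    return {key: sorted(reasons) for key, reasons in findings.items()}


def review_summary(identities, findings):
    """(total assignments, assignments needing a reviewer, auto-certifiable)."""
    total = sum(len(i["entitlements"]) for i in identities)
    flagged = len(findings)
    return total, flagged, total - flagged


if __name__ == "__main__":
    found = review_candidates(IDENTITIES, ROLE_BASELINE, LAST_USED, REVIEW_DATE)
    for (who, ent), reasons in sorted(found.items()):
        print(f"{who:8} {ent:14} {', '.join(reasons)}")
    total, flagged, auto = review_summary(IDENTITIES, found)
    print(f"{total} assignments, {flagged} for human review, {auto} auto-certified")
```

With the constructed data, alice's stale `db:admin` is flagged as both outside her role and dormant, every assignment of bob is queued because his role changed, and the service identity's single in-baseline, in-use entitlement needs no reviewer at all; 3 of 8 assignments are certified without human interaction. In a real deployment the three inputs would come from the IGA system, the HR feed and access logs respectively, and the reasons would drive which reviewer (line manager, application owner) receives the item.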
Common weaknesses and misconceptions in the Access Review procedure (and in upstream processes) can be mitigated or eliminated by observing practical recommendations. These are derived and described below.
Full article is available for registered users with free trial access or paid subscription.
Sign up for the Professional or Specialist Subscription Packages to access the entire body of the KuppingerCole research library consisting of 700+ articles.