
Process - User Access Reviews

  • Feb 11
  • 6 min read


User Access Reviews are daunting, confusing, tiresome tasks that Managers must complete for their direct reports. The mere fact of having to validate and approve each individual's particular access/permissions makes the Manager feel as if it is costing them so much money and time that they are unable to complete their own assigned work on time.


Rushing through it just to get it over with, with that negligent, nonchalant mindset, and choosing NOT to act right then to ensure their direct reports really are assigned least-privilege permissions during the Review Period, WILL cause far more damaging situations in terms of money, reputation, and the effort needed to contain and rectify the issue.


That's the gist of User Access Reviews (UAR). It's not that hard, actually.


It's an on-going learning journey, with curiosity and awareness increasing during every User Access Review Period.

What is it exactly?


The core foundation and fundamental principle is this: a User Access Review is identity-centric.


To elaborate slightly further with 5W1H:

  1. WHO is the user?

  2. WHAT are the user's expected job functions?

  3. WHY does the user require this set of permissions to access this resource?

  4. WHEN does the user have to access the resource, and when was the user assigned to this resource?

  5. WHERE is the user accessing the resource from, and in which environment (production/development)?

  6. HOW long does the user require the access for?



Whether it's:

  1. A User Account

  2. A Non-Human Identity

  3. An Application


The one and foremost underlying question is: WHO?

  • Who is the user of this account?

  • Who is the developer/owner of this application?

  • Who asked to create/approved this non-human identity?


This must be strongly reiterated to all Managers. At the end of the day, they will be held accountable and responsible if they have not completed a detailed review of their direct reports.


Inclusion of an AI Tool with the User Access Review Process


Usually during the Review Process, there is a high chance that Managers are not aware of what a particular Security Group is for, or what a particular Role Assignment does, or even which permissions the Security Group/Role assigned to their direct report actually grants.


To clarify this, Managers will begin to reach out to their Direct Reports, who quite likely do not know either, and who then reach out to other departments to find out more. This 'finding-out' process takes time and effort, and both sides, the Manager and the direct report, need to understand what it is all about. Not forgetting that the Manager MUST also comply with the security standard of ensuring that the Least Privilege and Segregation of Duties principles are applied to their direct reports.


With the evolution of AI technology, here comes AI assistance to ease those worries away and help with our productivity. Although I am an anti-AI person, in good faith I respect the positive capabilities that AI can offer an organization.


As such, in cases where the Manager and their direct reports are stuck and have only limited information, the AI can provide the following information to the Manager during the review:


  • The purpose of the Security Group/Role's creation & its assignment to their Direct Report

  • Is it created for a short-term project/POC/troubleshooting purpose or is it part of a large-scale project/BAU operations?

  • What are the permissions being assigned to the Security Group/Role?


With the above information, a Manager must be able to conclude whether the appropriate access is assigned, following the Least Privilege principle.


In the event that, after obtaining the information, the Manager is still unsure, he/she must reach out to their direct reports to build awareness of the roles/permissions assigned to the team.


This introduces the 'Security-First Mindset' and guides the team to adhere to the Least Privilege & Segregation of Duties principles as part of IT Security Compliance.


A UAR that shows 'Approve ALL' - is a UAR that needs to be reviewed.


In this fast, busy, chaotic, unpredictable world, Managers will be in a rush, on the clock to complete their tasks within deadlines and as quickly as possible.


They will apply the same methodology to the User Access Review and simply mark it as 'Approve ALL' --> This is a red flag UNLESS there is valid justification that every access/permission is indeed to be approved. Otherwise it MUST be reviewed.


How an AI can help Senior Management review the above-mentioned UAR


Rather than Senior Management having to perform the daunting manual task of investigating further, the help of an AI will be tremendous. How can it help?


In my mind, in a safe and secure manner, and although this could be extremely intrusive, keeping good faith in the technology and aiming to nab lazy managers, the AI must be able to retrieve this information:

  1. When was the last login date of the direct report, to access which resource, using which particular role/permissions?

  2. Even if there is a recent last login date, how long was the session active and at what time was it?

    1. What activities exactly were being carried out? Perhaps that particular direct report does not need the access and could leave the task to another team member to complete. This shows a lack of delegation within the team.

    2. Redundancy/Backup needs to be justified as well; otherwise the Manager can hold the access, or the backup can raise it as a Just-In-Time Request.

  3. If there are conflicting tasks within the team and this was not reviewed by the Manager, it means Least Privilege & Segregation of Duties were not followed. The usual excuse, 'It's a tiresome task and needs proper planning around it', can no longer be accepted as a reason.

  4. Need to analyse whether this widens the attack surface within the team, making attacks easier to carry out.

  5. Have there been internal discussions about no longer needing certain Security Groups/Roles, yet the Manager did not follow up and did not provide the necessary comment as to why this particular role assignment is still required for their direct report?

    1. A comment on why certain access is required shows that the Manager has indeed reviewed it.


With the ability to retrieve all this information from the AI instantaneously, Senior Management can then have a discussion to understand further why such a review was submitted.


During this discussion, it's important to let him/her understand the seriousness of the nonchalant mentality and the consequences of not adhering to the Least Privilege & Segregation of Duties principles as part of IT Security Compliance, and to emphasise that such a review MUST NOT be submitted again.
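One way to turn the questions above (last login, session length, missing justification, conflicting roles, 'Approve ALL') into a repeatable check over a submitted review, as an added example that is not part of the original post. The record layout, the 90-day staleness window, the Segregation of Duties conflict pair and the sample submission are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Entitlement:
    user: str
    role: str
    decision: str                      # "approve" or "revoke"
    comment: str = ""                  # manager's justification, if any
    last_login: Optional[date] = None  # None: never seen using this role
    last_session_minutes: int = 0      # length of the most recent session

# Constructed conflict pair (assumption): roles one person should not hold together.
SOD_CONFLICTS = {frozenset({"PaymentCreator", "PaymentApprover"})}
STALE_AFTER = timedelta(days=90)  # one quarterly privileged-review cycle
MIN_USEFUL_SESSION = 5            # minutes; shorter looks like "just checking it still works"

def find_flags(entries, today):
    """Return sorted (flag, subject) pairs that senior management should question."""
    flags = set()
    # Whole-submission red flag: everything approved, but not every line justified.
    if entries and all(e.decision == "approve" for e in entries) \
            and not all(e.comment.strip() for e in entries):
        flags.add(("APPROVE_ALL_WITHOUT_FULL_JUSTIFICATION", "*"))
    roles_by_user = {}
    for e in entries:
        if e.decision != "approve":
            continue  # revoked access needs no further questions here
        subject = f"{e.user}:{e.role}"
        roles_by_user.setdefault(e.user, set()).add(e.role)
        if not e.comment.strip():
            flags.add(("APPROVED_WITHOUT_COMMENT", subject))
        if e.last_login is None or today - e.last_login > STALE_AFTER:
            flags.add(("STALE_ACCESS", subject))
        elif e.last_session_minutes < MIN_USEFUL_SESSION:
            flags.add(("MINIMAL_USE", subject))
    for user, roles in roles_by_user.items():  # SoD: both halves of a pair approved
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                flags.add(("SOD_CONFLICT", f"{user}:{'+'.join(sorted(pair))}"))
    return sorted(flags)

# Constructed sample submission (assumption): everything approved, one comment in five.
TODAY = date(2025, 12, 1)
SAMPLE = [
    Entitlement("alice", "PaymentCreator", "approve", "", date(2025, 11, 20), 45),
    Entitlement("alice", "PaymentApprover", "approve", "", date(2025, 11, 28), 30),
    Entitlement("bob", "ProdDBAdmin", "approve", "", date(2025, 7, 1), 10),
    Entitlement("carol", "ReadOnlyReports", "approve", "", None, 0),
    Entitlement("dan", "BuildAgentAdmin", "approve", "CI pipeline owner", date(2025, 11, 30), 2),
]
```

Running `find_flags(SAMPLE, TODAY)` on the constructed submission surfaces the 'Approve ALL' red flag, the stale and never-used roles, the two-minute session, and alice holding both halves of the payment conflict pair.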

Types Of User Access Reviews


  1. Privileged User Access Reviews: Every 3 months

    1. User Admin Accounts > Typically performing administrator-privileged activities

    2. Admin Non-Human Identities > Typically performing administrator-privileged activities (machine-based)

  2. Service Account User Access Reviews: Every 6 months. To ensure every Service Account has an owner and is reviewed.

    1. Admin Service Accounts > Typically performing administrator-privileged activities

    2. Standard Service Accounts > Usually establishing communications/connectivity between applications/software/servers to perform day-to-day activities

  3. Application User Access Reviews: Every 6 months. For Application Owners/Business Users to review that the appropriate Security Groups/Roles/Permissions are assigned

    1. Critical Business Applications > Critical to business revenue & growth 24/7/365

    2. Standard Business Applications > Usually standard necessary applications for business users' daily operations

  4. Guest User Access Reviews: Every 3 months. For 3rd Party Guest Access

    1. B2B Guest Access (Azure)

    2. Guest User Access to 3rd Party Hosted Application/Software Platforms


Embracing User Access Reviews as an Organizational Culture


Regardless of how manual or automated User Access Reviews are, the due diligence & vigilance falls back on the Manager completing them. We are all human, and the tendency not to complete them accurately will surface due to exhaustion or being short of time.


To instil a positive, security-first mindset in them, we must take the time to appreciate the effort and time they give to understand and respect the UAR, rather than constantly penalizing them.


This is a suggestion from me; you guys are free to contribute your ideas.

By having the below implemented within the organization:

  • A Points-Rewarding System - for those who have completed on time with high accuracy

  • An Annual Recognition Programme - for the teams who have completed the UARs on time and been proactive in ensuring only required roles/permissions are maintained, with clear, valid justifications, and that Least Privilege & Segregation of Duties are followed.

  • An Exemplary Role Model for Completing All The UARs Accurately - A Manager who: 1. Completed all the UARs accurately, 2. Is on top of every single Security Group/Role/Permission assigned to his/her Direct Reports, 3. Is actively involved in ensuring Least Privilege and Segregation of Duties are implemented within the team, 4. Is involved in cleaning up unwanted access, and 5. Is able to pass on the knowledge/skills to fellow colleagues/teams.

I believe in good faith that each Manager, Direct Report, Team & Department will begin to participate actively and proactively rather than reactively.


It will take time, but with consistency and perseverance as the key, and by being genuine, honest, open and transparent about the rewards, they will be motivated, especially the Managers, to practice extreme vigilance during the User Access Review Period. They can also help a lot in ensuring ONLY the necessary accounts/roles/security groups/permissions are kept, and push towards a clean-up/hygiene activity themselves with their respective teams, keeping the Security Team involved.


Lastly, this will slowly transition and transform into a positive, vibrant, Security-First Organizational Culture, from the most junior employee all the way up to the CEO of the organization.




2025 December UnderneathTheBlueSky - Brighter Days Ahead