Our Compliance Consultant, Joe Dylewski of ATMP Solutions, was telling us recently about an often unrecognized or forgotten internal security vulnerability that occurs at many companies. When employees change positions or leave the company entirely, the access they require to systems and applications also changes. But, too often, and especially when an employee changes positions within a company, previous access rights are not changed. Each failure to keep access privileges current introduces a risk.
While this blog isn't sexy and may seem like common sense, you'd be surprised at how many companies allow this risk to grow unchecked.
To help alleviate these risks, Joe recommends conducting periodic Access Reviews.
What are “Access Reviews”?
Over time, as workforce members leave the company or move to other positions within the same organization, they no longer need access to certain systems or they require access to new systems. It is important to periodically review the access of current and terminated employees to confirm that it still adheres to the “least privilege” principle, or to deactivate it where it does not. There are three general types of access reviews that should be conducted:
- Roles and Responsibilities: Access is typically set up using groups, roles, and responsibilities. Independent of the specific individuals who are members of these groups, asset owners should review the entitlements themselves to ensure that what is being granted is still reasonable and appropriate.
- Group Membership: Group owners should periodically review the rosters of individual groups to ensure the membership is still reasonable and appropriate.
- Privileged Access: Administrators are often given elevated privileges to carry out installations, maintenance, and other tasks that the standard user does not need to perform. The access of individuals with elevated privileges should be reviewed frequently; this review is often performed more frequently than standard user reviews.
Why are access reviews important?
While policies and procedures are in place and followed to the best of everyone’s ability, sometimes items are missed. Additionally, we experience a condition referred to as “Access Creep”. Access creep occurs mostly when individuals change roles within the company and their former access is not deactivated. This leads to individuals having more access than their jobs and roles require.
What should you do to conduct access reviews?
- Conduct standard access reviews quarterly. The groups and their respective memberships should be examined to make sure the access is still reasonable and appropriate. These reviews should be performed by the owner of the application or asset. Too often, these reviews are completed by the Information Technology team rather than by the individual or team that knows the environment best.
- Conduct access reviews for elevated access. It is recommended that privileged access be reviewed every 30-60 days.
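As an added illustration (not part of Joe's post or any ATMP Solutions tooling), the following Python script runs the three checks described above over a small, constructed directory snapshot: group memberships that a user's current role does not entitle them to (access creep), terminated accounts that still hold access, and groups whose last review is older than the quarterly cadence for standard groups or the 60-day cadence assumed here for privileged groups. The role-to-group model, user records and review dates are all made-up sample data.

```python
from datetime import date

# Constructed sample data (not from the original post): which groups each
# role is entitled to, and a small directory snapshot with review dates.
ROLE_ENTITLEMENTS = {
    "accountant": {"finance-readers", "erp-users"},
    "developer": {"git-users", "ci-users"},
    "sysadmin": {"git-users", "domain-admins"},
}
PRIVILEGED_GROUPS = {"domain-admins"}

USERS = [
    # name, status, current role, groups the account is still a member of
    {"name": "alice", "status": "active", "role": "developer",
     "groups": {"git-users", "ci-users", "finance-readers"}},  # moved from accounting
    {"name": "bob", "status": "active", "role": "sysadmin",
     "groups": {"git-users", "domain-admins"}},
    {"name": "carol", "status": "terminated", "role": "accountant",
     "groups": {"erp-users"}},  # account was never deactivated
]
LAST_REVIEW = {"finance-readers": date(2024, 1, 10), "erp-users": date(2024, 3, 1),
               "git-users": date(2024, 3, 1), "ci-users": date(2024, 3, 1),
               "domain-admins": date(2024, 2, 1)}


def find_access_creep(users=USERS, entitlements=ROLE_ENTITLEMENTS):
    """Active accounts holding groups their current role does not entitle them to."""
    findings = []
    for u in users:
        if u["status"] != "active":
            continue
        extra = u["groups"] - entitlements.get(u["role"], set())
        findings.extend((u["name"], g) for g in sorted(extra))
    return findings


def find_terminated_with_access(users=USERS):
    """Terminated accounts that still hold any group membership."""
    return [u["name"] for u in users if u["status"] == "terminated" and u["groups"]]


def overdue_reviews(today, last_review=LAST_REVIEW, privileged=PRIVILEGED_GROUPS,
                    standard_days=90, privileged_days=60):
    """Groups whose last review is older than the recommended cadence:
    quarterly for standard groups, 30-60 days (60 assumed here) for privileged ones."""
    overdue = []
    for group, reviewed in sorted(last_review.items()):
        limit = privileged_days if group in privileged else standard_days
        if (today - reviewed).days > limit:
            overdue.append(group)
    return overdue
```

Running the checks as of 2024-04-15 flags alice's leftover finance-readers membership, carol's still-active account, and the finance-readers and domain-admins groups as overdue for review.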
When was the last time your company conducted an access review? If you don't know the answer to that question, you could have a lot of unnecessary risk. Take the time to evaluate your policies and procedures, conduct reviews and don't forget about Access Creep.
If you'd like to know more about keeping your data safe and your operations secure, contact CloudSAFE.
CloudSAFE thanks Joe Dylewski of ATMP Solutions for contributing this guest blog.