Access Reviews: Protecting Against Needless Internal Security Vulnerabilities

Our Compliance Consultant, Joe Dylewski of ATMP Solutions, was telling us recently about an often unrecognized or forgotten internal security vulnerability that exists at many companies. When employees change positions or leave the company entirely, the access they require to systems and applications also changes. But too often, especially when an employee changes positions within a company, previous access rights are not changed. Each failure to keep access privileges current introduces a risk.

While this blog isn't sexy and may seem like common sense, you'd be surprised at how many companies allow this risk to grow unchecked.

To help alleviate these risks, Joe recommends conducting periodic Access Reviews.

What are “Access Reviews”?

Over time, as workforce members leave the company or move to other positions within the same organization, they no longer need access to certain systems or they require access to new systems. Periodically, it is important to review the access of current and terminated employees to confirm that it still adheres to the “least privilege” principle, and to deactivate any access that no longer does. There are three general types of access reviews that should be conducted:

  1. Roles and Responsibilities: Access is typically set up using groups, roles, and responsibilities. Independently of the specific individuals who are members of these groups, the entitlements should be reviewed by asset owners to ensure that what is being granted is still reasonable and appropriate.
  2. Group Membership: Group owners should periodically review the rosters of individual groups to ensure the membership is still reasonable and appropriate.
  3. Privileged Access: Administrators are often given elevated privileges to carry out installations, maintenance, and other tasks that the standard user does not need to perform. The access of individuals with elevated privileges should be reviewed frequently, often more frequently than standard user access.

Why are access reviews important?

While policies and procedures are in place and followed to the best of everyone’s ability, items are sometimes missed. Additionally, we experience a condition referred to as “Access Creep”. Access creep occurs mostly when individuals change roles within the company and their former access is not deactivated. This leads to individuals having more access than their jobs and roles require.

What should you do to conduct access reviews?

  1. Conduct standard access reviews quarterly. The groups and their respective memberships should be examined to make sure the access is still reasonable and appropriate. These reviews should be performed by the owner of the application or asset. Often, these reviews are completed by the Information Technology team rather than by the individual or team that knows the environment best.
  2. Conduct access reviews for elevated access. It is recommended that privileged access be reviewed every 30-60 days.
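The three review types above can be driven from data most organizations already hold: a role-to-entitlement map, the group rosters from the directory, the HR roster, and the date each group owner last signed off. The following Python is an added example, not code from the article or from ATMP Solutions; the roster data is constructed, and the 90-day standard and 60-day privileged cadences are assumptions taken from the quarterly and 30-60 day recommendations above.

```python
from datetime import date

# Constructed sample data (not from the article). Roles map to the groups they are entitled to.
ROLE_ENTITLEMENTS = {
    "accountant": {"finance-readers", "erp-users"},
    "engineer": {"git-users", "ci-users"},
    "sysadmin": {"git-users", "domain-admins"},
}
PRIVILEGED_GROUPS = {"domain-admins"}
EMPLOYEES = {  # current role and HR status per user
    "alice": {"role": "engineer", "status": "active"},
    "bob": {"role": "accountant", "status": "active"},  # moved here from engineering
    "carol": {"role": "sysadmin", "status": "terminated"},
}
GROUP_MEMBERS = {  # rosters as pulled from the directory
    "finance-readers": {"bob"},
    "erp-users": {"bob"},
    "git-users": {"alice", "bob", "carol"},  # bob's old engineering access lingers
    "ci-users": {"alice"},
    "domain-admins": {"carol"},
}
LAST_REVIEW = {  # when each group's owner last signed off on its roster
    "finance-readers": date(2024, 3, 1), "erp-users": date(2024, 3, 1),
    "git-users": date(2023, 12, 1), "ci-users": date(2024, 2, 15),
    "domain-admins": date(2024, 1, 20),
}
# Assumed cadences: quarterly (90 days) for standard groups, 60 days for privileged ones.
STANDARD_MAX_AGE, PRIVILEGED_MAX_AGE = 90, 60


def review_access(employees, group_members, role_entitlements,
                  privileged_groups, last_review, today):
    """Return findings as tuples: (kind, subject, detail)."""
    findings = []
    for group, members in group_members.items():
        for user in sorted(members):
            emp = employees.get(user)
            if emp is None or emp["status"] != "active":
                findings.append(("terminated", user, group))  # access never deactivated
            elif group not in role_entitlements.get(emp["role"], set()):
                findings.append(("access-creep", user, group))  # not part of current role
        max_age = PRIVILEGED_MAX_AGE if group in privileged_groups else STANDARD_MAX_AGE
        age = (today - last_review[group]).days
        if age > max_age:
            findings.append(("overdue-review", group, age))  # owner sign-off is stale
    return findings


def run_sample_review(today=date(2024, 4, 1)):
    return review_access(EMPLOYEES, GROUP_MEMBERS, ROLE_ENTITLEMENTS,
                         PRIVILEGED_GROUPS, LAST_REVIEW, today)
```

Each finding is something the asset or group owner, not the IT team, should confirm or revoke; the overdue-review findings are what keeps the quarterly and 30-60 day cadences honest.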

When was the last time your company conducted an access review? If you don't know the answer to that question, you could have a lot of unnecessary risk. Take the time to evaluate your policies and procedures, conduct reviews and don't forget about Access Creep.

If you'd like to know more about keeping your data safe and your operations secure, contact CloudSAFE.


CloudSAFE thanks Joe Dylewski of ATMP Solutions for contributing this guest blog.
