Top User Access Review Best Practices

Without regular user access reviews, you’re creating the opportunity for significant data security disasters. Here’s a look at the issue and best practices to prevent them from happening… 

What is a user access review

Just because you can do something doesn’t mean you should, and user access reviews exist to make sure that most cannot.

User access review, which includes managing user access rights, involves a periodic inventory of access rights to certain network and systems. In a nutshell, it looks at who’s accessing what, what level of access they have, and if they have valid reasons for access rights. Without a handle on these three pivotal points, you’re opening the door to potential security disasters and possible reputational damage. That goes for all parties involved with an organization – employees and third parties or vendors – whether driven by ill intent or accident.

Let’s dive into the risks of not conducting user access reviews, the best practices that create a framework for success, an example of the steps involved in conducting a review, and the differences with privileged access reviews.

Risks of inappropriate user access

There are inherent risks introduced when a user has access to a system, program, app, or network that they shouldn’t.

  • Privilege abuse | Sometimes employees or third parties are given too much access and they can take advantage of that access – whether maliciously or unintentionally. In the 2021 Ponemon Institute report on third-party security, 74% of those surveyed cited the source of cyberattacks as granting too much privileged access to a third party. On the other hand, according to the Verizon 2021 Data Breach Investigations Report, 17% of data breaches are caused by miscellaneous human error. Either way you slice it, too much access can lead to a breach of private data and a breach of trust between an organization and its customers.
  • Employee or third-party termination | If an employee or third party is terminated but their access rights aren’t removed, they could still have access to large amounts of sensitive information, even after they’ve left the company. And if the departure isn’t pretty, a resentful grudge makes for great motivation for a former employee or vendor rep to take advantage of those active credentials during that termination gap.
  • Licensing costs | Organizations that don’t keep track of users who have access to certain systems are at risk of spending more money than they need to on system licenses and accounts. Depending on the type of system, one license could cost hundreds of dollars. So, if Sally in accounting doesn’t need an Adobe Photoshop license, she shouldn’t have one. Make sure the right people have access to the systems they need – and nothing more.

User access review best practices

To mitigate these risks and keep your access management routine efficient and secure, it’s in your organization’s best interest to conduct periodic user access reviews. And if you don’t have regular user access reviews in place already, here are five user access review best practices to help you set up an efficient process.

1. Develop a user access review policy and supporting procedures

Developing a user access review policy is crucial for any organization’s cybersecurity and compliance. A thorough policy can help save an organization time and money while mitigating security risks and protecting sensitive information. It’s best to consider policy development as the information-gathering stage of the process, with a lot of asking questions and finding answers. The main information to gather? Who has access to what, what is the most important information that needs protecting, who and what is most vulnerable to risk, and what software exists to mitigate those risks.The development of a user access review policy should always be geared toward achieving a Zero Trust policy, meaning a policy that allows users access to only the bare minimum needed for job duties. It’s a data-centric model that applies the concept of least privileged access to every access decision.

Once your organization has determined a user access review policy that’s best for both business and cybersecurity needs, the next step is to create a formalized user access review procedure. This procedure will need to involve regular audits of user access, so there is always a record. The best user access review procedures include:

  • A consistent review schedule
  • A consistent review of who has what user permissions
  • A record and ongoing document of all changes made within your organization’s system
  • A regular check on employee’s current permissions to ensure they are appropriate
  • A system that makes sure the right managers and administrators are handling these reviews

In addition, any formalized user access review procedure should implement both role-based access control and least privilege, or Zero Trust, access. While creating this procedure can seem like a lot, there are a variety of software programs that can guide an organization.

2. Implement role-based access control and least privileged access

One of the safest and most fundamental practices of cybersecurity is implementing least privileged access. This IT security design principle restricts access rights and program privileges to only those necessary for the required job. It’s the difference between having a key that works on every door and one that only opens certain rooms. When distributing those keys to users across your organization, you need to also practice role-based access control, meaning that the keys (or access permissions) should be given to users based on their role and responsibilities. For example, an employee in the accounting department likely needs access rights to programs like Microsoft Office, QuickBooks, and Salesforce – ones that are needed for the job at hand. While they also might also need access to Adobe Acrobat, they don’t need access to every program in the Adobe suite, like Photoshop. This is where least privileged access and role-based access control work hand-in-hand.

3. Grant temporary, not permanent, user access

Automatic access and removal of access based on user activity and employment is one of the best ways an organization can protect valuable and sensitive information. The Colonial Pipeline breach, which crippled the oil pipeline system and cost them almost $5 million, was caused by an old VPN and a hacked password. Crucial to implementing Zero Trust Architecture is utilizing only temporary access that stops after a given time has expired or after an individual has gathered only what information they need for a given task. Temporary access not only protects from the risk of internal users having too much access and possibly taking advantage of it, but it also protects from outsider threats that try to get into the organization through its employees. If you deny all access until it’s absolutely needed, you’re eliminating risk and protecting information from bad actors and inappropriate access.

4. Get the right people involved in access permission decisions

In most cases, the IT team is responsible for distributing system access to users. And while we’re grateful for that, we acknowledge that they aren’t always the best ones to make the call on which users should access what systems. Managers and supervisors will have a much better idea of which individuals need access to specific programs. A CFO will know that an accountant doesn’t need the full Adobe suite, and the marketing manager will know who exactly needs access to Photoshop. The network and system administrators aren’t mind readers – and they shouldn’t be responsible for assigning and reviewing user access. Make sure the correct managers are responsible for reviewing user access permissions and assigning them to individuals based on their roles.

5. Educate your staff about how to review access rights

It may be easy to overlook, but employee training to educate your staff on how to best review user access rights is essential. This involves implementing new practices of communication between teams, like timely turnover notifications, monthly access audits conducted by leaders, and updated user access reports to IT/systems administrators when changes need to occur. User access review tools, including programs built to automatically conduct these processes, save organizations the laborious manual work of auditing and reporting.

A user access review example: Key steps to take

With the earlier noted best practice of establishing a policy approach and procedures in place, organizations are well-positioned to conduct an actual user access review. Here’s a high-level look at the steps involved in making that happen:

  • Perform an inventory of all current technologies and cybersecurity measures, which will help identify gaps, weaknesses, and where investments need to be made
  • Conduct a user access review for all users – both internal and external, including access to privileged accounts, where the most potential damage can be inflicted on critical assets
  • Implement access controls and access monitoring, including access notifications, access approvals, time-based access, and multifactor authentication, as well as real-time monitoring
  • Be proactive, and plan ahead, because flexibility and adaptability are vital attributes in the ever-changing data theft landscape

Does a privileged user access review work any differently?

The short answer is “no.” The stakes are higher, due to the highly sensitive data in privileged accounts and the considerable damage that can be inflicted by an attack. And these accounts will have elevated access permissions for that reason. But the same approach to user access review applies, including focus on the three key points (who’s accessing what, what level of access they have, and if they have valid reasons for access rights), as well as the guiding policies and procedures. The good news is that privileged access management software and tools do the heavy lifting by managing this access. It accomplishes this by gathering the credentials of privileged accounts into a secure repository to isolate their use and log their activity. This separation – often with the help of a password vault – helps lower the risk of credentials being stolen or misused.

Establishing and incorporating these user access review best practices gets you one step closer to gaining back control over your access rights. Many companies have lost control over this, and it shows in their inability to meet audit requirements – and ultimately – in their inability to combat the cyberattacks they incur. While it may take time to break the current cycle of user access management, it’s worth the extra effort to protect your organization from the risks associated with a lack of control over user access rights. And if the effort seems too overwhelming for IT/security/systems teams (who already deal with hundreds of daily requests), user access review automation can streamline the task of managing access rights, while boosting productivity.

To learn more, check out our user access review checklist to keep as a handy reference.