Most managers in most big companies will be familiar with periodic access reviews. Once a quarter an email arrives telling you to review all staff access. You have an hour before your next meeting to review 10 team members, each of whom has access to about 50 systems, and none of the systems has a name you recognise. Your heart sinks; it’s a time-consuming task and you have no evidence that what you’re doing is correct or even useful. Well, based on Idax’s research you’re right – about 15% of all reviewed access rights are removed, and the effectiveness is no better than random. So what should you do?
- Focus on high risk individuals. You need a method of identifying staff members who pose the biggest threat. Spend the majority of time on them. In the Idax world we identify high risk outliers in any group, but failing that longer service staff and staff who have recently moved are likely to have the highest risk.
- Compare staff to their role profile. If you’re using Role Based Access Control (RBAC) then compare staff to that role. There are lots of shortcomings with RBAC that identity analytics can overcome, but if it’s the best you have then use it.
- Find who else has that access. It’s obvious, but context helps. If you can see that the only other staff members with access to that system are in your team member’s old department, then chances are the access rights are a hangover from that earlier role. Unfortunately, most companies do not make this context available.
- Look at the importance of the system. Again, context helps. There’s little value in spending most of your time agonizing over access to a system that doesn’t control access to anything important. Better to spend time on critical, SOX and high risk systems. Ask the application owners for that information.
- Recognise that you’re going to fail. Access reviews in their current form are not very effective. It’s hard for a manager to improve on the 15% random rule, so anything better is an improvement. Of course, at Idax we recommend an analytic approach to the data to give real decision-making authority. But at a minimum you should be working to get a handle on your team’s access rights throughout the cycle, not just four times a year.
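The four prioritisation heuristics above (user risk from tenure and recent moves, deviation from the role profile, who else holds the access, and system criticality) can be turned into a simple scoring pass that hands a manager a ranked queue instead of a flat list of 500 rights. The script below is an added example written for this post; it is not Idax’s product or code, and the users, systems, role profiles, criticality ratings and weights are all constructed assumptions for illustration.

```python
"""Rank entitlements for a periodic access review.

Added example, not Idax's code. Scores each (user, system) pair using the
four heuristics from the post so a reviewer can spend the hour on the top
of the list. All reference data and weights below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class User:
    uid: str
    department: str
    role: str
    start_date: date
    previous_department: Optional[str] = None   # set when the user has moved
    moved_on: Optional[date] = None
    entitlements: set = field(default_factory=set)


# Constructed role profiles (RBAC) and criticality ratings; 3 = critical/SOX.
ROLE_PROFILES = {
    "trader": {"trading-platform", "market-data"},
    "analyst": {"market-data", "reporting"},
    "ops": {"payments", "ledger", "reporting"},
}
SYSTEM_CRITICALITY = {
    "payments": 3, "ledger": 3, "trading-platform": 3,
    "market-data": 1, "reporting": 2, "wiki": 1,
}


def user_risk(user: User, today: date) -> float:
    """Heuristic 1: recently moved and long-serving staff get more attention."""
    risk = 1.0
    if user.moved_on and (today - user.moved_on).days <= 180:
        risk += 1.0          # access from the old role is likely to linger
    if (today - user.start_date).days / 365.25 >= 5:
        risk += 0.5          # long service accumulates entitlements
    return risk


def peer_departments(system: str, user: User, users: list) -> set:
    """Heuristic 3: departments of everyone else who holds `system`."""
    return {o.department for o in users
            if o.uid != user.uid and system in o.entitlements}


def score_entitlement(user: User, system: str, users: list, today: date):
    """Return (score, reasons) for one access right; higher = review first."""
    reasons = []
    # Heuristic 4: weight by system importance, then by user risk.
    score = SYSTEM_CRITICALITY.get(system, 2) * user_risk(user, today)
    # Heuristic 2: anything outside the role profile is suspect.
    if system not in ROLE_PROFILES.get(user.role, set()):
        score *= 2
        reasons.append("not in role profile")
    peers = peer_departments(system, user, users)
    if user.previous_department and peers and peers <= {user.previous_department}:
        score *= 2
        reasons.append("only other holders are in previous department")
    elif not peers:
        score *= 1.5
        reasons.append("no other holders")
    return score, reasons


def review_queue(users: list, today: date) -> list:
    """All (uid, system, score, reasons) rows, most review-worthy first."""
    rows = []
    for u in users:
        for s in sorted(u.entitlements):
            score, why = score_entitlement(u, s, users, today)
            rows.append((u.uid, s, round(score, 2), why))
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


# Constructed sample team: bob moved from ops to trading six weeks ago and
# still holds "payments", which no trader should have.
TODAY = date(2015, 5, 1)
USERS = [
    User("alice", "trading", "trader", date(2008, 1, 7),
         entitlements={"trading-platform", "market-data", "wiki"}),
    User("bob", "trading", "trader", date(2012, 3, 1),
         previous_department="ops", moved_on=date(2015, 3, 15),
         entitlements={"trading-platform", "market-data", "payments"}),
    User("carol", "ops", "ops", date(2014, 9, 1),
         entitlements={"payments", "ledger", "reporting"}),
    User("dave", "research", "analyst", date(2010, 6, 1),
         entitlements={"market-data", "reporting"}),
]

if __name__ == "__main__":
    for uid, system, score, why in review_queue(USERS, TODAY):
        print(f"{score:6.1f}  {uid:<6} {system:<17} {'; '.join(why)}")
```

Run as-is, the top of the queue is bob’s leftover “payments” right (critical system, recent mover, outside the trader profile, and the only other holder sits in his old department), while dave’s market-data access, which matches his role and is shared with peers in other departments, sits at the bottom. The weights are arbitrary; the point is that every reason is recorded with the score, so the reviewer sees why a right was surfaced rather than just a system name they do not recognise.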
The bottom line is that all of these activities are much more effective when you have a solid analytic platform like Idax for periodic reviews. As a security organisation, this is the kind of information you need to be providing to managers; as a manager, it’s the information you should be demanding in order to do your job effectively.
If you want to see how Identity Analytics can cut your periodic reviews by 80%, come and see us at Infosec 2015.