It's all about SECURITY

User Access Review (UAR) – A Closer Look at the Process and Its Challenges

What is User Access Review (UAR)?

User Access Review (UAR) is a process to review users' accesses/permissions and take corrective action to ensure that they are appropriate. This process is also known as Access Recertification or Access Attestation. Typically, managers conduct the reviews, but some organizations prefer to have permission owners (entitlement/role owners, application owners or data owners) take on this responsibility. The process, while essential, tends to be quite manual. The burden often falls on those executing the reviews, typically members of the Cybersecurity IAM team, and on the reviewers themselves, who are responsible for verifying and confirming user access.

How Often Should UAR Be Conducted?

Organizations run UAR campaigns periodically per their business needs: quarterly, semi-annually or annually. Quarterly and semi-annual campaigns are very common. While access reviews are important, the frequency of these campaigns has to be balanced against the organization's resources and needs.

Why Do Organizations Continue to Run UAR Campaigns Despite the Manual Work? 

Reasoning: The simplest answer is "Privilege Creep". Whenever someone joins an organization, they are granted certain accesses/permissions. They then request additional accesses that are needed to do their job duties. Users keep requesting new accesses while working for the organization but never request removal of accesses they no longer need. Over time, these accesses accumulate, which is known as Privilege Creep. Over-assigned privileges create security risk (for example insider threats) for the organization, which is why it is important to revoke unnecessary accesses from users from time to time. The User Access Review process not only reduces security risk but also saves money by releasing costly licenses. It is also a mandatory regulatory requirement to review everyone's access periodically. Without regular reviews, an organization loses visibility over who has access to what resources, making it difficult to assess and manage risks effectively.


Challenges and Solutions in User Access Reviews

Though UAR is an essential process, it comes with its fair share of challenges. Let’s explore the most common obstacles organizations face and potential solutions to address them:

Manual Work Overload: UAR campaigns require a lot of manual effort by the IT team and the reviewers. While some automation tools are available on the market to support the IT team, they do not provide full automation, and reviewers still need to review users' accesses manually. Although additional tools exist to help reviewers make decisions, such as the access recommendation feature of SailPoint, not all organizations have invested in tools to support the review process.
Solution: Automation is the key to alleviating this problem. Organizations should consider investing in automation tools to handle as much of the manual work as possible. Solutions like time-bound access, or Just-in-Time (JIT) access, can also help streamline the process by limiting the amount of access granted in the first place.

Lack of Awareness and User Resistance: One of the biggest hurdles is user resistance. Employees often see UAR campaigns as an inconvenience, particularly when asked to review hundreds of access permissions every few months. Resistance also stems from a lack of awareness of the security risk associated with over-assigned privileges.
Solution: User education is very important. Users must be made aware of the security risks posed by privilege creep and understand how their participation in the review process contributes to the organization's overall security and success.

Complexity in Scalability: Large organizations often have thousands of users across multiple systems and applications. Reviewing access for every user, especially in environments with complex, multi-tiered access, can be time-consuming and overwhelming. This also leads to the "rubber-stamping" problem, where reviewers simply approve everything without genuinely reviewing it.
Solution: Implementing frameworks like RBAC, ABAC, JIT and time-bound access can significantly reduce the number of items that need to be reviewed in each UAR campaign. These frameworks can also solve the "rubber-stamping" problem to a great extent.

Time Constraints: Generally, UAR campaigns must be completed within strict timelines; otherwise, they can create issues during audits. If the entire campaign runs for 4 weeks, 30% of reviews get completed within the first week of the campaign itself, but the last 30% can be much harder to finish, especially when reviewers go on leave without taking any action.
Solution: Educating users about the importance of timely reviews, along with implementing strict follow-up actions for those who fail to complete their tasks, can help address this issue. Deadlines and the consequences of not taking action on time must be communicated clearly to users.

Data Collection: Organizations use hundreds of systems and applications, which means data comes from a variety of sources. Sometimes data is extracted from these systems/applications with the help of automation tools and sometimes manually. Given that each system stores data in a different format, transforming and standardizing this data for UAR campaigns can be time-consuming and tedious.
Solution: To ease this burden, organizations should invest in automating the data collection and validation processes, as this not only simplifies the process but also reduces errors and saves repeated manual effort.
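As an added illustration of the standardization step above (example code written for this article, not any product's own tooling), the script below takes two constructed exports in different formats, a CSV from one application and JSON from another, flattens both into one review-item schema, drops duplicate rows, attaches the reviewing manager from a hypothetical HR feed and flags items that have no reviewer so they can be fixed before the campaign is launched.

```python
import csv
import io
import json
from collections import Counter

# Constructed sample exports for two hypothetical applications (not real systems).
APP_A_CSV = """user_id,entitlement,last_login
alice,APP_A:ADMIN,2024-05-01
bob,APP_A:READ,2023-11-20
alice,APP_A:READ,2024-05-01
alice,APP_A:READ,2024-05-01
"""
APP_B_JSON = json.dumps([
    {"login": "ALICE", "roles": ["viewer", "editor"]},
    {"login": "carol", "roles": ["viewer"]},
    {"login": "frank", "roles": ["viewer"]},
])
# Hypothetical HR feed: user -> manager who reviews that user's access.
MANAGER_OF = {"alice": "dave", "bob": "dave", "carol": "erin"}


def normalize_app_a(raw):
    """Flatten the CSV export into one row per (user, app, entitlement)."""
    for row in csv.DictReader(io.StringIO(raw)):
        yield {"user": row["user_id"].lower(), "app": "app_a",
               "entitlement": row["entitlement"]}


def normalize_app_b(raw):
    """Flatten the JSON export; one row per role held, login case-normalized."""
    for rec in json.loads(raw):
        for role in rec["roles"]:
            yield {"user": rec["login"].lower(), "app": "app_b", "entitlement": role}


def build_review_items(sources):
    """Merge normalized rows, drop exact duplicates and attach the reviewer."""
    seen, items = set(), []
    for rows in sources:
        for r in rows:
            key = (r["user"], r["app"], r["entitlement"])
            if key in seen:
                continue  # same entitlement exported twice: review it once
            seen.add(key)
            r["reviewer"] = MANAGER_OF.get(r["user"], "UNASSIGNED")
            items.append(r)
    return items


def unassigned(items):
    """Validation: items nobody would review must be resolved before launch."""
    return [i for i in items if i["reviewer"] == "UNASSIGNED"]


def workload_per_reviewer(items):
    """How many items each reviewer will see; useful for spotting overload."""
    return Counter(i["reviewer"] for i in items)
```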


User Access Review is an essential part of maintaining security and compliance. While it is a time-consuming and complex process, implementing access control frameworks correctly, investing in and prioritizing automation, and educating users can help mitigate some of these challenges.