In the past, companies were content to ignore access reviews. The believe was that providing the right access to the right people is sufficient. However, as access and identity theft, data breaches, and other security issues have increased, organizations need to rethink. Historically mostly large enterprises had to manage globally distributed teams and come up with secure operating procedures. Nowadays work from home and the remote-first culture introduced the same challenges to much smaller organizations. All of the sudden access security becomes a pressing topic for ventures of all sizes.
What is a user access review?
A user access review is the process in which an organization reviews which employee has access to which tools, including app specific user roles and permissions. These reviews have different names such as “entitlement reviews”, “user recertification” or simply “access review”.
Why should an organization invest all this time to review who has access to what?
Nowadays organizations are using more than 110 SaaS apps, in enterprises this number can be as high as 300-400. For a company of 500 employees this can quickly result in 200.000 accesses that need to be checked on a recurring bases. However, the challenge is not so much “who has access to what tool” but more so “who has access to what data inside of a tool” and should this person at this point in time still have access.
The term “privilege creep” is used to describe the trend for users to gather more and more permissions over time. When an employee changes their role within an organization or starts a new project they usually receive access to additional tools or further rights to fulfil the task on hand. In many organizations these tools and permissions are quickly granted but rarely revoked if the access is not justifiable anymore. This causes massive risks in case of identify theft or data breaches.
To mitigate this risk and follow the “least access principle” organizations do regular access reviews.
For some organizations access reviews might even be mandatory. Certifications such as SOC, ISO 27001, PCI-DSS, HIPAA require to always know who has access to what and at the same time follow the “least access principle”. One of the most transparent ways to proof compliance is doing recurring access reviews.
How does a user access review process work?
Access reviews are periodic reviews of user entitlements (such as roles and permissions). The resulting report about who has access to what is a proof of compliance for external auditors. Manual reviews are often done with long excel/airtable/notion lists of all users, reviewed tools and current permission and role. Based on the list the application admin or line manage needs to decide whether to keep, update or revoke the access. After a decision has been made this information needs to be relayed to the respective application admin. After the access has been updated a confirmation has to be added to the original list. If done manually it usually requires a project manager who pulls together all data for the status-quo, requests managers to review the accesses and follows up with all application admins.
How to automate Access Reviews with AccessOwl
Collecting the current source-of-truth, communicating the necessary steps to do a review and following through with any access changes can be tedious and time consuming.
AccessOwl takes away most of the manual tasks. Thanks to its Access Management capabilities it already knows who has access to what and can automatically ask line managers or application owners to review certain tools.
All the manager has to do is to confirm/revoke/update the access of the user in a simple user interface. Since AccessOwl is Slack based all change requests are immediately forwarded to the right application admins. No dedicated project manager is needed. And the report can be easily shared with auditors.
What might have taken hours or days to do can be done within minutes with AccessOwl.
