Entitlement review is an essential step in running a business. It consists of verifying that the rights granted to each user account comply with the company's rights policy.
The entitlement review is also a legal requirement in many cases, and it improves the security of every company.
However, this task can be tedious and time-consuming for IT teams, who have to sift through hundreds or even thousands of user accounts. Automating this task could provide an effective solution for companies.
In previous articles dealing with entitlement management, I touched on the subject of automation without detailing it.
- The risks associated with not conducting an entitlement review.
- Entitlement management in 10 points.
Entitlement management - Entitlement reviews
Entitlement management, often called rights management or access management, is a crucial aspect of IT security and information systems management. It involves controlling and regulating access to IT resources, ensuring that each user has only the rights necessary to perform their tasks.
The entitlement review is a long and tedious task. An IT person must first identify all employees and users in order to build a single list that will serve as the unique user repository. They must then identify all applications and accounts and link them to users in order to build an account repository.
Finally, these files must be cleaned of their various anomalies, such as departed users who still have active accounts, or rights granted that do not comply with company policy.
However, by the time this lengthy collection and cross-referencing work is complete, changes have occurred within the company, the information is already obsolete, and the work has to be redone.

Account reviews are often carried out to satisfy a legal framework, but the security aspect is far more important.
The observation is that few IT departments have the courage to conduct regular account reviews, so errors accumulate and turn into security vulnerabilities.
Manual account review
As the use of applications and software expands, it becomes increasingly difficult to manage the identities and access of all users of the information system.
The proliferation of accounts, and of SaaS and on-premise tools, makes it difficult to consolidate and unify the data.
- Identify collaborators in HR
The information will need to be retrieved from the HRIS or the HR file, which serves as the HR source of truth. Do not forget collaborators on the periphery: people who have no employment contract with the company but who work within it and hold accounts and access.
- Consolidate users
A list of users will need to be extracted and reconciled with the complete list of collaborators (with and without contracts).
Keep departed users in this list so that all accounts still active, whether or not they are linked to these users, can be corrected afterwards.
- Clean up these files
Inactive accounts, and accounts newly created but never used, must be reviewed regularly. User accounts that are no longer needed should be deleted to avoid the risk of intrusion.
- Verify the rights of each account
Ensure that the rights policy is enforced for every user account.
- Document
Finally, it is recommended to document every account review performed, including the anomalies identified and the measures taken to correct them. This documentation can be useful in the event of a regulatory review or an internal audit.
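As an added illustration of these five steps (not code from the original article), here is a Python script that cross-references a constructed HR extract with a constructed merged account export against a hypothetical rights policy, and returns the anomalies to document: orphaned accounts, departed users still active, never-used and inactive accounts, and rights outside the policy. All names, applications, roles and dates are made up.

```python
from datetime import date

# Constructed sample data (hypothetical people, apps, roles): HR_RECORDS is the HR
# source of truth, contractors included; ACCOUNTS merges the application exports.
HR_RECORDS = [
    {"id": "u1", "name": "Alice", "status": "active", "contractor": False},
    {"id": "u2", "name": "Bob", "status": "departed", "contractor": False},
    {"id": "u3", "name": "Carol", "status": "active", "contractor": False},
    {"id": "c1", "name": "Dave", "status": "active", "contractor": True},
]
ACCOUNTS = [
    {"app": "crm", "login": "alice", "owner": "u1", "roles": {"sales"}, "last_login": date(2024, 5, 2)},
    {"app": "erp", "login": "alice", "owner": "u1", "roles": {"finance"}, "last_login": date(2024, 1, 15)},
    {"app": "crm", "login": "bob", "owner": "u2", "roles": {"sales"}, "last_login": date(2024, 4, 1)},
    {"app": "crm", "login": "carol", "owner": "u3", "roles": {"sales"}, "last_login": None},
    {"app": "erp", "login": "dave", "owner": "c1", "roles": {"finance_admin"}, "last_login": date(2024, 5, 20)},
    {"app": "erp", "login": "svc_legacy", "owner": None, "roles": {"finance_admin"}, "last_login": date(2024, 5, 30)},
]
# Rights policy: roles each population may hold per application (constructed).
POLICY = {
    "crm": {"employee": {"sales", "sales_admin"}, "contractor": {"sales"}},
    "erp": {"employee": {"finance", "finance_admin"}, "contractor": {"finance"}},
}
REVIEW_DATE = date(2024, 6, 1)  # the day the review is run (constructed)


def review_accounts(hr_records, accounts, policy, today, inactive_days=90):
    """Cross-reference account exports with the HR repository and return the
    anomalies to document: one dict per finding (account, type, detail)."""
    people = {p["id"]: p for p in hr_records}
    findings = []
    for acc in accounts:
        ref = f'{acc["app"]}:{acc["login"]}'
        owner = people.get(acc["owner"])
        if owner is None:
            findings.append({"account": ref, "type": "orphan", "detail": "no matching person in HR repository"})
            continue
        if owner["status"] == "departed":
            findings.append({"account": ref, "type": "departed", "detail": f'{owner["name"]} has left; account still active'})
            continue  # the account must be disabled; its rights no longer need checking
        if acc["last_login"] is None:
            findings.append({"account": ref, "type": "never_used", "detail": "created but never logged in"})
        elif (today - acc["last_login"]).days > inactive_days:
            findings.append({"account": ref, "type": "inactive", "detail": f'no login for more than {inactive_days} days'})
        population = "contractor" if owner["contractor"] else "employee"
        allowed = policy.get(acc["app"], {}).get(population, set())
        excess = acc["roles"] - allowed  # rights granted beyond what the policy permits
        if excess:
            findings.append({"account": ref, "type": "policy", "detail": f'roles not allowed for a {population}: {sorted(excess)}'})
    return findings
```

Calling `review_accounts(HR_RECORDS, ACCOUNTS, POLICY, REVIEW_DATE)` returns the list of findings, which is the material for the "Document" step; the clean accounts produce no entry.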
Performing a manual IT account review requires a rigorous method, good organization, and close attention to detail.
Often carried out in an Excel file, this inexpensive method is very time-consuming and, above all, unreliable, because it demands absolute rigor. As I mentioned before, staff movements happen while the review is in progress.

Isn't there an automation solution to perform this review of entitlements?
A review of accounts is therefore necessary. It is difficult to outsource it because it requires knowledge and the participation of the HR and IT departments, as well as managers.
It is, as we have seen, unavoidable because the security of the company depends on it.
Who is going to manage this?
The account review is led first by the Information Systems Security Manager (ISSM), then by the information system owner. The application managers (responsible for assignment) and line management then need to be brought in.
Managers are essential for validating permissions. Together with the IT department, they are the ones who defined the rights, and they are the ones who can validate, or refuse, the access and rights of their team.
Intelligent automation thus makes perfect sense: it will be able to analyze anomalies and highlight them. In this case, your account review would go from a month of work to a few days.
In this case, an IAM solution offers several advantages:
- Time savings for IT teams, who no longer spend a month performing this review, freeing up time for other projects.
- Improved quality of account reviews and reduced risk of error.
- Data centralization for improved visibility and decision-making.
- Bulk processing of actions.
- Highlighting anomalies.
- Centralization of various HR sources for employees with and without contracts.

Automate internally
IT teams can develop their own IT account review automation tools using programming languages such as Python, Java, or Ruby. The advantages of this option are the customization of the tools to the specific needs of the company and the possibility of adapting them according to the evolution of the needs.
Developing tools in-house takes time and mobilizes significant resources. In addition, development teams must be competent in IT security and regulatory compliance to ensure the effectiveness of these tools.
And to further dissuade you from choosing this solution, the company becomes extremely dependent on a technology that is often home-grown and on a single employee who alone has the knowledge.
Automate with an IAM solution
An IAM solution facilitates and accelerates implementation, ensures the reliability of tools, and provides advanced features such as continuous monitoring of regulatory compliance.
Moreover, an IAM solution in SaaS mode is always up to date and evolves in step with customers' changing needs.
The reason I defined the execution of a manual account review so precisely is that IAM automates every one of these steps.
The validation of each user's access and rights, generally carried out by the managers, remains the responsibility of the solution's users.
You will need to define clearly, upstream, which applications are in scope. IAM makes this easier, since it gives you the list of applications on which each user has an account. The IAM solution also holds the list of all managers, and each manager sees the list of collaborators they manage, with the software and applications attached to each of them.

Without an IAM solution, you will need to list all the applications used by users, with the risk of forgetting some. You will need to have a list of managers, a list of employees for each manager, a list of applications for each user for each manager... It's almost a bottomless pit.
Then, you will have to send each file to each manager via mail merge.
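The structure described above (managers, their collaborators, and the applications attached to each) can be built from the same HR and account data. The following is an added example, not from the original article or any IAM product: it first checks that every in-scope application actually delivered an export (the "risk of forgetting some"), then routes each account to the manager who can validate it, with a fallback reviewer (a hypothetical ISSM id) for accounts nobody in the hierarchy can validate. Names, applications and the inventory are constructed.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names and applications). APP_INVENTORY is
# the set of in-scope applications agreed upstream; ACCOUNTS merges the exports
# actually received; PEOPLE comes from the HR repository (manager = person id).
APP_INVENTORY = {"crm", "erp", "vpn"}
PEOPLE = {
    "u1": {"name": "Alice", "manager": "u3"},
    "u2": {"name": "Bob", "manager": "u3"},
    "u3": {"name": "Carol", "manager": None},  # top of the reporting line
}
ACCOUNTS = [
    {"app": "crm", "login": "alice", "owner": "u1", "roles": ["sales"]},
    {"app": "erp", "login": "alice", "owner": "u1", "roles": ["finance"]},
    {"app": "crm", "login": "bob", "owner": "u2", "roles": ["sales_admin"]},
    {"app": "erp", "login": "carol", "owner": "u3", "roles": ["finance_admin"]},
    {"app": "wiki", "login": "bob", "owner": "u2", "roles": ["editor"]},
    {"app": "erp", "login": "svc_legacy", "owner": None, "roles": ["finance_admin"]},
]
FALLBACK_REVIEWER = "issm"  # hypothetical id for the security manager


def coverage_gaps(inventory, accounts):
    """Applications declared in scope that sent no export, and applications
    that appear in exports without being in the inventory."""
    exported = {acc["app"] for acc in accounts}
    return {"no_export": sorted(inventory - exported),
            "not_in_inventory": sorted(exported - inventory)}


def build_review_packets(people, accounts, fallback=FALLBACK_REVIEWER):
    """Return {reviewer_id: {owner_id: [accounts]}}. A manager validates the
    accounts of their direct reports; accounts nobody in the hierarchy can
    validate (orphans, and the top-level manager's own accounts) go to the
    fallback reviewer, so no account is left out of the campaign."""
    packets = defaultdict(lambda: defaultdict(list))
    for acc in accounts:
        owner = people.get(acc["owner"])
        if owner is None or owner["manager"] is None:
            reviewer = fallback
        else:
            reviewer = owner["manager"]
        packets[reviewer][acc["owner"] or "<no owner>"].append(acc)
    return {r: dict(by_owner) for r, by_owner in packets.items()}


def all_accounts_assigned(packets, accounts):
    """Sanity check before sending: every account sits in exactly one packet."""
    assigned = sum(len(v) for by_owner in packets.values() for v in by_owner.values())
    return assigned == len(accounts)
```

Each entry of the returned dictionary is the file one manager would receive, and `coverage_gaps` is the check to run before the campaign starts, not after.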
The purpose of an entitlement review
In addition to the regulatory aspect that we have already discussed, the review of accounts mainly allows you to secure your information system.
This lets you realign your users' rights and clean up your IS, so that no one is granted more access than necessary, which in turn limits intrusions via administrator accounts.
It also lets you clean your user file of duplicates and orphaned accounts, each of which is an intrusion risk that can lead to ransomware.
It also accelerates decision-making. When you have an up-to-date and clean repository of your IS, decisions are easier and faster to make, for both human resources and IT.