Authorization review (also called access review or account review) is an essential step in corporate governance. It consists of verifying that each user account, and the rights granted to it, conform to the company's access rights policy.
The review is mandatory in many regulatory contexts, and it is good practice for every company regardless of obligation.
However, this task can be tedious and time-consuming for IT teams, who have to go through hundreds or even thousands of user accounts. Automating this task could provide an effective solution for companies.
In previous articles on authorization management, I touched on the subject of automation without going into detail:
- Risks associated with not carrying out an authorization review
- 10-point authorization management
Authorization management - Authorization review
Authorization management, often referred to as rights management or access management, is a crucial aspect of IT security and information systems management. It involves controlling and regulating access to IT resources, ensuring that each user holds only the rights required to perform their tasks.
The review of authorizations is a long and tedious process. An IT person has to identify all employees and users in order to build a single list that serves as the unique user repository. Then every application and every account must be listed and linked to a user to build an account repository.
Finally, these files must be cleansed of anomalies such as users who have left but still have active accounts, or rights that have been granted in breach of company policy.
However, by the time this time-consuming gathering and cross-checking has been completed, the company has changed: people have joined, moved and left in the meantime, so the information is already out of date and the work has to be redone.
This review is often carried out to satisfy a regulatory framework, but the security aspect matters far more.
The fact is, few IT departments have the courage to carry out regular account reviews, so errors accumulate and eventually lead to security breaches.
Manual account review
As the use of applications and software expands, it becomes increasingly difficult to manage the identities and accesses of all system users.
The proliferation of accounts across SaaS and on-premise tools makes it difficult to consolidate and unify the data.
- Identify employees
This information should be obtained from the HRIS or the HR file that is the authoritative source of HR information. Don't forget peripheral workers (contractors, interns, temporary staff) who have no employment contract with the company but are nonetheless present with accounts and access.
- Consolidate users
A list of users must be produced and reconciled with the complete list of employees (with and without contracts).
Keep users who have left in this list: any account that is still active, whether or not it is linked to one of these users, has to be found and corrected later.
- Clean up these files
Regularly review accounts that are inactive, or that were created but never used. User accounts that are no longer needed should be disabled and then deleted, so that they cannot serve as an entry point for an intruder.
- Verify rights for each account
Check that the rights policy is applied to every user account: each account should hold only the rights that its owner's role allows, and any excess should be flagged for removal.
- Document
Finally, we recommend documenting all account reviews carried out, including any anomalies identified and the measures taken to correct them. This documentation can be useful in the event of regulatory control or internal audit.
Carrying out a manual IT account review requires a rigorous method, good organization and attention to detail.
Often carried out in an Excel file, this inexpensive method is very time-consuming and, above all, unreliable: it demands absolute rigor and, as I mentioned earlier, staff movements continue while the review is being carried out.
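The five manual steps above boil down to one reconciliation: join the authoritative HR roster to the account exports, then look for leavers with live accounts, orphaned accounts, dormant or never-used accounts, duplicate accounts and rights outside policy. The script below is an added example written for this article, not the author's or any vendor's code. The roster, account export, rights policy and the 90-day dormancy threshold are all constructed for illustration; a real run would load them from the HRIS and each application's export instead.

```python
"""Added example: reconcile an HR roster with an account export and list the
anomalies a manual authorization review looks for. All data is constructed."""
from datetime import date

# Constructed HR roster (the authoritative source). A contractor with no
# employment contract (X101) is included deliberately, as the article advises.
HR_ROSTER = [
    {"person_id": "E001", "name": "Alice Martin", "dept": "finance", "status": "active", "leave_date": None},
    {"person_id": "E002", "name": "Bob Durand", "dept": "it", "status": "left", "leave_date": date(2023, 11, 30)},
    {"person_id": "X101", "name": "Carla Rossi", "dept": "marketing", "status": "active", "leave_date": None},
]

# Constructed account export merged from two applications.
ACCOUNTS = [
    {"app": "erp", "login": "amartin", "person_id": "E001", "enabled": True, "roles": ["ap_clerk"], "last_login": date(2024, 3, 1)},
    {"app": "erp", "login": "bdurand", "person_id": "E002", "enabled": True, "roles": ["admin"], "last_login": date(2023, 12, 20)},
    {"app": "crm", "login": "crossi", "person_id": "X101", "enabled": True, "roles": ["sales_ro"], "last_login": date(2023, 6, 2)},
    {"app": "crm", "login": "svc-old", "person_id": None, "enabled": True, "roles": ["admin"], "last_login": None},
    {"app": "erp", "login": "amartin2", "person_id": "E001", "enabled": True, "roles": ["ap_clerk", "admin"], "last_login": date(2024, 2, 20)},
]

# Constructed rights policy: the roles a department may hold on each application.
POLICY = {
    ("erp", "finance"): {"ap_clerk", "ap_approver"},
    ("erp", "it"): {"admin"},
    ("crm", "marketing"): {"sales_ro"},
}

REVIEW_DATE = date(2024, 3, 15)  # assumed date of the review run
DORMANT_DAYS = 90                # assumed dormancy threshold


def review(roster, accounts, policy, review_date=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Return a list of findings, one dict per anomaly, for the reviewer to act on."""
    people = {p["person_id"]: p for p in roster}
    findings = []

    def add(kind, acct, detail):
        findings.append({"kind": kind, "app": acct["app"], "login": acct["login"], "detail": detail})

    accounts_per_person_app = {}  # (person_id, app) -> logins, to spot duplicates
    for acct in accounts:
        owner = people.get(acct["person_id"]) if acct["person_id"] else None
        if owner is None:
            # Step 2: an account that reconciles to nobody in the HR roster.
            add("orphan", acct, "no matching person in the HR roster")
        else:
            accounts_per_person_app.setdefault((owner["person_id"], acct["app"]), []).append(acct["login"])
            # Step 3: a leaver whose account is still enabled; a login after the
            # departure date is the strongest signal that the account was abused.
            if owner["status"] == "left" and acct["enabled"]:
                add("leaver_active", acct, f"owner left on {owner['leave_date']}")
                if acct["last_login"] and acct["last_login"] > owner["leave_date"]:
                    add("login_after_leave", acct, f"last login {acct['last_login']} is after departure")
            # Step 4: roles the policy does not allow for the owner's department.
            allowed = policy.get((acct["app"], owner["dept"]))
            if allowed is not None:
                excess = sorted(set(acct["roles"]) - allowed)
                if excess:
                    add("excess_rights", acct, f"roles not allowed for {owner['dept']}: {', '.join(excess)}")
        # Step 3: enabled accounts that were never used or have gone quiet.
        if acct["enabled"]:
            if acct["last_login"] is None:
                add("dormant", acct, "account was never used")
            elif (review_date - acct["last_login"]).days > dormant_days:
                add("dormant", acct, f"last login {(review_date - acct['last_login']).days} days ago")

    for (person_id, app), logins in accounts_per_person_app.items():
        if len(logins) > 1:
            findings.append({"kind": "duplicate", "app": app, "login": ", ".join(sorted(logins)),
                             "detail": f"{person_id} holds {len(logins)} accounts on this application"})
    return findings


if __name__ == "__main__":
    for f in review(HR_ROSTER, ACCOUNTS, POLICY):
        print(f"{f['kind']:18} {f['app']:4} {f['login']:18} {f['detail']}")
```

Run against the constructed data, the script reports seven findings: the leaver's enabled ERP admin account (with a login after his departure date), the contractor's dormant CRM account, the orphaned and never-used `svc-old` service account, the second ERP account holding an out-of-policy `admin` role, and the duplicate pair of ERP accounts for the same person. The only account with no finding is the one that reconciles cleanly. Treating a login after the leave date as its own finding is a deliberate choice: it turns a hygiene issue into something the incident response team should look at.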
Isn't there an automated solution for this review of authorizations?
An account review is therefore unavoidable. It is difficult to outsource, since it requires the knowledge and participation of the HR and IT departments as well as line managers.
As we've seen, it's inevitable, because the company's security is at stake.
Who's going to manage it?
Ownership lies first with the CISO, then with the information system owner, who run the account review. The application owners (who allocate rights) and line management then take part.
Managers are essential for validating authorizations. They are the ones who, together with the IT department, defined the rights, and they are therefore in a position to approve or reject the access and rights of each member of their team.
This is where intelligent automation comes into its own: it can detect anomalies and surface them for a decision. An account review that used to take a month of work can then be reduced to a few days.
An IAM solution in this case has several advantages:
- Time savings for IT teams, who no longer spend a month carrying out this review and can devote that time to other projects.
- Improved quality of the account review and a reduced risk of error.
- Centralized data, for better visibility and decision-making.
- Bulk management of access assignments.
- Automatic highlighting of anomalies.
- Centralization of the various HR sources, covering employees with and without contracts.
Automate internally
IT teams can develop their own tools for automating IT account reviews, using programming languages such as Python, Java or Ruby. The advantages of this option are that the tools can be customized to the company's specific needs, and can be adapted as requirements evolve.
In-house tool development is time-consuming and resource-intensive. What's more, the development team needs skills in IT security and regulatory compliance to guarantee that the tool is effective.
A further drawback: the company becomes dependent on a home-grown tool, and often on the single employee who understands it.
Automate with an IAM solution
An IAM solution speeds up implementation, provides reliable tooling, and offers advanced functions such as continuous monitoring of regulatory compliance.
What's more, a SaaS-based IAM solution means you always have an up-to-date version, with relevant upgrades as customer needs evolve.
The reason I've been so specific about manual account reviews is that IAM automates all these steps.
Within the solution, designated reviewers, generally the managers, are responsible for approving the access and rights of each user.
You need to define in advance which applications are in scope. IAM makes this easier, since it already holds the list of applications on which each user has an account, as well as the list of all managers. Each manager sees the employees they manage, with the software and applications attached to each of them.
Without an IAM solution, you have to list every application used, with the risk of forgetting some, then build a list of managers, a list of employees for each manager, and a list of applications for each employee of each manager. It's almost a bottomless pit.
Then each file has to be sent to its manager individually, and the answers collected back by hand.
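What an IAM campaign does with those lists is route every account to the person who can decide on it, then refuse to close until every item has a decision. The script below is an added example for this article, not any IAM product's code. The staff list, application owners and accounts are constructed; the routing rules are assumptions stated in the comments: an employee's accounts go to their manager, an account whose owner has no manager or is unknown goes to the application owner, and an item that would land with its own owner (self-review) is escalated to a fallback reviewer, named `CISO` here.

```python
"""Added example: assemble per-reviewer review packets from an account
inventory and tally the decisions. All data and routing rules are assumed."""

# Constructed staff list: person_id -> name and manager (None at the top).
EMPLOYEES = {
    "E001": {"name": "Alice Martin", "manager": "M010"},
    "E003": {"name": "Dan Lee", "manager": "M010"},
    "X101": {"name": "Carla Rossi", "manager": "M020"},   # contractor with a sponsor
    "M010": {"name": "Marie Dupont", "manager": None},    # top-level, no manager
}

# Constructed mapping of each application to its owner (a person_id).
APP_OWNERS = {"erp": "M010", "crm": "M020", "vpn": "E003"}

# Constructed account inventory (person_id None = nobody claims the account).
ACCOUNTS = [
    {"app": "erp", "login": "amartin", "person_id": "E001", "roles": ["ap_clerk"]},
    {"app": "vpn", "login": "amartin", "person_id": "E001", "roles": ["remote"]},
    {"app": "erp", "login": "dlee", "person_id": "E003", "roles": ["reader"]},
    {"app": "crm", "login": "crossi", "person_id": "X101", "roles": ["sales_ro"]},
    {"app": "erp", "login": "mdupont", "person_id": "M010", "roles": ["ap_approver"]},
    {"app": "crm", "login": "svc-old", "person_id": None, "roles": ["admin"]},
]

FALLBACK_REVIEWER = "CISO"  # assumed escalation point for self-review conflicts


def route(acct, employees, app_owners):
    """Pick the reviewer for one account and say why (assumed routing rules)."""
    owner = employees.get(acct["person_id"]) if acct["person_id"] else None
    if owner is None:
        return app_owners[acct["app"]], "orphan account: application owner decides"
    if owner["manager"] is not None:
        return owner["manager"], "direct report"
    reviewer = app_owners[acct["app"]]
    if reviewer == acct["person_id"]:
        # Nobody may approve their own access; send it up instead.
        return FALLBACK_REVIEWER, "self-review conflict escalated"
    return reviewer, "no manager: application owner decides"


def build_packets(accounts, employees, app_owners):
    """Group accounts into one packet per reviewer, each item carrying its reason."""
    packets = {}
    for acct in accounts:
        reviewer, reason = route(acct, employees, app_owners)
        owner = employees.get(acct["person_id"]) if acct["person_id"] else None
        packets.setdefault(reviewer, []).append({
            "app": acct["app"], "login": acct["login"],
            "owner": owner["name"] if owner else "(unknown)",
            "roles": list(acct["roles"]), "reason": reason,
        })
    return packets


def apply_decisions(packets, decisions):
    """Tally decisions keyed by (app, login). Items nobody decided on are
    reported as undecided, so the campaign cannot close silently."""
    result = {"approve": [], "revoke": [], "undecided": []}
    for reviewer, items in packets.items():
        for item in items:
            verdict = decisions.get((item["app"], item["login"]))
            bucket = verdict if verdict in ("approve", "revoke") else "undecided"
            result[bucket].append({"reviewer": reviewer, **item})
    return result


def campaign_complete(result):
    return not result["undecided"]


if __name__ == "__main__":
    packets = build_packets(ACCOUNTS, EMPLOYEES, APP_OWNERS)
    for reviewer, items in packets.items():
        print(reviewer)
        for it in items:
            print(f"  {it['app']:4} {it['login']:10} {it['owner']:14} {it['roles']} ({it['reason']})")
    sample = {("erp", "amartin"): "approve", ("vpn", "amartin"): "revoke",
              ("erp", "dlee"): "approve", ("crm", "crossi"): "approve",
              ("crm", "svc-old"): "revoke"}
    outcome = apply_decisions(packets, sample)
    print("revoke:", [i["login"] for i in outcome["revoke"]])
    print("complete:", campaign_complete(outcome))
```

With the constructed data, manager `M010` receives Alice's two accounts and Dan's ERP account, `M020` receives the contractor's CRM account plus the orphaned `svc-old` account as CRM's application owner, and Marie's own ERP account is escalated to `CISO` because she is both its owner and the application owner. The sample decisions leave that escalated item undecided, so `campaign_complete` returns `False`: the campaign's output is a revocation list and a list of what still needs a decision, never an implicit approval.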
The purpose of an authorization review
In addition to the regulatory aspects we've already touched on, the accounts review is above all a way of securing your information system.
It allows you to realign user rights and clean up your IS, so that you no longer grant excessive access; that in turn limits the exposure of administrator accounts to intrusion.
It also allows you to clean up your user repository: duplicate and orphaned accounts are exactly the entry points that intruders and ransomware operators look for.
It also speeds up decision-making. When you have an up-to-date, clean repository of your IS, decisions are quicker and easier to make, both for human resources and for IT.