Software to review accounts and authorisations

François Poulet, Product Manager at Youzer

09/2021

Whether for auditors, for the CISO, or for the proper management of the authorization perimeter, it is necessary to carry out regular authorization reviews.

What is an account or authorization review?

An account review can mean several things. Generally speaking, an account review is when you want to be sure that the accounts active in the various applications are legitimate accounts. This review is often cumbersome, as it usually involves manually processing HR lists of employees and comparing them with the list of open accounts on each of the company's applications.

The account review (or authorization audit) is requested by auditors (internal or external) or by the CISO. It can be carried out by the CISO himself or by a responsible member of the IT team. It is a time-consuming, meticulous operation, and the person who validates the account review may be held liable, as it falls within the scope of legal audit procedures. For a company with several thousand accounts, it is relatively easy to process 80% of them automatically; it is the remaining 20% that have to be processed manually.


What's the point of an accounts review?

The review of accounts potentially concerns two areas of the company:

  • legal: as part of legal audits, auditors are often asked to check that access is monitored by the IT department. This was not the case a few years ago, but with the growing number of applications (SaaS or on-premise), data leaks can be a major legal issue and can jeopardize a company's stability. Traceability is also at stake here, so that an audit trail can be built up and the various modifications to application access tracked.
  • cyber-security: initiated by the CISO, this account review is necessary to limit the attack surface. There is nothing more dangerous than a user account that nobody is tracking any more.

Overall, this audit of authorizations serves to identify several things:

  1. that users who have left no longer have access to their old accounts, to avoid data leaks if, for example, the former user has gone to a competitor.
  2. that all accounts are clearly identified and associated with at least one user. Shared accounts (see our article on shared accounts between users) must be kept to a minimum, and they will certainly be a negative point raised by the auditor.
  3. that privileged accounts are correctly identified and closely monitored.
  4. that access rights (e.g. Active Directory security groups) are exactly what they should be for each user (e.g. no administrator access for all users).
  5. that modifications to the various accounts are properly tracked, so that we can go back in time and find out when a security breach occurred.

Financial review


How do you carry out this review?

For this review of accounts, everyone uses their own method, striking their own balance between the time spent and the precision of the results.

There are two main difficulties for account reviews: retrieving the data, and managing rapid variations.

It is very difficult to obtain an exhaustive list of all users and accounts. Most user data comes from the HRIS (from which information must be extracted in conjunction with the HR department), but this is not all: temporary staff, external service providers, etc. are users but not employees, as they have no pay slip. They do, however, have accounts in different applications, and must therefore be entered in a user directory in order to perform the account review.

On the other hand, between the time you put together the user lists and the account lists, movements have taken place that can disrupt the reconciliation between users and their accounts.

Once you have these 2 lists, all you have to do is determine the associations and detect any anomalies (or find that everything is correct, which never happens).
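The reconciliation step described above, and the checks listed earlier (departed users, orphan and shared accounts, privileged access), as an added example that is not Youzer's code. It assumes constructed sample data in place of the HRIS export and the per-application account exports, and a declared owner list for shared accounts:

```python
from datetime import date

# Constructed sample data (not real exports). In practice the user list comes
# from the HRIS plus a directory of contractors, and each account list from the
# application itself or its API.
HR_USERS = {  # employee email -> leaving date, or None if still employed
    "alice@example.com": None,
    "bob@example.com": date(2021, 6, 30),  # left the company
    "carol@example.com": None,
}
CONTRACTORS = {"dan@example.com"}  # external staff: users without a pay slip
SHARED_OWNERS = {"crm:support-shared": "carol@example.com"}  # declared owners
PRIVILEGED_GROUPS = {"Domain Admins", "admin"}
ACCOUNTS = [  # (application, login, set of groups or roles)
    ("crm", "alice@example.com", {"user"}),
    ("crm", "bob@example.com", {"user"}),
    ("crm", "support-shared", {"user"}),
    ("ad", "alice@example.com", {"Domain Users", "Domain Admins"}),
    ("ad", "dan@example.com", {"Domain Users"}),
    ("ad", "eve@example.com", {"Domain Users"}),
]
REVIEW_DATE = date(2021, 9, 1)  # the day the review is run


def review_accounts(hr_users, contractors, shared_owners, accounts, today):
    """Reconcile accounts with users.

    Returns (associations, findings): associations maps "app:login" to the
    user it belongs to (the proof handed to the auditor); findings lists
    (severity, "app:login", description) for anything that needs action.
    """
    departed = {u for u, end in hr_users.items() if end and end <= today}
    active = set(hr_users) - departed
    associations, findings = {}, []
    for app, login, groups in accounts:
        key = f"{app}:{login}"
        owner = shared_owners.get(key, login)  # shared accounts map to a user
        if owner in departed:
            findings.append(("high", key, f"user {owner} has left"))
        elif owner in active or owner in contractors:
            associations[key] = owner
            if key in shared_owners:
                findings.append(("low", key, f"shared account, owner {owner}"))
        else:
            findings.append(("high", key, "orphan: no matching user"))
        priv = groups & PRIVILEGED_GROUPS  # flag privileged access for review
        if priv:
            findings.append(("review", key, "privileged: " + ", ".join(sorted(priv))))
    return associations, findings


if __name__ == "__main__":
    for line in review_accounts(HR_USERS, CONTRACTORS, SHARED_OWNERS, ACCOUNTS, REVIEW_DATE)[1]:
        print(*line)
```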

With Youzer, in just one click you can export the list of associations and provide auditors with proof that you are correctly tracking the various accounts with an ad hoc tool.

Review of authorizations
