Whether for auditors, the CISO, or for the proper management of the entitlement scope, it is necessary to regularly conduct entitlement reviews.
What is an accounts or entitlements review?
An account review can mean several things. Generally, we talk about account review when we want to be sure that the active accounts in the different applications are legitimate accounts. This account review is often cumbersome because it often requires manually processing HR lists of employees and comparing them with the list of open accesses on each of the company's applications.
Account review (or entitlement audit) is requested by auditors (internal or external) or by the CISO. This process can be carried out by the CISO himself or a responsible person in the IT team. It is an engaging operation (the person who validates the account review can engage his responsibility because it falls within the framework of legal audit procedures), meticulous, and tedious. For a company with several thousand accounts, the processing of 80% of these accounts is relatively easy, but it is the remaining 20% that must be processed manually on a unit basis.
Besoin d'échanger sur vos processus ?
15 minutes pour voir si on peut vous simplifier la vie côté accès. Sans pression, sans engagement.
What is the purpose of an account review?
Account review potentially concerns 2 areas of the company:
- Legal: In the context of legal audits, auditors are often required to verify that access is tracked by the IT department. This was not the case a few years ago, but with the increasing number of applications (SaaS or on-premise), data leaks can be significant legal issues and can undermine the stability of a company. Traceability is also at stake here to be able to trace an audit trail and monitor the various access modifications on applications.
- Cybersecurity: At the initiative of the CISO, this account review is necessary to limit the attack surface. Nothing is more dangerous than an account of a departed user whose access has not been terminated.
Overall, this entitlement review serves to identify several things:
- that departed users no longer have access to their old accounts: to prevent data leaks if, for example, the former user has left to join a competitor.
- that all accounts are clearly identified and associated with at least one user. In the context of shared accounts (see our article on accounts shared between users), these must be limited, and this will certainly be a negative point raised by the auditor.
- that privileged accounts are correctly identified and closely monitored
- that access rights (security groups in Active Directory, for example) are exactly what they should be for users (for example, no administrator access for all users)
- that modifications to the various accounts are properly tracked to be able to go back in time and know when a possible security breach occurred.
Besoin d'automatisez vos accès sans chantier IT ?
En 60 minutes découvrez comment Youzer fiabilise vos onboarding et offboarding pour gagner plusieurs heures par semaine côté IT.
How to carry out this review of authorizations?
For this account review, everyone has their own method, placing the cursor where they want between the time spent and the accuracy of the results.
There are 2 major difficulties for account reviews: retrieving data, managing rapid variations.
It is very difficult to retrieve the exhaustive list of all users and all accounts. For example, most user data comes from the HRIS (from which information must be extracted with the HR department), but not only: temporary staff, external service providers, etc. are considered users but not employees because they do not have a payslip. However, they have accounts on different applications and must therefore be entered in a user directory in order to carry out the accounts review.
On the other hand, between the moment when you have gathered the lists of users and the lists of accounts, movements have taken place and can disrupt the reconciliation between the users and their accounts.
Once you have these 2 lists, simply determine the associations and detect any anomalies (or note that everything is correct, which never happens).
With Youzer, you can export the list of associations with a single click, providing auditors with proof that you are properly monitoring the various accounts using a dedicated tool.
