Most established organizations have employees who have been there forever, or at least for many years. During that time, these individuals have managed to work in every department. These employees know just about everything about the organization’s processes, which makes them very valuable. The caveat is that they also tend to have accumulated access to sensitive data, and that makes them, and their user access entitlements, potentially dangerous and a threat to information security.
Entitlement reviews conducted on a fixed, regular schedule can effectively mitigate this danger. Reviewing users’ access is a critical part of access management. In this blog, we explore the value and significance of regular entitlement reviews. Further, we review the entitlement review best practices an organization can adopt to make the process easy and efficient.
Defining Entitlement Review
An entitlement review is part of a standard access control process and user account management. The entitlement review involves a recurring review of access rights, or permissions, for all of an organization’s employees and vendors. Typically, an entitlement review will include a review of user roles, access rights and privileges.
During an entitlement review, it’s critical to pay extra attention to user accounts of employees who have worked in the organization for a long time, recently changed roles, acquired additional responsibilities, or recently left the organization.
Reviewing user access mitigates an extensive range of cybersecurity issues, including, but not limited to:
- Access abuse and misuse
- Insider threat
- Excess privileges
- Employee error
- Privilege creep
Unfortunately, conducting an entitlement review generally takes a lot of time and effort. That’s why skipping a review may seem tempting — especially if you’ve already implemented the principle of least privilege (PoLP). That said, the process has value that extends beyond PoLP, especially with respect to the concerns listed above. Next, we look at the specific implications of each of these cybersecurity issues.
The Importance of Entitlement Review
The ultimate goal of an entitlement review is an overall improvement in the security posture of an organization, achieved by limiting access to critical data and resources. By neglecting regular entitlement reviews, an organization leaves itself unnecessarily vulnerable to a security breach that can cost it both financially and reputationally.
- Access abuse and misuse: As reported in Verizon’s 2019 DBIR, over 15% of data breaches occur as a direct result of user access and data misuse.
- Insider threat: The primary concern with insiders stems from the fact that they have privileged access to confidential company data and are generally aware of the organization’s security practices. Many of these threats can be remedied by implementing the principle of least privilege; however, that is not to say mistakes and oversights do not happen. A regular review of employee access acts as an additional layer in any business’s security practice.
- Excess privileges: Ideally, access privileges are granted only to those users who need them to perform their jobs. In actuality, permanent access is frequently granted when an employee requires access only once. A regular entitlement review helps to revoke unnecessary user access privileges.
- Employee error: According to Verizon’s 2019 DBIR, employee errors were the direct cause of some 21% of security events in 2018. A regular entitlement review helps reduce the potential for a costly error by limiting employee access.
- Privilege creep: Privilege creep occurs when an employee accumulates access to an excess of sensitive data over the time they work for an organization. New privileges appear when employees gain new responsibilities and access rights; privilege creep occurs when the old access rights are not removed. During an entitlement review, each user’s access is aligned with their current role and nothing more.
The Process of Entitlement Review
In order to conduct a successful entitlement review, several key factors must be in place. Below, we review each of them in brief:
- Develop and maintain an access management policy. An effective access management policy for an organization should include the following details:
  - A complete list of resources and the data that requires protection
  - A complete list of all users, user roles, and the nature of their access
  - Details regarding tools, controls in place, and process
  - Procedures for granting, assessing and withdrawing access
- Develop a formal review process. To maintain standards and consistency, an entitlement review requires a formal written procedure for access management. It should include the following:
  - A defined period for reporting
  - A period for notifying staff
  - Identification of the responsible security officers
  - An established schedule for reviews
- Apply role-based access control. RBAC means creating roles for positions and assigning each role a list of permissions, rather than assigning permissions to each user’s account individually. This speeds up an entitlement review because, with this standard in place, an organization can review roles instead of separate, individual profiles.
- Apply the principle of least privilege. PoLP prescribes that users should only have access to the data they require to perform their job. The fewer privileges a user has, the less time you need to review them.
- Assign temporary access. Where possible, it is preferable to use mechanisms such as temporary passwords, rather than assigning a user additional roles or granting permanent access rights.
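As an added worked example (not code from the original post), the following Python script performs the mechanical part of an entitlement review against a small RBAC model: it flags entitlements that a user’s current role does not justify (privilege creep left over from previous roles) and temporary grants that are past their expiry but still held. All roles, users, permissions and dates are constructed sample data.

```python
from datetime import date

# Constructed RBAC model (hypothetical roles): each role maps to the
# permissions that role justifies.
ROLE_PERMISSIONS = {
    "finance_analyst": {"ledger:read", "reports:read"},
    "hr_generalist": {"hr_records:read", "payroll:read"},
    "it_admin": {"server:admin", "hr_records:read"},
}

# Constructed user records: current role, permissions the account actually
# holds, and temporary grants with their expiry dates. alice moved from
# finance to IT and kept ledger access; bob's one-off grant has lapsed.
USERS = [
    {"user": "alice", "role": "it_admin",
     "entitlements": {"server:admin", "hr_records:read", "ledger:read"},
     "temporary": {}},
    {"user": "bob", "role": "hr_generalist",
     "entitlements": {"hr_records:read", "payroll:read", "ledger:read"},
     "temporary": {"ledger:read": date(2019, 3, 31)}},
    {"user": "carol", "role": "finance_analyst",
     "entitlements": {"ledger:read"}, "temporary": {}},
]

REVIEW_DATE = date(2019, 6, 1)  # constructed date the review is run


def review(users, role_permissions, today):
    """Return {user: findings} for accounts needing attention.
    creep: permissions that neither the current role nor a temporary
           grant justifies (left over from previous roles).
    expired_temporary: temporary grants past expiry but still held."""
    findings = {}
    for u in users:
        allowed = role_permissions.get(u["role"], set())
        temp = u["temporary"]
        creep = u["entitlements"] - allowed - set(temp)
        expired = [p for p, exp in temp.items()
                   if exp < today and p in u["entitlements"]]
        if creep or expired:
            findings[u["user"]] = {"creep": sorted(creep),
                                   "expired_temporary": sorted(expired)}
    return findings


def run_review():
    """Run the review over the constructed data as of REVIEW_DATE."""
    return review(USERS, ROLE_PERMISSIONS, REVIEW_DATE)
```

Running `run_review()` reports alice for privilege creep and bob for an expired temporary grant, while carol, whose access matches her role, is not listed.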
When it comes to information security, performing regular entitlement reviews is an integral piece of the access management process. An entitlement review not only reduces the risk of a data breach but also helps prevent an extensive range of information security issues. While the reviews can be time-consuming, the value they provide an organization cannot be overstated. If you would like to learn more about entitlement reviews, or anything else related to the security posture of your organization, please do not hesitate to contact us!