A first step to securing identities is an access discovery: an inventory of who has access to what. To outsiders this sounds obvious. Identity professionals who work in the real world know otherwise: after months and years of access grants, access escalations, privilege creep and never-removed ghost and orphan accounts, identities can get out of control.
This is where Access Discovery becomes a requirement for a secure enterprise.
What is Required in an Access Discovery
An access discovery must quantify many key components in the enterprise. Most professionals agree the best way to start an access discovery is from the relevant data, working outward. Determine where the PHI (Personal Healthcare Information), PII (Personally Identifiable Information) and CUI (Controlled Unclassified Information) resides. Then figure out who has access to the resources (servers, databases, applications) that hold this data.
As can be guessed, this is a lot of work, and so tools that automate the discovery of this access and its attestation are a big help.
Access discovery is best performed with an IGA tool that helps:
- Automate the discovery process
- Automate the attestation process
- Eliminate the excess privileges
- Create evidence (document the identity cleanup)
The benefits of an access discovery include:
- Reduce security vulnerabilities from excess privileges
- Remove stale user accounts
- Address privilege creep
- Execute on the Principle of Least Privilege (NIST 800-53 AC-6)
- Enforce role-based access (for zero trust access) and general security
Most enterprises face a matrix of access challenges: a variety of applications (cloud, on-premise and mobile) and a variety of users (employees, contractors and partners).
It is easy for this matrix of entitlements to get out of alignment with the intended access privileges originally designated by the enterprise.
And what is the usual process most enterprises take to try to rectify these wandering entitlements? A menagerie of manual processes: emails, spreadsheets and help tickets. This process has been documented to be fraught with error rates of up to 60%, given the chaotic nature of downloads, the manual effort of group assignments, emails and role correlation.
The review process should be automated to enable an enterprise to not only conduct a thorough access discovery but to continue the process with regularly scheduled access reviews.
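The data-first discovery described above (start from where PHI, PII and CUI resides, then work out to who can reach it) and the review signals listed under its benefits (stale accounts, privilege creep), worked through in Python as an added example that is not part of the original post and not YouAttest's code. All inventories, the role model and the data classifications are constructed sample data and assumptions, not pulled from any real system.

```python
from collections import defaultdict
# Constructed inventory (sample data): sensitive data classes each resource holds.
RESOURCE_DATA = {
    "ehr-db": {"PHI", "PII"},
    "payroll-app": {"PII"},
    "contracts-share": {"CUI"},
}
# Constructed entitlements collected from the resources: (identity, resource, privilege).
ENTITLEMENTS = [
    ("alice", "ehr-db", "read"),
    ("alice", "wiki", "edit"),
    ("bob", "ehr-db", "admin"),
    ("bob", "payroll-app", "read"),
    ("carol", "contracts-share", "read"),
    ("svc-legacy", "ehr-db", "admin"),
    ("dave", "wiki", "read"),
]
# Constructed HR/IAM directory: identity -> (role, still employed?).
DIRECTORY = {
    "alice": ("nurse", True),
    "bob": ("dba", True),
    "carol": ("contracts-officer", True),
    "dave": ("intern", False),  # departed, account never removed (ghost)
}                               # "svc-legacy" has no HR record at all (orphan)
# Constructed (assumed) role model: the entitlements each role is intended to hold.
ROLE_MODEL = {
    "nurse": {("ehr-db", "read")},
    "dba": {("ehr-db", "admin")},
    "contracts-officer": {("contracts-share", "read")},
    "intern": {("wiki", "read")},
}

def sensitive_access():
    """Step 1: for each data class, the identities that can reach a resource holding it."""
    who = defaultdict(set)
    for identity, resource, _priv in ENTITLEMENTS:
        for data_class in RESOURCE_DATA.get(resource, ()):
            who[data_class].add(identity)
    return dict(who)

def stale_accounts():
    """Ghost (departed) and orphan (no owner) accounts that still hold entitlements."""
    holders = {identity for identity, _r, _p in ENTITLEMENTS}
    return sorted(i for i in holders if i not in DIRECTORY or not DIRECTORY[i][1])

def privilege_creep():
    """Entitlements of active identities that their role was never meant to grant."""
    return [(i, r, p) for i, r, p in ENTITLEMENTS
            if i in DIRECTORY and DIRECTORY[i][1]
            and (r, p) not in ROLE_MODEL[DIRECTORY[i][0]]]
```

The three functions produce the review package a reviewer would certify or revoke against; rerunning them on a schedule is the "continual review" the post argues for.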
What are Regulatory Drivers for Access Discovery?
Enterprise data, especially user information, is regulated, as is overall cybersecurity, especially in specific verticals.
Data regulations include:
- CCPA/CCPR – California regulations on user data
- GDPR – EU regulation on user data with quantified fines for mishandling
- GLBA – US federal law on consumer financial services
- HIPAA – US federal law on patient information
Cybersecurity regulations and guidance include:
- CMMC – Security guidance for DoD suppliers
- SOX – US law quantifying controls to address financial fraud
- NERC – A standard to protect critical infrastructure
- SOC – A standard for commercial enterprises to demonstrate cyber responsibility
- PCI-DSS – A standard for the handling of credit card information
All of these data and cybersecurity regulations contain wording that expects controls to be in place to quantify access to relevant data. Most require that audit “evidence” be provided in the filing to show compliance with the standard.
YouAttest for Access Discovery
Access discovery, as stipulated, requires the gathering of various data sets and thus the involvement of many resources, both materials and personnel. It is not an effort to be taken lightly, and for any organization of over 250 users it is not a project that should be taken on without automation.
This is where YouAttest comes in.
YouAttest is the quickest time-to-value IGA solution; it simplifies the access discovery process through a set of pre-built, cloud-based connectors. The tool includes:
- SSO for admins and reviewers
- Auto-Delegation to managers and/or resource owners
- Support for IAM, HR and siloed resources
- Ability for reviewers to certify, revoke or delegate
In short, the YouAttest solution:
- Simplifies the initial Access Discovery process
- Offers an ongoing mechanism of “continual review”, eliminating the need for a future (cumbersome) access review process.