In light of the recent hacks, especially U.S. Massachusetts Air National Guardsman Jack Teixeira exfiltrating critical defense data, we felt the need to remind the cyber community how YouAttest can and should be used to audit user permissions for security and privacy reasons.
First, Best Practices:
Your IAM tool is your data privacy and security friend. It is designed to help you organize and group your users and entitlements by roles.
Regardless of the resource (SaaS, PaaS, SASE, Network, Applications, etc.), individual users should NOT be assigned access rights. This practice does not scale. YouAttest details this in our 5 First Steps to a Secure and Sustainable IAM/IGA Practice.
To sum up:
- Organize your users into groups
- Assign a manager to these groups
- Identify Resources to secure
- Assign access to Resources based on Groups
YouAttest will allow you to audit these entitlements to resources, REGARDLESS of whether the IAM is synced with the resource. We allow this audit via a feature called “Siloed Resource Audit”. In other words, there is no excuse to NOT organize your IAM to this “best practice” standard.
Secondly – Audit Your Roles/Groups:
This is where YouAttest, with its zero deployment time solutions, comes into play. Whatever your resource, YouAttest will allow you (the security manager, the risk manager, the MSP) to conduct a UAR (User Access Review) of the group/role entitlements.
Once the security/risk manager initiates the group audit, YouAttest automatically messages the users using pre-written templates that simplify messaging. The messages can be pushed out via email or Slack.
The reviewers, be they “user managers” or “group managers” (your choice), receive the message and are then able to see ONLY the users that they are in charge of managing.
The YouAttest product then delegates OUT to the appropriate group owner or user manager with a message to audit their respective users. (see image #3)
Once the message is sent out to the user – the reviewer completes their small section of the audit. YouAttest simplifies this process by showing this reviewer just their section of the audit.
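As an added illustration (not YouAttest code and not from the original post), the sketch below checks an entitlement export against the practice described above: it flags access granted directly to users, groups with no manager, and grants to undefined groups, then builds one review slice per group manager so each reviewer sees only their own users. The group names, users, resources and record layout are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names, not from any real export).
GROUPS = {
    "finance-analysts": {"manager": "dana", "members": ["amy", "raj"]},
    "ops-readers": {"manager": "lee", "members": ["sam"]},
    "contractors": {"manager": None, "members": ["kim"]},
}
# Each grant is (principal_type, principal, resource).
GRANTS = [
    ("group", "finance-analysts", "erp"),
    ("group", "ops-readers", "file-share"),
    ("group", "contractors", "vpn"),
    ("user", "sam", "erp"),             # direct grant, bypasses the group model
    ("group", "retired-team", "wiki"),  # group is not defined in the IAM
]

def audit(groups, grants):
    """Return (findings, review slices keyed by group manager)."""
    findings = []
    slices = defaultdict(list)
    # A group without a manager has nobody to attest to its membership.
    for name, group in sorted(groups.items()):
        if not group["manager"]:
            findings.append(("group_without_manager", name))
    for ptype, principal, resource in grants:
        if ptype == "user":
            findings.append(("direct_user_grant", f"{principal}->{resource}"))
        elif principal not in groups:
            findings.append(("grant_to_unknown_group", f"{principal}->{resource}"))
        elif groups[principal]["manager"]:
            # Delegate: each manager reviews only members of their own groups.
            for user in groups[principal]["members"]:
                slices[groups[principal]["manager"]].append((user, principal, resource))
    return findings, dict(slices)

if __name__ == "__main__":
    findings, slices = audit(GROUPS, GRANTS)
    for kind, detail in findings:
        print(f"FINDING {kind}: {detail}")
    for manager, rows in sorted(slices.items()):
        print(f"REVIEW for {manager}:")
        for user, group, resource in rows:
            print(f"  {user} via {group} -> {resource}")
```

Entitlements held through a manager-less group are deliberately left out of every review slice and surfaced as a finding instead, since no reviewer is accountable for them.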
Lastly – You Can Audit the Individuals directly
If there is an individual whose roles/rights you wish to determine, you can use YouAttest to address them individually:
Benefits of the YouAttest UAR Process
YouAttest usually eliminates up to 80-90% of the manual effort in conducting an identity audit. The real value is that conducting these reviews is so easy that it becomes standard practice for the security and risk manager to execute!