Identity & User Access Review Solutions

Access Reviews

cloud-based access reviews
for all resources

YouAttest is a cloud-based tool designed to enable enterprises to conduct compliance and security access reviews at a fraction of the time and cost.

Required by compliance measures such as:

SOX    SOC2    HIPAA/HI-TRUST    ISO 27001    GLB    CMMC

YouAttest enables an enterprise to conduct an access review of all of their cloud and on-premise resources.

Using the YouAttest console, the auditor can, from a single console, automate the access review process and disseminate attestation campaigns for certifying, revoking, or delegating the review of enterprise entitlements, including those in an Azure AD enterprise directory. Designed from scratch by interviewing both IT Security staff and external auditors, YouAttest has quantified and automated the Access Review process.

YouAttest has been shown to reduce the time needed by all personnel involved by up to 80%. No more spreadsheets, emails, or snapshots: the purpose-driven GUI solves the compliance problem and adds security by providing a more accurate accounting of identity roles and privileges.

For any organization, maintaining strict information security is an essential part of cybersecurity, and following best practices for user access reviews is a big part of this process.

For employees to complete their duties, access to sensitive information is often required. However, this necessary ability to access secure information can create vulnerabilities that can be used by hackers and cybercriminals, which makes access reviews a critical line of defense in cybersecurity.

Organizations face an array of threats that can be mitigated by access reviews, such as privilege creep, excess privileges, insider threats, access misuse, and employee mistakes. By following best practices for conducting access reviews, organizations can reduce the potential of these threats and strengthen their security posture.

First, organizations can begin by creating and updating an access management policy. This policy should be comprehensive, including a list of resources that need to be protected, a list of all users and their access types, procedures for granting and revoking access, and controls necessary to prevent cybersecurity threats. While this only needs to be done once, the policy should get updated as changes within the organization occur.

Once an access management policy is in place, organizations should create a separate access review policy to ensure that access reviews are both scheduled and conducted on a regular basis. NIST recommends that access reviews be completed at least semiannually, during which inappropriate access privileges should be revoked or changed.

Ekran System recommends that organizations implement role-based access control (RBAC). With RBAC, user privileges are granted according to roles rather than to each individual account. Roles are assigned a set of privileges that can be reviewed more efficiently than each account's access permissions. YouAttest has RBAC as part of YouAttest 2.0.

NIST also recommends that organizations implement the principle of least privilege (NIST PR.AC-6). Least privilege means that accounts are granted the minimum access required for that employee to carry out their duties. This reduces the potential for hackers to gain access to sensitive information through these accounts. YouAttest delivers on the Principle of Least Privilege by enabling key personnel to be alerted to changes in key roles/permissions and to enforce an auto-attestation of the IAM event.

For effective access reviews, ISACA recommends that access reviews occur when a new user joins the team, when a current user changes roles, when a current user leaves the team, and when any change to the application business owner is made. ISACA also recommends that the reviewer identify two types of users: Business Users and System/IT Users. Business users are the actual consumers of the application; system users are the users/accounts that perform maintenance and service on the application. Both types must be reviewed for proper permissions.

User Changes and Best Practices for User Access Reviews

ISACA also recommends that the following types of user changes be recognized and quantified in your review as access that should be reduced:

  • User leaves a team, but still retains legacy permissions
  • User changes roles, but still retains legacy role privileges
  • User leaves the enterprise, but still retains a valid identity and/or access to resources
  • User's approving manager migrates to another team, but still has validation/approval powers over legacy users
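The four change types above can be checked mechanically once the HR record (employment status, current team and role, certifying manager) is joined to each entitlement grant on the user. The following is an added illustration, not YouAttest's code or data model; the record layout, names, teams and permission strings are constructed for the example.

```python
"""Flag the four ISACA stale-access patterns. Added example with constructed data; not YouAttest code."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    user: str
    employed: bool          # False once HR records the person as a leaver
    account_enabled: bool   # directory account still usable
    team: str
    role: str
    approver: str           # manager who certifies this user's access; "" if none

@dataclass(frozen=True)
class Entitlement:
    user: str
    permission: str
    team: str   # team the grant was made for
    role: str   # role the grant was made for

def find_stale_access(identities, entitlements):
    """Return (user, finding, detail) tuples, one per stale item found."""
    by_user = {i.user: i for i in identities}
    findings = []
    for e in entitlements:
        i = by_user[e.user]
        if not i.employed:                       # leaver still holds a grant
            findings.append((e.user, "leaver_retains_access", e.permission))
        elif e.team != i.team:                   # grant made for a former team
            findings.append((e.user, "legacy_team_permission", e.permission))
        elif e.role != i.role:                   # grant made for a former role
            findings.append((e.user, "legacy_role_privilege", e.permission))
    for i in identities:
        if not i.employed and i.account_enabled:  # leaver with a valid identity
            findings.append((i.user, "leaver_retains_access", "account enabled"))
        elif i.employed and i.approver and by_user[i.approver].team != i.team:
            findings.append((i.user, "approver_moved_team", i.approver))  # certifier left the team
    return findings

IDENTITIES = [  # constructed sample directory; hypothetical people and teams
    Identity("alice", True,  True, "finance", "analyst", "bob"),
    Identity("bob",   True,  True, "eng",     "manager", ""),     # moved finance -> eng
    Identity("carol", True,  True, "eng",     "sre",     "bob"),  # was a developer
    Identity("erin",  False, True, "finance", "analyst", "bob"),  # left the company
]
ENTITLEMENTS = [  # constructed grants; permission strings are hypothetical
    Entitlement("alice", "ledger:read",  "finance", "analyst"),   # current, fine
    Entitlement("alice", "crm:read",     "sales",   "rep"),       # kept after team move
    Entitlement("carol", "repo:admin",   "eng",     "developer"), # kept after role change
    Entitlement("erin",  "ledger:write", "finance", "analyst"),   # leaver still entitled
]
```

Running `find_stale_access(IDENTITIES, ENTITLEMENTS)` yields five findings: one per stale grant, plus erin's still-enabled account and alice's approver who now sits in another team.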

An access review policy should incorporate the recommendations discussed above so that it effectively protects sensitive information from unauthorized access. Data breaches can damage an organization's reputation or finances, which makes preventing them a critical concern.

Access reviews play directly into an organization's identity audit, whether internal or external. To ensure compliance with identity governance regulations such as HIPAA/HITRUST, SOX, PCI-DSS, SOC 2 Type 2, ISO 27001 and others, identity audits analyze the user accounts within an organization's systems. During an identity audit, companies want to make sure that those accessing sensitive information are authorized and are complying with information security protocols and regulations. Those who are not compliant can face steep fines and penalties that their organization will have to pay.

Conducting regular access reviews and identity audits catches violations of regulations before information gets into the wrong hands. If data is breached, it can severely impact a company through fines, lost business, or a damaged reputation in its industry. Without the combination of the two processes, companies cannot gain a true understanding of the information they are allowing their employees to access.

Keeping sensitive information safe from malicious actions and threats is a key responsibility of organizations whose employees must access that information to perform their duties. Access reviews allow the organization to ensure that access to the information is controlled, so that breaches can be prevented and compliance with the applicable regulations is maintained.

Advanced Features: