Everyone is moving their apps, infrastructure and services to the cloud – but what does moving to the cloud mean for your access reviews?
For organizations moving their technology to the cloud, NIST has identified three cloud service models that your organization may fall under: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS). These models differ in where the responsibility for implementing and managing controls is placed: with the organization or with the cloud service provider (CSP).
In SaaS models, the CSP hosts the infrastructure and the applications, which are made accessible to users through an online interface. This is YouAttest's main benefit: plugging into your existing SaaS infrastructure and providing user access reviews.
In PaaS models, the CSP deploys customer-created applications using the CSP's own tools and infrastructure. Lastly, in IaaS models, the customer can run software such as operating systems and applications but does not manage the underlying cloud infrastructure. With these different cloud service models in mind, how do they affect your organization's access reviews?
If moving to a SaaS model, customers typically rely on the CSP's IT staff for changes to the cloud infrastructure and for any required maintenance. In both PaaS and IaaS models, the customer has more responsibility for the configuration and provisioning of the cloud software, along with additional roles. However, in all cloud service models, the customer remains responsible for access management and user access. This means that access reviews are still a critical component of securely managing cloud systems and applications.
With cloud infrastructures, account access should be regularly reviewed and updated. Because cloud applications can be reached from anywhere in the world rather than only from a specific physical location, they are exposed to attackers everywhere. To combat this threat, NIST recommends the principle of least privilege, NIST PR.AC-6, meaning users only have access to the minimum set of resources needed to carry out their duties. This prevents an attacker who discovers one user's login credentials from reaching all of the information contained within an organization's cloud systems.
(NOTE: YouAttest enforces the principle of least privilege with a trigger system that can take identity alerts from Okta and AD directories and force an attestation from the relevant business and system parties: announcement, webinar.)
Regular Access Reviews
Additionally, regular access reviews can identify whether unusual account activity is taking place. If a user typically accesses their account during work hours, activity in the middle of the night may signify a threat. Alternatively, if a particular user always accesses their account from the same location, a sudden location change may point to someone else using the account. YouAttest provides an auto-scheduling feature to ensure that the right people are reviewing the relevant changes on a regular basis.
Without regular access reviews, it can be difficult to determine whether unusual account activity is taking place. By following the NIST recommendation to conduct access reviews at least semi-annually, you can better secure sensitive information from hackers and cybercriminals looking to gain access.
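The three checks this page describes (least-privilege drift, sign-ins outside a user's normal pattern, and dormant "ghost" accounts) can be illustrated with a small script. The following is an added example, not YouAttest's code or a description of how its product works: the role definitions, entitlement export, sign-in events, working window, baseline size and 90-day idle threshold are all constructed assumptions. It builds each user's baseline from their first few sign-ins, flags later sign-ins that are off-hours or from a country absent from the baseline, compares granted entitlements against what the user's role requires, and lists accounts with no recent sign-in.

```python
"""Sample access-review checks: least-privilege drift, unusual sign-ins, ghost accounts.

All data below is constructed for illustration; nothing here is YouAttest's code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed inputs (assumptions, not real tenant data) -----------------
# Entitlements each role is supposed to carry.
ROLE_ENTITLEMENTS = {
    "analyst": {"crm:read", "reports:read"},
    "admin": {"crm:read", "crm:write", "reports:read", "iam:manage"},
}
USER_ROLES = {"alice": "analyst", "bob": "admin", "carol": "analyst", "dave": "analyst"}
# Entitlements actually granted, as a directory export might show them.
USER_ENTITLEMENTS = {
    "alice": {"crm:read", "reports:read", "iam:manage"},  # iam:manage exceeds the analyst role
    "bob": {"crm:read", "crm:write", "reports:read", "iam:manage"},
    "carol": {"crm:read"},
    "dave": {"crm:read", "reports:read"},
}
# Sign-in events as (user, ISO-8601 local timestamp, country code).
SIGNIN_EVENTS = [
    ("alice", "2021-11-01T09:12:00", "US"),
    ("alice", "2021-11-02T10:45:00", "US"),
    ("alice", "2021-11-03T14:30:00", "US"),
    ("alice", "2021-11-08T03:05:00", "US"),  # 3 a.m.: outside this user's pattern
    ("bob", "2021-11-01T08:55:00", "DE"),
    ("bob", "2021-11-02T09:20:00", "DE"),
    ("bob", "2021-11-04T11:00:00", "DE"),
    ("bob", "2021-11-09T10:10:00", "BR"),  # country never seen in the baseline
    ("carol", "2021-06-15T09:00:00", "US"),  # last sign-in months ago; dave never signs in
]
WORK_HOURS = range(7, 20)  # assumed working window, 07:00 to 19:59
BASELINE_EVENTS = 3        # sign-ins used to establish each user's normal pattern
GHOST_IDLE_DAYS = 90       # accounts idle longer than this are ghost-account candidates


def find_excess_entitlements(user_roles, user_entitlements, role_entitlements):
    """Least-privilege check: entitlements a user holds beyond what their role needs."""
    excess = {}
    for user, role in user_roles.items():
        extra = user_entitlements.get(user, set()) - role_entitlements[role]
        if extra:
            excess[user] = sorted(extra)
    return excess


def review_signins(events, baseline_events=BASELINE_EVENTS, work_hours=WORK_HOURS):
    """Flag sign-ins after the baseline that are off-hours or from a new country."""
    per_user = defaultdict(list)
    for user, ts, country in events:
        per_user[user].append((datetime.fromisoformat(ts), country))
    findings = []
    for user, evs in per_user.items():
        evs.sort()
        baseline = evs[:baseline_events]
        known_countries = {c for _, c in baseline}
        # Only treat night-time sign-ins as unusual if the baseline was all in-hours.
        baseline_in_hours = all(w.hour in work_hours for w, _ in baseline)
        for when, country in evs[baseline_events:]:
            reasons = []
            if baseline_in_hours and when.hour not in work_hours:
                reasons.append("off-hours sign-in")
            if country not in known_countries:
                reasons.append(f"new location {country}")
            if reasons:
                findings.append((user, when.isoformat(), reasons))
    return sorted(findings)


def find_ghost_accounts(accounts, events, as_of, max_idle_days=GHOST_IDLE_DAYS):
    """Accounts with no sign-in at all, or none within max_idle_days before as_of."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=max_idle_days)
    last_seen = {}
    for user, ts, _ in events:
        when = datetime.fromisoformat(ts)
        last_seen[user] = max(when, last_seen.get(user, when))
    ghosts = []
    for account in accounts:
        seen = last_seen.get(account)
        if seen is None or seen < cutoff:
            ghosts.append(account)
    return sorted(ghosts)


if __name__ == "__main__":
    for user, extra in find_excess_entitlements(USER_ROLES, USER_ENTITLEMENTS, ROLE_ENTITLEMENTS).items():
        print(f"{user}: excess entitlements {extra}")
    for user, when, reasons in review_signins(SIGNIN_EVENTS):
        print(f"{user} at {when}: {', '.join(reasons)}")
    print("ghost accounts:", find_ghost_accounts(USER_ROLES, SIGNIN_EVENTS, "2021-11-10T00:00:00"))
```

Each function returns its findings rather than printing them, so the output can feed a reviewer's attestation queue; in practice the sign-in events would come from the identity provider's log export and the role-to-entitlement mapping from the organization's own role definitions.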
To conduct these NIST-recommended access reviews, YouAttest, which is cloud-based and deploys in minutes, is the obvious choice. YouAttest includes a host of enterprise features: Okta API integration, CSV upload, auto-delegation, auto-scheduling and event-trigger attestation. Schedule a meeting with YouAttest to learn how to address your access review needs, including identifying ghost accounts.
YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO to platforms like Okta. Register for the December 9th YouAttest webinar on SOX 404B mandates for User Access Reviews.