Check Off Your Next IT Access Review Audit Without Expensive Tools

A core component of a strong security operations program is a recurring, documented and auditable access review and deprovisioning process.  It protects the business from over-credentialed employees who have picked up and retained too much access through temporary assignments or role changes within the company.  For the large enterprise with unlimited cash, there are plenty of tools that automate recurring access reviews and integrate with HR systems to drive deprovisioning.  But what about the other 95% of companies, with staff limitations and budget restrictions?  A strong program is still within reach with a few simple steps and the core attributes listed below, without lots of paid add-on tools.

The key element of a strong access review and deprovisioning program is consistency.  I recommend performing a full access review at least once per year, ideally every quarter.  The quarterly cadence makes the practice habitual and gives group owners tighter control over who has access to their data and systems.  The first review will be the toughest and will take the longest, because that is when the attributes that make later reviews easy (owner, description) get populated on the directory objects (Active Directory is assumed for the rest of this article).

For the data extracts, PowerShell can do the heavy lifting.  Begin by extracting every group in your Active Directory.  For each group, export its members and, as far as you can determine it, what the group grants (the shares, folders, applications or rights it is applied to; a group holds no permissions itself, the resource ACLs do).  Identify a business owner for each group and record that owner in the “Managed By” tab of the group object (the ManagedBy attribute).  If the owner is recorded for tracking only, leave the “Manager can update membership list” checkbox unchecked; ticking it grants that person write access to the group’s member list.  

We want to use the business owners to maintain a separation of duties between Information Technology and the business.  IT should be the shepherds and keepers of the data, enforcing security, facilitating access, and maintaining the information and its backups, while the business is ultimately responsible for the use and content.  

In the extract, give the group owner the description of the group as well (what it is and how it is used).  Remember, these are often non-technical people.  Keep the Description attribute on the group object accurate and up to date, since it drives this step of the review.  An Excel spreadsheet works well to communicate the membership to owners.  Add a “Revoke Access” column and an “Access is appropriate” column so the business owner can record a response against each member.  

Request responses and changes via email.  Even if the group membership is correct, you still need an affirmative response from the group owner, recorded in the “Access is appropriate” column of the spreadsheet; silence is not an approval.  Save the email responses as audit evidence.  Make the requested changes to the group membership.  Once the owners have completed the review, audit the list again to confirm the requested changes were actually made.  Take screenshots of the final group membership, with the system clock visible, to complete the audit trail.
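The extract, review-sheet and verification steps above, written out as an added PowerShell example (this is not code from the original article).  It assumes the RSAT ActiveDirectory module, an account that can read groups and users and modify group membership, and the placeholder output folder, OU and CSV file names shown; the function names are my own.

```powershell
# Added example, not from the original article. Assumptions: ActiveDirectory
# module available, the OU and folder below are placeholders to change, and the
# reviewed sheet comes back with the two review columns filled in by the owner.
Import-Module ActiveDirectory

$ReviewDir  = 'C:\AccessReview\2024Q1'       # assumed output folder
$SearchBase = 'OU=Groups,DC=corp,DC=example'  # assumed OU holding security groups
New-Item -ItemType Directory -Path $ReviewDir -Force | Out-Null

# Step 1: one row per (group, member). Description and ManagedBy ride along with
# the group; the owner's mail address is resolved so the sheet can be sent to them.
function Export-GroupReview {
    param([string]$SearchBase, [string]$OutFile)
    $rows = foreach ($g in Get-ADGroup -Filter 'GroupCategory -eq "Security"' `
                -SearchBase $SearchBase -Properties Description, ManagedBy) {
        $owner = if ($g.ManagedBy) { Get-ADUser -Identity $g.ManagedBy -Properties Mail } else { $null }
        # -Recursive flattens nested groups so the owner sees people, not group names.
        foreach ($m in Get-ADGroupMember -Identity $g -Recursive) {
            [pscustomobject]@{
                Group               = $g.SamAccountName
                Description         = $g.Description
                OwnerName           = $owner.Name
                OwnerMail           = $owner.Mail
                Member              = $m.SamAccountName
                MemberName          = $m.Name
                MemberType          = $m.objectClass
                RevokeAccess        = ''   # owner marks X
                AccessIsAppropriate = ''   # owner marks X; an affirmative answer is required
            }
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    $rows
}

# Step 2: record an owner on a group that has none. This only sets ManagedBy
# (tracking); it does not tick "Manager can update membership list".
function Set-GroupOwner {
    param([string]$Group, [string]$OwnerSam)
    $owner = Get-ADUser -Identity $OwnerSam
    Set-ADGroup -Identity $Group -ManagedBy $owner.DistinguishedName
}

# Step 3: apply the owner's answers from the returned sheet. Rows with neither
# column marked are returned for follow-up, because silence is not an approval.
function Invoke-ReviewDecisions {
    param([string]$ReviewedCsv, [switch]$WhatIf)
    $unanswered = @()
    foreach ($r in Import-Csv -Path $ReviewedCsv) {
        if ($r.RevokeAccess -match '\S') {
            Remove-ADGroupMember -Identity $r.Group -Members $r.Member -Confirm:$false -WhatIf:$WhatIf
        } elseif ($r.AccessIsAppropriate -notmatch '\S') {
            $unanswered += $r
        }
    }
    $unanswered
}

# Step 4: re-extract and diff against the reviewed sheet to prove the changes
# landed. Empty output means the directory now matches what the owners approved.
function Test-ReviewApplied {
    param([string]$ReviewedCsv, [string]$SearchBase)
    $expected = @(Import-Csv -Path $ReviewedCsv | Where-Object { $_.RevokeAccess -notmatch '\S' } |
                  ForEach-Object { "$($_.Group)\$($_.Member)" })
    $actual   = @(Export-GroupReview -SearchBase $SearchBase -OutFile (Join-Path $ReviewDir 'post-review.csv') |
                  ForEach-Object { "$($_.Group)\$($_.Member)" })
    Compare-Object -ReferenceObject $expected -DifferenceObject $actual
}

# Usage, in order. Between steps 1 and 3, split groups.csv by OwnerMail, send each
# owner their rows, and collect the returned sheets into groups-reviewed.csv.
Export-GroupReview -SearchBase $SearchBase -OutFile (Join-Path $ReviewDir 'groups.csv') | Out-Null
Invoke-ReviewDecisions -ReviewedCsv (Join-Path $ReviewDir 'groups-reviewed.csv') -WhatIf
Test-ReviewApplied -ReviewedCsv (Join-Path $ReviewDir 'groups-reviewed.csv') -SearchBase $SearchBase
```

Run the decision step with -WhatIf first and read the output, then again without it.  The post-review.csv written by the last step, together with the saved owner emails, is the evidence set the auditor will ask for.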

Now for some additional policy and practice elements.  Name security groups for what they do or what they protect.  This may produce a larger number of security groups than you would like, but administering them becomes significantly easier as a result.  Also, disable unused accounts after a predefined period of time.  Password expiration helps only as a backstop: an unused account whose password has expired cannot be used for logon until the password is changed, but it remains enabled and keeps its group memberships, so disable it explicitly.  With respect to deprovisioning, find a way to tap into the payroll system; companies are generally very good at stopping pay and benefits when an employee terminates.  Latch onto that feed or process, regardless of who manages it, and you get a fairly robust termination trigger.
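The two deprovisioning controls just described, inactive-account disablement and a termination feed, as an added PowerShell example that is not from the original article.  The 90-day threshold, the disabled-accounts OU, the 'svc-' service-account naming convention and the two-column payroll CSV layout are all assumptions; the sample feed at the bottom is constructed for the demonstration.

```powershell
# Added example, not from the original article. Assumptions: ActiveDirectory
# module available, service accounts are named 'svc-*', the disabled OU exists,
# and the payroll feed is a CSV with EmployeeID and TermDate columns.
Import-Module ActiveDirectory

$InactiveDays = 90                                  # assumed policy threshold
$DisabledOU   = 'OU=Disabled,DC=corp,DC=example'    # assumed holding OU

# Control 1: disable accounts with no logon for the threshold period.
# Search-ADAccount relies on lastLogonTimestamp, which replicates lazily (it can be
# up to about 14 days behind), so the result errs on the side of keeping accounts.
function Disable-InactiveUsers {
    param([int]$Days = $InactiveDays, [switch]$WhatIf)
    $stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)) -UsersOnly |
             Where-Object { $_.Enabled -and $_.SamAccountName -notlike 'svc-*' }
    foreach ($u in $stale) {
        # Stamp the reason on the object so the next reviewer knows why it is off.
        Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format s): inactive > $Days days" -WhatIf:$WhatIf
        Disable-ADAccount -Identity $u -WhatIf:$WhatIf
    }
    $stale | Select-Object SamAccountName, LastLogonDate
}

# Control 2: consume the payroll termination feed. Match on employeeID, never on
# display name: names collide and payroll may spell them differently than AD.
function Invoke-TerminationFeed {
    param([string]$FeedCsv, [switch]$WhatIf)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $results = foreach ($t in Import-Csv -Path $FeedCsv) {
        $id = $t.EmployeeID -replace "'", "''"      # keep feed values out of the filter syntax
        $u  = Get-ADUser -Filter "employeeID -eq '$id'" -Properties MemberOf
        if (-not $u) {
            [pscustomobject]@{ EmployeeID = $t.EmployeeID; Status = 'NO MATCH - investigate manually' }
            continue
        }
        # Disable first so access stops even if a later step fails.
        Disable-ADAccount -Identity $u -WhatIf:$WhatIf
        # Randomise the password so the account cannot be quietly re-enabled and used with the old one.
        $bytes = New-Object byte[] 24; $rng.GetBytes($bytes)
        $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $u -Reset -NewPassword $newPw -WhatIf:$WhatIf
        # Strip group memberships (the primary group is not in MemberOf and is left alone).
        foreach ($g in $u.MemberOf) {
            Remove-ADGroupMember -Identity $g -Members $u -Confirm:$false -WhatIf:$WhatIf
        }
        Move-ADObject -Identity $u -TargetPath $DisabledOU -WhatIf:$WhatIf
        [pscustomobject]@{ EmployeeID = $t.EmployeeID; Status = "Disabled $($u.SamAccountName), term date $($t.TermDate)" }
    }
    $results
}

# Constructed sample feed in the assumed layout, so the script can be dry-run.
$FeedPath = Join-Path $env:TEMP 'terminations.csv'
@"
EmployeeID,TermDate
10042,2024-03-29
10117,2024-03-29
"@ | Set-Content -Path $FeedPath

# Usage: dry-run both controls, then drop -WhatIf once the output looks right.
Disable-InactiveUsers -WhatIf
Invoke-TerminationFeed -FeedCsv $FeedPath -WhatIf | Format-Table -AutoSize
```

The NO MATCH rows are the important ones: a terminated person with no matching directory account usually means the employeeID was never populated, and that gap has to be closed before the feed can be trusted as the termination trigger.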

In closing, a strong, auditable access review and deprovisioning process need not be costly or complex.  Whatever industry or compliance regime your company is held to, auditors will look for these key elements in their review.  Start early; the process becomes routine and easier with time, protects the firm from over- and inappropriately credentialed employees, and helps ensure a clean result in your next IT audit.


More articles by Michael V.N. Hall: “Go Deep, Not Wide” and “9 Tips To Ensure Your Resume Makes it Past the Initial Screening”.