Access rights are the permissions granted to a user or application to access a file, modify configurations or settings, or add or remove an application. For file systems, access privileges include read, write, modify, and delete. As a matter of general practice, most organizations have some form of access rights practice in place. For example, the CEO will have access to all the information, whereas the same does not hold true for an entry-level employee. If your company complies with a standard such as ISO 27001:2013, it will have a document outlining who can access what. At this point, one might believe that documenting access privilege levels is sufficient.
Recently, a company got in touch with us and shared that certain important documents were missing from their cloud environment. Upon further investigation, we found that an ex-employee still had access two months after their employment had been terminated. Our Digital Forensics team further concluded that this employee had downloaded a total of 17 documents related to the company's IT architecture. After being downloaded, these documents were eventually deleted. Another crucial finding was that access to these resources had been granted temporarily; however, it was neither reviewed nor revoked.
Containing a threat or an event is the first step in the mind of cyber professionals, but gathering information and evidence to pursue legal action typically follows immediately afterward. Our Digital Forensics Services specialize in getting to the bottom of every case with deep science and industry experience.
Why should you perform access rights review?
The above incident is one of the things that can happen if you do not perform access reviews regularly. In medium and large scale enterprises, employees regularly join and leave the company, and they also move from one department to another. Moving to a new department changes the information an employee requires and, accordingly, their user access needs. At times, a system administrator might miss an employee termination email. As a result, a former employee would still be able to gain remote access to your organization's email, applications, and network. In some cases, we have also noticed misuse of dormant but still active administrative accounts. Performing an access rights review helps in the identification of:
- User accounts with excessive privileges
- Accounts not reflecting job position changes
- Accounts given an exception from the organization’s security policies
- Dormant accounts
- Active accounts belonging to former employees
Types of users within an organization
Users within an organization are generally accepted to fall into two types: business users and IT users. The former covers users who use applications and tools to fulfil their key responsibility areas (KRAs). For example, a secretary will use a calendar application to schedule meetings. Another example is a marketing analyst who will use data analysis tools to discharge their responsibilities.
IT users are responsible for developing, testing, deploying, and providing operations management support to a business. The extent of their access depends on the type of team and an individual's role within that team. While the insider threat from business users cannot be ignored, IT users have direct access to an organization's sensitive information. Accordingly, you will need to perform access rights reviews for them more frequently than for business users.
Is that all?
Apart from your business and IT users, your third-party vendors may also have access to your information and systems. Most often, this access is temporary, and it may range from a few weeks to a few months. Irrespective of the duration, they may continue to have access after the conclusion of your contractual relationship unless it is explicitly revoked.
Who should perform an access rights review?
The ideal candidate to perform an access rights review would be an employee operating independently of your system administrators. Such an employee would be able to check if an administrator is:
- Assigning excessive privileges
- Creating hidden accounts
- Granting access privileges without business use case and documentation
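The findings listed under "Why should you perform access rights review?" and the checks an independent reviewer should make on an administrator's work are both essentially a reconciliation of the HR roster against an export of accounts and their grants. The script below is an added example, not code from the original post or from LIFARS; it works on a constructed, in-memory sample of employees and accounts (the field names, the 90-day dormancy threshold and the set of privileges treated as privileged are assumptions) and flags each of the conditions the post names: accounts with no HR record (hidden or orphaned), active accounts of former employees or vendors, temporary grants that expired but were never revoked, access still scoped to an old department, dormant accounts, privileged access with no documented approval, and accounts holding a policy exception.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed record layouts: in practice these would come from the HR system
# and from an export of the directory / cloud tenant.


@dataclass
class Employee:
    user: str
    department: str
    status: str                       # "active" or "terminated" (also used for ended vendor contracts)
    end_date: Optional[date] = None   # termination or contract end date


@dataclass
class Account:
    user: str
    department: str                   # department the account's access is scoped to
    privileges: set
    last_login: Optional[date]
    access_expires: Optional[date] = None    # set for temporary grants
    approval_ticket: Optional[str] = None    # documented business justification
    policy_exception: bool = False           # exempted from the access policy


PRIVILEGED = {"admin", "domain_admin", "db_owner"}   # assumed set of high-risk rights
DORMANT_AFTER = timedelta(days=90)                    # assumed dormancy threshold


def review_accounts(employees, accounts, today):
    """Return a list of (user, finding) tuples for the reviewer to action."""
    roster = {e.user: e for e in employees}
    findings = []
    for acct in accounts:
        emp = roster.get(acct.user)
        if emp is None:
            findings.append((acct.user, "no matching HR record (possible hidden or orphaned account)"))
            continue
        if emp.status == "terminated":
            findings.append((acct.user, f"active account for former employee/vendor (ended {emp.end_date})"))
        if acct.access_expires is not None and acct.access_expires < today:
            findings.append((acct.user, f"temporary access expired on {acct.access_expires} but was not revoked"))
        if emp.department != acct.department:
            findings.append((acct.user, f"access scoped to {acct.department} but user now in {emp.department}"))
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings.append((acct.user, "dormant account"))
        elevated = acct.privileges & PRIVILEGED
        if elevated and not acct.approval_ticket:
            findings.append((acct.user, f"privileged access {sorted(elevated)} with no documented approval"))
        if acct.policy_exception:
            findings.append((acct.user, "holds a policy exception; confirm it is still justified"))
    return findings


# Constructed sample data (not from the post). TODAY is fixed so results are reproducible.
TODAY = date(2024, 3, 15)

SAMPLE_EMPLOYEES = [
    Employee("alice", "finance", "active"),
    Employee("bob", "marketing", "terminated", date(2024, 1, 15)),   # left two months ago
    Employee("carol", "it-ops", "active"),
    Employee("frank", "vendor", "active"),                            # contractor, temporary grant
    Employee("grace", "sales", "active"),                             # recently moved from finance
]

SAMPLE_ACCOUNTS = [
    Account("alice", "finance", {"read"}, TODAY - timedelta(days=3), approval_ticket="CHG-1001"),
    Account("bob", "marketing", {"read", "write"}, TODAY - timedelta(days=40)),
    Account("carol", "it-ops", {"admin"}, TODAY - timedelta(days=2)),
    Account("erin", "it-ops", {"domain_admin"}, TODAY - timedelta(days=200)),   # no HR record at all
    Account("frank", "vendor", {"read"}, TODAY - timedelta(days=100),
            access_expires=TODAY - timedelta(days=30)),
    Account("grace", "finance", {"read"}, TODAY - timedelta(days=5), policy_exception=True),
]


def sample_review():
    return review_accounts(SAMPLE_EMPLOYEES, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, finding in sample_review():
        print(f"{user:8} {finding}")
```

Running it lists seven findings across five accounts; only alice, whose access is documented, current and in use, comes back clean. An independent reviewer can run the same reconciliation against the real exports each quarter, and the "no matching HR record" and "no documented approval" findings are precisely what catches an administrator creating hidden accounts or granting privileges without a business case.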
LIFARS Recommended Best Practices
Implementing best practices for access rights review can surely help your organization in minimizing or eliminating the associated risks. In this section, we categorize best practices in three areas: for business users, for IT users, and general.
For Business Users
- Identify the business processes of your organization and identify their process owners.
- A business process owner should specify the minimum possible access privilege level required for a new user.
- A business process owner should perform an access rights review of user access for their business process bi-annually. For sensitive business processes, the review should be quarterly.
For IT Users
- Team leads/managers should ensure that minimum possible access levels are granted to their team members.
- There should be clear segregation of duties in IT teams, and it must be documented.
- The team lead must produce an onboarding document when granting access privileges to an IT user.
- The recommended duration to perform periodic reviews is quarterly. However, critical assets, potential risk, and user dynamics play a decisive role in deciding the frequency.
- The team lead must produce an offboarding document when revoking access privileges for an IT user.
General
- Your access control policy and procedure should be free from ambiguity and vagueness.
- Your policy and procedure should be in line with your business needs and risk posture.
- Prefer a deny-all (default deny) approach. This means that no employee gets access to a resource unless they specifically need it. For small scale enterprises, this approach may be cumbersome due to overlapping job profiles.
- You should communicate to business process owners and team leads that access management is their responsibility.
- Regularly review your employee onboarding and offboarding procedures.
User access to systems, applications, and information cannot be treated as a static document. Access rights review forms an integral part of the user account management life cycle. You must implement an organization-wide access rights review process to ensure that least privilege is actually enforced. Depending on your location, industry, and size, there will be laws and regulations that mandate user access rights review. Did you find anything interesting while reviewing access rights for your organization? Please write to us on Twitter at @LIFARSTechDiary and let us know.