Top 10 Pain Points in User Access Reviews

User Access Reviews are painful.

In fact, organizing and executing user access and entitlement reviews to meet compliance requirements for HIPAA, FISMA, GLBA, PCI-DCC, and SOX are typically stressful and inefficient exercises that rely heavily on manual data collection and processing to complete.

The following list outlines the most common solutions for the top pain points found in user access and entitlement reviews.

 

#1. Show Accounts with Operating System Access

Scan Windows servers regularly to know which accounts have what level of access to the operating system. Active Directory can easily provide lists of computers, users, and groups, but it does not track which users and groups what level of access to computers.

 

#1. Show User Access Based on Active Directory Group Membership

Most Windows based access utilizes AD groups.  Having all the members of any given group shows the effective access provided by the group.  If members are added or removed to the group, the provisioned access to a given resource has not changed, but the effective access has changed.  This includes inherited access when a group is added as a member of another group (nesting).

 

#1. Identify Employee Account Ownership

The majority of attributes important for reporting are not available on the user account, but on the employee record of the user account owner.  By linking the account back to the employee, reporting can be done using the employee’s organizational and managerial hierarchies, or any other HR related attribute.  Example: What job titles should be allowed admin access on Windows Servers?

 

#1. Identify Terminated Employees with Active Accounts / Access

An employee’s entitlements are managed in various resources within the company.  NorthStar can aggregate access across all those resources in one place to easily identify stale access for a terminated employee.

 

#1. Identify Unowned Accounts / Service Accounts

Service/functional accounts are typically tied to an application instead of an employee.  These accounts should only have the level of access required by the application.  There are also “unowned” accounts that are not tied back to an application or employee that should be evaluated if they have access to important resources.

 

#1. Processing Standards for Spreadsheet Reporting

If you are still using spreadsheets, then breathe deep.

NorthStar has a flexible model for tracking privileges and a scheduler that will collect data in a consistent manner each day. Standard field translations are also easily adjustable to transform values in a consistent manner for reporting.  During the daily reporting build, deltas are tracked in history tables for trending over time.

 

#1. Show Which Entitlements are Privileged as it Differs by Data Source

What is considered “privileged” access varies from company to company as well from system to system within the company.

Field translations enable organizations to mark accounts as privileged in their own environment based on any attribute available or derivable from the data feeds.

 

#1. Show Multiple Heterogeneous Data Sources in a Single, Interactive UI

There are no limits on the types of access that can be tracked in NorthStar, and the results are displayed an easy-to-use interface.

 

#1. Remediation of User Access Issues

To remediate access, companies need to know what access exists in the environment. NorthStar provides a process that regularly collects what access exists in the environment and create dashboards based on the conditions that should be remediated.  These same dashboard conditions can be used to build trending charts to show remediation progress over time.  NorthStar feeds this data into attestation processes where effective access is approved by management on a regular basis.

 

#1. Incorporating Physical Access Data

Incorporating physical access privileges to the overall enterprise risk model is a struggle for many enterprises. With NorthStar, there are no limits on the types of access that can be tracked. NorthStar’s flexible model tracks any access-controlled resource.  Physical access, for example, is generally managed using a key card system.  Knowing which employee is assigned which key card – and the facilities that key card has access to – provides an employee’s effective access to facilities in the same privileges model.

 

No, those number ones weren’t typos – all of the items listed above are equally painful reasons you need NorthStar. NorthStar helps security teams, IAM teams, and auditors joyfully (it’s true!) automate the execution of user access reviews and sail through audits.

 

For questions about how NorthStar can help you please contact us via your favorite form of communication:

Free Trial: connect@northstar.io  |   Phone: 312.421.3270  | Privilege Tracking