Access reviews shouldn't take hundreds of thousands of hours. If they do, it's time to look at a better risk-based approach.
Access reviews have become a topic of fear-mongering:
I’m yet to work with a company that can confidently answer those three questions. But before you throw a team at the task, try to automate it, or give up completely, let’s put it into perspective.
If you’re a startup with less than 50 apps -> skip to the bottom to see how we manage our own access in 15 minutes per quarter.
Access reviews are one part of the broader topic of access management. They are a check, often quarterly or annually, to confirm your access control is working correctly so the right people, have the right access, to the right systems.
We’ve seen clients conduct access reviews and notice access rights that are wrong. They conclude they need to invest more time in those access reviews. But that’s missing the point of it. Instead, ask what went wrong to cause that incorrect access and fix it at the source. For example, why wasn’t that access removed when the person was terminated? Or modified when they changed roles? Or was it set up incorrectly when they were onboarded? Did they only need temporary access?
If things are working well, the access review should just be confirming the access is correct.
How to manage access effectively
Step 1: identify the purpose
As a starting point, be clear on what you’re trying to achieve. This is really important, otherwise you’ll waste your time and miss the point with the rest of it.
The way you implement things from there can be very different.
For example; if your immediate goal is to achieve SOC 2 - the scope of apps to focus on is usually between 3-15 total. That may be a very small subset of the total you actually use. That’s the ones your customers directly rely on and the critical infrastructure supporting those. If your goal was to reduce costs, you probably wouldn’t spend much time on the apps that don’t have licensing costs per user.
Often it’s multi-purpose, but when you know what those goals are you can get better outcomes, with less effort.
Step 2: catalog your systems
Create a list of your apps. That may be focused solely on your purpose from step 1. Or if you’re really diligent, go for a full list from the start. It’s probably going to make your life easier in the long run. But if you do go for a full list; highlight, classify, or rank those you’re immediately focused on so you get the best results from your efforts.
It’s helpful to capture information that supports various access management processes and monitoring. Access reviews are one part of that. You might track:
There are a lot of other details you might capture. But it’s important to be pragmatic and realistic about it. If you try to track everything for the sake of more data, you’ll probably end up with a messy, unreliable, and incomplete register of systems. Keep in mind how this will be maintained, and ensure the relevant processes are connected, like adding an item to this list when a new system is approved or used.
Optional Step 3: Strategise and lay foundations
There’s different strategies you can take to support access management at scale. Whether they’re worthwhile will depend on your goals, your scale, and the way your team works. For us with 20 people and 15 material systems, we haven’t needed any of these (yet):
Once you’ve classified those risks, you might say the access reviews should be monthly/quarterly for AWS, annual for Trello, and you don’t need to do them at all for Uber Eats. That can also influence whether you enforce MFA, review those providers’ SOC 2 reports, and various other security practices.
As it relates to access reviews, you can go a step further if you’ve tracked the information above. If the systems are authenticated with Okta for example, it might reduce the need or frequency for access reviews, or just allow you to centrally complete those reviews within Okta. Same idea for systems where Google accounts have to be used, but that may have a dependency on your team setting it up that way individually.
Step 4: Design your access management practices
This is where the above steps come together into a practical method of access management. Firstly, set up good onboarding, role change, and terminations processes, as these are the best way to ensure access is correct at all times (not just retrospectively fixed in access reviews).
Then think about your access reviews. If you’ve classified the risks, think pragmatically about how to address those risks.
One important consideration is contextualisation. That is conducting reviews where you’re focused on whats important and why you’re doing it. If you use Drata, for example, your connected infrastructure, code repository, and workspace software will have automated data feeds to monitor that access.
When that’s set up to know who your admins are, who should have developer access, and the full list of who’s employed, it can automatically test where user access varies from what’s expected. For example; when we gave our pen testers access to our environment, Drata flagged they’re not part of our organisation and aren’t supposed to have elevated access to our code repository. Of course then we can confirm they should, but only temporarily, which is important to track for that sort of higher risk access.
Contextualisation may be less important for your lower risk apps. If it’s a system that your whole company has access to, or there’s limited sensitive data in that system, you may only be checking that access is assigned to active employees. In that case you could simplify the review by a script that compares to your Active Directory, or even just check any employees terminated since the last access review no longer have access.
If you’re spending a long time on access reviews, that’s where you may want to get more advanced with the risk based approach. As a rule of thumb, if your team are overwhelmed with it and lost in the user listings, it’s probably not going to be as effective. You can "tick and bash" user listings but human nature will result in oversights, so best to prioritise focus and efforts on the access that really matters.
Reduce the frequency for lower risk apps, or even de-scope them. Focus on specific goals like checking any terminated users have been removed, or reviewing only the higher levels of access like administration rights. Having different approaches for each system can add complexity, but if you “bucket” the systems and apply a clear strategy, it can save a lot of time without creating confusion.
How we manage access in 15 minutes a quarter
If you’ve a list of less than 50 apps and less than 50 employees, the post above probably sounds like madness. It is. You can keep things really simple.
We have a checklist of 15 apps that covers everything important for us; our Google Workspace, Airwallex expense cards, our product and development tools, our ESOP, and internal systems. That list is part of the onboarding checklist, exit checklist, and what we review on a quarterly basis. Each line in the checklist is linked to the access management page of the respective apps, so it takes an admin a minute to click into each system to add, remove, or scan the list, and confirm it’s all correct in each of those three processes.
If it’s not correct, figure out what went wrong and solve it from a process perspective. Remind your team how to set up or remove access correctly. Identify if there’s a process gap, where you might be providing ad-hoc access without a defined way of tracking that.
Summary
If access reviews are taking an obscene amount of time, or causing excessive pain for your teams, there's probably a better way. Hopefully this post prompts ideas that you can apply to your approach. If in doubt - get in touch. As an independent audit firm, we won't do it for you, but we can guide you, challenge your existing approach, and bring a fresh perspective.