Part of our series on Security for Medium Businesses.
So there’s a joke that metrics nerds love to tell, especially those in security.
A woman comes out of a bar at 1 AM, heading home. She sees a guy peering closely at the pavement under a streetlight. She walks over and asks what he’s doing. The guy (clearly drunk) says he’s looking for his keys.
She helps him look for a bit, and then asks him where he last saw them. He responds, “Oh! Well, I lost them over there” and points across the street, “but the light over here is much better.”
Har har. So what?
There is a persistent temptation in security to choose mechanisms, practices, or indicators because they’re easy instead of choosing the ones that best meet your goals. Unfortunately, this is often especially true of audit frameworks. Compliance with the “best practices” often doesn’t have much overlap with the most effective ways to reduce actual breach or theft.
One of the most common examples is access governance. Access governance capabilities are easy to audit; they don’t require a lot of context, wisdom, or judgement, so you can throw a recent MBA grad on it and they can probably figure it out. This means that access governance practices frequently make the lists of “best practices” that large security organizations follow like ISO 27k, NIST 800, SOC2s, and SOX ITGCs.
The actual security value it provides also scales with the size of the company, with the greatest value when lots of people stay at a big company for a long time and frequently change roles and projects. Done the conventional way, it usually requires dedicated systems and a support team.
There are some instances when access governance is worth it for smaller businesses, and you can get them done with a pen and the back of a napkin. Let’s break it down.
The Leaver workflow makes the most sense to most people. Fundamentally, it says, “when someone leaves your organization, pull their access.” This can be easy, especially if you’ve got all access tied to a central account. If you need to retain information about that account’s existence, it’s still easy: just make it impossible to log in as that account, for example by changing the password to something long and randomly generated.
This still applies to short-term departures such as sabbaticals or medical leaves of absence. If they’re not working, nothing good can happen from their account being used. Just turn it off.
If you haven’t yet tied all access to a central account, it’s still not too hard. Create a checklist of systems with worker access. Anytime someone leaves, walk through the checklist and pull access for anything they had.
Included more for efficiency reasons than for security, the onboarding workflow says, “when someone joins your organization, give them the access they need.” This can be as basic as a list of required access for common roles: what does a new sales rep need? What does a new CNC operator need? Just write it down somewhere, and when someone in a common role joins your organization, you look up the right list and provision them in each system on it. There’s some security value in this consistency because people will more consistently have minimum access. If managers must figure out what’s appropriate every time, they’ll often err on the side of too much access: it won’t hurt much for just this person. They’re right, too: individually, excess access doesn’t dramatically increase the risk to the organization; it’s only in the aggregate that it becomes meaningful. Even then, there isn’t huge security value in this control.
Access reviews deliver the least security value for the highest effort in identity management. You could even make a decent case that overall, they hurt security. Unfortunately, auditors love this control more than any other in identity management.
An access review is a periodic task assigned to a manager or leader. Every quarter, they must review everyone’s access within their domain. For each person’s access, they either certify that the access is still appropriate, or that it is not and should be revoked. There are two styles: managers review access for each of their direct reports, or some application owner reviews every worker’s access in their application. Some organizations do both.
One of the biggest problems with this idea is that each quarterly exercise provides almost no value. For small organizations, appropriate access is often intuitive; roles are often fluid and discretionary. Further, reminding a manager to verify something they often do automatically and as-needed is unnecessary and annoying.
For any size organization, most access reviews end up as check-the-box exercises, with reviewers clicking “approve” on everyone with access each time they come up.
When people change roles, they probably need to do different things, and so need different access. A Mover workflow sends an access review task to the Mover’s new manager to verify that access required only for their old role is removed. New managers are the better choice for this because they are incented to get the employee onto new projects and to stop doing their old job. In theory, Mover workflows make more sense than periodic Access Reviews.
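The three workflows above (Leaver, onboarding, Mover) and the “excess access only matters in aggregate” point are small enough to fit in a few lines of bookkeeping. The following is an added example, not code from the article: the system checklist, the role templates and the workers are constructed for illustration, and the “revoke” actions stand in for a person working down the checklist by hand (or a script calling each system’s API). The Leaver function deliberately reports any access the checklist does not know about, since a missing checklist entry is the usual way access survives a departure.

```python
"""Napkin-scale Joiner/Mover/Leaver bookkeeping (constructed example)."""
import secrets
from dataclasses import dataclass, field

# Every system a worker can hold access in (constructed). The Leaver
# workflow walks this list top to bottom.
SYSTEM_CHECKLIST = ["email", "vpn", "crm", "erp", "git", "badge", "shop-floor-hmi"]

# Role templates: the minimum access a common role needs (constructed).
ROLE_TEMPLATES = {
    "sales-rep": {"email", "vpn", "crm"},
    "cnc-operator": {"email", "badge", "shop-floor-hmi"},
    "developer": {"email", "vpn", "git"},
}


@dataclass
class Worker:
    name: str
    role: str
    access: set = field(default_factory=set)
    active: bool = True


def joiner(name, role):
    """Provision a new hire from the role template and nothing more."""
    if role not in ROLE_TEMPLATES:
        raise KeyError(f"no template for role {role!r}; write one before provisioning")
    return Worker(name, role, set(ROLE_TEMPLATES[role]))


def disable_login(worker):
    """Keep the account record but make it impossible to log in: set a long,
    random password nobody knows. Used for departures and leaves of absence."""
    worker.active = False
    return secrets.token_urlsafe(32)  # 43 URL-safe characters


def leaver(worker):
    """Walk the whole checklist and revoke whatever the worker holds.
    Returns (actions, stale): stale is access the checklist does not cover,
    which is exactly the gap a written checklist exists to expose."""
    actions = []
    for system in SYSTEM_CHECKLIST:
        if system in worker.access:
            actions.append(("revoke", system))
            worker.access.discard(system)
    stale = sorted(worker.access)
    disable_login(worker)
    return actions, stale


def mover(worker, new_role):
    """What the new manager should review: access that only the old role
    needed (remove) and template access the new role still lacks (add)."""
    old_only = ROLE_TEMPLATES[worker.role] - ROLE_TEMPLATES[new_role]
    remove = sorted(old_only & worker.access)
    add = sorted(ROLE_TEMPLATES[new_role] - worker.access)
    return remove, add


def apply_move(worker, new_role):
    """Carry out the Mover review result and update the worker's role."""
    remove, add = mover(worker, new_role)
    worker.access -= set(remove)
    worker.access |= set(add)
    worker.role = new_role
    return worker


def excess_access(workers):
    """Aggregate view of access held beyond the role template. One worker's
    extra entitlement barely matters; the sum across the company is what a
    stolen or misused account benefits from."""
    report = {}
    for w in workers:
        extra = w.access - ROLE_TEMPLATES[w.role]
        if extra:
            report[w.name] = sorted(extra)
    return report


if __name__ == "__main__":
    alice = joiner("alice", "sales-rep")
    print("joined:", sorted(alice.access))
    print("move to developer:", mover(alice, "developer"))
    apply_move(alice, "developer")
    alice.access.add("erp")  # discretionary extra granted along the way
    print("excess:", excess_access([alice]))
    print("leaver:", leaver(alice))
```

The role templates are the only part that needs judgement; everything else is set arithmetic, which is why the text’s “back of a napkin” claim holds for a small organization.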
Clearly, you could also automate most of these capabilities. You can buy fancy systems that reach into all sorts of other systems to find out who has access to what, correlate it all to a single worker identity, and deliver the features above based on the role templates you define.
These Access Governance systems are usually focused on satisfying audits; they have other audit-focused features, such as enforcing periodic password rotations (a bad idea but auditors love them). The systems make sure the necessary processes are done at the right times and automatically capture the evidence to show your auditors that you did them perfectly.
If you are under strong audit requirements, you do not need a fancy access governance system to do a great job. Checklists usually already exist in HR for terminating and onboarding employees; just add a step about pulling access or provisioning it (maybe with some helpful templates for common roles).
Is it Worth it?
Doing Leaver events automatically has some value, especially for a grumpy, recently fired employee. You may not want to give them much opportunity to torch things on their way out.
For the rest, keep in mind the overall threat model: If a worker account is used to do bad things, these will slightly reduce the average amount of bad that could be done. Unless you have non-negotiable audit commitments, you almost certainly have better things to do with your time and money than Access Governance.
Are you arguing with an auditor about Access Governance? Let us help.