Guides
October 2, 2024

User Access Reviews: Best Practices for Security and Compliance

This how-to guide provides Top Tips & Best Practices to ensure user access reviews are conducted optimally & efficiently.


Introduction

User Access Reviews (UARs) are a critical part of Identity and Access Management (IAM), ensuring that only authorised users have access to the necessary systems and data. This process helps organisations prevent access creep, minimise insider threats, and ensure compliance with regulations such as SOC 2 and ISO 27001.

Did You Know?

80% of attacks involve compromised identities. (CrowdStrike 2023 Global Threat Report)

What is a User Access Review?

A UAR is a formal process where user access rights are reviewed to confirm whether they align with the user’s current responsibilities. The review helps enforce least privilege access by identifying unnecessary permissions and removing access that’s no longer needed.

Example: Let’s take GitHub as an example. GitHub gives developers (full-time staff and contractors) access to the organisation’s codebases. That access is often extremely sensitive and only required for certain projects, so it’s critical that access reviews are conducted on GitHub at a regular cadence. Without them, the business is exposed to significant security risk.

💡 Insight

An added complexity with GitHub is that it’s commonplace for developers to log in with a personal GitHub account tied to a personal email address rather than an identity from the corporate IdP. Because offboarding typically works from the corporate identity, these accounts are often missed when an employee leaves.

How is a ‘User’ defined?

A user is defined as an individual with login access to a given application. A user can therefore hold any of a number of roles, such as:

  • Full-Time Employee
  • Part-Time Employee
  • Contractor
  • Consultant

💡 Insight

One of the key challenges with Identity & Access Management is that it’s much more difficult to manage access of users that are not full-time employees, such as contractors or consultants. This is partly why implementing effective access control policies is so important!

Who is Responsible for Conducting the Access Review?

One of the challenges with UARs is deciding who should complete the review for a given application. Typically, a security leader will be responsible for managing and overseeing the process, but the access review itself for a given app may be completed by another individual, such as an app owner or app manager.

Example: Let’s stick with GitHub as an example. Often, it’s the CTO that ‘owns’ the tool. However, especially in larger organisations, it’s unlikely that the CTO manages the day-to-day running of the Engineering team. As such, it might make more sense for the VP of Engineering to conduct the UAR, as they’re much closer to the expected usage of and access to the tool. Meanwhile, the IT Manager remains responsible for managing and overseeing the UAR process as a whole.

Why Are User Access Reviews Important?

Security

Prevents Access Creep: As employees transition between departments or roles, they often retain access to old systems they no longer need. This is known as ‘access creep’, and it exposes your organisation to unnecessary risk. Regular User Access Reviews ensure that permissions are revisited at a defined cadence, limiting access to the systems employees need to perform their current role.

Reduces Insider Threats: Insider threats, whether malicious or accidental, are a major concern for businesses. By reviewing user access frequently, you can minimise the risk of internal misuse by ensuring that employees don’t hold access to sensitive data that falls outside their job scope.

Principle of Least Privilege: The Principle of Least Privilege means giving users only the permissions they need to perform their duties. UARs help enforce this security practice by auditing permissions and removing any excessive or outdated access. This ensures that your organisation operates with the least amount of exposure possible, keeping your data and systems secure.

Compliance

SOC 2 Compliance: The Security criterion, one of the five SOC 2 Trust Services Criteria, requires that logical access be restricted to authorised users and periodically reviewed (the CC6 family of Common Criteria). UARs help meet this requirement by demonstrating that access rights are routinely audited and adjusted as necessary to close security gaps.

Orphaned Accounts: When employees leave the organisation, their access rights may not be fully revoked, creating orphaned accounts. These accounts pose a significant risk because they can be taken over by malicious actors without anyone noticing. Conducting UARs helps identify and eliminate these accounts, especially in systems without SCIM (System for Cross-domain Identity Management) deprovisioning, where offboarding often misses them.

💡 Insight

One of the great shames with SCIM in 2024 is that vendors tend to offer it only on premium tiers, thereby disincentivising good security practice. See SSO.tax for more on this.

Example Scenario

Let’s take Sarah as an example. Sarah works as a Solution Engineer, so she has access to a lot of tools that span Sales and Engineering. It’s hard to fit Sarah into a single traditional RBAC (Role-Based Access Control) role, a common problem in modern access control.

As part of a restructuring, Sarah has been moved to work as a Senior Engineer and therefore no longer needs access to tools like Salesforce, Zendesk and customer databases. However, the company doesn’t have a robust mover process (a common problem among businesses) meaning Sarah retains her access.

This is where User Access Reviews come in. Luckily, Salesforce, Zendesk and the customer databases have UARs conducted at a monthly cadence. During the next review, the reviewers spot that Sarah’s department and job title have changed, remove the access she no longer needs, and so bring her back to least privilege.

Top Tip

By combining this UAR with a self-service access catalog, the company ensures Sarah only has access to tools she needs, for the period of time she needs them.

Step Guide for Conducting User Access Reviews

Step 1: Create a Plan

Define the Scope: Start by determining which applications to include in your User Access Reviews. Consider the nature of the data each app holds, its risk level, and its criticality to the business. Both security and regulatory requirements should be considered.

Prioritise Apps: Once the scope is defined, prioritise apps based on risk factors. Critical apps with sensitive data (e.g. HR or Finance Systems) should take priority. This allows you to focus your efforts where security risks are highest.

Assign Responsibilities: Identify the individual responsible for conducting each review. Remember that this could be the app owner or a team manager.

Define Start & End Dates: Set clear timelines for each review. Establish a start date when the review will commence, and an end date by which all access decisions need to be made. Having a clear deadline ensures the process doesn’t drag out indefinitely.

Step 2: Communication

Communicate Responsibilities: Ensure that all access reviewers are aware of their responsibilities. Make sure that they understand the importance of access reviews and how they play a role in mitigating security risks.

Schedule Training if Necessary: For any tool owners unfamiliar with the UAR process, schedule training sessions to guide them through what’s expected. Provide them with templates or tools to make the process easier and more consistent across the organisation.

Top Tip

We’ve found that recording a quick 2 minute video is a great way to educate reviewers!

Step 3: Conduct the Access Review

Revoke Where Necessary: Once the review is underway, app owners should carefully evaluate who has access and whether it’s still required. If an employee’s access is no longer necessary, it should be revoked; if only part of it is still needed, it should be downgraded to that level.

Communication: Notify affected employees about changes to their access. Clear communication is key, explaining why access has been modified and how it impacts their work.

Top Tip

Orphaned Accounts, those left over from employees who have left the organisation, are particularly dangerous. They often go unnoticed, especially in non-SCIM systems, leaving potential backdoors into your systems. Make it a priority to locate and remove these accounts, and treat any account that can’t be matched to a current person in the HR or IdP roster the same way until an owner is confirmed.

Step 4: Documentation

Update Records: Ensure that every access review is fully documented. This includes who conducted the review, what changes were made, and why. Documentation serves as proof that you are complying with security and regulatory requirements, and it creates an audit trail.

Store Evidence: Keep all records in a centralised location where they can be easily accessed for audits or future reviews. This could be a digital repository within your IAM system or a secured folder for storing evidence of reviews.

Set Next Review Date: Based on the cadence of each app, establish the next due date for the review. This ensures a continuous review process, keeping security tight over time.
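Steps 3 and 4 above, as an added worked example that is not part of this guide or of Ploy’s product: a small Python script that reconciles an application’s user export against the HR/IdP roster, flags orphaned accounts, logins with no matching identity, personal-email logins (the GitHub problem noted earlier), movers whose department has changed since access was granted, and stale accounts, and then builds the documentation record with the next review date. The roster, the app export, the corporate domain, the reviewer and the 30-day cadence are all constructed assumptions for illustration.

```python
"""Offline reconciliation of an app's user list against the HR/IdP roster.

Added example, not Ploy's code. Inputs are two constructed CSV exports:
the roster (HR/IdP source of truth) and the application's own user list.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption: the company's own email domains. Logins outside these are
# treated as personal accounts (the GitHub problem noted in the guide).
CORPORATE_DOMAINS = {"example.com"}

# Constructed sample data. A real roster comes from the HRIS or IdP; the app
# export comes from the application's admin console or API.
ROSTER_CSV = """email,status,department,title
sarah@example.com,active,Engineering,Senior Engineer
bob@example.com,terminated,Sales,Account Executive
ana@example.com,active,Sales,Solution Engineer
"""

APP_USERS_CSV = """login,role,granted_department,last_login
sarah@example.com,admin,Sales,2024-09-20
bob@example.com,member,Sales,2024-06-01
ana@example.com,member,Sales,2024-09-28
dev.mike@gmail.com,member,Engineering,2024-09-01
"""


@dataclass
class Finding:
    login: str
    role: str
    flags: list = field(default_factory=list)

    @property
    def recommendation(self) -> str:
        """Default action for the reviewer; the reviewer still makes the call."""
        if "orphaned" in self.flags:
            return "revoke"
        if "not_in_roster" in self.flags or "personal_email" in self.flags:
            return "identify_owner_or_revoke"
        if "mover" in self.flags or "stale" in self.flags:
            return "confirm_with_manager"
        return "keep"


def _rows(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(app_csv, roster_csv, today, stale_after_days=90,
              corporate_domains=CORPORATE_DOMAINS):
    """Flag each app account: orphaned (person has left), not_in_roster (no
    matching identity), personal_email, mover (department changed since access
    was granted) and stale (no login within stale_after_days)."""
    roster = {r["email"].lower(): r for r in _rows(roster_csv)}
    findings = []
    for u in _rows(app_csv):
        login = u["login"].strip().lower()
        f = Finding(login=login, role=u["role"])
        person = roster.get(login)
        if person is None:
            f.flags.append("not_in_roster")
        elif person["status"] != "active":
            f.flags.append("orphaned")
        if login.rsplit("@", 1)[-1] not in corporate_domains:
            f.flags.append("personal_email")
        if person is not None and person["department"] != u["granted_department"]:
            f.flags.append("mover")
        if (today - date.fromisoformat(u["last_login"])).days > stale_after_days:
            f.flags.append("stale")
        findings.append(f)
    return findings


def evidence_record(app, reviewer, review_date, findings, decisions, cadence_days):
    """Audit-trail entry for Step 4: who reviewed, what was decided and why,
    and when the next review falls due. decisions maps login -> (decision, reason)."""
    return {
        "app": app,
        "reviewer": reviewer,
        "review_date": review_date.isoformat(),
        "next_review_due": (review_date + timedelta(days=cadence_days)).isoformat(),
        "entries": [
            {"login": f.login, "role": f.role, "flags": f.flags,
             "recommendation": f.recommendation,
             "decision": decisions[f.login][0], "reason": decisions[f.login][1]}
            for f in findings
        ],
    }


def sample_review() -> dict:
    """Run the constructed data through reconcile(), keyed by login."""
    return {f.login: f for f in reconcile(APP_USERS_CSV, ROSTER_CSV, date(2024, 10, 2))}


def sample_evidence() -> dict:
    findings = list(sample_review().values())
    # Assumed reviewer decisions for the constructed data: accept each recommendation.
    decisions = {f.login: (f.recommendation, "; ".join(f.flags) or "in role")
                 for f in findings}
    return evidence_record("GitHub", "vp.engineering@example.com",
                           date(2024, 10, 2), findings, decisions, cadence_days=30)


if __name__ == "__main__":
    for f in sample_review().values():
        print(f"{f.login:<22} {f.role:<7} {f.recommendation:<26} {','.join(f.flags)}")
    print("next review due:", sample_evidence()["next_review_due"])
```

On the constructed data, Bob (terminated in HR, last login four months ago) is flagged orphaned and stale and recommended for revocation; Sarah (granted as Sales, now in Engineering) is flagged as a mover for her manager to confirm, which is the mover scenario from the example above; and dev.mike@gmail.com has no roster identity and a personal domain, so it must be tied to a real person or removed. The recommendation is a starting point only: the app owner records the final decision and reason in the evidence record, which is what an auditor will ask to see.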


Best Practices For User Access Reviews

  1. Automation

Automating User Access Reviews significantly reduces manual work and the scope for human error. Automation ensures that reviews happen on schedule and removes the burden of sending manual reminders or collecting evidence. Tools with automation capabilities can also track access changes, generate audit trails, and notify the relevant people when action is required.

  2. Create a Risk-Based Process

Not all applications carry the same level of risk. Develop a risk-based weighting system that prioritises high-risk apps like HR systems, financial platforms, or production environments (e.g., AWS). These systems often contain sensitive data, so they should be reviewed more frequently. Lower-risk apps (e.g., marketing tools) can be reviewed less often.

  3. Determine Cadences per App

Different apps should have different review cadences depending on their risk profile. For example, high-risk apps like AWS could be reviewed monthly, while lower-risk apps like Miro might only require quarterly reviews. Establishing cadences based on risk ensures you focus resources where they’re needed most without overburdening your team.

  4. Decentralise Decision Making

Shift the responsibility for individual reviews from the IT or Security department to app owners or team managers, who are more familiar with the specific access requirements of their tools. App owners and managers are better positioned to understand the nuances of who needs access and why, so they can quickly identify who should keep or lose access. Security should still own the overall process and check that each review is completed on time.

  5. Implement the Principle of Least Privilege

The Principle of Least Privilege (PoLP) ensures users, systems, and applications have only the permissions they need to perform their functions. During User Access Reviews, scrutinise the access data to identify unnecessary privileges and revoke or downgrade them to match the user’s current role. Combined with self-service, just-in-time (JIT) access that expires when the task is done, this helps enforce least privilege and reduces unnecessary exposure.

  6. Improve the Offboarding Process

One of the most effective ways to streamline UARs is by tightening your offboarding processes. When employees leave, ensure all their access rights are immediately revoked. This minimises the occurrence of orphaned accounts and reduces the workload for future reviews. Integrating SCIM or similar provisioning systems can help automate this process, but regular reviews are still necessary for legacy or non-SCIM systems.

  7. Document and Audit

Every review should leave a clear paper trail. Ensure that all decisions made during the access review are documented, including why access was revoked or maintained. This documentation is essential for compliance audits and gives your organisation transparency in its access management practices.

Challenges of User Access Reviews

Manual Process

Time Consuming: Conducting UARs requires extensive planning and organisation. The Security Leader responsible must manage the end-to-end process, and this is multiplied by every app that needs to be reviewed. Without automation, it can be a daunting task that takes a significant chunk of the individual’s time.

Spreadsheets: Often, the best tool available to manage the UAR is a spreadsheet. This exposes the organisation to human error through manual data entry and re-entry, and it lacks scalability: the process gets disproportionately harder as the number of apps, reviewers and users grows.

Distributed Ownership

Difficult to Centrally Manage: Managing User Access Reviews across multiple applications and app owners can quickly become overwhelming. With each app operating on its own review schedule, it’s challenging to keep track of who’s responsible, who’s completed their review, and when reminders need to be sent. When you’re dealing with numerous apps and stakeholders, staying on top of deadlines and follow-ups becomes a major coordination effort. Without a centralised system, the process can quickly become fragmented, leading to delays and missed reviews, which increases security risks.

Differing Priorities: Without clear communication and cross-departmental alignment, app owners may deprioritize access reviews, delaying completion and leaving the organisation exposed to security risks.

Inconsistent Evidence Collection: Different owners use different tools and formats to collect their evidence, leading to disjointed records and the need to re-enter data manually before it can be presented to an auditor.

Automating User Access Reviews With Ploy

With Ploy, you can automate the end-to-end access review process, making it significantly easier to manage access reviews. From automatically sending access reviews to distributed tool owners, to highlighting high-risk orphaned accounts, to centrally tracking the entire process, Ploy can do it all.

It’s why our customers love us, and why on average they spend 90% less time on access reviews.

Check out our Automated Access Reviews webpage to learn more and to see a short demo.

Seb Pace

Founder's Associate