Access Control Review: Addressing Challenges and Ensuring Compliance in Cloud Service Consumers
Published 02/10/2023
Written by members of the CSA IAM Working Group and the Zero Trust Working Group's Identity Subgroup.
An access control review is a process of evaluating and analyzing an organization's access control system to ensure that it is functioning properly and effectively. Access control systems are designed to protect an organization's assets, such as data and systems, by granting access to authorized users and denying access to unauthorized users.
Access control reviews address several challenges and face a few of their own. In this blog, we will elaborate on several use cases that access control review addresses, including but not limited to Cloud Service Consumers (CSCs).
The Necessity of Access Control Reviews
One of the challenges unique to CSCs is introduced by the existence of the CSA Shared Security Responsibility Model, which requires a Cloud Service Provider (CSP) and CSC to share responsibility for managing user access to a CSC’s data. While many CSP SaaS products support integration with a CSC’s Identity Provider infrastructure, some SaaS products are unable or unwilling to support federated authentication.
When this happens, a CSC must cede to the SaaS product provider many of its responsibilities for managing user access. Therefore, while the CSC may be able to advise the SaaS product provider which CSC users should be assigned to specific groups or roles, the CSC's responsibility for granting and revoking its users' access is no longer completely within its control. The CSC users are now using what can be defined as non-federated or local accounts.
Non-federated or local accounts that are completely managed by a SaaS product provider are a paradigm shift from the responsibilities required for on-premises user access administration and CSP federated authentication. In the shared responsibility model for non-federated accounts, a CSC can no longer add or revoke user access through its automated internal joiner and leaver processes. A separate administrative process for user access and revocation must be managed, and it must include coordination with the SaaS product provider's access management processes.
When a SaaS product provider manages non-federated accounts on behalf of a CSC’s users, it is essential that the CSC and the SaaS provider work together to build and maintain a strong program for access control reviews, which are an administrative security control. Access control reviews minimize the risk of unauthorized access to CSC information that may be protected by law and where a breach could result in financial penalties for the CSC or criminal penalties for the officers of the CSC’s organization.
Other Reasons for Access Control Reviews
There are several reasons why an access control review should be conducted.
Firstly, access control reviews can help to identify any unnecessary or redundant access privileges that have been granted to users. This is important because granting unnecessary or redundant access privileges increases the number of potential points of entry for cybercriminals, increasing the risk of a data breach.
Secondly, access control reviews can help to ensure that the organization's access control system is in compliance with relevant laws, regulations, and industry standards. This is important because failure to comply with these laws, regulations, and standards could result in fines, legal action, and damage to the organization's reputation.
Thirdly, access control reviews help identify any leavers that still have access to the organization’s systems. Any leavers having access can cause exfiltration of data, including but not limited to PII, trade secrets, and PHI.
The impact of not performing access control reviews can be severe:
- If leavers retain access to critical assets, this may lead to data exfiltration, loss of trade secrets, and so on.
- Leavers may also enter the environment and try to erase traces of any malicious activities they conducted while being employed.
- The above scenario is also applicable to staff who move between different departments.
- Unidentified ghost accounts may be harvested by malicious actors.
- Having excessive privileges violates one of the key principles of security, least privilege. This becomes an issue when an unauthorized user gains access to sensitive data. Access control reviews identify excess privileges and privilege sprawl.
Challenges of Access Control Reviews
There are several challenges that organizations face when it comes to conducting access control reviews. One challenge is a lack of buy-in from stakeholders. In some cases, stakeholders may not see the value in conducting an access control review, or may not be willing to invest the time and resources necessary to complete the review.
Another challenge is certification fatigue. Many organizations are required to undergo various types of certification processes on a regular basis, such as security audits and compliance reviews. This can lead to a feeling of "certification fatigue" among employees, who may be resistant to yet another review process.
A third challenge is rubber stamping, which refers to the practice of approving access control requests without thoroughly reviewing them. This can occur when there is a high volume of access control requests and not enough time or resources to review them properly.
The fourth challenge is the lack of integration between IT systems and HR systems. Many organizations reconcile the identities in IT systems with the users in HR systems manually to ensure that only active users have access to systems. The manual process may result in errors if the number of users is large.
The fifth challenge is the existence of various identity stores in an organization. For example, an organization may have Active Directory as its enterprise identity provider but use several SaaS applications, creating an identity for its users within each SaaS application. In the absence of single sign-on integration with SaaS applications, identities of leavers may live on in the SaaS applications, leaving the door open for data exfiltration.
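The fourth and fifth challenges above (manual HR reconciliation and scattered identity stores) are exactly what an automated reconciliation pass can take over. The following is an added example, not code from the CSA post or any of its contributors: it compares a constructed HR roster against a constructed Active Directory export and a constructed SaaS account list, and emits the findings a reviewer would want to see, namely leavers still enabled, ghost accounts with no HR owner, privileged roles held outside the department that should own them (movers and privilege sprawl), and local, non-federated accounts whose revocation depends on the provider. The `PRIVILEGED_ROLE_OWNER` policy, the store names and all e-mail addresses are hypothetical.

```python
"""Reconcile an HR roster against the organisation's identity stores.

Added example (not part of the CSA post): the HR records, the AD export,
the SaaS account list and the PRIVILEGED_ROLE_OWNER policy are all
constructed and hypothetical.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    email: str
    status: str                 # "active" or "terminated"
    department: str
    term_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    store: str                  # identity store the account lives in, e.g. "AD"
    email: str
    enabled: bool
    federated: bool             # True when sign-in goes through the CSC's own IdP
    roles: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Finding:
    kind: str
    store: str
    email: str
    detail: str


# Hypothetical policy: the department expected to hold each privileged role.
PRIVILEGED_ROLE_OWNER: Dict[str, str] = {
    "domain-admin": "IT",
    "crm-admin": "IT",
    "payroll-admin": "Finance",
}


def reconcile(hr: List[HrRecord], accounts: List[Account], today: date) -> List[Finding]:
    """Compare every account in every store against the HR system of record."""
    by_email = {r.email.lower(): r for r in hr}
    findings: List[Finding] = []
    for acct in accounts:
        rec = by_email.get(acct.email.lower())
        if rec is None:
            # No HR owner at all: a ghost account that could be harvested.
            findings.append(Finding("ghost_account", acct.store, acct.email,
                                    "no matching HR record"))
            continue
        if rec.status == "terminated" and acct.enabled:
            # Leaver whose access was never revoked in this store.
            age = f"{(today - rec.term_date).days} days" if rec.term_date else "unknown time"
            findings.append(Finding("leaver_still_active", acct.store, acct.email,
                                    f"terminated {age} ago, account still enabled"))
        for role in acct.roles:
            owner = PRIVILEGED_ROLE_OWNER.get(role)
            if owner and owner != rec.department:
                # Mover or privilege sprawl: role belongs to a department the user is not in.
                findings.append(Finding("excess_privilege", acct.store, acct.email,
                                        f"{role} expected in {owner}, user is in {rec.department}"))
        if acct.enabled and not acct.federated:
            # Local account: revocation must be coordinated with the SaaS provider.
            findings.append(Finding("local_account", acct.store, acct.email,
                                    "not federated; review with the provider's process"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind for the review report."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample data.
REVIEW_DATE = date(2023, 2, 10)
HR = [
    HrRecord("1001", "alice@example.com", "active", "IT"),
    HrRecord("1002", "bob@example.com", "terminated", "IT", date(2023, 1, 15)),
    HrRecord("1003", "carol@example.com", "active", "Sales"),   # moved from IT to Sales
]
ACCOUNTS = [
    Account("AD", "alice@example.com", True, True, ("domain-admin",)),
    Account("AD", "bob@example.com", True, True),
    Account("AD", "carol@example.com", True, True),
    Account("crm-saas", "bob@example.com", True, False, ("crm-admin",)),
    Account("crm-saas", "carol@example.com", True, False, ("crm-admin",)),
    Account("crm-saas", "dave@example.com", True, False),
]

if __name__ == "__main__":
    results = reconcile(HR, ACCOUNTS, REVIEW_DATE)
    for f in results:
        print(f"{f.kind:22} {f.store:10} {f.email:20} {f.detail}")
    print(summarize(results))
```

Each identity store becomes one more list of `Account` objects fed to `reconcile`; the HR roster stays the single system of record, which is what makes the manual reconciliation the post describes unnecessary for large user populations.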
Conducting an Access Control Review
There are several typical targets of access control reviews, including user accounts, entitlement/role accounts, application accounts, and data accounts. It is important to review both human and non-human accounts, as both types of accounts can potentially be exploited by cybercriminals.
There are several types of access control reviews that can be conducted, including user manager reviews, entitlement/role owner reviews, application owner reviews, and data owner reviews. Each type of review focuses on a specific aspect of the organization's access control system.
An effective access control review process should be conducted on a regular basis, such as annually or bi-annually. The frequency of the review will depend on the size and complexity of the organization, as well as the level of risk it faces.
To ensure an effective access control review process, organizations should consider the following recommendations:
- Involve stakeholders from across the organization, including IT, security, and business units.
- Clearly define the scope and objectives of the review.
- Use a standardized process or framework to guide the review.
- Ensure that there is sufficient time and resources dedicated to the review.
- Use a combination of automated tools and manual review to ensure thoroughness.
- Regularly review and update the organization's access control policies and procedures.
- Follow up on any issues or recommendations identified during the review to ensure that they are addressed.
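The review types listed above (user manager, entitlement/role owner and application owner reviews) and the rubber-stamping challenge described earlier both come down to bookkeeping that a script can do. The following is an added example, not code from the CSA post or its contributors: it routes constructed entitlement records into per-reviewer packets for each review type (service accounts have no line manager, so they reach only the role and application owners) and screens constructed review decisions with a simple, hypothetical rubber-stamp heuristic, flagging reviewers who approved nearly everything faster than a real check would take. The `min_seconds_per_item` and `max_approve_ratio` thresholds are assumptions to tune, not values from the post.

```python
"""Route entitlements to the reviewer for each review type and screen the
returned decisions for rubber stamping.

Added example (not part of the CSA post). The entitlement records, the
decisions and the rubber-stamp thresholds are constructed and hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Entitlement:
    account: str
    account_type: str          # "human" or "service"
    app: str
    role: str
    manager: Optional[str]     # line manager; None for service accounts
    role_owner: str
    app_owner: str


@dataclass(frozen=True)
class Decision:
    reviewer: str
    review_type: str
    items: int                 # entitlements in the packet
    approved: int              # how many the reviewer kept
    seconds_spent: int         # wall-clock time between opening and submitting


Packet = Tuple[str, str]       # (review type, reviewer)


def build_packets(entitlements: List[Entitlement]) -> Dict[Packet, List[Entitlement]]:
    """Group entitlements so each reviewer sees only what they are accountable for."""
    packets: Dict[Packet, List[Entitlement]] = defaultdict(list)
    for e in entitlements:
        if e.account_type == "human" and e.manager:
            packets[("user_manager", e.manager)].append(e)
        packets[("role_owner", e.role_owner)].append(e)
        packets[("application_owner", e.app_owner)].append(e)
    return dict(packets)


def rubber_stamp_suspects(decisions: List[Decision], min_seconds_per_item: int = 30,
                          max_approve_ratio: float = 0.95) -> List[str]:
    """Reviewers who approved nearly every item in less time than a real check takes."""
    suspects: List[str] = []
    for d in decisions:
        if d.items == 0:
            continue
        too_fast = d.seconds_spent / d.items < min_seconds_per_item
        nearly_all_approved = d.approved / d.items >= max_approve_ratio
        if too_fast and nearly_all_approved:
            suspects.append(f"{d.reviewer} ({d.review_type})")
    return suspects


# Constructed sample data; every name below is hypothetical.
ENTITLEMENTS = [
    Entitlement("alice", "human", "crm", "crm-admin", "mgr-it", "owner-crm-roles", "owner-crm"),
    Entitlement("carol", "human", "crm", "crm-user", "mgr-sales", "owner-crm-roles", "owner-crm"),
    Entitlement("svc-backup", "service", "crm", "crm-export", None, "owner-crm-roles", "owner-crm"),
    Entitlement("alice", "human", "payroll", "payroll-admin", "mgr-it", "owner-payroll-roles", "owner-payroll"),
]
DECISIONS = [
    Decision("mgr-it", "user_manager", 2, 2, 400),             # 200 s per item: plausible
    Decision("owner-crm", "application_owner", 3, 3, 20),      # ~7 s per item, all kept: suspect
    Decision("owner-crm-roles", "role_owner", 3, 2, 30),       # fast, but one item was revoked
]

if __name__ == "__main__":
    for (review_type, reviewer), items in build_packets(ENTITLEMENTS).items():
        print(f"{review_type:18} {reviewer:20} {[e.account + ':' + e.role for e in items]}")
    print("rubber-stamp suspects:", rubber_stamp_suspects(DECISIONS))
```

The suspect list is a prompt for a second-line check, not a verdict; the point is that a review programme can measure its own thoroughness rather than relying on the reviewers' attestation alone.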
Conclusion
An access control review is a process of evaluating and analyzing an organization's access control system to ensure that it is functioning properly and effectively. It addresses several use cases, including but not limited to CSCs, which are unique in that they are required to share responsibility for managing user access to a CSC's data with the CSP. This can result in non-federated or local accounts that are completely managed by a SaaS product provider, a paradigm shift from the responsibilities required for on-premises user access administration and CSP federated authentication.
Access control reviews are important because they can help to identify any unnecessary or redundant access privileges that have been granted to users, ensure that the organization's access control system is in compliance with relevant laws, regulations, and industry standards, and help identify any leavers that still have access to the organization’s systems. However, organizations may face challenges such as lack of buy-in from stakeholders and certification fatigue.
Contributors
- Shruti Kulkarni, CISA, CRISC, CISSP, CCSK, Cyber Security Architect, 6point6
- Faye Dixon, CISA, CDPSE
- Alon Nachmany, CISM
- Ravi Erukulla, VP Analyst Relations & Customer Advocacy