Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Access Control Review: Addressing Challenges and Ensuring Compliance in Cloud Service Consumers

Home
Industry Insights
Access Control Review: Addressing Challenges and Ensuring Compliance in Cloud Service Consumers

Blog Article Published: 02/10/2023

Written by members of the CSA IAM Working Group and the Zero Trust Working Group's Identity Subgroup.

An access control review is a process of evaluating and analyzing an organization's access control system to ensure that it is functioning properly and effectively. Access control systems are designed to protect an organization's assets, such as data and systems, by granting access to authorized users and denying access to unauthorized users.

There are several challenges that access control review addresses and there are a few challenges that it faces. In this blog, we will elaborate on several use cases that access control review addresses, including but not limited to Cloud Service Consumers (CSCs).

The Necessity of Access Control Reviews

One of the challenges unique to CSCs is introduced by the existence of the CSA Shared Security Responsibility Model, which requires a Cloud Service Provider (CSP) and CSC to share responsibility for managing user access to a CSC’s data. While many CSP SaaS products support integration with a CSC’s Identity Provider infrastructure, some SaaS products are unable or unwilling to support federated authentication.

When this happens, a CSC must cede to the SaaS product provider many of its responsibilities for managing user access. Therefore, while the CSC may have the ability to advise the SaaS product provider which CSC users should be assigned to specific groups or roles, the CSC responsibility for granting and revoking access from its users is no longer completely within its control. The CSC users are now using what can be defined as non-federated or local accounts.

Non-federated or local accounts that are completely managed by a SaaS product provider are a paradigm shift from the responsibilities required for on premise user access administration and CSP federated authentication. In the shared responsibility for non-federated accounts model, a CSC no longer has the ease to add or revoke user access via automated internal processes for joiners or leavers. A separate administrative process for user access and revocation must be managed and must include coordination with the SaaS product provider’s access management processes.

When a SaaS product provider manages non-federated accounts on behalf of a CSC’s users, it is essential that the CSC and the SaaS provider work together to build and maintain a strong program for access control reviews, which are an administrative security control. Access control reviews minimize the risk of unauthorized access to CSC information that may be protected by law and where a breach could result in financial penalties for the CSC or criminal penalties for the officers of the CSC’s organization.

Other Reasons for Access Control Reviews

There are several reasons why an access control review should be conducted.

Firstly, access control reviews can help to identify any unnecessary or redundant access privileges that have been granted to users. This is important because granting unnecessary or redundant access privileges increases the number of potential points of entry for cybercriminals, increasing the risk of a data breach.

Secondly, access control reviews can help to ensure that the organization's access control system is in compliance with relevant laws, regulations, and industry standards. This is important because failure to comply with these laws, regulations, and standards could result in fines, legal action, and damage to the organization's reputation.

Thirdly, access control reviews help identify any leavers that still have access to the organization’s systems. Any leavers having access can cause exfiltration of data, including but not limited to PII, trade secrets, and PHI.

The impact of not performing access control reviews can be severe:

  • If leavers retain access to critical assets, this may lead to data exfiltration, loss of trade secrets, and so on.
  • Leavers may also enter the environment and try to erase traces of any malicious activities they conducted while being employed.
  • The above scenario is also applicable to staff who move between different departments.
  • Unidentified ghost accounts may be harvested by malicious actors.
  • Having excessive privileges violates one of the key principles of security - least privilege. This can cause an issue if an unauthorized user has access to sensitive data. Access control reviews identify excess privileges/privilege sprawl.

Challenges of Access Control Reviews

There are several challenges that organizations face when it comes to conducting access control reviews. One challenge is a lack of buy-in from stakeholders. In some cases, stakeholders may not see the value in conducting an access control review, or may not be willing to invest the time and resources necessary to complete the review.

Another challenge is certification fatigue. Many organizations are required to undergo various types of certification processes on a regular basis, such as security audits and compliance reviews. This can lead to a feeling of "certification fatigue" among employees, who may be resistant to yet another review process.

A third challenge is rubber stamping, which refers to the practice of approving access control requests without thoroughly reviewing them. This can occur when there is a high volume of access control requests and not enough time or resources to review them properly.

The fourth challenge is the lack of integration between IT systems and HR systems. Many organizations reconcile the identities in IT systems with the users in HR systems manually to ensure that only active users have access to systems. The manual process may result in errors if the number of users is large.

The fifth challenge is the existence of various identity stores in an organization. For example, an organization may have Active Directory as an enterprise identity provider, but may use several SaaS applications, creating an identity for their users within each SaaS application. In the absence of single-sign-on integration with SaaS applications, identities of leavers may live on in the SaaS applications, leaving the scene open for data exfiltration.

Conducting an Access Control Review

There are several typical targets of access control reviews, including user accounts, entitlement/role accounts, application accounts, and data accounts. It is important to review both human and non-human accounts, as both types of accounts can potentially be exploited by cybercriminals.

There are several types of access control reviews that can be conducted, including user manager reviews, entitlement/role owner reviews, application owner reviews, and data owner reviews. Each type of review focuses on a specific aspect of the organization's access control system.

An effective access control review process should be conducted on a regular basis, such as annually or bi-annually. The frequency of the review will depend on the size and complexity of the organization, as well as the level of risk it faces.

To ensure an effective access control review process, organizations should consider the following recommendations:

  1. Involve stakeholders from across the organization, including IT, security, and business units.
  2. Clearly define the scope and objectives of the review.
  3. Use a standardized process or framework to guide the review.
  4. Ensure that there is sufficient time and resources dedicated to the review.
  5. Use a combination of automated tools and manual review to ensure thoroughness.
  6. Regularly review and update the organization's access control policies and procedures.
  7. Follow up on any issues or recommendations identified during the review to ensure that they are addressed.

Conclusion

An access control review is a process of evaluating and analyzing an organization's access control system to ensure that it is functioning properly and effectively. It addresses several use cases, including but not limited to CSCs, which are unique in that they are required to share responsibility for managing user access to a CSC’s data with the CSP. This can result in non-federated or local accounts which are completely managed by a SaaS product provider, resulting in a paradigm shift from the responsibilities required for on premise user access administration and CSP federated authentication.

Access control reviews are important because they can help to identify any unnecessary or redundant access privileges that have been granted to users, ensure that the organization's access control system is in compliance with relevant laws, regulations, and industry standards, and help identify any leavers that still have access to the organization’s systems. However, organizations may face challenges such as lack of buy-in from stakeholders and certification fatigue.

Contributors

  • Shruti Kulkarni, CISA, CRISC, CISSP, CCSK, Cyber Security Architect, 6point6
  • Faye Dixon, CISA, CDPSE
  • Alon Nachmany, CISM
  • Ravi Erukulla, VP Analyst Relations & Customer Advocacy
ComplianceIdentity and Access ManagementZero Trust

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Enhance your cloud security skills with CSA's online training options.
Related Articles:
Cloud Relationships: Getting to Grips With the ‘Vendor of My Vendor’

Published: 04/15/2024

Evaluate the Security of Your Cloud Service Provider with the CSA STAR Registry

Published: 04/13/2024

Protocols are Passé. APIs are Key for Effective Zero Trust Implementation.

Published: 04/12/2024

Building a SOC for Compliance

Published: 04/11/2024