Simplify Access Reviews for Business Users

Combining Identity Analytics and RBAC for Efficiency

Published: 18 December 2024 

Access reviews are a recurring pain point for organisations: time-consuming and frustrating for business users and IT teams alike. Why do they remain such a challenge?

  • Business Users: Reviewing access permissions feels like an interruption to an already busy schedule. Many see it as an “IT problem” and either approve everything without real scrutiny or ignore the task entirely. 
  • IT Teams: IT often treats access reviews as a box-ticking exercise performed to satisfy auditors, so their real purpose, reducing the risk from unauthorised or unnecessary access, goes largely unaddressed. 

Why Traditional Access Reviews Fall Short

Access reviews often fail to mitigate the risks of unauthorised or unnecessary access due to several inefficiencies:

Lack of Context

Without clear, business-oriented descriptions of each entitlement, reviewers cannot tell what the access actually lets a user do, and so cannot judge whether it is still needed.

Gaps in Identity Data Governance Controls

Access reviews may be routed to the wrong person (for example a former line manager), causing delays, extra work and a higher risk of rubber-stamped or incorrect decisions.

Invalid Access Data

Entitlements or roles under review may no longer exist, or may have been changed without anyone tracking the change, so reviewers end up certifying data that does not match what the target systems actually hold.

Manual Effort

Preparing and running access reviews requires significant manual effort due to poor governance and unoptimised workflows.

The “IT Problem” Perception

Many end users perceive access reviews as only an IT issue, lacking understanding of their importance in reducing organisational cyber risks.

Lack of Awareness

Without senior management sponsoring and enforcing the controls, participation in access review campaigns stays low; the importance of the exercise has to be understood at the top of the organisation, not only within IT.

Mitigation of Risks with Governance Control

Effective governance has to be aligned and integrated with your operational risk framework; governance controls should not exist merely to satisfy auditors once a year. Strong governance treats gaps in access reviews as risks in their own right, with clear ownership, agreed thresholds (for example, a maximum share of reviews left incomplete or approved in bulk) and remediation actions assigned to the risk owners. 

While the above helps improve cyber risk remediation, it does not reduce the burden of critical access reviews.

Identity Analytics: A Smart Approach

Identity Analytics focuses on analysing identity data and the patterns in it, behavioural patterns included, whether manually or with advanced tooling such as Generative AI. 

In the context of access reviews, de-provisioning only the accesses that reviewers reject is a short-term patch that does not solve the underlying problem. When a reviewer spots a discrepancy, e.g. a third-party user still holding access weeks after their departure, that finding points to a gap in the Leaver process, and it is the process that needs fixing.

  • Identity Analytics will reveal gaps and inconsistencies in your governance model, showing where time should be spent to reduce future access remediation efforts. 
  • By providing insights like Monthly Key Risk Indicators (KRIs) and Management Information (MI), Identity Analytics helps sustain the benefits of an IAM programme.

Instead of relying solely on traditional scheduled access reviews, prefer access reviews triggered by events surfaced by your Identity Analytics.

Some example triggers: a privileged entitlement being held, high-risk behaviour detected in the last 30 days, or an account still active after its owner's leaving date.
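The following is an added example for this article, not code from the blog or from any vendor's product. It shows how event-triggered review items and a monthly KRI view can be derived from identity data: an HR feed, an entitlement catalogue, a snapshot of live access and behavioural risk events (all constructed sample data, with assumed field names). It also maps each trigger back to the upstream process it exposes, which is the point made above about fixing the Leaver process rather than only revoking the access.

```python
"""Event-triggered access review items derived from identity data.

Added illustration for this article; it is not the blog's or any vendor's
code. The HR feed, entitlement catalogue, access snapshot and risk events
are constructed sample data, and all field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2024, 12, 18)              # fixed "now" so the example is reproducible
HIGH_RISK_WINDOW = timedelta(days=30)   # behavioural trigger: events in the last 30 days
HIGH_RISK_SCORE = 80

# Constructed HR feed: identity -> line manager and leaving date (None = still employed)
HR = {
    "alice": {"manager": "carol", "left": None},
    "bob":   {"manager": "carol", "left": date(2024, 11, 20)},  # third party, left 4 weeks ago
    "carol": {"manager": "dave",  "left": None},
    "eve":   {"manager": "carol", "left": None},
}

# Constructed entitlement catalogue: entitlement -> is it privileged?
CATALOG = {"crm:user": False, "crm:admin": True,
           "erp:viewer": False, "ad:domain-admins": True}

# Constructed snapshot of what the target systems actually hold
ACCESS = [
    ("alice", "crm:user"), ("alice", "crm:admin"),
    ("bob", "erp:viewer"), ("bob", "crm:user"),
    ("carol", "erp:viewer"), ("carol", "ad:domain-admins"),
    ("eve", "crm:user"),
    ("mallory", "crm:user"),   # no HR record at all: an orphan account
]

# Constructed behavioural risk events (identity, date, score) from analytics/SIEM
RISK_EVENTS = [
    ("eve", date(2024, 12, 1), 85),
    ("alice", date(2024, 9, 1), 90),   # too old to count against the 30-day window
]


@dataclass(frozen=True)
class ReviewItem:
    identity: str
    entitlement: str
    trigger: str    # why this access needs a decision now
    reviewer: str   # who is asked to decide


def recent_high_risk(today=TODAY):
    """Identities with a risk event at or above HIGH_RISK_SCORE inside the window."""
    return {who for who, when, score in RISK_EVENTS
            if score >= HIGH_RISK_SCORE and today - when <= HIGH_RISK_WINDOW}


def triggered_reviews(today=TODAY):
    """Build review items from analytics signals rather than from a calendar.

    Precedence per access: orphan/leaver first (a process failure, not a
    judgement call), then privileged entitlements, then behavioural risk.
    Accesses matching none of these are left to the (much smaller) scheduled cycle.
    """
    risky = recent_high_risk(today)
    items = []
    for who, ent in ACCESS:
        record = HR.get(who)
        if record is None:
            items.append(ReviewItem(who, ent, "orphan-account", "iam-team"))
            continue
        reviewer = record["manager"]
        if record["left"] is not None and record["left"] <= today:
            items.append(ReviewItem(who, ent, "leaver-still-active", reviewer))
        elif CATALOG.get(ent, False):
            items.append(ReviewItem(who, ent, "privileged", reviewer))
        elif who in risky:
            items.append(ReviewItem(who, ent, "high-risk-behaviour", reviewer))
    return items


def kri_summary(items):
    """Monthly KRI/MI view: number of triggered items per reason."""
    counts = {}
    for item in items:
        counts[item.trigger] = counts.get(item.trigger, 0) + 1
    return counts


# Which upstream process each trigger points at: the finding is the symptom,
# the process gap is what actually needs fixing.
PROCESS_GAP = {
    "leaver-still-active": "leaver process (HR-to-IAM deprovisioning)",
    "orphan-account": "identity data governance (account without an HR owner)",
}


def governance_gaps(items):
    """Distinct process gaps revealed by the triggered items."""
    return {PROCESS_GAP[i.trigger] for i in items if i.trigger in PROCESS_GAP}


if __name__ == "__main__":
    found = triggered_reviews()
    for item in found:
        print(f"{item.trigger:22} {item.identity:8} {item.entitlement:18} -> {item.reviewer}")
    print(kri_summary(found))
    print(governance_gaps(found))
```

On the sample data, six of the eight accesses produce a triggered item (two leaver, two privileged, one behavioural, one orphan) and the two remaining standard accesses are left for the scheduled cycle. The leaver and orphan findings are reported as process gaps rather than only as revocations, which is what the KRI feed to management should carry.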

A Smarter Approach to Enhancing Access Control with RBAC

Role-Based Access Control (RBAC) has been used for decades; the later models ABAC and PBAC generalise it, and all three remain valuable.

  • Role-Based Access Control (RBAC): A security model that assigns access to resources based on a user’s role in an organisation. Users with the same role have the same permissions. 
  • Attribute-Based Access Control (ABAC): A security model where access to resources is granted based on attributes (e.g., HR department, job title, location). Permissions are determined by evaluating these attributes rather than predefined roles. 
  • Policy-Based Access Control (PBAC): A security model where access decisions are made based on defined policies that consider various factors such as user attributes, the requested action and the environment. Unlike ABAC, which uses attributes directly, PBAC focuses on the rules that govern how those attributes are combined to reach an access decision.
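To make the three definitions concrete, here is an added example (written for this article, not code from the blog or any product) that evaluates the same access request under RBAC, ABAC and PBAC. The users, roles, attribute rules and policies are constructed sample data; the shape of a request and the deny-overrides combination rule used by the PBAC evaluator are assumptions made for the example.

```python
"""One access request evaluated under RBAC, ABAC and PBAC side by side.

Added illustration for this article, not code from the blog or from any
product. The users, roles, attribute rules and policies are constructed
sample data; the Request shape and the deny-overrides combination rule
are assumptions made for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    subject: str                              # user id
    action: str                               # e.g. "approve"
    resource: str                             # e.g. "invoice"
    env: dict = field(default_factory=dict)   # environment attributes, e.g. {"network": "corp"}


# Constructed identity store: each user's roles and HR attributes
USERS = {
    "alice": {"roles": {"project-manager"}, "department": "delivery", "clearance": 2},
    "bob":   {"roles": {"contractor"},      "department": "delivery", "clearance": 1},
    "dave":  {"roles": {"finance-analyst"}, "department": "finance",  "clearance": 2},
}

# RBAC: a static role -> permission matrix; the user's attributes play no part
ROLE_PERMS = {
    "project-manager": {("approve", "invoice"), ("read", "invoice")},
    "contractor":      {("read", "invoice")},
    "finance-analyst": {("read", "invoice")},
}


def rbac(req):
    """Permit iff any of the subject's roles carries the (action, resource) pair."""
    roles = USERS[req.subject]["roles"]
    return any((req.action, req.resource) in ROLE_PERMS.get(r, ()) for r in roles)


def abac(req):
    """Decide from subject attributes directly; no role is looked up at all."""
    u = USERS[req.subject]
    if (req.action, req.resource) == ("approve", "invoice"):
        return u["department"] == "delivery" and u["clearance"] >= 2
    if (req.action, req.resource) == ("read", "invoice"):
        return u["department"] in {"delivery", "finance"}
    return False


# PBAC: named policies that state how attributes, action and environment combine.
# Each entry is (name, effect, condition(user_attrs, request) -> bool).
POLICIES = [
    ("deny-approvals-off-corporate-network", "deny",
     lambda u, r: r.action == "approve" and r.env.get("network") != "corp"),
    ("delivery-approves-invoices", "permit",
     lambda u, r: (r.action, r.resource) == ("approve", "invoice")
     and u["department"] == "delivery" and u["clearance"] >= 2),
    ("delivery-and-finance-read-invoices", "permit",
     lambda u, r: (r.action, r.resource) == ("read", "invoice")
     and u["department"] in {"delivery", "finance"}),
]


def pbac(req):
    """Deny-overrides: a matching deny wins, else a matching permit, else deny by default."""
    u = USERS[req.subject]
    effects = {effect for _, effect, cond in POLICIES if cond(u, req)}
    return "deny" not in effects and "permit" in effects


def evaluate_all(req):
    """Run the same request through the three models so the differences are visible."""
    return {"rbac": rbac(req), "abac": abac(req), "pbac": pbac(req)}


if __name__ == "__main__":
    on_site = Request("alice", "approve", "invoice", {"network": "corp"})
    off_site = Request("alice", "approve", "invoice", {"network": "public"})
    print("alice on corp net :", evaluate_all(on_site))    # all three permit
    print("alice off corp net:", evaluate_all(off_site))   # only PBAC denies
    print("bob approve       :", evaluate_all(Request("bob", "approve", "invoice", {"network": "corp"})))
```

The interesting case is the second request: RBAC and ABAC both permit alice to approve an invoice regardless of where she is, because neither model looks at the environment, while the PBAC policy set carries an explicit deny for approvals from outside the corporate network. That is the practical difference between "attributes decide" and "rules about attributes decide".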

Aligning Entitlements with Access Control Models 

Entitlements are linked to roles or policies in Identity and Access Management (IAM) systems, depending on the chosen approach. These links ensure that users receive the appropriate level of access based on their job responsibilities, roles or other defining attributes.

Example: Automating Access for a New Project Manager

Consider a new employee joining as a Project Manager. An IAM solution can save both time and money by automating the access tasks. The process works as follows:

  1. Role Assignment: The “Project Manager” business role defines the access required across the relevant applications and systems. 
  2. Identity Details: HR sends the employee’s identity information, including the job title, to the IAM solution. 
  3. Automated Provisioning: The IAM solution maps the job title to the “Project Manager” role and automatically provisions the corresponding access in all required systems. 
  4. No Need for Approvals: Because this is birthright access defined by the role, nobody has to raise requests or wait for manual approvals; only access outside the role still goes through the normal request and approval flow. 

This approach ensures that users get the right access from day one, improving both efficiency and security. 

Example: Business Roles Mapping Matrix

The Role Review Process

The matrix mapping business roles to entitlements is typically reviewed once or twice a year by the application owners and the business role owners. This Role Composition Review is ideally automated through an Identity Governance and Administration (IGA) platform. 

By reviewing the roles and the rules within them, you avoid reviewing every single access. For instance, if a business role links to 10 entitlements and has 15 members, reviewing the role composition (10 entitlement links) and the membership rule, rather than the 150 individual accesses (10 x 15), reduces the burden significantly. 

Security controls are applied to roles, so users inherit permissions from their roles and those permissions are certified through the role review rather than access by access. In practice, however, roles may cover only 60-80% of entitlements; the remaining direct assignments (the exceptions) still need traditional, individual access reviews, which is where analytics-driven triggers earn their keep.
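The following added example (written for this article, not code from the blog or from any IGA product) puts the two uses of a business-role model together: the joiner provisioning described under "Automating Access for a New Project Manager", and the role review arithmetic above. It builds a constructed estate of 15 project managers and one developer with three direct assignments outside their roles, then shows how much of the access snapshot the role review certifies and how many items are left for individual review. The role matrix, the title-to-role rule, the HR record and the access snapshot are all constructed sample data.

```python
"""Business-role model used for two things the article describes: birthright
provisioning for a joiner, and working out how much of an access review the
role review already covers.

Added illustration for this article; not code from the blog or any IGA
product. The role matrix, title-to-role rule, HR record and access snapshot
are constructed sample data.
"""

# Constructed business role -> entitlements matrix (the mapping matrix that
# application and business role owners review once or twice a year)
ROLE_MATRIX = {
    "project-manager": {
        "jira:pm", "confluence:editor", "erp:timesheet-approver", "crm:user",
        "sharepoint:projects", "teams:standard", "vpn:corp",
        "finance:po-viewer", "hr:team-viewer", "okta:mfa",
    },                                                   # 10 entitlements
    "developer": {"jira:dev", "confluence:editor", "github:dev", "vpn:corp", "teams:standard"},
}

# Membership rule: HR job title -> business role, so membership needs no approval
TITLE_TO_ROLE = {"Project Manager": "project-manager", "Software Engineer": "developer"}


def provision_joiner(hr_record, current_access=frozenset()):
    """Birthright provisioning driven by the HR feed.

    Returns (role, entitlements_to_grant). Anything the user already holds
    outside the role is deliberately left alone here: it is not birthright
    and would go through the normal request/approval flow instead.
    """
    role = TITLE_TO_ROLE.get(hr_record["job_title"])
    if role is None:
        raise ValueError(f"no business role for title {hr_record['job_title']!r}: "
                         "route to manual onboarding")
    return role, sorted(ROLE_MATRIX[role] - set(current_access))


def review_plan(memberships, access_snapshot):
    """Split a snapshot into accesses certified by the role review and exceptions.

    memberships: user -> business role derived from the HR title
    access_snapshot: set of (user, entitlement) pairs held in the target systems
    """
    covered, exceptions = set(), []
    for user, ent in sorted(access_snapshot):
        role = memberships.get(user)
        if role is not None and ent in ROLE_MATRIX[role]:
            covered.add((user, ent))
        else:
            exceptions.append((user, ent))      # direct assignment: review individually
    # The role review is one decision per entitlement in each role in use;
    # membership itself is derived from HR, so it is not reviewed per user.
    roles_in_use = set(memberships.values())
    role_items = sum(len(ROLE_MATRIX[r]) for r in roles_in_use)
    return {
        "total_accesses": len(access_snapshot),
        "covered_by_roles": len(covered),
        "exceptions": exceptions,
        "items_to_review": role_items + len(exceptions),
        "coverage_pct": round(100 * len(covered) / len(access_snapshot), 1),
    }


def sample_snapshot():
    """Constructed estate: 15 project managers and 1 developer, plus 3 direct assignments."""
    memberships = {f"pm{i:02d}": "project-manager" for i in range(1, 16)}
    memberships["dev01"] = "developer"
    access = {(u, e) for u, r in memberships.items() for e in ROLE_MATRIX[r]}
    access |= {("pm03", "erp:admin"), ("pm07", "github:dev"), ("dev01", "aws:prod-admin")}
    return memberships, access


if __name__ == "__main__":
    role, grant = provision_joiner({"employee_id": "E1042", "job_title": "Project Manager"})
    print(f"joiner -> {role}, grant {len(grant)} entitlements: {grant}")
    plan = review_plan(*sample_snapshot())
    print(f"{plan['total_accesses']} accesses, {plan['covered_by_roles']} certified via roles "
          f"({plan['coverage_pct']}%), {plan['items_to_review']} review items instead of "
          f"{plan['total_accesses']}; exceptions: {plan['exceptions']}")
```

On the constructed estate, 158 accesses collapse to 18 review items: 15 role-composition lines (10 for the project-manager role, 5 for the developer role) plus the 3 exceptions. The exceptions list is the part that still needs a named reviewer, and an entitlement such as the constructed "aws:prod-admin" sitting outside every role is exactly the kind of direct assignment that analytics should flag for review before the annual cycle comes round.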

Our Recommendation

Combining Identity Analytics with RBAC enables organisations to refine policies, reduce exceptions and streamline access reviews. For instance, as mentioned previously, reviewing the matrix mapping business roles to entitlements once or twice a year significantly reduces the number of individual access checks, saving time and resources, while analytics direct the remaining individual reviews at the accesses that actually carry risk. 

Switching from blanket manual reviews to risk-based methods like Identity Analytics and RBAC saves time and improves both security and governance. By combining the two, organisations reduce the manual workload and establish a more secure and streamlined governance framework.
