Rubberstamping is ruining the effectiveness of your Identity Governance and Administration.
Introduction
User Access Reviews (UARs) are a foundational component of effective Identity Governance and Administration. This is because there is a direct correlation between the quality of UARs conducted and an organization’s security posture, compliance outcomes, risk management, incident response efforts, and more.
And, though most GRC stakeholders understand the import role that they play, User Access Reviews are still a massive undertaking for any cybersecurity team. They require a major investment of resources, time, and employee bandwidth from both the admins accountable for them and the managers responding to them. In fact, running a single UAR can take months, resulting in other projects and priorities being sidelined or derailed completely. In short: Inefficient UARs can easily cause overall productivity to nosedive, causing a ripple effect on larger business objectives.
But, just because UARs are a considerable lift, doesn't mean there aren't ways to make it better. There are a few notable ways that you can make User Access Reviews more efficient. Automating processes around preparing and distributing UARs will improve efficiency (still sending nag emails manually?). Adopting or developing a tool that also handles revocation without admin intervention can improve things even further. But there’s one thing automation can’t help with. And that’s managers.
UARs are only as accurate as the responses your managers provide. If your managers are rubber stamping during reviews (news flash: they are) then you might as well not have run the review in the first place.
But what causes Rubberstamping in the first place, and why is it important to minimize it as much as possible?
What is a User Access Review, and Why Are They Important?
A User Access Review, also known as Access Certification, is a process conducted by an organization to evaluate and validate the access rights and permissions granted within their systems, applications, and data repositories. Reviews can be completed for individual users or user groups. They can also be carried out for specific systems, roles, or other unique use cases where it’s important to assess and authorize access rights. User Access Reviews are a crucial component of Identity Governance and broader access management and security practices. Ultimately, the objectives of a User Access Review are:
- Establish effective access controls
- Minimize the risk of unauthorized access
- Ensure compliance with regulations
- Optimize operational efficiency
- Reduce costs related to orphan accounts
- Foster a secure and well-governed environment
What Is Rubberstamping?
After a UAR is prepared by an admin it is distributed to managers and other reviewers. The manager’s responsibility during a UAR is to review a user’s role and then approve, or revoke, access as needed.
This is arguably the most critical part of a User Access Review. The goal is to only grant access based on the principle of least privilege. Managers need to scrutinize privileges while also keeping in mind whether the identity in question really needs access at this specific point in time in order to fulfill their job requirements.
Unfortunately for most organizations, this is when rubberstamping occurs.
Rubber stamping refers to approving permissions granted without proper scrutiny or evaluation. Managers will see a massive review and rather than spending hours carefully looking at each entitlement they hit “approve all” and go about their day. Rubberstamping indicates a lack of consideration or independent judgment during identity-related processes within an organization.
What Causes Rubber Stamping?
As we mentioned above, rubber stamping refers to when managers respond to reviews hastily or with minimal attention to detail. While working with customers to help improve UARs within their organizations, we’ve identified 3 main causes for rubberstamping during reviews.
- Time constraints: If you’ve prepared a UAR before, you’re very familiar with what a time-consuming process it is. UARs are also a time-suck for managers who are likely already very busy with other deadlines and projects that directly impact them. This makes it difficult to convince managers to spend hours reviewing employee permissions. Managers who are hyper-aware of the time burden that UARs present are more likely to rubberstamp “approve” on every entitlement so that they can get back to their work.
- Lack of understanding: As an admin, you live and breathe cybersecurity. But most of your reviewers do not fully comprehend the intricacies and implications of access rights. This can lead to managers rubberstamping simply because they don’t have the knowledge to support the scrutiny required during a UAR.
- Review Fatigue: Imagine being a manager with 10 direct reports. Combine that with the knowledge that on average, enterprises use 200 applications to support operations. This translates to thousands of items that require review. Managers will quickly be overcome by the daunting amount of work required during a UAR, resulting in what is known as review fatigue. As they become more and more overwhelmed by the number of items they review, managers are more likely to rubberstamp simply to check the task off of their to-do list.
There are several other reasons managers will rubberstamp User Access Reviews, but in working with customers ranging from insurance providers to consumer products, the ones listed above are repeat culprits.
Nearly every organization struggles with rubberstamping because most of the managers completing reviews are not cybersecurity professionals. They don’t understand why these massive, time-consuming, and confusing reviews are important. Instead, reviewers see User Access Reviews as extra work that’s entirely unrelated to their role within the organization. And so, they disengage. They rubberstamp and rush through reviews to get back to what they believe is more important aka the job they were hired for.
You can have the most talented identity and cyber security team but if reviewer's aren’t provided with the resources they need to respond accurately and quickly during UARs, there’s nothing that your team can do.
Why Rubber Stamping Is a Problem
Long story short, if you can’t get a handle on rubberstamping you’re never going to have effective Identity Governance. Rubber stamping during User Access Reviews completely negates any access controls currently in place and increases the risk of unauthorized access or failed audits. By reducing rubberstamping during a UAR, organizations can ensure that access rights are thoroughly reviewed and approved based on business needs and security requirements.
Wrapping Things Up
Rubberstamping is like risk; you can't completely eliminate risk from your organization. Instead, you have to identify risk, limit potential, and accept necessary risk. You can do the same with rubberstamping. Through a combination of modern technology and best practices you can identify why rubberstamping occurs, limit rubberstamping that will have a major impact, and accept instances where you know rubberstamping will occur.
The success of your Identity Governance efforts starts with effective User Access Reviews. It is crucial for organizations to establish well-defined processes that encourage a culture of accountability.
Reducing Rubberstamping with Risk Powered Governance
Clarity takes a risk centered approach to Identity Governance, known as Risk Powered Governance, to minimize potential for audit failure due to access mismanagement during User Access Reviews. Through a combination of automation and Machine Learning, Clarity has helped customers improve response accuracy and reduce potential audit failure while saving time, money, and employee effort.
Want to learn more? Schedule a call with a Clarity team member to learn how Risk Powered Governance can help you reduce rubberstamping during User Access Reviews.