User access management is one of those maintenance activities that’s good for you, but that few do well. Like cleaning out your garage, you know there’s an overwhelming mess waiting for you, with no good way of tackling the chore. It’s going to take more time and energy than it should.
Unlike cleaning out the garage, you can get in trouble with your Assessor (and dramatically increase risk to the organization) if you don’t keep up with user access management on a regular basis. Almost every certification requires you to go through and validate the user accounts in your system.
Validation means going through your central authentication system and reviewing the full list of accounts that currently exist in it. If your user access list looks like my garage, you have your work cut out for you.
But you can calm the chaos. Here’s how.
Getting User Access Management Under Control
Each account should have a description that succinctly explains what type of account it is and why it’s there. If this is your first time doing this, the list of user accounts is going to be an awful mess. It won’t be organized, most accounts won’t be labeled, and you won’t know what the hell this or that account is for.
What you want is an ordered, organized list of accounts, so you know exactly what each one is associated with and why it exists in your system. An organized list makes validating the accounts immeasurably easier.
The first step in reviewing your user accounts is to organize them. Usually, I split the accounts into three different groups to make it easier to track them. I recommend the following categories:
- User accounts
- Vendor accounts
- System (service) accounts
As you set up new accounts, keep assigning them to these categories and naming them the same way, so the list stays organized.
Next, add a description for each account so you know what it is and where it belongs. Use a standardized nomenclature. Every organization does it in a way that makes sense for them; the important thing is that your descriptions are consistent with each other. For example, you might do something like this:
- For internal user accounts: USER: [YOUR ORGANIZATION NAME]
- For vendor user accounts: VENDOR USER: [VENDOR NAME]
- For service accounts: SERVICE ACCOUNT: [SERVICE AND PURPOSE]
Once you’ve organized your lists, the review process itself is fairly straightforward. Go through each of the segmented account groups and systematically review each list of users. I extract the lists and review specific key fields.
Here’s how I approach the review of each of the user account types.
Auditing Internal User Accounts
First, look at all the enabled user accounts. Each user should have their own named user account. As you’re reviewing your internal user accounts, ask the following questions:
- Should all of the enabled accounts be enabled? Should any of them be disabled? Look for terminated employees or interns who have moved on. You shouldn’t have enabled user accounts that are no longer needed.
- When does the password expire? Make sure all passwords expire, and that they have the same expiration period, in accordance with the standard your organization maintains (PCI DSS, for example, requires 90 days or less).
- Are there any expired passwords? If so, follow up to see if the user still needs the account. If not, it should be disabled.
- When was the last login? If a user has never logged in, or hasn’t logged in for a long time, they may not need the account anymore.
- Are there any accounts that aren’t allocated to specific people? User accounts should be allocated to specific individuals. If you see an account labeled something like developer or internal_admin, dig a little deeper to see who is using that account and for what purpose.
- Are there multiple accounts for the same person — for example, bob.smith and bob.smith_a, or maryjones and maryjones1? There could be a legitimate reason for multiple accounts, but it could also be a sign that you have a bad actor in your system.
NOTE: If you find users on your list who have been terminated but still look active, there could be a valid reason. Many organizations keep an account open for a period of time so the organization can access the individual's files. If that's the case, make sure the credentials have been reset so the former employee can't use them, and make sure you have an established procedure for retiring these accounts in a timely fashion.
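The checks above can be run mechanically against an export of the account list. The following is an added example, not code from the original post: a Python review pass over a CSV export. The column names (username, description, enabled, password_never_expires, password_last_set, last_login, hr_status) and the sample rows are constructed for the example and do not follow any particular directory product's schema. It keeps only the accounts tagged with the USER: prefix from the nomenclature above and flags each condition in the list: enabled accounts for terminated staff, non-expiring or over-age passwords, never-used or stale logins, names that aren't tied to a person, and multiple accounts for one person. The 90-day stale-login threshold, the list of generic names, and the suffix rule used to group accounts per person are assumptions.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. The column names are an assumption for this
# example, not any directory product's schema; dates are YYYY-MM-DD.
SAMPLE_EXPORT = """\
username,description,enabled,password_never_expires,password_last_set,last_login,hr_status
bob.smith,USER: ACME,true,false,2024-05-10,2024-06-20,active
bob.smith_a,USER: ACME,true,false,2024-05-12,2024-06-21,active
maryjones,USER: ACME,true,false,2024-01-15,2024-02-02,active
maryjones1,USER: ACME,false,false,2024-01-15,2023-11-09,active
jdoe,USER: ACME,true,false,2024-05-01,2024-06-24,terminated
internal_admin,USER: ACME,true,true,2023-12-01,2024-06-25,
intern01,USER: ACME,true,false,2024-06-01,,active
svc_backup,SERVICE ACCOUNT: nightly backup jobs,true,true,2023-01-01,2024-06-25,
"""

AS_OF = datetime(2024, 6, 26)           # review date for the constructed data
MAX_PASSWORD_AGE = timedelta(days=90)   # the 90-day ceiling the post cites
STALE_LOGIN = timedelta(days=90)        # assumption: idle this long = follow up
# Names that look like roles rather than people (assumed list; extend per org).
GENERIC_NAMES = re.compile(r"^(developer|admin|internal_admin|test|temp|shared)\w*$", re.I)
# Suffixes that usually mark a second account for the same person (assumed).
DUPLICATE_SUFFIX = re.compile(r"(?:[._-](?:a|adm|admin)|\d+)$", re.I)


def _date(value):
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def _base_name(username):
    """bob.smith_a -> bob.smith, maryjones1 -> maryjones (heuristic)."""
    return DUPLICATE_SUFFIX.sub("", username).lower()


def review_user_accounts(csv_text, as_of=AS_OF):
    """Return {username: [findings]} for accounts tagged with the USER: prefix."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["description"].upper().startswith("USER:")]
    findings = defaultdict(list)
    by_person = defaultdict(list)

    for r in rows:
        name = r["username"]
        by_person[_base_name(name)].append(name)
        if r["enabled"].lower() != "true":
            continue  # disabled accounts are a cleanup item, not a review item
        if r["hr_status"].lower() == "terminated":
            findings[name].append("enabled but HR status is terminated")
        if r["password_never_expires"].lower() == "true":
            findings[name].append("password set to never expire")
        else:
            last_set = _date(r["password_last_set"])
            if last_set is None or as_of - last_set > MAX_PASSWORD_AGE:
                findings[name].append("password older than 90-day maximum")
        last_login = _date(r["last_login"])
        if last_login is None:
            findings[name].append("never logged in")
        elif as_of - last_login > STALE_LOGIN:
            findings[name].append("no login in over 90 days")
        if GENERIC_NAMES.match(name) or not r["hr_status"]:
            findings[name].append("not tied to a named individual")

    # Second pass: more than one account resolving to the same person.
    for names in by_person.values():
        if len(names) > 1:
            for n in names:
                findings[n].append(
                    "multiple accounts for one person: " + ", ".join(sorted(names)))
    return dict(findings)


if __name__ == "__main__":
    for account, issues in sorted(review_user_accounts(SAMPLE_EXPORT).items()):
        print(f"{account}: {'; '.join(issues)}")
```

Run against the sample, the pass reports jdoe (terminated but enabled), maryjones (over-age password, no recent login, and a second account maryjones1), the two bob.smith accounts, internal_admin (never-expiring password, no person behind it) and intern01 (never logged in); svc_backup is skipped because its description prefix puts it in the service-account list, which has its own checks later in the post. The HR status column is what turns "is this person still here?" from a guess into a join; if your export can't carry it, pull the terminations list from HR separately and match on username.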
Auditing Vendor User Accounts
For each vendor in your vendor list, ask the following questions:
- Is this a valid vendor that is still doing work for us? If not, remove them.
- Ask the vendor to validate each individual who has an account: are they still employed by the vendor, and should they still have access?
- Also go through the same checks that you made for internal users.
In most cases, your vendors will have named accounts for each of the individuals assigned to your organization. For example, your IT vendor might have six people serving your network, each with their own account. Check each account that falls under that vendor.
Occasionally, a vendor connects into your environment through a secure access platform of its own, under a single shared account. On their end, they know specifically who logged in, did what, and when. In this case, be sure they're doing their due diligence to manage user access in accordance with industry requirements, and ask for evidence (their own access reviews and logs) rather than taking it on faith.
Auditing Service Accounts
Service accounts are different from internal and vendor user accounts. They exist to support system-to-system authentication only and aren't associated with an individual. They're also typically set up without a password expiration.
Go down the list of service accounts and look for consistency patterns. Ask the following questions:
- Are there any expiring passwords? Investigate those accounts — they may be mislabeled as a service account.
- Does your organization still need each of the service accounts? If not, turn them off.
- Are any interactive logins turned on? If so, turn them off. A service account is used behind the scenes by a system and never needs to log in at a console or through a remote desktop session, so interactive login should be disabled (on Windows this typically means denying the account the local and Remote Desktop logon rights; on Unix-like systems, giving it no login shell). If you have the capability to alert on interactive logins by service accounts, put that in place: it should never happen, and the alert is an additional protection mechanism for accounts whose passwords never expire.
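Alerting on interactive logins by service accounts is a simple detection rule. The following is an added example, not code from the original post, of that logic in Python over constructed log records. The records are modelled on Windows Security event 4624 (successful logon), whose LogonType field distinguishes console (2), Remote Desktop (10) and cached-credential (11) logons from the network (3), batch (4) and service (5) logons a service account legitimately produces; the JSON-lines layout, the service-account list and the events themselves are constructed for the example.

```python
import json

# Windows 4624 LogonType values that mean someone signed in at a console (2),
# over Remote Desktop (10) or with cached credentials (11). A service account
# should only ever show Network (3), Batch (4) or Service (5) logons.
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Assumed to come from the SERVICE ACCOUNT: entries in the directory review.
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql", "svc_monitor"}

# Constructed sample events: one JSON object per line with a subset of 4624
# fields. 4625 is a failed logon and is left out of this rule on purpose.
SAMPLE_EVENTS = """\
{"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 5, "IpAddress": "-", "WorkstationName": "BK01", "TimeCreated": "2024-06-26T01:00:03Z"}
{"EventID": 4624, "TargetUserName": "svc_sql", "LogonType": 3, "IpAddress": "10.0.2.15", "WorkstationName": "APP01", "TimeCreated": "2024-06-26T01:05:11Z"}
{"EventID": 4624, "TargetUserName": "bob.smith", "LogonType": 10, "IpAddress": "10.0.5.40", "WorkstationName": "WS-BOB", "TimeCreated": "2024-06-26T08:12:45Z"}
{"EventID": 4624, "TargetUserName": "SVC_BACKUP", "LogonType": 10, "IpAddress": "10.0.5.77", "WorkstationName": "WS-UNKNOWN", "TimeCreated": "2024-06-26T22:41:09Z"}
{"EventID": 4625, "TargetUserName": "svc_monitor", "LogonType": 2, "IpAddress": "10.0.5.77", "WorkstationName": "WS-UNKNOWN", "TimeCreated": "2024-06-26T22:42:30Z"}
{"EventID": 4624, "TargetUserName": "svc_monitor", "LogonType": 2, "IpAddress": "10.0.5.77", "WorkstationName": "WS-UNKNOWN", "TimeCreated": "2024-06-26T22:43:02Z"}
"""


def detect_interactive_service_logons(events_jsonl, service_accounts=SERVICE_ACCOUNTS):
    """Return one alert per successful interactive logon by a service account."""
    watch = {a.lower() for a in service_accounts}   # account names are case-insensitive
    alerts = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624:
            continue  # successful logons only; failures deserve their own rule
        user = str(ev.get("TargetUserName", "")).lower()
        try:
            logon_type = int(ev.get("LogonType"))   # some exports carry it as a string
        except (TypeError, ValueError):
            continue
        if user in watch and logon_type in INTERACTIVE_LOGON_TYPES:
            alerts.append({
                "account": user,
                "logon_type": INTERACTIVE_LOGON_TYPES[logon_type],
                "source_ip": ev.get("IpAddress"),
                "workstation": ev.get("WorkstationName"),
                "time": ev.get("TimeCreated"),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_interactive_service_logons(SAMPLE_EVENTS):
        print(f"ALERT {a['time']} {a['account']} {a['logon_type']} "
              f"from {a['source_ip']} ({a['workstation']})")
```

On the sample data the rule fires twice, both from the same workstation within minutes (an RDP session as svc_backup, then a console logon as svc_monitor after a failed attempt), which is the pattern of one person working through a list of service credentials. The rule is deliberately narrow: a service account abused only over the network (type 3) looks like normal traffic to it, which is why the alert complements the directory-side restriction on interactive logon rather than replacing it.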
Bonus Tips for User Access Management
If you see anything that isn't set up properly when reviewing user accounts, take it as a sign that there's an opportunity to button up the internal controls in the environment. For example, if a terminated user's credentials are still enabled, some other control (usually the offboarding process) has failed.
Don't forget that individual devices and applications may have their own local accounts, in addition to the centralized list. Go to each of your systems and confirm whether it has local user accounts. If so, follow the same procedure you use for the centralized directory. Keep an inventory of every device that has local accounts and include them in your periodic review procedures.
Clean up disabled accounts
It’s good hygiene to clean up your mess. Unless you have a good reason to keep disabled accounts indefinitely, you should have an established approach for removing them permanently. The fewer accounts you have on the system, the fewer opportunities there are for someone to make a mistake.
Control the Chaos
User access management is one of those areas that most people initially dread, because they know the chaos that’s waiting for them. You don’t need to feel that sense of dread, if you take a systematic approach to segmenting, cleaning up, and maintaining your user accounts.
Once you dig in and do the initial work, the quarterly reviews are fairly quick and simple.
Need more help gaining control of your compliance management? Subscribe to our blog!
Subscribe to the TCT blog