
Why You Should Expect the Unexpected During Access Reviews

by Bob Giguere | December 13, 2024


There are many terms for Identity Governance (Access Reviews, Recertifications, Certifications, etc.), but they all boil down to essentially the same definition: the process of reviewing the access assigned to identities at an organization.

These processes can be used to check things like:

  • Who can add and remove employee accounts?
  • Who has access to sensitive data?
  • Who has paid license accounts to an expensive SaaS application?

Like most things in IT, these processes seem straightforward on the surface, but once you dig in, there will be some unexpected results, such as out-of-date data on the managerial hierarchy. In this article, we get into some of the unexpected findings that surface when launching a new Identity Governance program.

Manager-Based Access Reviews

With most access review programs, a user’s manager is the person who reviews their staff’s access. This makes sense because, in most situations, the manager should know best what access their employees need. We’ve also seen the application owner perform the reviews in some programs, which works well for smaller user populations. If an application like Cerner has one thousand employees with accounts, there will be little benefit in having the application team review the accounts because they simply won’t know everybody.

In pursuing manager-based access reviews across multiple client environments, we have found that the manager data isn’t always up to date. Typically in Identity Management, we work with a primary directory that stores all users along with basic attributes: first name, last name, job title, department, email, manager, etc. The majority of organizations use Active Directory, a Microsoft product that has been the dominant directory tool for many years but has faced growing competition in recent years. For instance, vendors like Ping and Okta have the technology available to meet most organizations’ needs.

In general, you want your HR data source, which is the true authority of active employees, synced to your primary directory. The directory will control authentication, so it is important to keep these up to date.

Let’s dive into common data issues.

Example #1 Out of Sync Manager Data

With some organizations, the primary directory is simply out of date with the managerial hierarchy. The correct data did live in their HR system, but this data was not appropriately synced down to their primary directory for various reasons.

This flaw is usually discovered during an access review implementation. One such incident occurred with a GCA client: we created a preview for the director we were working with and simply asked, “Are these all your people?” Within about 5 seconds, the answer came back as a ‘no.’ Even one of her team members who had been working on the project for months had his old manager listed. This was a bit unexpected, and ultimately, we had to pull in a data source directly from HR to ensure the data was correct.

Example #2 Out of Date Manager Data

In another example, we worked with an organization that didn’t have an HR tool in use. This was an enterprise organization, but it was a non-profit, so its IT tools were limited in some areas. Its authoritative source of users and managers was Active Directory, the Microsoft directory tool.

We didn’t catch the incorrect data as early in this review program as we did in the previous example. We launched the campaigns and then got some complaint emails from a Senior VP who had an extra ten people to review who technically didn’t report to him. This caused a bit of commotion, but it was ultimately resolved with some internal research and work. In the end, we were able to assist the internal team by letting them know which employees the Senior VP had reassigned to someone else, which indicated those people did not report directly to him.
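Both examples come down to the same pre-launch check: compare the manager each identity has in the HR source against the manager the directory will hand to the review campaign, and show each reviewer the roster they would receive before anything goes live. The following is an added example, not code from GCA or from any client; the HR and directory records are constructed, and the stale entries in them are deliberate so the checks have something to find.

```python
"""Pre-launch reconciliation for a manager-based access review campaign."""
from collections import defaultdict

# Constructed sample data (not from any real organization).
# HR export: employee id -> (display name, manager employee id)
HR_RECORDS = {
    "1001": ("Dana Director", None),
    "1002": ("Alex Analyst", "1001"),
    "1003": ("Sam Engineer", "1001"),
    "1004": ("Pat Reassigned", "1005"),
    "1005": ("Vic VP", None),
}

# Directory export (e.g. the manager attribute in Active Directory):
# employee id -> manager employee id. Stale entries are deliberate:
# 1003 still points at an old manager, and 1006 has no HR record at all.
DIRECTORY_RECORDS = {
    "1001": None,
    "1002": "1001",
    "1003": "1005",   # stale: HR says 1001
    "1004": "1005",
    "1005": None,
    "1006": "1005",   # orphaned directory account, unknown to HR
}

def reconcile_managers(hr, directory):
    """Return findings by category: (emp, hr_manager, dir_manager) mismatches,
    accounts unknown to HR, and HR employees with no directory account."""
    findings = {"mismatch": [], "missing_in_hr": [], "missing_in_directory": []}
    for emp, dir_mgr in directory.items():
        if emp not in hr:
            findings["missing_in_hr"].append(emp)
            continue
        hr_mgr = hr[emp][1]
        if hr_mgr != dir_mgr:
            findings["mismatch"].append((emp, hr_mgr, dir_mgr))
    findings["missing_in_directory"] = [e for e in hr if e not in directory]
    return findings

def build_review_roster(manager_map):
    """Group employees under the manager who would review them."""
    roster = defaultdict(list)
    for emp, mgr in manager_map.items():
        if mgr is not None:
            roster[mgr].append(emp)
    return {m: sorted(v) for m, v in roster.items()}

def preview_for(manager_id, hr, directory):
    """The 'are these all your people?' preview for one reviewer: what the
    directory would assign them, HR's view, and the people they would not expect."""
    hr_view = build_review_roster({e: m for e, (_, m) in hr.items()}).get(manager_id, [])
    dir_view = build_review_roster(directory).get(manager_id, [])
    return {"directory_roster": dir_view, "hr_roster": hr_view,
            "unexpected": sorted(set(dir_view) - set(hr_view))}
```

Running `preview_for("1005", ...)` on the sample data shows the VP would receive two people HR does not place under him, which is exactly the kind of surprise that otherwise arrives as a complaint email after launch.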

Key Takeaway

The intention of an access review program isn’t necessarily to uncover and sort out organizational data issues like incorrect manager assignments, but that is a by-product of the process. These programs take a deep dive into the data, which inevitably leads to the discovery of dirty data.

The key takeaway for anyone involved with or exploring an access review program is to understand that data issues will be uncovered, but really that is the goal. Although the control framework you are working with will say something like “all user access must be reviewed every 90 days,” the pursuit of that control will lead to many side benefits that strengthen your organization’s security posture. The key is to keep an open mind and look for dirty data as the project is executed.

GCA specializes in helping organizations manage and secure their identities. We’re experts in identity governance. If you’re having trouble conducting access reviews or you keep digging up dirty data, don’t hesitate to contact us today.