So, you’ve decided to conduct an annual access audit. Now comes the obvious question: where do I start? Just like you wouldn’t embark on a mountain climbing excursion without a clear understanding of the terrain and gear you need, the starting point for an annual access audit requires an understanding of the process, people, and tools you’ll need to get started. Let’s go!
Step 1: Role Discovery
The starting point for every access audit is identifying and validating the roles you have in your organization. This process defines:
- The company's employee structure
- Each team's structure
- Initial analysis of access available to each role
Technical staff, such as the IT or infrastructure engineering team, are usually responsible for technology roles and planning. However, everyone needs to be involved in this process. If the organization doesn't take the time to plan access upfront, it may end up providing too little or too much access to employees, which can lead to security issues.
While it may be easy to start with job titles and access needs, it is worth noting that there will be cases where a single job needs the access of multiple roles.
Step 2: Inventory your stack
After you’ve compiled the full list of roles in your organization, you’ll need to pull together a full list of the tools and technologies in your tech stack. If you skip this step, you’ll find that tools may exist outside of security and IT purview, increasing your overall attack surface.
Similar to the above, this is a collaborative process that defines:
- Tools and technologies in your tech stack
- Current and future usage of each tool
- Understanding of data and sensitivity of each tool
Step 3: Access and Role Alignment
Once you've completed the discovery phase, you must align each role to the required access. The key questions to ask in this phase are:
- Does this role really need access to this tool?
- Is every tool still in use? What can be retired or deprecated?
- What is the appropriate level of access based on the sensitivity of data or the criticality of each tool?
Infrastructure administrators must identify who has access to every resource, including files, databases, Kubernetes clusters, and servers. This step is foundational to implementing just-in-time access and zero-standing privileges. The information gleaned from this step will help define what access is needed and when it’s needed.
Aligning Access: Slices, Roles, And Test Cases
Users need different access to various systems and information to do their jobs. Slices are the specific use cases for access, Roles are the groups of Slices related to specific job responsibilities, and Test Cases are the plan you make to ensure everyone has the access they need to do their jobs safely and securely. Let’s break those down further:
- "Slices" are like the tools and equipment needed for each part of the climb. Each Slice is a specific task or use case that requires access to certain systems or information.
- "Roles" are like each climber's jobs or responsibilities on the mountain. Different people in an organization have different Roles based on their job responsibilities. Each Role is a group of Slices related to a specific task or responsibility. For example, the IT administrator might have a Role that includes Slices for managing servers and databases. In contrast, the marketing team might have a Role that includes Slices for creating and managing campaigns.
- "Test Cases" are like practice hikes you would run to prepare for scaling a mountain. When setting up access audits, you must map out who needs access to what systems and why. Test Cases are real-world examples that specify who needs access to what information or systems and why they need that access. Test Cases validate the Slices and Roles and ensure everyone has the access to do their jobs safely and securely.
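The following is an added example, not StrongDM's code or workbook, that puts Step 3 and the Slices / Roles / Test Cases breakdown into a small runnable audit. It models an inventory of tools with their sensitivity, Roles as groups of Slices, the grants people actually hold, and Test Cases that check the Role definitions. All tool, role, user and grant names are constructed sample data, and the rule that high-sensitivity tools allow only read-level standing access (anything more should be just-in-time) is an assumption made for the example.

```python
"""Added example (not StrongDM's code): a toy annual-access-audit model.
All tools, roles, users, grants and test cases here are constructed samples."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEVELS = {"read": 1, "write": 2, "admin": 3}

# Assumed policy: the most sensitive tools get at most read-level standing
# access; anything higher should be granted just-in-time, not permanently.
MAX_STANDING = {"low": "admin", "medium": "write", "high": "read"}


@dataclass(frozen=True)
class Tool:          # Step 2: one inventory entry
    name: str
    sensitivity: str  # "low" | "medium" | "high"
    in_use: bool


@dataclass(frozen=True)
class Slice:         # one use case: a tool, a level, and why it is needed
    tool: str
    level: str
    purpose: str


@dataclass(frozen=True)
class Role:          # a Role is a group of Slices
    name: str
    slices: Tuple[Slice, ...]


@dataclass(frozen=True)
class Grant:         # what a person actually holds today
    user: str
    role: str
    tool: str
    level: str


@dataclass(frozen=True)
class AccessCase:    # a Test Case: who needs what, why, and whether it should pass
    role: str
    tool: str
    level: str
    expected: bool
    why: str


def role_level_for(role: Role, tool: str) -> Optional[str]:
    """Highest level any Slice of this Role justifies on the tool, or None."""
    levels = [s.level for s in role.slices if s.tool == tool]
    return max(levels, key=LEVELS.__getitem__) if levels else None


def audit(tools: Dict[str, Tool], roles: Dict[str, Role], grants: List[Grant]):
    """Answer the Step 3 questions for every grant. Returns (findings, unused_tools)."""
    findings = []
    for g in grants:
        tool = tools.get(g.tool)
        if tool is None:                       # access exists outside the inventory
            findings.append((g.user, g.tool, "not in inventory"))
            continue
        if not tool.in_use:                    # tool retired, grant should go
            findings.append((g.user, g.tool, "tool retired; revoke"))
            continue
        allowed = role_level_for(roles[g.role], g.tool)
        if allowed is None:                    # no Slice in the Role explains this grant
            findings.append((g.user, g.tool, "no slice in role justifies access"))
        elif LEVELS[g.level] > LEVELS[allowed]:
            findings.append((g.user, g.tool, f"level {g.level} exceeds slice level {allowed}"))
        if LEVELS[g.level] > LEVELS[MAX_STANDING[tool.sensitivity]]:
            findings.append((g.user, g.tool,
                             f"standing {g.level} on {tool.sensitivity}-sensitivity tool; move to JIT"))
    # Tools in the inventory that nobody holds access to are retirement candidates.
    unused = [t.name for t in tools.values()
              if t.in_use and not any(g.tool == t.name for g in grants)]
    return findings, unused


def run_test_cases(roles: Dict[str, Role], cases: List[AccessCase]):
    """Check each Test Case against the Role definitions; return the ones that disagree."""
    failures = []
    for c in cases:
        allowed = role_level_for(roles[c.role], c.tool)
        satisfied = allowed is not None and LEVELS[c.level] <= LEVELS[allowed]
        if satisfied != c.expected:
            failures.append((c.role, c.tool, c.level, c.why))
    return failures


# Constructed sample data for the demo.
TOOLS = {
    "prod-postgres": Tool("prod-postgres", "high", True),
    "k8s-prod": Tool("k8s-prod", "high", True),
    "wiki": Tool("wiki", "low", True),
    "ci-runner": Tool("ci-runner", "medium", True),
    "legacy-ftp": Tool("legacy-ftp", "medium", False),
}
ROLES = {
    "dba": Role("dba", (Slice("prod-postgres", "write", "schema migrations"),
                        Slice("wiki", "write", "runbooks"))),
    "marketing": Role("marketing", (Slice("wiki", "write", "campaign pages"),)),
}
GRANTS = [
    Grant("alice", "dba", "prod-postgres", "admin"),   # above the slice and above policy
    Grant("alice", "dba", "wiki", "write"),
    Grant("bob", "marketing", "wiki", "write"),
    Grant("bob", "marketing", "k8s-prod", "read"),     # no slice justifies this
    Grant("carol", "dba", "legacy-ftp", "read"),       # retired tool
    Grant("dave", "marketing", "shadow-crm", "admin"), # tool never inventoried
]
CASES = [
    AccessCase("dba", "prod-postgres", "write", True, "DBAs run migrations"),
    AccessCase("marketing", "prod-postgres", "read", False, "marketing never touches prod data"),
    AccessCase("dba", "k8s-prod", "read", True, "DBAs need to read pod logs"),  # reveals a missing slice
]

if __name__ == "__main__":
    found, unused = audit(TOOLS, ROLES, GRANTS)
    for f in found:
        print("FINDING", *f)
    print("UNUSED TOOLS", unused)
    print("FAILED TEST CASES", run_test_cases(ROLES, CASES))
```

The four finding types map onto the questions in Step 3: a grant with no matching Slice answers "does this role really need access", a retired or never-granted tool answers "what can be retired", and the level and sensitivity checks answer "what is the appropriate level of access". The failing Test Case is the useful kind of failure: the DBA Role has no Slice for the cluster, so the Role definition, not the person's access, is what needs fixing.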
Access discovery can take time, especially if your organization grows rapidly, resulting in a complex and distributed IT infrastructure. However, getting a clear picture of your infrastructure and performing a yearly check-up is essential to reducing risk.
Step 4: Building your annual access muscles
Conducting an access audit for the first time can be daunting, but there are steps you can take to simplify the process. Start by setting clear objectives and goals for the audit, such as identifying all the access points to your infrastructure or assessing the effectiveness of your existing access management policies. Establish clear milestone goals on the calendar and track your progress against those goals.
After conducting the audit, update it regularly to reflect any changes in your infrastructure or workforce. For instance, if you onboard new employees or migrate to a new cloud provider, you must update your access policies accordingly. Regularly performing an audit ensures that you're always up-to-date with the latest changes in privileges and assures the team that the access management policies remain effective.
Need Help Getting Started?
The annual access audit is a best practice for IAM teams.
If you need help getting started, we have a webinar for that. Or if you learn more by doing, we have a free access workbook to help you get the ball rolling.
This workbook includes the following:
- The steps required to run a Role & Access Discovery project
- Tabs that you can use to track the who, what, roles, and slices of roles and access
- Example test cases that show how you can attempt to match the case to the best role
Once you wrap up your annual access audit, you’ll need to consider how you implement the changes. At this point in the process, many enterprise organizations seek the help of a Zero Trust Privileged Access Management (PAM) platform (like ours 😎) to help manage all of that access. We can implement and execute the necessary changes based on your findings. Think of us as your seasoned guide to editing access; a knowledgeable and experienced local who knows the environment like the back of their hand. Book a demo.
About the Author
Angela Donlan, Content Manager. Angela supports the marketing team by developing creative content that helps StrongDM tell its story in creative and authentic ways. Experienced in the advertising agency space and the consulting world, Angela spent her early career years serving as a client-facing writer and project manager for brands large and small. Her specialties range from brand development and strategic campaign planning to social media execution and long-form content production. Angela obtained her Bachelor of Science in Business Administration from the University of Tulsa. She majored in Marketing and Management and completed minors in Advertising and Communications during her time at TU. To contact Angela, visit her on LinkedIn.