Hot Take: Bulk Access Reviews are Useless

SecZetta Hot Takes

Yes, bulk access reviews are useless. Point blank.

They probably complete some compliance checkbox for your organization because most everyone is required to review and certify access for individuals via different regulations (SOX, NERC CIP, etc.).

Here’s the problem — when you break down the way that access reviews are executed, they become what’s often referred to as a “rubber stamping exercise,” i.e., someone with authority approves whatever is in front of them out of routine rather than through careful consideration and review.

This is exceedingly common with bulk access reviews. Why? Let’s say you’re the manager or sponsor of thirty people (either employees or non-employees) and you have just been assigned a bulk access review. What are you more likely to do? Spend a ton of time scrolling through the list, clicking into each profile, reviewing every detail to ensure that every individual’s level of access is appropriate, and investigating each one thoroughly? Or are you going to check the box at the top that selects everyone, click the “approve” button, and move on with your day?

Yes, there are individuals that take bulk reviews seriously, but there are many busy, competent professionals that just don’t have the bandwidth to thoroughly examine each individual to verify that everyone still has the access that they should.

This is especially true for application owners. Access reviews can happen at a manager level, by application owners, as well as by those that own specific roles. For application or role owners, the raw numbers they are responsible for reviewing can be staggering.

For example, imagine someone that manages a third-party vendor that happens to be a call center. They’re likely responsible for reviewing hundreds of people, sometimes even thousands, each of which has some type of access to your organization’s network or platforms. The truth is, if you send all one thousand names to the sponsor and provide them with the ability to bulk approve…more than likely you’re going to get a bulk approval, whether that’s appropriate or not.

Bulk access reviews essentially accomplish only one thing – they allow you to check a box for compliance. But the spirit of these regulations and compliance requirements is to make your organization more secure. So SecZetta’s Hot Take is that, from a security perspective, bulk access reviews are useless because they lack the identity information necessary to accurately govern access.
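The rubber-stamp pattern described above leaves a trace in an identity governance system’s decision logs: a reviewer who approves nearly every item in a large batch within seconds of each other almost certainly used the select-all control rather than examining each identity. The following Python is an added example, not code from SecZetta or this post, that scores reviewer/campaign pairs from such a log. The `Decision` record layout, the sample log, and the thresholds (20 items, 98% approval, median gap of 2 seconds) are all constructed assumptions for illustration; tune them to your own campaign sizes.

```python
"""Flag access-review campaigns that look bulk-approved ("rubber stamped").

Heuristic (an assumption, not a standard): a large batch that is almost
entirely approved, with near-zero time between consecutive decisions, was
most likely approved with a select-all control rather than item by item.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Decision:
    campaign: str       # review campaign identifier (constructed field names)
    reviewer: str       # manager, sponsor, or application owner who decided
    subject: str        # identity whose access was reviewed
    decision: str       # "approve" or "revoke"
    decided_at: datetime


def rubber_stamp_score(decisions, min_items=20, approve_ratio=0.98,
                       max_median_gap=timedelta(seconds=2)):
    """Return {(campaign, reviewer): stats} for pairs that look bulk-approved.

    Pairs with fewer than min_items decisions are ignored: a handful of fast
    approvals is not evidence of anything. Thresholds are assumptions.
    """
    groups = defaultdict(list)
    for d in decisions:
        groups[(d.campaign, d.reviewer)].append(d)

    flagged = {}
    for key, items in groups.items():
        if len(items) < min_items:
            continue
        items.sort(key=lambda d: d.decided_at)
        approvals = sum(1 for d in items if d.decision == "approve")
        ratio = approvals / len(items)
        # Time between consecutive decisions by the same reviewer.
        gaps = [b.decided_at - a.decided_at for a, b in zip(items, items[1:])]
        med_gap = median(gaps)
        if ratio >= approve_ratio and med_gap <= max_median_gap:
            flagged[key] = {
                "items": len(items),
                "approve_ratio": ratio,
                "median_gap_s": med_gap.total_seconds(),
            }
    return flagged


def constructed_sample():
    """Constructed decision log: one bulk approval, one careful review,
    and one small batch that is too short to judge."""
    t0 = datetime(2023, 9, 1, 9, 0, 0)
    log = []
    # sponsor-a: 40 vendor call-center agents, all approved in the same second.
    for i in range(40):
        log.append(Decision("Q3-vendor-callcenter", "sponsor-a",
                            f"agent-{i:03d}", "approve", t0))
    # sponsor-b: 25 agents, roughly 90 seconds per item, three revocations.
    for i in range(25):
        verdict = "revoke" if i in (4, 11, 19) else "approve"
        log.append(Decision("Q3-vendor-callcenter", "sponsor-b",
                            f"agent-{100 + i:03d}", verdict,
                            t0 + timedelta(seconds=90 * i)))
    # mgr-c: only 5 direct reports, approved at once; below min_items.
    for i in range(5):
        log.append(Decision("Q3-employees", "mgr-c",
                            f"emp-{i:03d}", "approve", t0))
    return log


if __name__ == "__main__":
    for (campaign, reviewer), stats in rubber_stamp_score(constructed_sample()).items():
        print(f"{campaign} / {reviewer}: {stats}")
```

On the constructed log only `sponsor-a` is flagged (40 items, 100% approved, zero seconds between decisions); `sponsor-b` approved 88% with a 90-second median gap and is left alone, and `mgr-c` has too few items to judge. In practice the flagged pairs are the campaigns to reopen in smaller batches with the identity context (sponsor, engagement end date, last activity) the reviewer needs to decide each item on its merits.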

While SecZetta won’t make bulk access reviews useful, we can provide all the third-party identity data your organization requires to make well-informed decisions on access. If you’re curious about a Third-Party Identity Risk solution that provides you with the third-party identity data necessary to make accurate access decisions, take a self-guided product tour of SecZetta’s Third-Party Identity Risk solution and see how automated identity lifecycle processes can expedite your access decisions and help mitigate your risk.

*** This is a Security Bloggers Network syndicated blog from Industry Blog - SecZetta authored by SecZetta. Read the original post at: https://www.seczetta.com/bulk-access-reviews-hot-take/