Skip to content
Lab651 Process

User Access Review - Cloud Platforms

Overview

Section titled “Overview”

Purpose

Section titled “Purpose”

To ensure that all access to cloud providers (e.g. Azure, AWS, Heroku, etc.) analytics platforms (e.g. Lucky Orange, Google Analytics, etc.) and specialty technologies (e.g. CMS, PIM, etc.) follows the principle of least privilege and is regularly reviewed.

Scope

Section titled “Scope”

Applies to both human users (employees, contractors, clients) and non-human users (service accounts and application identities) within cloud environments.

Key Areas Covered

Section titled “Key Areas Covered”
  1. Access Control: Defines who may access cloud accounts and under what circumstances.
  2. Role-based Permissions: Emphasizes least privilege principles, granting permissions aligned with specific responsibilities (e.g., owner, viewer, billing, etc.).
  3. Review Process: Details a quarterly access review to validate the necessity and appropriateness of each access vector (human users, service account, etc.). Includes guidelines for promptly revoking access when employees, contractors or services no longer require it.
  4. Activity Monitoring and Logging: Outlines the process for logging and monitoring activities within the cloud platforms to detect unauthorized access or suspicious activity.

PolicY Statements

Section titled “PolicY Statements”
  1. Access Management and Least Privilege
    1. Policy Statement: Access rights for all users, including human and non-human, must be restricted to the minimum necessary for their roles, ensuring no individual or application has more access than required.
    2. Actionable Item: The IT Security Team will review and assign role-based permissions for all users, maintaining access lists that reflect only the necessary access privileges for each role.
    3. Policy Statement: All users will be assigned roles based on their job function, with permissions aligned to specific responsibilities, and sensitive resources are accessible only to users or applications with a verified need.
    4. Actionable Item: Department managers, in collaboration with IT, will validate and approve role-based access assignments for each user, ensuring least privilege is maintained.
  2. User Access Review
    1. Policy Statement: A quarterly review of user access lists and permissions for human users and non-human users in Azure, Heroku, and AWS will be conducted to verify appropriateness.
    2. Actionable Item: The IT Security Team will compile and review quarterly access reports with department heads, identifying any access that is no longer needed or does not align with current roles.
    3. Policy Statement: Each user’s role and permissions will be validated quarterly to ensure they remain relevant to their current responsibilities or application function.
    4. Actionable Item: The IT Security Team, along with managers, will conduct a quarterly access validation to confirm that permissions align with each user’s current role.
    5. Policy Statement: Elevated access and administrative permissions will undergo additional scrutiny, and permissions will be reduced wherever possible.
    6. Actionable Item: The IT Security Team will review all privileged accounts quarterly, documenting and reducing permissions that exceed the user’s essential needs.
  3. Service Accounts and Application Identities
    1. Policy Statement: Service accounts and application identities are designated solely for non-human access and must not be used directly by employees or contractors.
    2. Actionable Item: The IT Security Team will assign, document, and maintain all service accounts with access restricted to application functions, ensuring they are separate from human user accounts.
    3. Policy Statement: Permissions for service accounts will be limited to the specific operations required by the application, with credentials like API keys and IAM roles securely stored and regularly rotated.
    4. Actionable Item: IT Security will manage and review service account permissions quarterly, storing credentials securely, implementing regular rotation schedules, and using multi-factor security for protection.
    5. Policy Statement: Direct access to service accounts by human users is prohibited except in temporary emergency cases, which must be authorized and logged.
    6. Actionable Item: In emergency access cases, IT will log and authorize access to service accounts by human users, with a clear justification and access duration.
    7. Policy Statement: Service accounts and application identities will undergo quarterly reviews to ensure they remain necessary and compliant with least privilege.
    8. Actionable Item: Service account activity logs will be reviewed quarterly, and any unnecessary or inactive accounts will be deactivated or removed.
    9. Policy Statement: Logs for service account activities will be reviewed regularly to detect unauthorized access or unusual activity.
    10. Actionable Item: IT Security will configure and maintain log monitoring for service account activities, generating alerts for suspicious behavior and maintaining logs for one year.
  4. Access Termination and Modification
    1. Policy Statement: When an individual’s role changes or they leave the organization, their access will be promptly modified or revoked, and access for inactive service accounts or applications will be disabled.
    2. Actionable Item: Department managers will notify IT immediately of role changes or terminations, and IT Security will revoke or modify access accordingly within 24 hours.
    3. Policy Statement: Access for employees or contractors who no longer need system access will be revoked immediately upon departure to maintain system integrity.
    4. Actionable Item: HR and IT will coordinate on offboarding procedures to ensure that access is terminated for all departing personnel within 24 hours of departure.
  5. Documentation and Accountability
    1. Policy Statement: All user accounts, service accounts, and application identities, along with their permissions, will be documented and maintained in a secure, centralized repository.
    2. Actionable Item: The IT Security Team will maintain a secure access repository, updating it with all user and service account access changes as they occur.
    3. Policy Statement: All changes to access permissions, roles, or credentials for both human and non-human users will be documented to provide a clear audit trail for compliance purposes.
    4. Actionable Item: IT will document and log every access change or permission adjustment, ensuring clear tracking and accountability for access control.
    5. Policy Statement: Quarterly access review findings and any corrective actions will be reported to the IT Security Team to ensure ongoing alignment with the least privilege principles.
    6. Actionable Item: IT Security will prepare a quarterly report summarizing access reviews, findings, and adjustments made to align with least privilege and submit it to management.
  6. Review Frequency
    1. Policy Statement: This policy and associated access review processes will be reviewed annually and updated as necessary to reflect changes in security standards, technology, or organizational structure.
    2. Actionable Item: The IT Security Team will conduct an annual review of this policy, incorporating changes based on security updates, technology, and organizational changes, with final approval from leadership.
Section titled “Related”