User Entitlement Review Explained

What is an entitlement review?

The entitlement review definition is simple: a review of user access permissions and other rights. The goal of a user entitlement review is to ensure that each user in the IT environment has access to the data they need to do their job and nothing more — the principle of least privilege. A structured and regular entitlement review process helps mitigate security risks and protect sensitive data.

The entitlement review process requires the following:

  • Visibility into each user’s data access permissions. Note that access reviews are necessary for both regular business users and IT teams, who typically have elevated access.
  • Visibility into user activity, especially access to sensitive or regulated data.
  • Accurate assignment of data ownership rights. Data owners are responsible for making access decisions that ensure the right users have the right access permissions to data they own. Data owners typically include managers and active users of particular information.

Why are entitlement reviews important?

Entitlement reviews help organizations strengthen cybersecurity by limiting the data, applications and other resources each user account can access, either accidentally or deliberately by its owner, or in the hands of an attacker who has taken it over.

Failure to perform proper and regular entitlement reviews can lead to:

  • Insider threats (access abuse or misuse): Users can deliberately take advantage of excessive access rights to steal sensitive data or do other damage. Verizon’s 2021 data breach analysis found that more than 70% of data breaches can be directly attributed to misuse of privileged user access. A 2021 IBM Data Breach report pegs the average cost of a data breach at $4.62 million. Regular entitlement reviews mitigate this risk by eliminating excessive access.
  • Employee errors: Users can also mishandle sensitive data by accident, due to fatigue, carelessness or lack of cybersecurity expertise. For example, a user might accidentally email confidential information to someone who shouldn’t have access to it, or delete a valuable file by mistake. Regular entitlement reviews limit the data each person might handle improperly.
  • Privilege creep: Users often change roles within an organization. All too often, they are granted the access privileges they need for their new position, but the old access rights they no longer need are never revoked. Entitlement reviews help organizations ensure that excess access rights don’t pile up over time.
  • Overexposure of sensitive data: Sometimes, access rights to sensitive data are improperly granted to large groups of people, such as the “Everyone” group. The entitlement review process helps organizations spot and remove such access.

Real-life examples

Here are three security incidents that were allegedly caused by access misuse and that proper entitlement reviews might have helped prevent.

  • Marriott leaked data as the result of a compromised third-party app: Attackers who compromised the credentials of two Marriott employees in January 2020 were able to log into a third-party application used by the Marriott hotel chain to provide guest services. They gained access to more than five million guest records. The investigation is ongoing, but it is expected that Marriott will face steep penalties because the leaked data contained personally identifiable information regarding guests, and the breach went undetected for two months.
  • General Electric employees stole trade secrets: Two employees of General Electric stole critical data concerning advanced computer models designed for calibrating turbines manufactured by the company. One of them downloaded thousands of files, including ones that contained trade secrets — which indicates he had excessive access permissions. He also convinced an IT team member to grant him access to files that he had no legitimate reason to see. Using the stolen technical, marketing and pricing information, he opened a competing company. Although the thieves were eventually convicted, sentenced to prison and ordered to pay $1.4 million in restitution, the incident was clearly an expensive and embarrassing ordeal for General Electric.
  • Cisco ex-employee maliciously damaged cloud infrastructure: An IT engineer resigned from his position at Cisco but, after leaving, was able to deploy malicious code that deleted 456 virtual machines used for the Cisco WebEx Teams application. Court documents do not explain how the engineer (Ramesh) maintained his access to Cisco’s cloud infrastructure after resigning. The incident resulted in 16,000 users being unable to access their accounts for two weeks. Cisco had to pay $1 million in restitution to affected users and spent around $1.4 million auditing its infrastructure to fix the damage caused by the attack.

Entitlement review best practices

The following best practices can help organizations conduct effective entitlement reviews that mitigate security and compliance risks.

  • Users should be assigned access rights through group membership, not direct assignment. This helps ensure proper provisioning, since all users with similar business responsibilities can be made members of the same groups. IT teams need to work closely with managers and data owners to set up appropriate groups with the right sets of access.
  • Access reviews should be conducted on a regular basis. Data owners should receive a list of users who have access to the content they own, and they should determine whether privileges should be changed or removed to reflect current access
  • Access reviews should cover not just business users but IT pros and other privileged users as well.

In addition to regular entitlement reviews, organizations also need a broader governance strategy for managing data access. It’s best to have an automated workflow that allows users to request access to the resources they need and have data owners approve or deny those access requests outside of the regular review process. In addition, user accounts should be automatically deprovisioned immediately when a user leaves the organization (or even as the user is being terminated, in the case of an employee being fired); deprovisioning should not wait until the next scheduled entitlement review.

How Netwrix Can Help

The right tool can streamline effective entitlement reviews by reporting on which users have access to certain data, which facilitates review by data owners.

The data access governance solution from Netwrix can help you:

  • Review user access rights on a regular basis
  • Establish and maintain a policy of least privilege
  • Monitor changes to users’ access rights

Frequently Asked Questions

1. Why should organizations perform user access reviews?

User access reviews help organizations ensure that each user can access only the resources they need to do their jobs. Performing access reviews on a regular basis helps minimize the risk of security incidents and compliance failures.

2. What is the process of conducting a user access review?

The user access review process involves:

  • Gaining visibility into each user’s permissions to access data, applications and other resources
  • Providing appropriate data owners with reports that detail access permissions to the data they own
  • Having data owners determine what changes, if any, should be made to the current entitlements
  • Empowering IT teams to implement the access decisions made by data owners

3. What is an entitlement report?

An entitlement report details all user accounts and their status (active or not), along with information about their roles and access privileges. Data owners can use these reports to identify excessive access rights that should be removed to enhance security and compliance.
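The following script is an added illustration of the review process described in question 2 and of the entitlement report described above; it is not Netwrix code and not part of the original post. It works on a small constructed snapshot (the fs01 share paths, the Finance-RO/Finance-RW/IT-Admins groups, the role names and the user accounts are all hypothetical) rather than a live directory, expands group-based ACLs into per-user effective access, groups the result by data owner, and flags the conditions the post warns about: sensitive data exposed to the “Everyone” group, privilege creep (group memberships beyond what a user’s current role calls for), and disabled accounts that still hold group memberships or own data.

```python
"""Entitlement review helper (added example; constructed data, not a real environment)."""
from collections import defaultdict

# Groups that grant access to essentially every account; names assumed for illustration.
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Which groups each role is expected to hold (hypothetical role-to-group mapping).
ROLE_GROUPS = {
    "finance-analyst": {"Finance-RO"},
    "finance-manager": {"Finance-RO", "Finance-RW"},
    "sysadmin": {"IT-Admins"},
}

# Constructed account snapshot: bob moved from manager to analyst but kept Finance-RW;
# carol left the company (account disabled) but still holds IT-Admins and owns data.
ACCOUNTS = [
    {"name": "alice", "role": "finance-manager", "enabled": True, "groups": {"Finance-RO", "Finance-RW"}},
    {"name": "bob", "role": "finance-analyst", "enabled": True, "groups": {"Finance-RO", "Finance-RW"}},
    {"name": "carol", "role": "sysadmin", "enabled": False, "groups": {"IT-Admins"}},
    {"name": "dave", "role": "finance-analyst", "enabled": True, "groups": {"Finance-RO"}},
]

# Constructed resource snapshot: each share has an owner, a sensitivity flag and a group-based ACL.
RESOURCES = [
    {"path": r"\\fs01\Finance\Payroll", "owner": "alice", "sensitive": True,
     "acl": {"Finance-RW": "Modify", "Finance-RO": "Read"}},
    {"path": r"\\fs01\Shared\Templates", "owner": "dave", "sensitive": False,
     "acl": {"Everyone": "Read"}},
    {"path": r"\\fs01\Finance\Contracts", "owner": "alice", "sensitive": True,
     "acl": {"Everyone": "Read", "Finance-RW": "Modify"}},
    {"path": r"\\fs01\IT\Scripts", "owner": "carol", "sensitive": True,
     "acl": {"IT-Admins": "Full"}},
]


def resolve_access(accounts, resources):
    """Expand group-based ACL entries into per-user effective rights (step 1: visibility)."""
    rows = []
    for res in resources:
        for group, right in res["acl"].items():
            for acct in accounts:
                if group in BROAD_GROUPS or group in acct["groups"]:
                    rows.append({"path": res["path"], "user": acct["name"], "right": right,
                                 "via": group, "enabled": acct["enabled"]})
    return rows


def entitlement_report(accounts, resources):
    """Group effective access by data owner: the report each owner reviews (step 2)."""
    owner_of = {res["path"]: res["owner"] for res in resources}
    report = defaultdict(list)
    for row in resolve_access(accounts, resources):
        report[owner_of[row["path"]]].append(row)
    return dict(report)


def review_findings(accounts, resources, role_groups):
    """Flag conditions that an owner should decide on (step 3). Each finding is
    (kind, subject, detail)."""
    findings = []
    by_name = {acct["name"]: acct for acct in accounts}
    for res in resources:
        broad = [group for group in res["acl"] if group in BROAD_GROUPS]
        if res["sensitive"] and broad:
            findings.append(("overexposure", res["path"], ", ".join(broad)))
        if not by_name[res["owner"]]["enabled"]:
            # Ownership must be reassigned, or nobody will review this resource.
            findings.append(("owner_disabled", res["path"], res["owner"]))
    for acct in accounts:
        expected = role_groups.get(acct["role"], set())
        for extra in sorted(acct["groups"] - expected):
            findings.append(("privilege_creep", acct["name"], extra))
        if not acct["enabled"] and acct["groups"]:
            findings.append(("disabled_account_access", acct["name"], ", ".join(sorted(acct["groups"]))))
    return findings


if __name__ == "__main__":
    for owner, rows in entitlement_report(ACCOUNTS, RESOURCES).items():
        print(f"Report for data owner {owner}:")
        for row in rows:
            status = "" if row["enabled"] else " [DISABLED ACCOUNT]"
            print(f"  {row['path']}  {row['user']}  {row['right']}  via {row['via']}{status}")
    print("Findings:")
    for kind, subject, detail in review_findings(ACCOUNTS, RESOURCES, ROLE_GROUPS):
        print(f"  {kind}: {subject} ({detail})")
```

In a real environment the two snapshot lists would be populated from the directory and file server (or from a reporting tool) rather than typed in, and the findings would be routed to the owner named in each report; the logic for expanding groups, attributing resources to owners and comparing memberships against a role baseline stays the same.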

Tiffany is a Customer Success Engineer at Netwrix, focused on ensuring that the customer experience with our software is positive. Before joining the customer success team, she worked as a support engineer and support team lead at Netwrix. She has been in the software industry for 7 years and holds multiple certifications through CompTIA.