The Annual Access Audit Survival Guide


So, you’ve decided to conduct an annual access audit. Now comes the obvious question: where do I start? Just like you wouldn’t embark on a mountain climbing excursion without a clear understanding of the terrain and gear you need, the starting point for an annual access audit requires an understanding of the process, people, and tools you’ll need to get started. Let’s go!

Step 1: Role Discovery

The starting point for every access audit is identifying and validating the roles you have in your organization. This process defines:

  • The company's employee structure
  • Each team's structure
  • Initial analysis of access available to each role

Technical staff, such as the IT or infrastructure engineering team, are usually responsible for technology roles and planning. However, everyone needs to be involved in this process. If the organization doesn't take the time to plan access upfront, it may end up providing too little or too much access to employees, which can lead to security issues.

While it may be easy to start with job titles and access needs, it is worth noting that there will be cases where a specific job needs the access of multiple roles.

Step 2: Inventory your stack

After you’ve compiled the full list of roles in your organization, you’ll need to pull together a full list of the tools and technologies in your tech stack. If you skip this step, you’ll find that tools may exist outside of security and IT purview, increasing your overall attack surface.

Similar to the above, this is a collaborative process that defines:

  • Tools and technologies in your tech stack
  • Current and future usage of each tool
  • Understanding of data and sensitivity of each tool

Step 3: Access and Role Alignment

Once you've completed the discovery phase, you must align each role to the required access. The key questions to ask in this phase are:

  • Does this role really need access to this tool?
  • Is every tool still in use? What can be retired or deprecated?
  • What is the appropriate level of access based on the sensitivity of data or the criticality of each tool?

Infrastructure administrators must identify who has access to every resource, for example files, databases, Kubernetes clusters, and servers. This step is foundational to implementing just-in-time access and zero-standing privileges. The information gleaned from this step will help define what access is required and when it’s needed.

Aligning Access: Slices, Roles, And Test Cases

Users need different access to various systems and information to do their jobs. Slices are the specific use cases for access, Roles are the groups of Slices related to specific job responsibilities, and Test Cases are the plan you make to ensure everyone has the access they need to do their jobs safely and securely. Let’s break those down further:

  • "Slices" are like the tools and equipment needed for each part of the climb. Each Slice is a specific task or use case that requires access to certain systems or information. 
  • "Roles" are like each climber's jobs or responsibilities on the mountain. Different people in an organization have different Roles based on their job responsibilities. Each Role is a group of Slices related to a specific task or responsibility. For example, the IT administrator might have a Role that includes Slices for managing servers and databases. In contrast, the marketing team might have a Role that includes Slices for creating and managing campaigns.
  • "Test Cases" are like practice hikes you would run to prepare for scaling a mountain. When setting up access audits, you must map out who needs access to what systems and why. Test Cases are real-world examples that specify who needs access to what information or systems and why they need that access. Test Cases validate the Slices and Roles and ensure everyone has the access to do their jobs safely and securely.

Access discovery can take time, especially if your organization grows rapidly, resulting in a complex and distributed IT infrastructure. However, getting a clear picture of your infrastructure and performing a yearly check-up is essential to reducing risk.
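The Slice/Role/Test Case model above maps naturally onto a small reconciliation script: derive the access each Role should have from its Slices, compare that against the grants actually observed in your systems, and run the Test Cases against the role definitions. The following is an added illustration, not StrongDM's own tooling or workbook; the resource names, roles, users and grants are constructed sample data, and the three access levels (read/write/admin) are an assumption made for the example.

```python
"""Reconcile observed access grants against Slice -> Role definitions
and validate Test Cases. Added example with constructed data; not code
from the original post or from StrongDM."""
from dataclasses import dataclass

# Assumed ordering of access levels (higher number = more privilege).
LEVELS = {"read": 1, "write": 2, "admin": 3}


@dataclass
class Slice:
    name: str
    grants: dict  # resource -> highest level this use case needs


@dataclass
class Role:
    name: str
    slices: tuple

    def expected(self) -> dict:
        """Union of all Slices, keeping the highest level per resource."""
        out = {}
        for s in self.slices:
            for res, lvl in s.grants.items():
                if LEVELS[lvl] > LEVELS.get(out.get(res), 0):
                    out[res] = lvl
        return out


@dataclass
class TestCase:
    user: str
    role: str
    resource: str
    level: str


def reconcile(roles, assignments, actual_grants, inventory):
    """Compare observed grants with role-derived expectations.

    assignments:   user -> role name
    actual_grants: user -> {resource: level} as observed in the systems
    inventory:     every tool/resource found in Step 2
    Returns excess grants (standing access the role does not justify),
    missing grants, and inventory items no Role references at all.
    """
    findings = {"excess": [], "missing": [], "unused": []}
    referenced = set()
    for user, role_name in assignments.items():
        expected = roles[role_name].expected()
        referenced |= expected.keys()
        have = actual_grants.get(user, {})
        for res, lvl in have.items():
            want = expected.get(res)
            if want is None or LEVELS[lvl] > LEVELS[want]:
                findings["excess"].append((user, res, lvl, want))
        for res, lvl in expected.items():
            if LEVELS.get(have.get(res), 0) < LEVELS[lvl]:
                findings["missing"].append((user, res, lvl))
    findings["unused"] = sorted(set(inventory) - referenced)
    return findings


def run_test_cases(roles, cases):
    """Return the Test Cases whose Role does not cover the access they describe."""
    failures = []
    for c in cases:
        granted = roles[c.role].expected().get(c.resource)
        if LEVELS.get(granted, 0) < LEVELS[c.level]:
            failures.append(c)
    return failures


def audit():
    """Run the reconciliation on constructed sample data."""
    manage_servers = Slice("manage_servers", {"prod-servers": "admin"})
    manage_db = Slice("manage_db", {"customer-db": "admin"})
    run_campaigns = Slice("run_campaigns", {"marketing-crm": "write"})
    read_reports = Slice("read_reports", {"analytics-db": "read"})
    roles = {
        "it_admin": Role("it_admin", (manage_servers, manage_db)),
        "marketing": Role("marketing", (run_campaigns, read_reports)),
    }
    inventory = ["prod-servers", "customer-db", "marketing-crm",
                 "analytics-db", "legacy-wiki"]  # legacy-wiki: nobody's Role needs it
    assignments = {"alice": "it_admin", "bob": "marketing"}
    actual = {  # constructed observed grants
        "alice": {"prod-servers": "admin", "customer-db": "admin",
                  "marketing-crm": "admin"},   # admin on CRM is unjustified
        "bob": {"marketing-crm": "write"},     # analytics-db read not provisioned
    }
    cases = [
        TestCase("bob", "marketing", "marketing-crm", "write"),
        TestCase("bob", "marketing", "customer-db", "read"),  # Role does not cover this
    ]
    return reconcile(roles, assignments, actual, inventory), run_test_cases(roles, cases)


if __name__ == "__main__":
    findings, failures = audit()
    for key in ("excess", "missing", "unused"):
        print(key, findings[key])
    print("failing test cases:", [(c.user, c.resource, c.level) for c in failures])
```

Each finding maps back to a question from Step 3: an "excess" entry is access a Role does not justify (candidate for removal or conversion to just-in-time access), an "unused" entry is a tool no Role references (candidate for retirement), and a failing Test Case means either the Slice definitions or the Test Case itself needs correcting before the audit is signed off.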

Step 4: Building your annual access muscles

Conducting an access audit for the first time can be daunting, but there are steps you can take to simplify the process. Start by setting clear objectives and goals for the audit, such as identifying all the access points to your infrastructure or assessing the effectiveness of your existing access management policies. Establish clear milestone goals on the calendar and track your progress against those goals.

After conducting the audit, update it regularly to reflect any changes in your infrastructure or workforce. For instance, if you onboard new employees or migrate to a new cloud provider, you must update your access policies accordingly. Regularly performing an audit ensures that you're always up-to-date with the latest changes in privileges and assures the team that the access management policies remain effective.

Need Help Getting Started?

The annual access audit is a best practice for IAM teams. 

If you need help getting started, we have a webinar for that. Or if you learn more by doing, we have a free access workbook to help you get the ball rolling. 

This workbook includes the following:

  • The steps required to run a Role & Access Discovery project
  • Tabs that you can use to track the who, what, roles, and slices of roles and access
  • Example test cases that show how you can attempt to match the case to the best role

Once you wrap up your annual access audit, you’ll need to consider how you implement the changes. At this point in the process, many enterprise organizations seek the help of a Dynamic Access Management (DAM) platform (like ours 😎) to help manage all of that access. We can implement and execute the necessary changes based on your findings. Think of us as your seasoned guide to editing access; a knowledgeable and experienced local who knows the environment like the back of their hand. Book a demo. 

About the Author

, Content Manager, Angela supports the marketing team by developing creative content that helps StrongDM tell its story in creative and authentic ways. Experienced in the advertising agency space and the consulting world, Angela spent her early career years serving as a client-facing writer and project manager for brands large and small. Her specialties range from brand development and strategic campaign planning to social media execution and long-form content production. Angela obtained her Bachelor of Science in Business Administration from the University of Tulsa. She majored in Marketing and Management and completed minors in Advertising and Communications during her time at TU. To contact Angela, visit her on LinkedIn.
