It’s a nightmare scenario. You work in a regulated market, like financial services or healthcare. There’s a breach. You know the question is coming, but can you confidently answer it?
“Who at the company could have seen those social security numbers?” What about its follow-up question: “Who actually did see that number?” In other words, who theoretically had access to that information, but also, who actually accessed it?
Often, employees will have access they may not need for their job (over-provisioning), and risk is increased because your breach surface just got that much bigger. But that’s the nightmare scenario.
What about the day-to-day activities? The ones where someone in marketing requests access to a production customer database—do you know if that person really needs access to it?
A critical part of embracing zero trust and implementing privileged access management (PAM) is ensuring that each employee’s access to technical tools is as close as possible to what’s needed for their specific role. But creating unique roles for every individual can be expensive, time-consuming, and difficult to do.
For example, data scientists may need access to sensitive data, but because of the complexity associated with access management, many companies simply provide that access to the entire engineering department—even though 80% of the department doesn’t need that access. Suddenly, you have audit and security issues as well, especially if you ever have to determine how an infrastructure breach occurred.
The good news is that there’s a way to avoid the pitfalls of providing too much or too little access—and it all starts with role and access discovery.
Why Access Management is Hard
Imagine you’re building a house, but instead of having a floor plan or starting with the foundation, you just build it as you go, adding room after room. Over time, you’ll likely end up with a nice house, but not necessarily a functional home (real life example: the Winchester Mystery House in San Jose).
Access can fall into the same trap. Over time, your organization will add new people, new teams, new roles, and new systems. And before you know it, you have no source of truth for who has access to which systems, much less who needs access to them. This inevitably leads to over- and under-provisioning, not to mention that it's now extremely difficult to audit what is happening in each system.
It usually takes a major financial event, like an initial public offering, or a compliance event, such as achieving SOC 2 compliance, to drive these types of projects. For teams that don’t have such a compelling event, the driver is more likely to be the accumulated frustration of multiple teams who just want the access they need.
Enter Role & Access Discovery
To put it simply, if you start without a plan for infrastructure access, you're going to regret it—and yet, many companies are inclined to skip this step. The result is a hodgepodge of access across multiple roles and systems that becomes impossible to manage. Organizations need to shift their mindsets and behavior to proactively think about who needs access to what, document it, and standardize it. That’s where Role and Access Discovery comes in.
Role and access discovery is a collaborative process that defines:
- The structure of the company
- The structure of the teams
- Which roles need access to which systems
The task of role and access discovery and planning often gets assigned to technical staff, like the IT team or infrastructure team. And as discussed above, organizations that don’t take the time to think about their end goals or plan access upfront may end up haphazardly providing too little or too much access to individual employees.
Starting the Access Conversation
Even if you have a list of names of employees and systems, tracking and controlling access needs to be granular. That means collaborating across teams—IT, DevOps, HR, Security—to determine how roles should be categorized and how access should be managed for each role. The output should be a readable document that you can share with internal teams and with anyone involved in building your company’s technical infrastructure.
The good news is that you can get started with some simple questions:
- “Who works here, toward what ends, and how are we all organized?”
- “How do we solve for the human part of access? Who actually needs access to what?”
- “How does access management fit into Active Directory or our existing framework?”
The plan should be reevaluated at a consistent cadence, at least every year, if not quarterly or more, based on your needs.
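Once the discovery output exists, the two breach questions from the top of this post and the over-/under-provisioning check become mechanical. The following Python is an added example, not code from the original post or from any vendor tool; the role plan, roster, grants and log lines are all constructed, and it assumes the log is four whitespace-separated fields per line.

```python
# Reconcile a role-and-access discovery plan against real grants and logs.
# All data below is constructed for the example.

# Discovery output: which roles need which systems.
ROLE_PLAN = {
    "data-scientist": {"customer-db", "analytics-warehouse"},
    "backend-engineer": {"app-servers", "analytics-warehouse"},
    "marketing": {"crm"},
}
# HR roster: who holds which role.
EMPLOYEES = {"alice": "data-scientist", "bob": "backend-engineer",
             "carol": "backend-engineer", "dave": "marketing"}
# Grants as reported by each system today.
ACTUAL_GRANTS = {
    ("alice", "customer-db"), ("alice", "analytics-warehouse"),
    ("bob", "app-servers"), ("bob", "customer-db"),  # department-wide DB grant
    ("carol", "app-servers"),                         # warehouse never granted
    ("dave", "crm"), ("dave", "customer-db"),         # marketing's ad hoc request
}
# Access log, one "timestamp user system action" record per line (assumed format).
ACCESS_LOG = """\
2024-03-01T09:12:00Z alice customer-db SELECT
2024-03-01T10:05:00Z bob app-servers SSH
2024-03-02T14:30:00Z dave customer-db SELECT
2024-03-02T15:00:00Z dave crm LOGIN
"""

def expected_grants(plan, employees):
    """(user, system) pairs the plan says each employee should hold."""
    return {(u, s) for u, r in employees.items() for s in plan.get(r, ())}

def reconcile(expected, actual):
    """Return (over_provisioned, under_provisioned) as sets of grants."""
    return actual - expected, expected - actual

def could_access(actual, system):
    """Breach question 1: who holds a grant to this system?"""
    return {u for u, s in actual if s == system}

def did_access(log, system):
    """Breach question 2: who actually touched the system, per the log?"""
    rows = (line.split() for line in log.splitlines() if line.strip())
    return {user for _, user, sys_, _ in rows if sys_ == system}

if __name__ == "__main__":
    over, under = reconcile(expected_grants(ROLE_PLAN, EMPLOYEES), ACTUAL_GRANTS)
    print("over-provisioned:", sorted(over))    # bob and dave on customer-db
    print("under-provisioned:", sorted(under))  # bob and carol lack the warehouse
    print("could see customer-db:", sorted(could_access(ACTUAL_GRANTS, "customer-db")))
    print("did see customer-db:", sorted(did_access(ACCESS_LOG, "customer-db")))
```

In a real rollout the three inputs come from HR, from each system's own grant export, and from the system's audit log, and the reconciliation is rerun on the same cadence as the plan review.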
Curious about how to get started? We have a few resources to help you down the path:
- Download the Role & Access Discovery Workbook - an interactive tool that will help drive the process forward
- Check out our webinar series on Getting Started with Access Management. The first session is focused on Role and Access Discovery—you can register here.