Microsoft Rights Review: Three problems faced by companies

Reviewing access rights is an important step in an access control and governance strategy.

It involves ensuring that users' data-level access rights comply with a company's Microsoft 365 security policy and user activity.

However, setting up and managing rights review campaigns can be complex. There are three main problems encountered by companies when conducting a Microsoft rights review.

• Setting up a rights review campaign
• Engaging users in the rights review process
• Tracking corrections and measuring the impact of a rights review campaign

Setting up a rights review campaign

One of the first difficulties encountered is planning a campaign. Companies will have to analyse their data, define a scope and configure the rights review campaign.

Analysing and defining the scope

Faced with the volume of information and access rights to be reviewed, it can be complicated for companies to analyse the information or to have a clear view of the risk prioritisation process (the rights associated with privilege accounts, which ones have anomalies, who should review these accesses).

This analysis forms the basis for configuring the recertification campaign: targeting, duration, periodicity, resources, etc.

After defining the scope, you must be able to address the data owners to have the ability to have the rights reviewed by the right people and on groups that are still in use. Again, identifying owners across thousands of on-premise groups can complicate campaign implementation.

Campaign settings

To configure and launch the rights review campaign, Microsoft offers a few tools such as Microsoft Access Reviews or SharePoint Data Governance.

However, they are not currently optimised to launch large-scale recertification campaigns and the rights review process is not made more streamlined for the user.

Automating campaigns

“The Cloud changes the governance situation and pushes us to extend our tools, to rely on expert solutions.” Eric Vautier

The automation and industrialisation of rights reviews will make it possible to more quickly reduce the risks of malicious access and illegitimate sharing.

For this, it is necessary to equip yourself with a specialised tool offering a single interface to streamline the entire rights review process and save time on campaign management. The information is thus centralised, reducing the risk of manual errors and promoting the reliability of the results obtained.

Discover the feedback from the SNCF: Industrialising the rights review process

IDECSI has developed a recertification tool, MyDataSecurity, which resolves the issues of volume and complexity in rights review processes, allowing data security to be maintained over time.

Administrators have a platform to plan recertification campaigns simply and quickly.

Engaging users in the rights review process

Once the rights review campaign is launched, data owners need to be engaged in the process. This is an essential step, because the business teams are best able to review the data and govern it over time.

To integrate them into the process, it is necessary to take care of the communication, the quality of the information transcribed and to simplify the correction. Indeed, a user who does not understand the information transmitted will not take the trouble to validate or review it.

Each user must be identified and be informed in a clear and precise manner about what is expected of them and what is the interest of their action. It is important to make them aware of the approach for a more serious commitment from all the stakeholders.

This is why setting up regular rights reviews makes it possible to begin a process of revalidating access and sharing the content exchanged. The user will be able to confirm whether the action is indeed compliant or help identify an anomaly and validate or not the compromise.

IDECSI has developed a simple and intuitive platform for users to improve data governance: MyDataSecurity 

Discover MyDataSecurity in 1 minute:

Tracking corrections and measuring the impact of a rights review campaign

The last problem encountered on rights review campaigns is the follow-up of corrections over time.

To verify that the objectives of the review have been achieved or to meet compliance requirements, it is necessary to be able to demonstrate that corrective actions have indeed been implemented on the problems identified.

Without clearly defined KPIs or a dashboard summarising the actions carried out and complicated long-term monitoring

These elements will determine whether or not additional actions must be scheduled such as reminders to data owners.

Some examples of KPIs monitored:

-% of people having access to MyDataSecurity

-% of remediation action, Net Promoter Score (NPS)

-satisfaction score on the platform.