Scenario 2: Benefits in the Access Governance and Recertification Process
Introduction
In the last article in the "IAM: Before and After" series we looked at how organizations can drastically reduce user access calls to the helpdesk by implementing an IAM solution. In that scenario, the client was able to reduce call volumes by more than 95%.
In the second article of this series, we look at IAM from a security and risk management view – specifically from the Access Governance and Recertification Process in the organization.
Why is Access Governance Important?
Access risk is defined as "risks related to unauthorized or inappropriate access". As per Forrester, access governance includes three key components:
- Access recertification
- Role management, and
- Access request management
Access governance has become a critical component of the information risk management domain. It lowers access risk and improves security because it provides a better understanding of who has access to what and why; as a result, fewer people accumulate privileges over their tenure in an organization.
Client Background
Let's take the same client we discussed in the earlier article. The client is the country arm of a global Fortune 500 financial services company, with a large user base of over 12,000 users that is still growing. The user base includes internal users, external users and contractors. Additionally, the organization works with more than 50,000 agents. Business operations are supported by over 30 business-critical applications that are built on diverse and heterogeneous technology platforms and managed by different business teams.
Before IAM
As part of its compliance policy, the client needed to recertify access for all users and applications on a regular basis. But the process was manual and used to take 2 to 3 months. Because it was labor intensive and time consuming, it could not be scheduled more than once a year.
Manual deletion of accounts and recertification took significant effort, so by default the tendency was to grant all access unless it was explicitly denied. Exposure to access risk increased year on year, since unwanted access was not being identified and de-provisioned in an assured manner.
The Solution
Aujas successfully implemented a comprehensive IAM solution to address client requirements. The solution included:
- User Provisioning System: This component provided centralized control and 360° automation of the business processes involved in user access management. As a result, the processes for requesting, validating, approving and provisioning access became more efficient and manual errors were eliminated.
- Access Governance Workflows: This component automated and streamlined the periodic review of access entitlements. Additionally, the solution leveraged the role information built into the system, so that it proactively prevented violations of the separation-of-duties principle at the moment access was granted.
- Access Management System: A comprehensive access management system comprising web access management and enterprise Single Sign-On (SSO). This component helped enforce role-based access controls.
- Access Reporting Dashboards: This component allowed business and IT teams to easily track the status of the recertification process. The system enabled the organization to quickly identify the specific areas that created bottlenecks in the process and to remediate them in a focused manner.
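The two controls the governance workflow describes, blocking a grant that would complete a separation-of-duties conflict and recertifying on a deny-unless-explicitly-approved basis, can be modelled in a few lines. The following is an added illustration, not code from the article or from Aujas; the entitlement names, SoD rules and reviewer approvals are constructed sample data.

```python
from __future__ import annotations

# Constructed sample data, not from the article. Entitlements are strings such as
# "payments:approve"; an SoD rule is a set of entitlements no single user may hold together.
SOD_RULES = [
    frozenset({"payments:create", "payments:approve"}),
    frozenset({"vendor:create", "payments:approve"}),
]

USER_ENTITLEMENTS = {
    "alice": {"payments:create", "payments:approve", "reports:view"},
    "bob": {"vendor:create", "reports:view"},
}

# What reviewers explicitly approved in this cycle; anything else gets revoked.
REVIEW_APPROVALS = {
    "alice": {"payments:create", "reports:view"},
    "bob": {"vendor:create", "reports:view"},
}


def sod_violations(entitlements: set[str]) -> list[frozenset[str]]:
    """Detective check: which SoD rules does this entitlement set already violate?"""
    return [rule for rule in SOD_RULES if rule <= entitlements]


def request_access(entitlements: set[str], requested: str) -> tuple[bool, list[frozenset[str]]]:
    """Preventive check at grant time: refuse a request that would complete an SoD conflict."""
    would_hold = set(entitlements) | {requested}
    conflicts = [rule for rule in SOD_RULES if requested in rule and rule <= would_hold]
    return (not conflicts), conflicts


def recertify(user_entitlements: dict[str, set[str]], approvals: dict[str, set[str]]):
    """Deny-unless-approved recertification: keep only explicitly approved entitlements.
    Returns (kept, revoked) per user so the revocations can be de-provisioned."""
    kept, revoked = {}, {}
    for user, held in user_entitlements.items():
        approved = approvals.get(user, set())  # no review recorded -> everything is revoked
        kept[user] = held & approved
        revoked[user] = held - approved
    return kept, revoked


if __name__ == "__main__":
    kept, revoked = recertify(USER_ENTITLEMENTS, REVIEW_APPROVALS)
    for user, held in USER_ENTITLEMENTS.items():
        print(user, "keep", sorted(kept[user]), "revoke", sorted(revoked[user]),
              "sod", [sorted(r) for r in sod_violations(held)])
```

Note that a user with no recorded review loses every entitlement, which is the deny-by-default behaviour the client moved to; under the old grant-unless-denied approach that user would have kept everything.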
After IAM
The table below lists some of the significant client benefits after implementing the IAM solution.
Parameter | Before IAM | After IAM | Benefits |
--- | --- | --- | --- |
Review Cycle Time | 3 months | 10 days | Significant improvement in the reliability of the process. Time savings and less audit fatigue. |
Approach | Grant access unless explicitly denied | Deny access unless explicitly approved | More secure systems that are accessible only on a need-to-know basis. Lower access risk. Reduced chance of malicious activity and information theft. |
Review Frequency | Annual | Quarterly | Reduced chance of errors in the process. Faster evolution of role definitions. Shorter window for potential system misuse. |
Review Mode | Manual | Automated | Approximately 1000 person-hours saved for every review. |
Automating the access governance and recertification process simplified the work of the security and risk management team, which was able to run a much more focused and tightly controlled life-cycle process for managing access risk.
The biggest benefit for the client was the move from a reactive audit approach to proactive role management as the way to manage access risk.
Conclusion
One of the key security concerns in any large organization is access risk. Governing access and conducting recertification manually is a tedious process, and most organizations shy away from a comprehensive and frequent review, which leaves access risk unaddressed. Automating the entire process brings significant efficiency benefits to the organization and, more importantly, peace of mind due to reduced risk.