Breaking the Status Quo: Achieving Mature Access Governance Within Days

Is this on? Yes. Can you hear me?

Okay, perfect. Hi everybody. After a very good panel, let's focus on user access governance, and we are here about achieving that as efficiently as possible. My name is Martin, I'm founder of aia and atali. We propose a new approach to this problem by looking at as a, as a data problem if you want. And so to illustrate what that means, let's start off with a couple of questions. Do you know how many users, how many employees left your organization and still have accounts lying around? Do you know who exactly has administrator privileges across your critical service?

Do you know who can access privacy sensitive employee data, like HR data, financial data? If you, if you use role-based access control, what do all your roles and groups in your systems actually do? Those are all data questions related to user access governance. And it used to be somewhat optional to be to, to be able to answer these questions, but these days with, with cloud and sales and so on, user and permissions really are the only thing tying together your IT infrastructure.

And that's the reason why every major hack starts with credentials being stolen is the reason why all of the major frameworks like ISO 27,001 or N or nist, they all focus on access control. And it's the reason why modern cybersecurity approaches like zero trust, stress, the fact that you have to minimize your identity, attach to efforts that's answering these questions. And so it's critical these days, but still many companies cannot. And actually the list is, is even a lot longer. It's insane. What about guest accounts, app integrations, multifactor authentication?

If you're working with ad, what about groups? Who has which groups and what can these do? If you are mature and you're using this three level role-based access control model where employees have accounts that have business roles that contain technical roles, that contains entitlements to different applications, do you then still understand who can actually do what? Even if you have approved all of these assignments, the list is endless and it's clearly highly complex to answer these questions.

And well, there are many reasons for that. And today I'm going to focus on the, the reason we, we are here at an IM conference and I think as an IM market, the default answer that we give to answering these problems, these questions is deploy your iga, deploy a sale point or a model or one on one identity, whatever system that you want. These are highly, highly complex and highly functional systems and they also integrate with many different sources. So they should give you the insights to also answer these questions. But in practice, this is struggling a bit.

Even if you do have one of these systems and you, you do complete ig, I've heard many companies complain about reporting analytics. That's not the goal of these, these suites. That's a different, that's a problem by itself and we can help with that. But the more fundamental problem is that identity governance and setting it, it up just takes a long time. It takes a lot of money and it's highly complex. And because of that, many companies are just not doing that can be because you are midsized organization and you have just a small security team and you have to do a lot with that.

It's too much can be because you're an extensive organization with a highly complex IT environment and you're just not ready for automating join a move lever processes, for example, whatever the reason may be. This leads to onboarding errors, onboarding errors. I've seen companies if they do do access governance, doing that with access reviews, with manual Excel sheets and, and audits being manual excel exercises. So clearly this leads to security risks and and and wasted effort frankly.

So that, that's one of the reasons that we started a limiting we want to to help here. And so we take a different approach, try to minimize the effort to come up with that and help you take control of user access in a matter of, of ours. And it really means that at least you should have visibility of your as this situation.

The the, the approach that we advocate will not give you the same, the same functionality as a complete IGA rollout, but at least have visibility of who can currently do what. Let your IT team understand that and maybe include line manager of application owners in access reviews. Clean that up and monitor that over time. That's what I mean with the data approach. We work with companies ranging from 500 people organizations up to 50 K employees in the organizations.

So the essentials of, of what what we mean with the essentials of user access governance, that's really understanding your current situation, letting the IT team and the IM team, if you would have that, review that and monitor that over time and act upon things that you see that are, that shouldn't be there. Orphaned accounts, overly privileged employees admin accounts that shouldn't be there and so on.

I'm not going to turn this into a sales presentation, but the platform that we designed is specifically designed for that and especially the collecting the data, that's where you have to do this in a couple of hours. That's our aim, not a couple of days. And that's where data cycle starts. And so for this presentation, let's look at the journey that that comes out of it.

We all do, we do this completely to, to enable what we call a security first IGA journey. This really focuses on helping an organization identify access risks as soon as possible with as little effort as possible. So from a cybersecurity point of view and clean it up and go towards a fundamentally improved cybersecurity postures. And then this approach focuses on your cybersecurity return on investment.

First, it tries to push the, the heavyweight identity governance steps like designing a complete role model or automating provisioning or automating your joint removal lever workflows and so on, pushes that forward afterwards. But of course, if you have this data foundation, it's also really good point to start your role design, but that, that's a different topic. So that's what we call with a security first IGA journey. And in practice looks something like this. This is a customer case. One of our more recent customers, it's a medium sized organization.

So 2000 employees in a, in a privacy sensitive context, they have personal data and they wanted to improve their, their internal control to decrease cyber risk and show compliance. So the first step of this journey is the visibility.

Again, visibility is key to this approach. And if we start this, we always think along with the customer what the most important data sources are. Nine out of 10 companies. That's active directory in these days, definitely also Azure ad. And then it kind of depends on, on, on, on the organization, whether they want to focus on a cloud environment or maybe data shares on, on, on Windows file system, database admin, local admins on the directories, whatever is important. You focus on how you can get that data, bring it together.

And I typically also advise to on adding the HR system to that as well. So you then end up with a data foundation that gives you all of the employees and the different accounts they have in a different system, the different permissions, and then you can enable controls. Those controls. We typically focus on eight categories of what we call key risk indicators. So it's depending on the maturity.

Orphaned accounts is a very, very important one first, but then it covers also privileged accounts, access accumulation, some, some identity and role hygiene and business specific indicators of course as well. I can give a presentation of, of one hour on these topics by itself if you're interested, take a screenshot or or a, a photo it's called and, and take a look at a, at a QR code. It contains the full guide. But what this ends up with is an overview of your, as a situation is the way I like to call it.

And then your most important risks where you are red, orange or green or enables you to compare the different permissions of the people in one team that you would expect to be able to do the same and compare those. And almost always you see people that have been moving around throughout your organization and are only granted more and more permissions and never been revoked. So those red flags, those are the interesting ones to really focus on with your security team, your IT team or your line managers and application owners.

And in this case specifically the goal of the C really was to convince other managers to show that user access management is important. He was convinced of that, but that you can make steps in that in a couple of days, not months or years, which is the basic image that they have returned regarding identity governance.

And so their focus at the very, very first steps was HR and active directory and then these orphan accounts where they saw that there were actually a couple of active accounts that belonged to people that already left the company for contractors as well, or temporary accounts that were still left open. And so really the goal here was to identify this, which we achieved in a couple of days. And in the coming week, they actually removed all of these, which was the perfect signal or the perfect evidence for him to show that they could make steps in a, in a, in a short time.

And so the overall impact there was decreased cyber risk. And then the next steps depend a bit on what, what the organization wants in in essence. In essence, you can repeat this exercise, this manual exercise every three or six months, we can do it as a service as well, but most of the companies that we work with then go towards a more continuous setup. At first for, for the first visibility, we try to avoid costly integrations like asking for service accounts for AD or opening up firewalls that typically takes weeks for the IT team to process.

So we try to avoid it and instead we work with just do a file-based export and import it as a CSV or an LD or something. But then afterwards, if you're maturing them, the the deployment go towards a continuous integration where this data is refreshed. And if you're cleaning up that you then see what the changes are and that you again can show that you're improving. This will buy you a lot of goodwill and you can really start doing this from week one. And then at some point, we'll at the start, the focuses on the, the security team.

They know the most important risks and they can make decisions on those things, but at some point they don't know everything anymore. So in that case, you have to include the other people that are responsible for their parts of the organization, like team leaders for their teams, application owners for their applications.

And and I advise against giving them the same full-blown analytics interface of our product, but include these people in the form of accessory reviews where you just ask, ask them the question, Hey, Martin, in our system, these are the 20 people in your team, is that still correct? Should some of these be removed? And for the other ones, take a look at their active directory groups in the same interface that you, that you saw before.

And the first, the first phase of this inclusion of these people is focused on cleanup again, but if you actually reach the point that you're happy with that, also run your continuous user governance. So the the quarterly access reviews or the periodical access reviews on top of this data foundation, that's really the whole approach in one slide.

This approach is mainly targeted towards the companies that have well mid-sized organizations or a very complex situation where you, where you want to clean this up as quickly as possible, but of course there are other use cases for this data platform as well. It really fits well with a, as a preparation to an IGA rollout as well. So if you're thinking of going two towards the full-blown identity governance setup and definitely I would definitely advise to also have this visibility, it can help you to clean up your situation upfront.

By the way, most of these systems also priced by li by by the user. So if you remove unnecessary users, it'll also make the the suites cheaper and you can start defining roles and so on early in the process, which is typically where the, the rollout of an IGA blocks anyway. So start doing that earlier. That's definitely a good recommendation. The identity pest, that's our name for where we use the product ourselves and we come into a company and we do this exercise ourselves.

And then finally, I also want to mention if you do have an IG and you do have all of this data centralized in one place, it's very valuable to also add these analytics on top and all of the people that are involved in creating roles or connecting new applications and so on, give them the information that they need to answer all of the data questions that they have in their day-to-day work. This will drastically lower the customer insight for these people. So that's the forward use case that we focus on.

I always like to end my presentation with a bit of concrete tips and, and and things to take home. So in this case, when you get back to the office, review your architecture and think of your most important identity source and all identity and access management experts here. So I'm guessing that you all know the top five. Then think what data questions you actually have on these systems. In this presentation I focused on cyber securities.

It can be the same but can also be that you have too many groups and you want to clean that up or that you want to simplify your role model or that you have synchronization errors between active directory and Azure AD and that hinders operational processes. Whatever distinct of whether you can answer these questions and how and whether that affects your cybersecurity. And then really, even if it's not with our platform, apply the data approach.

Think of how you can collect the data, bring that together, even if it's just with excel sheets, act upon it and monitor it will really buy you a lot of goodwill to show that you are, you are on top of things that you're improving over time and, and that you're actually well improving cybersecurity. That being said, if this interests you, we have a boot on the floor, the first floor.

We also have a webinar in two weeks, so if if you're interested to see a bit more of the product, you can join at our booth or to the website and if you want more resources on this topic, again, take a look at our website. We have lots of of guides written by our team there. Thank you for your attention. We have some minutes left. Are there any questions from the audience in your current implementation of your tool? You're doing the analysis, can you also identify segregation of duty violations in there?

Yeah, Yeah, so it, it's, it's a bit similar to the, I added the screenshot of the overview of a team. So that's what we call with a peer review that's useful for the, the role analysis and the outlier analysis, but you can do the same for separation of duty and we, we work with some, some larger companies, more mature companies and their, the, the process was that they were doing a lot of interviews and they had these immense Excel sheets of all the roles that were assigned to at least some people in the, some persons in the, in the department.

And then thinking of all the possible combinations. Again, if you take more of a data approach, you can vastly improve the efficiency of that process. If you see that no one has that combination, don't spend time on this. If you see that 2000 of the, of the 3000 employees have that combination, probably you would've noticed that it is a conflict in the past.

So again, don't spend time on it, but look at the outliers. If only two out of the 2000 people have a certain combination, look at that and ask yourself whether that should be there or not.

And again, that that's a more yeah, step by step data driven approach to the same problem based on your as this situation. Yeah. There's another online question. It says how the legacy system accounts are onboarded on anonymity. Is it possible?

Yeah, definitely. So I didn't spend too much time on the platform itself. On the slide I always put the, the, the usual suspects like active directory and Azure ad, but all, all of our customers have on-premise, leg on-premise applications, legacy applications, custom applications. And so all of them use what we call a custom connector where you define the, the data model and then you can input data anywhere you want, query from the database to CSV uploads using the api. That's how the system is used all to, to get that data into one system as quickly as possible.

That's really the goal of the platform. Yeah. We have two minutes left. Any other questions? Not then. Thank you. Thank you. Thank you.