How to Take the Pain out of User Access Review
Periodic review of users' privileges is a key control for publicly listed businesses that must comply with Sarbanes-Oxley section 404. However, the access certification process (also known as user access review) creates a tremendous burden: collecting user access data, sending out error-prone spreadsheets, and then waiting for replies from control managers and process owners.
Rapidly growing cybersecurity risks have increased the need for businesses to follow the National Institute of Standards and Technology Cybersecurity Framework. Cybersecurity measures include access review to limit access to sensitive privileges and data to only authorized users. Any unauthorized access must be terminated to eliminate any threats. Without effective access controls, businesses cannot ensure the sensitive data they are responsible for is kept safe from hackers and cybercriminals.
Join SafePaaS CEO Adil Khan and VP Solution Specialist Bob Enders as they discuss how you can streamline the access review process with automated workflows to reduce the cost of SOX compliance and mitigate cybersecurity risks. They will also share a recent case study of a global Fortune 500 company that adopted the solution across the entire enterprise.
Learn how to prevent the risk of application access control failure by completely automating the enterprise certification process for ALL IDENTITIES across the application and ALL other data sources, including IDM, IGA, ITSM, Database, and Servers.
How a Fortune 500 Company adopted SafePaaS to automate the entire process
Emma - Good afternoon, everybody and welcome to today's session, “How to Take the Pain out of User Access Reviews.” My name's Emma, for those of you who don't know me. Welcome to our monthly webinar series. I'm delighted to be joined by Adil Khan, SafePaaS CEO and Bob is our VP Solutions Specialist.
Just a few housekeeping items before we get started today. This session will be recorded for reference after the session. We will have time for Q&A at the end, so if anybody has any questions, feel free to pop those in the control panel and we'll get to those at the end of the session. So, Bob, if you'd like to go to the next slide, I'll briefly talk through the agenda we're going to be following today.
So we'll be talking about opportunities and best practices, essential capabilities to look for, and business drivers; we will talk through a recent case study of how a Fortune 500 company has adopted SafePaaS across the enterprise, and then go into a quick demo, if we have time. So, Adil, over to you.
Adil - OK, thank you, Emma and Bob and everybody for joining today's session. I think it's a really important topic, especially in the recent months where we have seen an increased focus on access governance. We've done a lot of educational webinars around policy based access, segregation of duties etc… but what we're seeing is a big need in the market right now around access certification capabilities. That’s what I'm going to talk about today. This slide sort of describes that: when we talk about access governance, what does that mean?
Many times, folks think that access governance is about users and passwords, and making sure that you know and that's great. That's really good housekeeping for security, but access governance is much broader than that. It's typically, a company has policies around access governance that drives the controls, and the security and the business. You have to sort of step back and look at the enterprise level. And so, what we're talking today about is, not just being able to define policies and control access based on those policies, but also specifically around, how do you certify that access and how do you make sure that the users that do have access, as they're changing jobs, coming and going into organizations or within the organization moving roles, how do you manage that? Because that's an area that's getting exploited for ransomware for various types of cybersecurity threats that the market is facing today.
And so we're going to talk about how to prevent that, how to mitigate that risk, where possible. So it involves various aspects of access governance. Like I said, it's also user provisioning, fine-grained access. It's about privileged access management. It's about continuously monitoring the processes themselves, where many of the fraudulent or cyber threats are being captured today, and so that's the overall series of what access governance is - we’re picking one more slice of that today, which is specifically around access certification.
So, let's talk about where the opportunity is. So I picked this out of a Gartner report, a recent Gartner study, that is a couple of years old, but basically it talks about the access management market and what's happened because of these threats that I've talked about, cyber threats. What's happening in the market is the access management problem has changed. Initially, it was more about consolidating all your identities into a single manageable platform so you could manage thousands of different identities, user, non-user, service accounts etc…, from one place, one throat to choke, as I say.
And then we realized that even with that technology in place, which is now a couple of decades old, the identity access management systems weren't really addressing the problem of the cyberthreats that have popped up in the market now more aggressively in recent years. So privileged access management is becoming a big part of that. IGA is becoming a big part of that.
So, we're going to focus on those aspects today, and the reason I wanted to share this data with you is because that gives you an idea of the opportunities. So what Gartner, in their analysis of the governance market determined, is that the market is shifting. The old technology that was built a couple of decades ago is no longer addressing the needs. And what's interesting to me, on the right side of that graph is, based on the responses that they got from their customers, that the technology environment has changed. We're all going to digital. We're all cloud. And so, your requirements are different today than they were when you possibly first implemented, let's say, Active Directory, or some of the older systems.
And so, 30% of the respondents said that they’re replacing their incumbent system.
And that's definitely an opportunity you have today. You can get, for example, a more modern system like Okta or Azure that has that capability, but even with those capabilities. And then in the cloud, as any other observation, even with those capabilities, unless you have good policies that drive the controls, you're still, access governance wise, you're still lacking.
So, as you're making these decisions around changing or upgrading your system, so you're just looking to maybe just keep the system as you are as they are, because you've got other priorities, like dealing with customer service and supply chain issues.
We'll talk a little bit about how we can also leverage what you have today, not necessarily have to go buy something new, but you can add on SafePaaS capabilities on your current IAM system, current ITSM system, and that's basically the piece that I could get out to you is that whether you want to add and upgrade to your new system or stay with it, what you have, we want to help you be able to govern your access better.
So with that in mind, what are the capabilities you should be looking for in Access Certification?
So, Access Certification is a process, like any other process in your access governance area or domain. So, you want to have a really simple process because it touches every manager in the organization that has reporting as a role. So, any supervisor that has one or more employees, staff members reporting to them, will have to certify the access they have granted or approved in the past. And that's the central stepping stone on getting your access going. So you could do that today, maybe you're doing that today in spreadsheets, you're using e-mails. If you're a small company, you can send out e-mails and say, “Hey, you know, Bob has three employees. Bob, can you confirm that these employees have access to Salesforce and Cloud ERP, and these responsibilities and roles”, and Bob gets an answer back, and the audit will use that to verify if there's a change - if somebody has changed roles, you can do that. So you can start with anything; you're probably doing that today - that's why you're attending this webinar, because you're doing something, or you may have something on the more extreme side.
We work with enterprise customers, the largest customers in the world, that have a very cumbersome process, where they automate tests, run scripts, generate reports out of those scripts, then send them out to different organizations around the world.
We have customers that are in 100 plus countries, they're using some sort of a tool they bought many years ago, but what they've discovered using these tools is that they're based on abstract roles. So they don't actually go down to the entitlement level.
I'll give you an example of that. So if you have, let us say, Finance Manager as a role defined in your provisioning system, and that's what your managers are accustomed to seeing. So, let's say Emma has Finance Manager as the role assigned to her, but she's no longer in finance. She's moved into marketing, so her manager receives the request and they realize that's OK and just terminate it. But other cases are more nuanced. So let's say that Emma is still in finance, but she's moved from accounts receivable to accounts payable. Now, it's a little tricky, because the finance manager role doesn't tell you what privileges she has. So she may have had the ability to create invoices and pay invoices in the past through approval, but now she has the ability to change credit limits, and because she's in marketing and she has AR responsibilities, now she might be able to change customer credit limits and issue orders that would exceed the customer limit. So these are the kinds of problems that our customers report at the enterprise side, where the privileges are scattered across many applications. And roles are changing constantly, so you need some way of centralizing that control, and that's what consolidated Controls Management means, that second point that we have on the top of the slide. So we talk about having an intuitive capability, and then the ability to consolidate that into a single platform. So if you're doing one way of certifying in Salesforce, another way of certifying in Workday, and another in SAP, it's hard for the executives to really rely on that data, because now you have to manually reconcile all these systems and users. And that's where the problem is at the top end of the market. So in the low end of the market, it's e-mails and spreadsheets; on the high end of the market, even if you're using tools that are doing catalog level approvals, it's hard to get to that.
The third challenge that we help address, and the capability to help you address it, is the capability to do closed loop access. So, it's one thing to send out an e-mail and get, “hey, did you approve it or not?” and get a response back, hopefully. It's another to actually have a closed loop system. So, if somebody says, “Hey, Emma doesn't need access to accounts payable any more,” um, well, what then? Did that get taken away from Emma? Or does she still have that access? We call that remediation, risk remediation. It has to be timely because you're relying on the work that the staff is doing to report your financial results. So, if that issue stays open or it’s open-ended, and the year’s gone by, I mean, now your financial statements are at risk because now somebody is going to question that: hey, if Emma had access to these items, did she in fact process something? Now, you’ve got to go and do another investigation, what we call Materialized Risk Analysis, look back analysis in the audit world.
So now you’ve got more burden on you. So to avoid that, you need closed loop remediation where you can automatically remove the access when it's discovered through access certification. And I'm just surprised to find out how many customers are really struggling with that. So, they're using tools, whether it's spreadsheets or e-mails or even some IAM, IGA tools, traditional legacy tools that don't do that.
So, all that investment they've made is not producing the benefits that they were promised. And so, that's an important problem for you to look at if you’re out in the market looking for solutions. Definitely having the ability to remediate is a key part. That's many times overlooked from our experience. And then ultimately, on the top right, the fourth graphic there is, you know, does it really reduce the time?
So, ultimately, any investment today is on a return on investment basis, a business justification. How does that justify that? So, having these global roles and entitlements consolidated into a platform like SafePaaS, as Bob will show later in the presentation, really helps you reduce that cost and the burden on your IT systems because now you can do self-service ticketing. So, instead of that ticket being logged into something like ServiceNow, Jira, Remedy, that ticket will be automatically generated, it'll get processed, you will get an update back that, hey, it's approved, and you will move on. So, now, you have a closed loop system, and you’re synchronizing your IAM system. You're making sure that IGA, IAM is synchronized. So that when, let's say you're using SailPoint for provisioning, or you're using, I don't know, Okta for provisioning.
So when the provisioning requests are coming in, you can pick those up. So if there's new requests coming in, you can add them to your certification list automatically. So next time you do a quarterly recertification or review, you will have that already in place. So that integration is really important, because if you're doing that manually, chances are errors will occur, and you'll end up with a finding. One of the most common findings that we see these days is where audit is looking at what was in the provisioning system, in other words, what request came in; what was certified in the certification system, if it's the same as the provisioning system or different; and what's actually in the systems where the user access was provisioned - fulfilled.
And if you don't have all that integrated, chances are some users, through exceptions, emergency access, whatever, got access to the entitlements and roles which are not part of the records, recordkeeping, and therefore you have an audit finding now. So, that's a common request we're seeing, as more and more customers have moved on to, you know, a multi sort of a Cloud environment, hybrid environment. We're seeing that as becoming a real pain, and increasing the cost on IT to be able to remediate these kinds of issues offline in a manual way. So those are some essential capabilities that I wanted to highlight, that you should look for as you think about ways to improve your certification process, in response to this increased threat, the cyber threat, and other fraud risks that we're seeing in the market today.
So, the next thing I'll talk about is, now that we understand that there's pain points, and there are needs that you can improve on, how to justify the cost. How do you actually go to business, people that pay for this stuff, and justify that? So, some of the common things that we're seeing our customers ask for when they're asking for budget is improving that risk around the impact we're seeing on daily news, from the cyber. So that's one justification of why you do something.
There's also insider threats. Economies are in turmoil in various regions in the world, and we normally see fraud risk go up. There was a story about Yale University I read in the Times just a couple of months ago, where a long term employee was essentially buying online. So, buying computers online, and then driving down 100 miles and selling them on Amazon or eBay, or something like that. And she had caused, I don't remember now, but tens of thousands, if not hundreds of thousands, of fraud, and that's one control, really. And that is an insider threat. People that create suppliers should not be paying suppliers. If I could create a supplier, change the bank account, or even put myself as a supplier and then pay myself in accounts payable, I can cause a lot of damage. So, that's just a recent example that comes to my mind.
Auditors are getting more vigilant. So, auditors are improving their analytics capabilities. They're looking deeper. In the old days, they would use the checklist approach, and just ask some good questions and put a sample out. Now, they are coming in with audit tools, analytics, like the one SafePaaS offers. In fact, some of the audit firms use SafePaaS. So, they're coming in and doing that for 100%. And they're not doing sampling anymore because of this heightened risk. So, the cost and burden on you goes up if the auditor finds the issue before you find it. Because now you have visibility into it and it's not prevented and therefore it's detected by the auditor, and now you have to revisit your process and the control design and rework a lot of that. So, there's a lot of effort on your part there.
So, auditors are increasingly demanding of that. They're saying, please do your certification in this way; if you're not doing them in a way that we can rely on, we're going to come out and do a manual audit, and that's very costly for you.
I already talked about hybrid work model. So, we need access everywhere. You know, we can’t work from one place anymore, for various reasons, COVID being the most obvious one. But also, just the way we're mobile, we're more mobile. What we learned from COVID is that we should be able to work from anywhere anytime that the company and the business requires and our customers require our attention. So, this hybrid work creates a new opportunity and a new business driver for us, because it has made us more agile and productive in many cases. But now we have the ability to access information anywhere, including our mobile devices. And so, being able to have those privileges and roles certified more often, and more frequently, it's more important.
Next bullet point there talks about privileges that are granted and approved periodically.
So not only are we seeing that users are moving, technology is moving too. So, the privileges that are enabled within the application are changing. Vendors, ERP vendors, are introducing new capabilities every month, every quarter. We're seeing in the cloud frequent updates; especially our cloud customers are reporting a need for having a continuous review of the privileges that are being adopted to improve digital transformation, but they also create a risk, and so that risk has to be mitigated.
An example is, I have Payables Inquiry access, but suddenly we get a new patch or a new release in the cloud. And that now enables me to get access to a privilege that creates the supplier using that role. So, those are the kinds of risks that we want to help you prevent.
And then, what it does is that, you know, you can save those hundreds of hours that you spend manually doing this work, and automate that through the business.
Last couple of bullet points around internal security. So, you have your following security model, let's say you have an ITGC Controls Matrix, and you want to be able to implement these new security standards. It’s one thing, to design them and document them. It's another to provide evidence to audit. So being able to do audit analytics around these standards, to make sure that only the users, that should have access to the company's most important asset, which is information, have the right access.
And then ultimately eliminate the error-prone spreadsheets and so forth.
So there are many we have listed here. They may not be all relevant to you, but pick and choose what's relevant to you, and apply that to your business and create a justification to make a business case for this.
I'm just going to reinforce why this is an important business driver, with an exact customer example, and how other customers are using it. I wanted to just share an example of a customer that I recently worked with. It's a customer that has many applications, including Oracle E-Business Suite and Cloud ERP as well.
They use ServiceNow and SailPoint. They are in over 100 countries, including, um, the countries where there's a war going on, you know, that's in the paper every day, so there's significant risk around access to information and applications and data. And so, they needed a more robust way of doing tight certification, closed loop certification, those capabilities that I talked about; those are the capabilities they're looking for, and it was fairly manual. So, many of the steps, whether it was policy or the audit trail around certification, were manual. And that had escalated to a finding that required better protection around data management, fraud risk management, and so forth. So many business drivers. They came to us. And we do a lot of evaluations and POCs with our customers to make it easy for them to really see the outcomes before they ever make the decision to move forward with SafePaaS.
So we did an extensive proof of concept around this area, and it ended up that they really liked the capabilities that Bob will show you in a minute about certification. And so they are using the full platform of AccessPaaS as well as MonitorPaaS, which is something we're not touching on in today's session. But there's plenty of material on our website if you want to read about it.
So in terms of access certifications, what they're doing today is using SafePaaS for segregation of duties, for doing remediation using that automated process I described as one of the key requirements. And they're doing it in a self-service kind of a way.
So what that means is that the managers can go in and certify and issue termination when the certification requires that justification. They're also being able to use this capability down the line to do provisioning, right, so being able to do provisioning that has components of fine-grained access. In other words, we apply a policy to every request that comes in from a user for access, and then when the request has potential conflicts with a policy, so let's say somebody's requesting access to payments and suppliers, that will generate a conflict and red flag to their manager, or the control owners, and the business process owners, and prevent that access.
Then, today, what we'll talk about, I'll hand it over to Bob, is about how are they doing certifications. Because certifications not only help with the cyber threats, but also reduces your segregation of duty risks, because what we find many times the policies that are being violated by accounts that are no longer active, they're dormant accounts. These never have been terminated because of various changes in the business, or technology.
So, that's kind of a quick case study on a client that I recently worked with, I think, is one more slide or this, next to you, Bob?
This is a transition slide? Yeah, why don't, why don't you pick up here, and kinda walk us through what we did.
Bob - At the end of the presentation, we’re going to introduce you to our Enterprise Certification Access Manager. We'll do a little bit of a demonstration, but I think it's important to review this particular slide. We have a converged platform that came out of the case study that Adil just described. And it's kind of stepping through the different tasks and processes.
I go to point number one here, integration. Essentially, we pull ERP data out of the application, bring it into SafePaaS. And then SafePaaS provides certain analytics or certain capabilities relative to managing access. Segregation of duties is one, user provisioning is another.
Today's presentation is access certification.
So we bring that data in, we go to step number two, and the real strength of what SafePaaS has provided there, the Enterprise Access Certification solution, is unlimited data sources. Not only does it work within the ERP itself, but also your database, your operating system, your network. Basically, any data source that you want to do certification against. So we can bring that data into SafePaaS to provide that analysis that you want with respect to certification.
Go to step number three.
The access review and certification: periodically, you want to review individuals' access. You assign your process owners, you assign certain roles and responsibilities to the process owner, and then that process owner can go and view what individuals have access to this part of the business. They can make a determination whether to allow it or request that it be terminated.
Step number four.
SafePaaS provides full access to the audit organization, so they can review the results that are in SafePaaS. Adil mentioned closed loop remediation; all that information is being tracked in SafePaaS and also in the ticketing applications.
Go to step five.
We also provide integration to ticketing solutions, such as ServiceNow. So if you're generating that access certification, and the control owner, or process owner, wants to have someone terminated in SafePaaS, we can automatically create the ticket in your ticketing application. So that way, it's something that occurs within your ERP, but it's gotta be manually executed, so there is an audit trail of the actual ticket itself. And when that ticket is completed, it feeds back to SafePaaS, so all that information resides in SafePaaS, as it was initiated by SafePaaS but also when it's been completed by the person outside of SafePaaS.
Step number six, which I just described, ticket number, and the status for that ticket number. So that way when it's completed the individuals that have access to SafePaaS can validate, it's been completed.
The next one, point seven, is integration with IAM applications, such as SailPoint, so you can use a provisioning request, provisioned originally from SafePaaS, into the IDM or SailPoint solution. Then, from there, the SailPoint solution would do the necessary steps to integrate that user that's being requested. SafePaaS does an analysis of the rules that have been completed and can update the ERP directly.
So, I just wanted to provide you an overview of this particular slide; it's a little bit busy, but I think it's really important to understand the SafePaaS solution as it stands in relation to identity management.
This is the process that we provide within SafePaaS to do the enterprise access certification. They go through the various swim lanes. Look at swim lane one: you have to identify your applications, your roles, and users. Those are set up within SafePaaS. So, you identify what roles and users are assigned to a specific process owner, roles, responsibilities, and that would be the baseline for the actual certification process.
You bring data in from your ERP, what we call snapshots. Then we bring in the application security model, so the individuals that don’t have access to your ERP.
They have a complete understanding as to what they're going to be providing access to.
I go to the reviewers and approvers - they're assigned to different parts of the application. You can set it up where you may have super user status - somebody in the IT department. You want to make sure that individuals that have that access are being monitored correctly. Then once you initiate those assignments, you run the analysis, and then from there, the business process owners will be notified, through e-mail and a hyperlink, as to what users have access to different parts of the application that they're responsible for. They can go in and make a determination to justify or terminate that access.
Then as you go through that process you can upload that data into SafePaaS, which is being done automatically, while the actual certification process is still open; once it's closed, you can't update any longer.
We have some unique capabilities that can help enforce the complete review of different access. Once that access is updated, then you can run it in SafePaaS; depending on whether it's justified or terminated, it'll kick out a service ticket to remediate that particular access.
This slide, I just want to point out one thing and it's in the title of the slide is Cross linked Data Sources. So, when I say cross link, I can have different applications, or should say different data sources. Users analyzed between those different data sources.
So, if I have somebody that has access to an ERP, I want to see who else has access to the database. So, I can create a cross link relationship between those two different data sources and generate a certification request based on those data sources to identify individuals that have access to both, and the business process owner can make a determination whether they want to allow or terminate that access.
When it comes to workflow, you can define workflow based on attributes or groups.
So, instead of assigning an individual, you can assign it to a group. In this particular example, business unit is the group being used, and individuals that are in the hierarchy within the business. For this example, Australia, we'll do the individuals that are assigned through the process owner review, review of different access, and then also, if there's others such as user assigned, you can also do that. So, once again, the workflow is very flexible and configurable, and you don't have to necessarily assign a specific individual; it's set automatically based on the application and how it’s configured.
This particular slide also represents the cross data source mapping of two different data sources. Here’s a good example of Tririga and also SailPoint. Then we create that relationship, and then, when the certification process is initiated, it identifies the individuals in those different data sources and brings them to the process owners within the review.
The notification process, which we'll see in the actual demonstration, is an e-mail.
The e-mail is sent out to the different process owners, and from there they go and they can use the hyperlink, drill down into a SafePaaS or into the actual certification review.
They make a determination within each individual to have that level of access.
Then, once again, as they continue to update the application updates SafePaaS directly, all the reports are kept current. Then, depending on the dates set to close this survey, it will no longer allow you to update or automatically close it.
As I mentioned previously, as Adil mentioned, you know, there's seamless integration with all data sources, whether on premise or in the Cloud. We provide technology to allow us to bring that data into SafePaaS for that analysis. It's subsequent certification of different users across your organization.
We also have, for your privileged access management requirements, the ability to track your super users, what they have touched, what they have access to in the ERP.
So that way, if you give those individuals that access, and there's certain functions they are performing, since they have super user access, in some cases firefighter in our terminology, those privileged users will be tracked; what they touched while they had that access will be tracked for reports.
Now, we also have significant reporting capabilities, which we'll cover in the demonstration. We have just a simple graph that comes out of the application.
You have the very configurable, each user can configure the reports, the format that they prefer to view that data with its graphical representation, typical rows and columns. And you can configure specific to your needs.
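The closed-loop certification cycle that Adil and Bob describe above (snapshot import from several data sources, cross-linked users, dormant-account and policy-conflict flags for the process owner, a remediation ticket on every terminate decision, and a reconciliation step before the cycle can close) is sketched below as a small Python model. This is an added illustration written for this page, not SafePaaS code; the data sources, users, entitlement names, owner mapping and the create-supplier/pay-supplier policy are constructed assumptions.

```python
"""Minimal closed-loop user access review (access certification) cycle.

Added illustrative example, not SafePaaS code. All data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed entitlement snapshots pulled from two data sources (ERP and database).
SNAPSHOTS: Dict[str, Dict[str, Set[str]]] = {
    "erp": {
        "emma": {"AP_INVOICE_CREATE", "AP_SUPPLIER_CREATE", "AP_INVOICE_PAY"},
        "bob": {"AR_CREDIT_LIMIT_UPDATE"},
        "dan": {"AP_INVOICE_PAY"},  # constructed dormant account: not in the HR feed
    },
    "db": {
        "emma": {"SELECT_ANY_TABLE"},
        "carol": {"DBA"},
    },
}
# Constructed HR feed of active users and their current department.
HR_ACTIVE = {"emma": "marketing", "bob": "finance", "carol": "it"}
# Constructed mapping from entitlement (by prefix) to the process owner who certifies it.
OWNERS = {"AP_": "ap_owner", "AR_": "ar_owner", "SELECT_ANY_TABLE": "dba_owner", "DBA": "dba_owner"}
# Constructed segregation-of-duties policy: entitlement pairs one user must not hold together.
SOD_POLICIES = [({"AP_SUPPLIER_CREATE", "AP_INVOICE_PAY"}, "create supplier and pay supplier")]


@dataclass
class CertItem:
    user: str
    source: str
    entitlement: str
    owner: str
    flags: List[str]
    decision: str = "pending"  # pending | justified | terminate


def owner_for(entitlement: str) -> str:
    for prefix, owner in OWNERS.items():
        if entitlement.startswith(prefix):
            return owner
    return "unassigned"


def cross_linked_users(snapshots):
    """Users that appear in more than one data source (e.g. both ERP and database)."""
    seen: Dict[str, Set[str]] = {}
    for source, users in snapshots.items():
        for user in users:
            seen.setdefault(user, set()).add(source)
    return {u: s for u, s in seen.items() if len(s) > 1}


def build_certification(snapshots, hr_active, policies):
    """One review item per user/source/entitlement, flagged to guide the process owner."""
    items: List[CertItem] = []
    linked = cross_linked_users(snapshots)
    for source, users in snapshots.items():
        for user, ents in users.items():
            flags = []
            if user not in hr_active:
                flags.append("dormant")  # account with no active HR record
            if user in linked:
                flags.append("cross-linked:" + ",".join(sorted(linked[user])))
            all_ents = set().union(*(s.get(user, set()) for s in snapshots.values()))
            for pair, name in policies:
                if pair <= all_ents:  # user holds every entitlement of a conflicting pair
                    flags.append("sod:" + name)
            for ent in sorted(ents):
                items.append(CertItem(user, source, ent, owner_for(ent), list(flags)))
    return items


def decide(items, user, entitlement, decision):
    """Record the process owner's decision for one user/entitlement."""
    for it in items:
        if it.user == user and it.entitlement == entitlement:
            it.decision = decision


def open_tickets(items):
    """Raise a remediation ticket for every terminate decision (the closed-loop step)."""
    return [{"user": it.user, "source": it.source, "entitlement": it.entitlement, "status": "open"}
            for it in items if it.decision == "terminate"]


def reconcile(tickets, snapshots):
    """Re-read the target systems: a ticket closes only when the access is really gone."""
    for t in tickets:
        still_there = t["entitlement"] in snapshots[t["source"]].get(t["user"], set())
        t["status"] = "open" if still_there else "closed"
    return [t for t in tickets if t["status"] == "open"]


def can_close(items, tickets) -> bool:
    """A cycle closes only with no pending decisions and no open remediation tickets."""
    return all(it.decision != "pending" for it in items) and not any(t["status"] == "open" for t in tickets)
```

The point of `reconcile` is the "did that get taken away from Emma?" question from earlier in the session: a terminate decision is not evidence on its own, so the cycle re-reads the fresh snapshot and keeps the ticket open until the entitlement has actually disappeared from the source system.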
Bob Enders, VP Solution Specialist, SafePaaS
Robert Enders is an accomplished business systems professional who has spent over 30 years in the software industry helping public and private sector organizations improve business operations and controls through technology solutions.
Adil Khan, CEO, SafePaaS
Adil Khan is CEO at SafePaaS with over 25 years of experience in enterprise business systems. Adil serves on the board of the Oracle Applications Users Group (OATUG) GRC SIG. He has delivered over 75 presentations on access management trends, best practices, and case studies at many industry conferences.