Say goodbye to manual user access reviews

Post by Glenn Folkes, Regional Sales Director

User access reviews are an important part of every Compliance Program. Yet even today, delivering accurate, easy-to-review user access information is incredibly difficult.

In this post, I’d like to explain why, and touch on another approach.

Ok, so why does this happen? Any large business will have a complex IT environment. That often means a collection of siloed applications, legacy systems, in-house apps, customer information or physical security systems. And let us not forget IoT, or customer and vendor access portals. Commonly this is described by our customers as ‘if you can imagine it, we have it’.

Inevitably, each will have a different administration model. This means that just extracting basic user access data can be time-consuming, and even plain difficult. The output data can be dense and technical, and still not give line managers the actual names of the people using that application. If you consider some of your legacy applications, the security model can be quite novel and require specialist skills to interpret.

So with this context, the collection and correlation of user access data across systems, roles, teams or security controls can get ugly quickly. It’s also time-consuming and often delayed.

The impact is that line managers are being asked to recertify user access based on incomplete or out-of-date data. We end up with ‘Tick & Flick’ access reviews, and compliance theatre. Inevitably, audit red flags appear, and questions get asked.

In any organisation where compliance is a non-negotiable, this scenario is becoming increasingly unacceptable.  

Of course there is a better way to handle this.

RightCrowd IQ automates the collection and correlation of user access data. Access reviews can be scheduled in the product as per the Audit Plan, and user access reports are sent to the appropriate approvers. User access reviews can be tracked and managed, and review reports can be supplied to external auditors.

The most significant benefits come from the provision of up-to-date user access information to approvers. Accurate data means that re-certification decisions have a real impact on compliance and security. It gives you the ability to talk with team leaders and application owners, and for them to see what their people can access today.