Performing User Access Reviews Quickly & Efficiently.

Background

Common in many companies, various teams with differing philosophies installed the customer’s 25 enterprise applications over the last ten years. This disjointed approach has resulted in an application landscape with 5-10 unique user identifiers that may not be consistent with each other. Additionally, active directory manages some of the applications and other applications utilize local accounts.

The company’s HR system only includes full-time employees and less than 25% of active contractors. The existing HR configuration means part-time employees and 75% of the contractors are not assigned a universal identifier, making user access reviews complicated.

Compiling the information and running the correlations for the user access report takes the company weeks to complete. After the report is complete, the IT team must wait for all the managers to respond before remediating any findings. The responses often take weeks or months to collect.

Company Profile

Since the company is responsible for over 750 websites, they face regulatory requirements to perform user access reviews on a semi-annual basis. The purpose of these reviews is to ensure that employees do not have inappropriate access.

Company Profile

Since the company is responsible for over 750 websites, they face regulatory requirements to perform user access reviews on a semi-annual basis. The purpose of these reviews is to ensure that employees do not have inappropriate access.

Clarity Security’s Solution

The customer’s goal is to speed up the time it takes to complete a user access review without compromising accuracy.

Once ratified during the onboarding process, these policies will automatically provision accounts based on a user’s position in the company. Access is not granted on a user-by-user basis but through a role-based system. This approach removes the dependency on managers’ in-depth understanding of the enterprise application landscape and knowing all their employee’s access points. With Clarity Security, managers only need to verify that their employees are still employed and have the correct title.

Our manager portal caters to the non-IT professionals by presenting the users and information for manager review in a simple-to-understand format. Once the managers review the items, their change submissions trigger the remediation activities automatically.

The Results

Non-Personal Data

Before Clarity Security, the company’s user access review cycle was a 6-week process twice a year. The effort includes running reports, generating spreadsheets, and performing hundreds of correlation searches – all taking anywhere from 40 to 80 hours to complete.

With Clarity Security, the 40 to 80 hours compresses into a 5-minute effort consisting of logging into the portal and clicking “Initiate User Access Review.” Managers are then immediately notified, and their responses and changes are tracked and maintained within our system.

Review & Remediation

Without Clarity Security, the IT team would need to contact all of the managers after the user access report is generated and compile their responses into a master spreadsheet. Once all responses were received, tickets were created with the respective teams to disable or correct access with an SLA of 14 days. Ticket-based remediation means that ticket submission occurs after the full user review is complete. Each application requires a remediation ticket.

After implementing Clarity Security, managers can log into their portal to see the items they need to review. As the managers log their responses, corrective actions (adding and removing access) occur in real-time. This approach eliminates the time to remediate and allows the IT teams to focus on other initiatives.

Reducing Costs by Identifying Orphaned Accounts

Background

This company faces a familiar problem for many organizations. While there may be HR procedures for terminating an employee, the other departments are often disjointed and are not a part of the formal termination procedure. This means any applications that are not centrally managed begin to accumulate a wealth of former employees. When coupled with contractors and temp employees not being managed through the HR system, the number of accounts that stay active post departure gets out of hand quickly.

 

Due to the subscription model many SaaS apps use, these accounts incur unnecessary license costs the moment employees leave the company.

 

Company Profile

The Digital Marketing Company has faced rapid growth, resulting in the expansion of departments and new employees. In turn, new applications and tools are onboarded across the organization.

 

Key Challenge

The company has found hundreds of active application accounts for terminated employees. Due to SaaS subscription models, the company has unknowingly been paying for these users even though the accounts are unused.

Clarity Security’s Solution

Clarity Security provides instantaneous proof of value through our Identity Unification™ process. Once the APIs and Webhooks are established into the enterprise applications and HR system, we automatically begin to match the accounts using proprietary mapping algorithms. After the algorithms complete (less than an hour), a report is prepared for administrators that outlines every instance where:

  • Unique usernames appear

  • An account has not been logged into in 30 days

  • A username appears in a handful of applications but none of the directory services

 

As administrators review the findings, they can act immediately by deprovisioning the accounts directly from our portal.

 

The Results

The Digital Marketing Company’s IT team speculated that there were 200 active user accounts associated with employees no longer with the company. After completing Identity Unification™, we identified 350 active user accounts in AD, all of which were no longer employed by the company. After deprovisioning these accounts, we were able to free up 10% of their IT license spend.

 
 

The Digital Marketing Company has successfully freed up 10% of their IT license spend by eliminating orphaned accounts.

Streamlining Terminations and Access Removal Through Automation

Background

The Digital Marketing Company is responsible for the management of over 200 websites, SEO, and content creation for their customer base. The Digital Marketing Company’s developers and content team have access to a wealth of intellectual property, making it crucial that there is a timely deprovisioning process in place.

 

As The Digital Marketing Company grew, the number of employees and applications grew along with it. Unfortunately, an identity management solution was not set up to scale with the growth in the business. Through the years, as new applications were onboarded, access provisioning and deprovisioning procedures were half-heartedly created and left undocumented. As the creators of those procedures left the company, the access policies were forgotten.

 

The lost procedures seemed harmless until a disgruntled employee was terminated and took advantage of the company’s weak identity governance policy. After their termination, the former employee was able to log back into sensitive systems and delete customer data, take down multiple websites, and halt business processes for numerous clients.

 

Company Profile

The Digital Marketing Company is responsible for the management of over 200 websites, SEO, and content creation for their customer base. The Digital Marketing Company’s developers and content team have access to a wealth of intellectual property, making it crucial that there is a timely deprovisioning process in place.

 

Key Challenge

The company has no process or system in place to eliminate all access for terminated employees in a timely manner, resulting in vulnerabilities and risk. Developing internal processes has been unsuccessful and too time consuming.

Clarity Security’s Solution

The Digital Marketing Company’s goal is simple – make access deprovisioning painless and straightforward without overhauling their HR system, applications, or infrastructure. Clarity Security’s innovative identity governance solution can solve their problems while matching their constraints.

 

First, we use our extensive application integration library to tie into their HR system and SaaS, cloud, and homegrown applications. This connection allows us to automatically map out access roles that define what applications and entitlements their employees should access.

 

Once these roles are in place, the Clarity Security system monitors the company’s HR system for any employee terminations. When a change happens, our system triggers events to initiate and complete the deprovisioning activities automatically.

 

The Results

Our platform has consolidated and automated the termination workflow for our customer. When management and HR decides it is time to let an employee go, a member of the HR team initiates the termination from within the HR application. This initiates the deprovision workflow and disables the employees access within 5 minutes of the final click.

 

With Clarity Security, The Digital Marketing Company can rest assured that any disgruntles employees will not be able to access sensitive systems and cause expensive damages.

 
 

The Digital Marketing Company can now easily provision, deprovision, and adjust access as needed through Clarity Security’s automated identity governance platform.

Simplifying Onboarding with Automated Access Generation

Background

Due to undocumented procedures, shadow IT, and lost tribal knowledge, a new hire can be left without all of the access they need for months.

One of the challenges faced by the development team is AWS provisioning. Their current AWS new-hire processes results in new employees waiting for up to 3 months before they can perform all of their required tasks in AWS. This is due to a heavy reliance on tickets, tribal knowledge, and multiple bottlenecks throughout the process.

Additionally, the Digital Marketing Company has regulatory requirements that require specific approvals before certain access is provisioned. Meaning, if a hiring manager does not know about the requirement, the access will go un-provisioned indefinitely.

 

Company Profile

The Digital Marketing Company is responsible for the management of over 750 websites, SEO, and content creation for their customer base. Internal processes are built around agility, precision and speed. The expectation is that a new-hire should have the tools and resources available day one.

Key Challenge

The company faces bottlenecks while manually provisioning new hires, meaning users are left without critical access for months.

 

Clarity Security’s Solution

Clarity Security’s role generation and access automation were implemented into The Digital Marketing Company’s environment to alleviate the reliance on tickets, eliminate the need for tribal knowledge, and remove the bottlenecks.

Following the conclusion of Identity Unification™, access roles are generated based on the current environment and tailored to be the gold-standard for the company. Once the roles are set, a new hire’s organizational attributes are evaluated by Clarity Security and the appropriate access is provisioned through our event processor.

For access that cannot be provisioned automatically, custom workflows were developed that notify approvers daily to review the request. If the access is approved, the event processor then automatically provisions the access.

The Results

Prior to Clarity Security, it wasn’t uncommon for a newly hired junior developer to be without their required access for two months. After implementing Clarity Security, all access is provisioned immediately after the employee is finalized in the HR system.

The Digital Marketing Company can now easily provision, deprovision, and adjust access as needed through Clarity Security’s automated identity governance platform.