security improvement through elimination of orphaned and dormant accounts
compliance in move from six monthly to monthly access reviews
Replace a manual access review process, which was cumbersome, manual and time-consuming. OPSC wanted to improve business participation and needed a user-friendly solution so that it could increase its access reviews from every six months to monthly to satisfy audit requirements.
Regular user access reviews serve to verify and validate that user access to systems and applications is appropriate given their roles and responsibilities within the organization.
The OPSC conducted its access reviews in an entirely manual fashion, supported by spreadsheets which were reviewed and certified. Mpho Basitere, Head of IT for OPSC, explains: “The process was cumbersome and time-consuming and by the time the review was completed, the situation would have changed again, so it was never a true reflection. Access reviews were conducted twice every year, but audit findings showed this was not frequently enough.”
Some of the OPSC applications were hosted by external providers. For access review exercises they would need to request the information from the application owners and it would often take 2-4 weeks before all the information was collected. From start to finish the certification process would take 6-8 weeks to complete. Business participation was hard to secure as the process was so manual and this resulted in inadequate reviews and certifications.
The OPSC wanted a solution to help them automate access review and certification so that they could perform monthly reviews. Automatic scheduling was a must too, so that it does not become an onerous task for the identity governance administrator.
Mpho Basitere – HEAD OF IT
OPSC
The OPSC is tasked and empowered to investigate, monitor, and evaluate the organization and administration of the public service. This mandate includes evaluation of achievements, and promoting measures that would ensure effective and efficient performance within the public service.
Micro Focus partner Afrocentric IP presented Identity Governance, and immediately OPSC could see the potential, according to Basitere: “It was clear that, using Identity Governance, we could satisfy auditors and business managers with intuitive user-friendly and automated access certification processes and reports. It was a real worry that our business participation was low as this could lead to unidentified orphan or dormant accounts which ultimately present a security risk to the organization.”
Identity Governance ensures initiatives stay on schedule with automatic system reminders to business reviewers and progress updates for administrators. This means that the identity governance administrator only has minimal involvement to review any escalated issues.
With a combination of internally and externally hosted applications, such as BAS, Logis and Persal at OPSC, it was difficult to conduct enterprise-wide access certifications. Using Identity Governance, data from all applications is collected using a wide range of access protocols so that all relevant applications are included in the process.
Once the solution was operational, increased business participation soon followed. Basitere comments: “Access review reporting is made so much easier through Identity Governance. We can conduct far more granular reviews, including privileged user account reviews, as all the information is available within Identity Governance.”
Access revocations are still dealt with manually, but OPSC has included automation of this on its roadmap and Identity Governance fully supports this.
Mpho Basitere – HEAD OF IT
OPSC
Access reviews are now conducted on a monthly basis, which satisfies auditors, and means that the certified information is a true reflection of what currently exists in production. This process requires no paper work and minimal manual intervention.
Basitere: “Using Identity Governance, we have reduced our security risk by at least 50 percent by eliminating any orphaned or dormant accounts, thus closing the security loop available. It has also brought us some cost savings as we will clearly not pay maintenance and renewal charges on those accounts.”
He concludes: “The ability to identify, review, and certify privileged accounts has been really helpful to us. Overall, we are very pleased to have found a solution which has complete buy-in from our business audiences. The monthly access reviews just happen and we always feel confident about the outcome of them. Micro Focus and Afrocentric were fantastic partners for us during this project for us during this project and we can see how expanding our use of Identity Governance will bring us further efficiencies.”
