Regular user access reviews serve to verify and validate that user access to systems and applications is appropriate given their roles and responsibilities within the organization.
The OPSC conducted its access reviews in an entirely manual fashion, supported by spreadsheets which were reviewed and certified. Mpho Basitere, Head of IT for OPSC, explains: “The process was cumbersome and time-consuming and by the time the review was completed, the situation would have changed again, so it was never a true reflection. Access reviews were conducted twice every year, but audit findings showed this was not frequent enough.”
Some of the OPSC applications were hosted by external providers. For access review exercises, the OPSC had to request the information from the application owners, and it would often take 2-4 weeks before all the information was collected. From start to finish, the certification process would take 6-8 weeks to complete. Because the process was so manual, business participation was hard to secure, and this resulted in inadequate reviews and certifications.
The OPSC wanted a solution to help it automate access review and certification so that it could perform monthly reviews. Automatic scheduling was a must too, so that the reviews would not become an onerous task for the identity governance administrator.
Micro Focus presented its NetIQ Identity Governance capabilities, and immediately OPSC could see the potential, according to Basitere: “It was clear that, using Identity Governance, we could satisfy auditors and business managers with intuitive, user-friendly and automated access certification processes and reports. It was a real worry that our business participation was low as this could lead to unidentified orphan or dormant accounts which ultimately present a security risk to the organization.”
Identity Governance keeps initiatives on schedule with automatic system reminders to business reviewers and progress updates for administrators. This means that the identity governance administrator needs only minimal involvement, reviewing any escalated issues.
With a combination of internally and externally hosted applications at OPSC, it was difficult to conduct enterprise-wide access certifications. Using Identity Governance, data from all applications is collected using a wide range of access protocols so that all relevant applications are included in the process.
Once the solution was operational, increased business participation soon followed. Basitere comments: “Access review reporting is made so much easier through Identity Governance. We can conduct far more granular reviews, including privileged user account reviews, as all the information is available within Identity Governance.”
Access revocations are still dealt with manually, but OPSC has included automation of this on its roadmap and Identity Governance fully supports this.