Of all the projects that can be done in the identity and access management (IAM) space, identity governance is often considered the most intrusive. In order to understand why this is, let’s compare other common IAM projects:
Privileged Access Management
These projects add incredible value to organizations from a security perspective, but because it is behind the scenes, 99% of users at an organization won’t notice a change.
The IAM projects that set up automated provisioning add value to users. Their request process becomes either automated or at least an easier and faster process. These projects are a win for users at organizations because they save time and headaches.
Who doesn’t like faster access to applications? Just like automated provisioning, these projects are another big win for users at an organization. Logging in gets easier and users will have fewer passwords to remember.
Identity governance is different. Here, the outcome of the project will be to place additional work on many people at the organization. Most commonly, we help organizations launch identity governance programs where managers at the organization act as reviewers. On average, each manager has 10 direct reports. So if a company has 8,000 employees, this means 800 people are going to take on additional work. Even if this work is easy and important, it is still more work.
How Outsourcing Can Help
So how does outsourcing the management of access review programs help? Put simply, it takes the ownership away from any single resource or team at an organization and outsources it to a third-party company.
When performing reviews, those review requests have to come from somewhere. When email reminders are sent from someone like the IT manager, they are held responsible for all issues. In large companies, this can completely takeover all their resources.
That is where a third party like GCA can help.
Benefit #1: Outsource the Request to a third party
IAM providers like GCA offer Compliance as a Service (CaaS), a solution that takes over the end-to-end management of access review campaigns. This solves the ownership problem because although an IT manager may still be the application owner, the request to 800 managers to do additional work comes from a third party, which removes the political pressure.
Benefit #2: Save Application Owner Time
Another benefit is time savings for internal teams. During access reviews, the most common questions relate to data: “This user doesn’t report to me, why am I reviewing their access?” or “What access does this group grant?”
These are questions that aren’t technically complicated but still take a bit of time and communication to find answers.
Benefit #3: Appease the Auditors
Ultimately, organizations create access review programs to satisfy compliance controls. One of the best benefits of CaaS is that your organization won’t need to be involved with auditors. Each time the auditors perform their review, the third party meets with them and collects all the evidence they need. This all but ensures a smooth audit process while simultaneously saving your team time.