I Failed my IT Security Audit
- We were unable to identify all access rights with our manual process.
- We could not detect all the violations and failed to implement compensating controls.
- We discovered some improper access rights/roles but were unable to identify them all.
- We couldn't produce proof of the access controls (such as whose access was revoked and when).
How do I fix this?
- Use an automated process to collect access rights and analyze the status quo.
- Implement a tool to detect violations and assign compensating controls.
- Use a system to run periodic access reviews and a re-certification process.
- Implement a mechanism to automatically remove improper user access rights/roles.
I am finding errors with our manual access review process
- It takes so much time to collect existing user access information from various systems.
- It is prone to errors.
- Supervisors end up providing blanket approvals without proper understanding.
- There is no mechanism to ensure that user access is actually revoked in the end systems.
What should I do?
- Use a system that provides enterprise-wide visibility into user entitlements across all selected platforms.
- Empower business managers with a tool that makes them responsible and accountable for reviewing who should have access and lets them certify its appropriateness.
- Leverage an authoritative system of record that provides the evidence of access compliance for auditors.
- Implement a process that validates access information and corrections through a closed-loop process.
Unable to ensure whether the user access has been revoked or not
- Unable to guarantee that the user access has actually been granted and, even worse,
- Unable to guarantee that it has been revoked when it needs to be revoked.
How can I ensure that what has been revoked has actually been revoked?
- Use an automated review process.
- Have supervisors review a list of all access to verify and certify correct access.
- Use a process that confirms that your validation loop is closed.
Access Review as a Service (ARaaS)
In a world with a heightened sense of security risk, where can you turn for a solution with reasonable cost that can address these questions and concerns?
At ILANTUS, we developed a simple, fast and affordable cloud-based solution to collect, review and certify that the right people have the right access to the right data.
This is how ILANTUS ARaaS (Access Review as a Service) will guarantee an AUDIT PASS:
- ARaaS meets compliance and other regulatory requirements by implementing an automated, scheduled process for user access certification.
- ARaaS meets the regulatory and audit requirements by following a repeatable and scalable process.
- ARaaS ensures that users have only the access to data and the authority within applications that they need to perform their job.
- ARaaS provides robust reporting and analysis tools to track and measure compliance.
- ARaaS maintains a system of record for evidence of compliance and ensures its continuity.