Access Review Automation
Consumer Products
The client is a subsidiary of a large and diverse conglomerate and is one of the largest equipment and service providers for the Oil and Gas industry. The client was faced with the task of mitigating security risks and of managing and reviewing access to a geographically distributed and technically diverse inventory of applications. The existing manual process was unwieldy, inefficient and limited to a subset of all applications and servers due to resource and time constraints. Moreover, the review and audit team depended on the application teams for user listings, which was time-consuming and not foolproof in spite of the additional burden placed on the application teams.
THE BUZZCLAN SOLUTION
The solution was to shift the task of retrieving the user listings from the application teams to the access review team and then implement an efficient and scalable automation solution. The BuzzClan team worked with the application owners and technology teams to understand the existing process and the technological profile of each application. The team analyzed the various categories of data sources and categorized the applications for which the data source was unknown. Alternate solutions were analyzed and proposed to the client where available. The team then worked with the application teams and the access review team to finalize the automation method for each application.
Requests for service accounts to access the various data sources were initiated, and the BuzzClan team recommended creating read-only accounts with access to only the minimum artifacts or tables necessary to retrieve the user listings. This was recommended to mitigate the security risks from the service accounts created for the access review.
The proposed solutions were broadly categorized by the type of review and the technological profile of the application. A solution template was created for each kind of database and for the other identified data sources. A scalable generic solution was identified for database and application server level audits. The BuzzClan team developed, tested and optimized user listing extraction scripts for various applications, and generic extraction scripts were created for the application and database servers. The BuzzClan team analyzed various automation solutions, and Oracle Data Integrator (ODI) was chosen as the automation orchestration tool based on the client’s preference. An initial proof of concept (POC) was implemented for various kinds of data sources. The rest of the applications were automated using ODI after the POC was accepted.
- The automation process was configured to generate files that are ready to be uploaded to Oracle Identity Analytics (OIA), eliminating another manual step performed by the access review team.
- Reduced burden on the application teams, who are freed from the manual process of generating and sending the user listings, as well as from the additional documentation they had to generate during the extraction process as proof of the time when the listings were generated.
- Reduced burden on the access review team by eliminating the multiple email requests to the application teams for the user listings, with significant efficiency gains to the access review process.
- Security risk mitigation by ensuring that the user listing that is generated is up to date and complete. Though the application teams were obligated to provide proof of up-to-date listings during the previous process, the process was not entirely foolproof.
- Increased footprint with a scalable solution that can be extended to many more applications and servers, which was not practically feasible using the manual process. The reduced number of steps in the access review workflow adds to the efficiency gains.