
Radiant Logic Welcomes Sam Erdheim as Head of Marketing

March 4, 2025/in Blog The Radiant Team/by Josue Ochoa


At Radiant Logic, we’re excited to announce the appointment of Sam Erdheim as our new Head of Marketing. With over two decades of experience in cybersecurity and enterprise software, Sam brings a strategic vision that will further position Radiant Logic as the leader in Identity Security Posture Management (ISPM).

Strengthening Our Mission to Secure Identity Data

In today’s rapidly evolving digital landscape, mismanaged identity data is one of the most pressing security risks organizations face. Radiant Logic’s Identity Data Platform empowers enterprises to unify, cleanse, and secure identity data at scale—enabling businesses to improve their security posture and accelerate digital transformation.

With Sam at the marketing helm, we’re doubling down on our commitment to helping organizations gain 360º observability into their identity ecosystems. His deep knowledge of cybersecurity and proven track record in driving demand generation, brand awareness, and go-to-market strategies will play a pivotal role in expanding Radiant Logic’s reach.

A Vision for Data-Driven Identity Security

Sam’s background in product marketing and thought leadership at top cybersecurity companies like GuidePoint Security, Fidelis Cybersecurity, and AlgoSec uniquely positions him to lead Radiant Logic’s marketing efforts.

“Radiant Logic has long been the pillar of identity data management and security, and the company’s recent developments further showcase the level of ingenuity and innovation it takes to lead a market,” said Sam Erdheim, VP of Marketing, Radiant Logic. “I’ve seen the huge impact that mismanaged identity data can have on enterprises and I look forward to helping elevate the brand and drive the company’s mission forward. Together with the team, we will continue to innovate and deliver cutting-edge solutions to customers.”

Driving Innovation with Identity Intelligence

Radiant Logic’s Identity Data Platform is the only solution delivering enterprise-wide identity hygiene at scale. By unifying 100% of an organization’s identity data and delivering real-time identity hygiene assessments, our platform helps businesses:

  • Identify and remediate mismanaged identity data
  • Accelerate time-to-value in digital transformation projects
  • Reduce security risk with AI-powered risk remediation
  • Gain unmatched precision in identity analytics and reporting

With Sam leading our marketing efforts, we’re excited to amplify these benefits to a wider audience and help organizations unlock the full potential of their identity data.

What’s Next?

As Radiant Logic continues to expand its footprint in the identity security space, Sam’s leadership will play a key role in driving our brand vision forward. Stay tuned for more updates on how Radiant Logic is revolutionizing identity data management.


Revolutionizing IAM with RadiantOne AI and AIDA

March 19, 2024/in Blog Leanne Debeurre/by Josue Ochoa

In the digital age, identity management and access governance have become critical components of organizational security. The integration of generative AI technology will usher in a new era of identity intelligence, revolutionizing the way organizations visualize and govern identity data with unprecedented speed and accuracy. 

RadiantOne takes a modern approach to identity management by leveraging artificial intelligence (AI) and machine learning (ML) to manage and secure user identities and control access privileges to critical resources within an organization. Our industry-leading platform provides the capability of analyzing large volumes of data at high speeds to support and enhance human decision-making.  

Using Generative AI for Data Management 

The integration of generative AI technology within the RadiantOne platform signifies a pivotal evolution in identity data management. This technological advancement empowers organizations to proactively address anomalies and atypical access rights, setting a new standard for efficiency and compliance in the industry.

“Identity and access management (IAM) has become too complex and fast-changing for humans to identify entities and control their access without the help of automation that uses machine learning (ML). The emerging IAM design vision is that the IAM systems and end users themselves should perform the majority of IAM tasks with appropriate analytics guardrails.” 

—Gartner¹ 

RadiantOne AI promotes a cutting-edge approach that harnesses the power of artificial intelligence to effectively manage, audit, and control identities and their access within an organization. By integrating RadiantOne AI into IGA processes, companies can leverage advanced analytics and machine learning capabilities to streamline identity management and simplify access controls. It will also help tackle the complexities associated with identity management and entitlement sprawl.  

The RadiantOne Identity Data Platform integrates our big data heritage with advanced analytics, dramatically increasing the speed of informed decisions based on accurate data. We apply the power of generative AI to add lightning speed to your current processes and workflows around identity and access management, governance and compliance.  

AIDA: RadiantOne AI’s Guide to More Effective Identity Access Processes

“IAI [Identity Access and Intelligence] is a capability that harnesses GenAI innovation in conjunction with IAM data and analytics efforts to take the application of ML in the IAM field to a new height. Examples are an IAM copilot that can assist with IAM-related tasks, or in-product features that are built on customized GenAI models and orchestration technologies together with other IAM data and analytics systems.” 

—Gartner¹ 

The RadiantOne AI copilot, AIDA—short for Artificial Intelligence Data Assistant—presents an innovative way to navigate identity and access governance. Leveraging the power of large language models and advanced data visualization capabilities, AIDA empowers business line and application managers to accurately review, grant, and revoke access rights via a natural language experience. 

Using RadiantOne AI to Expedite and Improve User Access Reviews 

The inaugural utilization of AIDA within RadiantOne AI involves serving as a generative AI assistant for expediting user access reviews. This advancement has drastically reduced the review duration from days or weeks to mere minutes, signifying a groundbreaking transformation in identity and access management methodologies.

AIDA navigates users through the review process, automating decision-making, enhancing employee productivity, and guaranteeing audit compliance. Simultaneously, it directs focus towards areas needing closer examination.  

Informed by an extensive data model and leveraging over 150 control points, AIDA performs data analysis by highlighting potential risks, providing insights, and suggesting remediations. This approach delivers the visibility necessary for organizations to be informed about identity issues so that proactive actions can be undertaken without removing the human touch from decision-making. 

Through automation, RadiantOne AI effortlessly identifies anomalies, eliminates redundant access privileges, and ensures compliance with regulatory requirements. Companies can control and monitor effective access governance throughout their information systems and make identity-based decisions with confidence, maximizing their overall security posture.   

To learn more about RadiantOne AI or AIDA, or to share thoughts on generative AI for data management, contact us. We’d be happy to show you a demonstration of AIDA or help you get on the waitlist today.

1: Identity and Access Intelligence Innovation with Generative AI, Gartner, August 11, 2023, by Analyst Homan Farahmand 


Making Identity Hygiene a Non-Negotiable for Organizational Security

March 11, 2024/in Blog Leanne Debeurre/by Josue Ochoa

In today’s hybrid work settings, organizations face a pervasive challenge in effectively handling employee credentials and access across both on-premise and cloud-based environments. This blog will highlight the significance of adopting a strong identity hygiene strategy to protect against data breaches and ensure adherence to internal and external security policies and regulations.

“IAM data availability and quality issues significantly limit IAM capability effectiveness in many organizations.”

—Gartner Predicts 2024: IAM and Data Security Combine to Solve Long-Standing Challenges

What is Identity Hygiene?

The organization’s identity hygiene must be addressed to remediate technical debt, which restricts business agility and security enhancements. According to Gartner: 

“In the context of reducing IAM technical debt, good IAM hygiene is the result of finding and remediating issues with accounts and entitlements that can cause security risks. These issues are usually caused by the prevalence of bad practices when managing user accounts, entitlements, roles and groups. Improving access governance, privileged access and authentication processes can help to achieve better IAM hygiene.”

—Gartner 2024 Reduce IAM Technical Debt

Identity Data Quality is Key to Security and Compliance Initiatives 

 “Poor IAM hygiene severely limits the effectiveness of IAM controls in an organization. Migrating legacy IAM tools to the cloud may help with infrastructure management, but does not improve the efficiency of IAM controls or address poor IAM hygiene.”

—Gartner 2024 Reduce IAM Technical Debt

Although often overlooked, the accuracy and quality of the identity data within a company’s information systems is the common denominator for successful IAM programs. As the saying goes, “junk in, junk out.” Ensuring compliance with industry standards, regulations, and internal security policies will pose a significant challenge with auditors. This is particularly true if the identity data included in access reviews and other processes is not pristine.

3 Reasons to Implement an Effective Identity Hygiene Strategy  

The key reasons for developing, implementing, and maintaining an ironclad identity hygiene strategy are the following. 

Gain Full Visibility 

Organizations need to acquire accurate information about individuals who have access to certain data and resources and the entitlements, rights, and permissions associated with that access. Having comprehensive visibility into the access chain enables the proactive management of cyber risk and helps with immediate action to any potential threats that may occur.  

Standardize and Automate Access Governance  

Implementing and enforcing a strong identity hygiene strategy helps companies to monitor and control identity access across their entire ecosystem, regardless of its location. This tactic, in addition to reducing the likelihood of compliance and governance issues, greatly improves an organization’s security posture and practices.  

Ensure Compliance with Standards and Regulations 

Identity data accuracy and access become especially important for those organizations faced with rigorous compliance regulations and requirements. Bolstered by a powerful identity hygiene game plan, these entities not only demonstrate to auditors that they effectively manage compliance with all relevant security policies and regulations but are also successful in reducing security breaches and the subsequent potential for fines.

“Gartner clients report that they often assign entitlements to users based on what other users typically have and lack effective access reviews. Poor IAM hygiene, due to bad IAM tools and processes, violates “least privilege principles” and results in excess privileges.”

—Gartner 2024 Reduce IAM Technical Debt

How to Approach Identity Hygiene 

It is crucial to maintain the cleanliness, accuracy, and ongoing quality of identity data to protect against unwanted access to a company’s sensitive resources by adhering to the following steps:

How to Gain Full Visibility 

  • Know where the identity data lies and how it is spread throughout the information systems and networks within the company  
  • Make sure the focus is on knowing and understanding “who” has access and “what” the user has access to 
  • Create comprehensible and useful reports based on the maintenance of the identity hygiene strategy  

How to Standardize and Automate Access Governance 

  • Establish policies around an identity hygiene strategy and make them a part of the overall data and access compliance directives of the company  
  • Devise a practical and functional plan for remediating any identity data found to be missing or incorrect as part of the identity hygiene strategy
  • Implement analytics-based strategies that identify accounts, entitlements, and related risk across siloed solutions and identity sources

How to Ensure Compliance with Data Regulations 

  • Consistently observe and address risks to mitigate the cyber threats associated with accounts and access points 
  • Emphasize access governance and identity hygiene as the foundation of an organization’s security posture 
  • Make the best decisions about locations where identity data is kept and used 

Identity Hygiene is Crucial for IAM and Compliance Success  

To prevent cyber risk, breaches, and other forms of malicious activity, it is fundamental for an organization to create, maintain and uphold an identity hygiene strategy that will demonstrate the accuracy and quality of the identity data held within its information systems, networks, and infrastructure. In doing so, regulatory requirements and other internal and external security policies relating to identity data and access will have a greater chance of success in avoiding cyber threats and minimizing all associated risk.

Have questions on what great identity hygiene could improve in your organization? Get in touch and we can get into the details with you.


Artificial Intelligence and Identity and Access Management

March 9, 2024/in Blog Leanne Debeurre/by Josue Ochoa

AI-driven Identity and Access Management (IAM) refers to the utilization of Artificial Intelligence (AI) in managing user identities and controlling access privileges to critical resources within a company. It fills the need for cybersecurity solutions that monitor permissions and ensure the safety of sensitive information. By integrating AI-driven identity analytics with existing IAM solutions, organizations can greatly enhance the efficacy and value of their IAM investments.  

Across the enterprise, AI-driven IAM provides: 

  • Continuous user access visibility 
  • Real-time information 
  • Control 
  • Remediation 

With the expanding digital landscape, the demand for advanced cybersecurity solutions that provide robust control over access permissions while ensuring the safety of sensitive information is growing. AI-driven IAM analyzes large volumes of data and delivers real-time insights, enabling organizations to effectively manage user identities and control access privileges. This technology utilizes AI and machine learning capabilities to streamline identity management processes and enhance operational efficiency. By leveraging AI-driven IAM, organizations can ensure the safety of critical resources while reducing manual effort and improving overall security posture. 

Get Ready for Generative AI in IAM in 2024 

One significant aspect of AI-driven IAM is AI-Driven Identity Governance and Administration (IGA). AI-driven IGA harnesses the power of artificial intelligence to oversee, evaluate, and govern identities and their access within an organization. Integrating AI into the IGA process helps companies leverage advanced analytics and machine learning capabilities to streamline identity management and simplify access controls. 

AI-driven Identity Governance and Administration (IGA) is a cutting-edge approach that harnesses the power of artificial intelligence to effectively manage, audit, and control identities and their access within an organization. By integrating AI into the IGA process, companies can leverage advanced analytics and machine learning capabilities to streamline identity management and simplify access controls. 

AI-driven IAM and AI-driven IGA enable organizations to tackle the complexities associated with identity management and entitlement sprawl. With AI-driven IAM, processes can autonomously run and continuously adapt to changing user access patterns, reducing manual effort and increasing operational efficiency. AI-driven IGA ensures that user identities are effectively governed and access privileges are aligned with security policies. Leveraging AI within identity and access management processes helps organizations:

  • Elevate user experience 
  • Improve operational efficiency 
  • Ensure enhanced security 

By analyzing user behavior and detecting anomalies, generative AI helps counteract threats and security weaknesses. Its integration into IAM enables organizations to monitor access policies and identify possible internal threats, empowering them to take preemptive action against risks. The combination of generative AI and IAM enhances user experience, user identities, and overall security. 

AI Copilot for IAM 

To streamline complex IAM tasks and enhance user experience, organizations can rely on an IAM copilot. Powered by GenAI technology, an IAM copilot automates IAM tasks through natural language interactions. It offers a user-friendly experience and enhances efficiency in IAM operations. 

IAM copilot features require addressing factors such as: 

  • Security 
  • Privacy
  • Comprehension 
  • Reliability 
  • Scalability 

By integrating AI and machine learning capabilities, organizations can effectively manage user identities, control access privileges, and mitigate security risks. These AI-driven solutions enable organizations to adapt to the evolving digital landscape and ensure the safety of sensitive information.

With the increasing complexity of cybersecurity threats, the adoption of AI-driven IAM and related technologies is becoming essential for organizations to stay ahead in the ever-changing landscape of cybersecurity. 

One Step Ahead With AI-Driven IAM 

Additional research and development in the field of AI-driven IAM will further enhance its capabilities, making it an indispensable tool for organizations striving to strengthen their cybersecurity measures. Organizations that embrace these innovations will be better equipped to secure their data, maintain regulatory compliance, and protect against emerging threats in today’s digital age. 

This continuous evolution of AI-driven IAM will play a crucial role in keeping organizations safe and secure in the future. By constantly learning and adapting, AI-driven IAM has the potential to revolutionize identity management and access control, making it a key component of cybersecurity strategies worldwide. So, it is crucial for organizations to stay updated with the latest developments in AI-driven IAM and incorporate them into their security practices for optimal protection against cyber threats. 

In conclusion, the integration of AI in IAM has opened up new possibilities for organizations to enhance their cybersecurity measures and streamline identity management processes. From AI-driven IAM to generative AI for IAM and IAM copilot, these innovative solutions are continuously evolving and will play a crucial role in keeping organizations safe from cyber threats.

As we move towards a more digital future, embracing AI-driven IAM will be imperative for organizations to stay ahead and protect their valuable assets. So, it is crucial for companies to invest in these technologies and leverage their capabilities to achieve a strong and resilient security posture. 

The integration of AI in identity and access management empowers organizations to stay ahead in the evolving digital landscape while effectively managing user identities and controlling access privileges. The future of cybersecurity lies in the integration of AI with traditional IAM solutions, and those who embrace this approach will have a competitive advantage in the ever-changing digital landscape.


Spring is Springing: What’s New from Radiant Logic in Spring 2024

February 29, 2024/in Blog Lauren Selby/by Josue Ochoa

This week we announced our upcoming spring 2024 release of the RadiantOne Identity Data Platform. We are thrilled to share our innovations in Artificial Intelligence (AI), analytics, and data management for identity—and in particular the benefits they will bring our customers for reducing risk and streamlining compliance.  

Challenges for Identity in 2024  

Gartner will tell you that data availability and quality are essential prerequisites to Identity and Access Management (IAM) success and security initiatives—and the data management capabilities that come with “action” tools like Identity Governance and Administration (IGA), Access Management (AM), and Privileged Access Control (PAM) solutions don’t cut it. 

“As built-in data integration and data governance capabilities are often insufficient for client needs, this frequently results in significant implementation and integration challenges—which slows the time-to-value delivery for many IAM programs and other interdependent programs, including data security.” —Gartner Predicts 2024: IAM and Data Security Combine to Solve Long-Standing Challenges

One of the most stubborn obstacles in deploying effective IAM systems is getting access to high-quality identity data, due to:

  • Legacy, tightly coupled, and siloed systems 
  • Constant change in the form of: 
    • Cloud migration 
    • Mergers and acquisitions 
    • Pivot to remote work 
    • Explosion of human and machine identities 

These factors have made it nearly impossible to get one global picture and management point for identity data, leaving organizations open to risk of breach, increasing the cost of running the business, and making it difficult to meet regulatory requirements. 

What can Artificial Intelligence do for Identity? 

Let’s start with the bad news: bad actors are leveraging AI to exploit the growing identity-related attack surface. 2023 was the worst year on record for data breaches. 

Organizations have more identities to manage than ever—and the complexity of doing so is a major problem for security. The IDSA 2023 Trends in Identity Security report found that “one of the biggest challenges for security teams was the sheer number of barriers they now face. The top two reasons were identity frameworks being complicated by multiple vendors and different architectures (40%) and complex technology environments (39%).”  

Between identity sprawl and the complexity of the infrastructure, things start to fall between the identity management cracks, resulting in some of the best targets for hackers: dormant, leaver, or ownerless accounts.  

This risk can be addressed by more automated identity data hygiene and access governance—this is where RadiantOne AI is making a big impact this spring. 

Levelling Up Identity in 2024: Easy to Manage, Easy to Understand, Easy to Govern  

Our upcoming release applies the power of AI to identity, simplifying currently unwieldy processes and helping users to make more accurate decisions for user access reviews. With an intuitive, low-code/no-code user experience and cloud-native infrastructure available as a SaaS or self-managed deployment, RadiantOne Spring 2024 is easy to put in place in any organization.  

Our mission is to make identity data easy to connect, manage, and govern. This release brings unprecedented ease to building data flows, getting granular visibility across the distributed infrastructure, and remediating risk for complex organizations. 

AI Makes User Access Reviews Fun (Ok, as Much Fun as Governance Can Be) 

The tools used today to combat identity-related threats are not enough. Specifically, manual user access review processes are not only ineffective but also are a much-hated time-sink. Managers are made to certify access without relevant information, often via Excel spreadsheets. This exercise often ends in “rubber stamping” access without a true review based on accurate and current data, leaving the organization vulnerable to attack (and audit failure) through over-privileged and other inappropriate access. 

But what if you, as a business user doing access reviews, had a tiny data scientist in your pocket as you navigated the process, pointing out anomalies and digging up need-to-know context? Answering your questions in natural language, making suggestions about who should have what access, revoking access when you say so, raining down digital confetti when you’re done? That’s what AIDA, our AI Data Assistant can do. 

Not only does AIDA make reviews super fun, but you also get to make auditors happy. You keep your organization secure. And best of all, you can get back to your real job (woooo!). 

Nip Risk in the Bud with AIDA, our Generative AI Data Assistant for Identity 

Artificial Intelligence requires lots of high-quality data to be useful (bad data leads to bad decisions, too little data leads… also to bad decisions). What makes AIDA so great, beyond having a killer logo, is that it has access to enterprise-wide data and advanced analytics-based controls for identity data quality and risk. With RadiantOne, organizations build a one-stop shop for identity data, leveraged by AIDA to surface insights and make the most informed recommendations. 

RadiantOne cuts through identity complexity to deliver the insights and tools needed for effective access governance: 

  • Data availability 
  • Data quality 
  • Complete visibility (into users, accounts, attributes, entitlements) 
  • Risk insights and context 
  • Real-time remediation 
  • Remediation orchestration and tracking 

TL;DR: What’s New, Coming Spring 2024 

RadiantOne’s new spring release makes it easier than ever to automate complex identity management processes and streamline business operations while minimizing the identity-related attack surface.

  • We are bringing the power of AI to IAM—AI copilot-guided user access reviews increase accuracy of results for a more secure and compliant organization
  • RadiantOne goes fully cloud-native for even easier adoption at your organization using SaaS or self-managed Kubernetes-based deployment
  • A low-code/no-code interface with analysis and visualization capabilities makes it easy to connect, manage and govern identity data
  • Expanded visibility with the integration of technical resource data (servers, middleware, databases) helps to secure the IT infrastructure
  • Real-time remediation of access review findings streamlines operations and reduces time-to-fix

It’s an exciting time to be in identity…


ISMG Survey Finds that Many Identity Teams Lack Visibility and Operational Maturity

February 26, 2024/in Blog The Radiant Team/by Josue Ochoa

ISMG research surveyed over 100 IT leaders on their IAM challenges, and we’re pleased to share the results with you.

A quick preview of some of the findings from Gaining Security Visibility and Insights Throughout the Identity Ecosystem, sponsored by Radiant Logic:

  • Over 90% of participants had an opportunity to improve their identity maturity
  • 49% do not report having good visibility into identity data and associated risks and security gaps
  • A quarter of respondents reported confirmed identity-related cybersecurity incidents in the last year—with a number of additional respondents not knowing if they had been exposed
  • Legacy system limitations were named as the top challenge to managing and integrating identity data, followed closely by IT infrastructure complexity and shadow IT

If you would like to be the first to receive the complete report on the day it is released in March 2024, please complete the form below.


Reducing IAM Technical Debt with an Identity Data Fabric Approach 

February 3, 2024/in Blog The Radiant Team/by Josue Ochoa

In today’s rapidly evolving digital landscape, the complexities of managing identities across various systems and platforms have left many organizations grappling with the looming specter of IAM technical debt. Identity and Access Management (IAM) is no longer a static component of enterprise IT but a dynamic and critical piece of the cybersecurity puzzle. Reducing IAM technical debt becomes paramount to ensure security, compliance, efficiency, and ultimately, a robust digital ecosystem.

Understanding IAM Technical Debt  

Technical debt in the realm of IAM is accrued when new tools are bolted on, homegrown tools become outdated, shortcuts are taken, or IAM processes and solutions fail to evolve with the system’s needs. The newly released “Reduce IAM Technical Debt” paper by Gartner analysts Nat Krishnan and Erik Wahlstrom points out that siloed IAM tools, legacy applications, and poor IAM hygiene are prime contributors to this debt.

Gartner’s paper outlines five key challenges that result from IAM technical debt. Enterprises must take a proactive approach to tackle these challenges posed by nonstandard or legacy applications and incomplete discovery processes. As operational complexities magnify, the need for strategic simplification grows.

Reducing IAM Technical Debt without Disruption 

The adoption of an Identity Data Fabric aids in reducing operational bottlenecks and unwinds the accumulation of technical debt. Radiant Logic’s solutions empower organizations to modernize outdated systems and tools, while optimizing their identity infrastructure for reliability, performance, and security. By consolidating directories and sunsetting obsolete technologies, our customers have achieved remarkable cost savings and operational efficiencies. Let’s take a closer look at the steps involved in implementing this approach.

Step 1: Detailed Discovery of the IAM Environment

The first step is to conduct a detailed discovery that addresses all identified challenges, including legacy systems and applications. This process unravels the complexities of the existing identity landscape, laying the foundation for an optimized IAM environment. A comprehensive and ongoing discovery process is crucial not only for efficiency but for security.

“Organizations lack comprehensive discovery processes for accounts and entitlements, and dashboards that provide insights of what’s found. Processes often miss a large set of users such as contractors, partners or machine identities. The discovery process may be limited to a one-time activity and not be continuous. This results in a static view of identities, leaving critical blind spots in terms of threat vectors for a part of the IT surface area. Poor observability limits IAM operation and weakens the security posture of an organization.” —Gartner

Step 2: Integrate and Consolidate Siloed Tools  

The second step involves integrating and consolidating various IAM tools and systems, such as Active Directory, LDAP directories, and legacy and SaaS applications. This process eliminates data silos and provides a single view of identity information.  As stated in the paper from Gartner,

“Organizations must move from many user identities to a single identity that allows visibility into, and control of, access while mitigating risk.” —Gartner

Step 3: Enable Modern Identity Protocols  

Lack of interoperability and lack of support for modern protocols hinders adoption of security best practices and delays deployments. Composability is key to a mature IAM architecture. To enhance operational agility and the security posture of IAM environments, RadiantOne allows modern identity protocols such as OAuth and OpenID Connect to be stitched into legacy systems, without application customization. This integration enables secure and seamless access for both internal and external users, reducing the risk of data breaches—while minimizing further accrual of technical debt.

Step 4: Flip the Switch to RadiantOne 

With RadiantOne you can wire together your entire identity data infrastructure in the background and create a single global profile for each identity. Once that is complete, you just flip the switch to RadiantOne and your data and access will continue to flow seamlessly. You can then start to decommission older platforms without disruption—or maintain legacy sources while embracing modern applications.

Case Studies and Expert Insights on Reducing IAM Technical Debt 

Organizations that have adopted the Identity Data Fabric approach have experienced remarkable enhancements in their IAM capabilities, resulting in substantial cost savings and operational efficiencies. In collaboration with Forrester Research, we conducted an extensive Total Economic Impact Study involving 5 long-time Radiant customers. The findings indicate that by leveraging Radiant Logic, a composite organization can effectively reduce technical debt by $9.2 million over a span of three years.

Here is what our customers had to say:

  • An IAM lead told Forrester: “Since we adopted Radiant Logic we have been able to eliminate ineffective outdated technologies and transition away from old data repositories.”
  • A principal IAM architect shared: “With Radiant Logic we have been able to consolidate directories into a single platform, and we have been able to decommission identity silos and all the operations and the tech stack that we built to keep that old architecture up and running.”
  • A principal IAM architect said: “We were spending thousands of dollars a year maintaining old directory architectures. By bringing in Radiant Logic, we have been able to streamline the operations to one system and have been able to remove a lot of technical debt.”
  • A senior IAM leader told Forrester: “We wanted to address technical debt. Ever since we moved our data into Radiant Logic and started using it as the authoritative data store we have been able to eliminate a lot of complexity and redundancy and avoid other technology renewals.”

RadiantOne Identity Data Platform Offers a Clear Path to Mitigate IAM Technical Debt   

The RadiantOne Identity Data Platform offers a tangible path to mitigating IAM technical debt. As affirmed by the insights drawn from Gartner’s expertise and the documented results from Radiant customers, the benefits of modernizing your IAM infrastructure extend well beyond immediate cost savings. It unlocks potential for secure, efficient, and scalable growth. So, if you’re still struggling with IAM technical debt, it’s time to unravel the complexities and unlock the potential of identity data as an asset that can transform your organization for good.


Is Your European Company Prepared For The Digital Operational Resilience Act (DORA)?

November 15, 2023/in Blog The Radiant Team/by Josue Ochoa

The DORA Regulation: Europe’s New Cybersecurity Measures 

Over the last two years, the European Commission has been working on regulations that they refer to as the Digital Operational Resilience Act (DORA). In November 2022, this act was adopted by the European Council. DORA aims to promote resilience to Information, Communication and Technology (ICT)-related risk for companies doing business within the financial sector in Europe, including banks, insurance companies and investment and asset management firms. Even third-party providers that handle crucial financial data, records and information will be subject to this regulatory statute. This act follows the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) who, in 2020, created and proposed guidelines to which European financial institutions were highly encouraged to adhere, focusing on cybersecurity measures and the implementation of independent and objective controls of data and resources within these companies.

 

 

As stated in the Council of the EU press release of May 11, 2022, “Once the DORA proposal is formally adopted, it will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.” According to most accounts, it may take up to two years to implement the requirements associated with DORA, but companies can start early by tightening their compliance and security policies through investing in new technologies and processes.

But what does operational resilience mean with regards to DORA? Operational resilience is the result of the effective management of operational risks which means that internal and external policies and rules are in place to prevent catastrophic incidents such as data breaches and cyber-theft. Identifying and mitigating risk in addition to continuous monitoring and testing are examples of ways that companies can reduce any disruption to their operations that could lead to serious consequences.

Digital Transformation in the Corporate World

The corporate landscape has dramatically changed over the last few years. A great percentage of employees now work from home at least part of the time.  This means that daily digital activities are no longer on premise and significant data exchange is happening through cloud-based frameworks.  This new environment inherently brings with it a higher level of cyber-risk that must be addressed in a more aggressive manner than in the past, and more specifically, within the financial sector.  This is because this area has the highest potential gain for hackers and cyber criminals.

The regulations included in DORA will oblige financial institutions within the European Union to reduce, whenever and wherever possible, the weaknesses of their internal systems and processes that could potentially increase the chance of cyber-attacks. The only way to do this is to have the proper tools, processes and directives in place, including extra vigilance of third-party organizations that have access to sensitive resources. Detailed reporting, audits and testing will become essential in monitoring the companies for whom DORA will become an obligatory practice.

DORA Regulations: The Five Targets 

The focus of the Digital Operational Resilience Act will be on five main areas within ICT and information security, including:

  • Digital operational resilience
  • Risk management
  • ICT incident reporting and management
  • Information sharing
  • Third-party risk management

Now that the act has been signed, what does this mean?  It means that entities and institutions cannot and should not wait to begin ramping up for these regulations which will be enforced in approximately two years from the date of signing.  Strategies must be put into place as soon as possible to be prepared for DORA’s official roll-out.

Radiant Logic Supports DORA Directives 

 “DORA sets uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them,” according to a press release published by the European Council on November 28, 2022.

The first step in securing a company’s network and information systems is knowing, first and foremost, who has access to them, how that access was granted, and whether that access is legitimate.

Thankfully, there are competent companies like Radiant Logic who provide software solutions that can be implemented today for a smooth transition tomorrow.  One of our key platforms is Identity Analytics which has been designed to help with the detection, measurement and reduction of risks related to identity and access data quality issues, providing a full understanding of access rights and the knowledge of who has access to what and to what extent.

By far, the Identity Analytics component which delivers the most immediate benefit to the business teams is the automated user access review.  In addition to supporting audit requirements, performing regular access review campaigns promotes:  

  • The security and protection of resources
  • The compliance of access rights granted to employees
  • Conformity with the current internal and external security policies and rules, including segregation of duties.

There is no better way to begin complying with the Digital Operational Resilience Act.

Why wait?  Take your first step towards compliance with the Digital Operational Resilience Act by contacting Radiant Logic, the expert in the field of identity analytics.


Are User Access Review And Access Recertification The Same Thing?

September 19, 2023/in Blog The Radiant Team/by Josue Ochoa

Do you know the difference between user access reviews and access recertification? They sound like they could be interchangeable, but nothing could be further from the truth. Although both are designed to protect the resources within your information systems (IS), the user access review and the recertification of access rights are two distinct control mechanisms and do not address the same issues.

In practice, however, we tend to use the two terms interchangeably. Recent discussions with our customers have led us to believe that clarification is needed. While the differences between these two approaches may seem subtle, they are crucial. Read on to learn more about why.

The Definition and Main Aspects of User Access Reviews

The periodic user access review is one of the most widespread and unavoidable security control mechanisms for logical access rights. For example, the guidelines initiated by the Sarbanes-Oxley Act, better known as SOX, aimed to reduce fraudulent financial reporting by establishing the implementation and maintenance of internal controls that include information security protocols to ensure the security of financial information while calling for the audit of these controls to verify their effectiveness.

One aspect of all good information security protocols is periodic user access reviews. As companies continue to evolve their systems to incorporate more digital information management, it is imperative that sensitive information is only available to those authorized to view it. The purpose of an access review is to confirm that only authorized users can access secure data and revoke access from those who should not.

Data, Applications, and Infrastructure within an Organization: Who accesses what, why and how?

The periodic review of user access and entitlements is the process that allows organizations to examine which employees, both internal and external, have access to which resources within the information systems (IS) of the organization. The user access review applies to and includes all people who may have access to the organization’s information, including employees, partners and even subcontractors.

The Zero-Trust User Access Review

Because it also concerns employees and other people accessing a company’s resources off-site (via the cloud, for example), the review of user access and identities is perfectly in line with the zero-trust approach. This paradigm consists of abandoning the old practice of perimeter cybersecurity in favor of an approach that is adjusted to new processes and uses. The National Institute of Standards and Technology (NIST) defines Zero Trust as “a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.” The idea is that Zero Trust goes beyond the “castle-and-moat” theory that was the basis for former methods of securing the perimeter, suggesting that trust can be considered a vulnerability with regards to security.

User Access Review and Compliance: How can you meet the challenge?

Before launching a campaign, it is important to take inventory of the user access to all resources being reviewed, ensuring that the scope accurately reflects the current situation at the time of the review by following a “bottom-up” approach. By doing this, the user access review will be more thorough and comprehensive, which also helps monitor the effectiveness of the access request process.

The Fundamentals of Access Recertification

Just like with user access reviews, access recertification is a control function using processes linked to an IGA platform. However, the challenges and purpose of the exercise differ significantly.

Recertification and the Request for User Access

Within most companies, there are more requests to grant access rights than there are requests to revoke them. Companies are continually affected by the movement of people, including new hires, departures, internal transfers of employees or service providers, promotions, reorganizations, etc. These changes have consequences related to IT authorizations and policies for users and account holders. This is where the recertification of access rights comes in, as application and business line managers are regularly asked to verify that the accesses that have been requested on behalf of their team members are still valid with regards to their current roles and responsibilities within the organization.

Tackling the Recertification of Access Rights

User access that has been previously requested and granted is periodically reviewed by department managers. The reasoning behind performing an access recertification is that, while certain access rights were requested – and approved – by a manager at one time, they may now be outdated or irrelevant and should be revoked. Regular recertification of granted user access by the resource owner or business manager can help to avoid the accumulation of illegitimate rights and the creation of potentially toxic combinations.

What are the similarities between user access review and access recertification?

Review Campaign Configuration: A Top Priority

The user access review as well as the recertification of access rights can be done manually using Excel tables. However, we highly recommend that you opt for the automation of your campaigns in order to save time and money on this practice.

Because of this, their frequency and the targeted perimeter can vary with regards to the goals and objectives of the exercise. Different strategies can be considered and implemented, including periodic, continuous, incremental and differential review practices. In order to know which one is the best for you, it is essential to pay particular attention to the configuration phase of the review project.

User access review and access recertification address different security issues. This depends on the level of sensitivity of the resources and changes within the organization as well as the audit deadlines and reports that may be imposed.

The Key Stakeholders

Business line owners and application managers have a crucial role to play. They are the only ones who have sufficient knowledge of the job functions of each member of their team, including what resources they need to access and what level of entitlement should be granted for their level of responsibility.

All these stakeholders need to review the access rights of each team member in order to ensure that the principles of least privilege and need-to-know are being respected. They must review the actual access rights as well as the incoming requests to grant access, requiring them to make the appropriate decisions by asking themselves the following questions:

• Have the access rights of each person on my team been approved?
• Are they objectionable and should they be revoked?
• Who can access what, when, why and how?

In this way, user access will be constantly monitored. Once a review campaign is completed, any identified problems, anomalies or gaps can be corrected in order to reduce the associated risk.

Notable differences between user access review and access recertification

Given the many similarities between these two control systems, it is not surprising that many confuse the review of permissions with the recertification of access rights. From the configuration to the execution of the exercise, the approach is relatively similar. However, the source data being examined is fundamentally different and impacts the scope of the project.

User Access Review: Targeting Regulatory Compliance

The periodic review of user access and permissions is based on the real and effective rights of users as recorded and reported in each system and application. This is an essential activity for anyone wishing to:

• Protect and secure the resources within a company’s information systems,
• Ensure that the security policies enforced within the organization are being respected (ISO 27001, ISO 27002, ISAE 3402, SOC 1 and 2, SOX, CMMC, HITRUST, HIPAA, CRBF, Solvency, etc.), and
• Demonstrate compliance of the company’s user access rights and respond with reports to auditors.

In fact, the periodic user access review is applied to the entire scope of accesses, regardless of their nature or the way they were obtained, either automatically or through an approved request or waiver process. In this way, the principle of completeness and accuracy, which is so important to auditors, can be met.

Recertification of Access Rights: Spotlight on the Request for Access

Access recertification primarily examines validated access requests. User access and accounts that were granted outside of the usual access request process may not be included in the scope of recertification.

Does the recertification of access rights prove compliance?

Unlike user access review, access recertification does not take into account actual rights and entitlements. It relies only on the information managed in the Identity Governance and Administration (IGA) or Identity and Access Management (IAM) system. This can cause several problems.

First, the IGA/IAM system may not manage all the accounts within the scope of the review. For example, desktop user accounts are managed in the IGA system while privileged access is managed in a PAM system. More importantly, IGA/IAM systems have only partial knowledge of the authorizations assigned to accounts. For example, macro rights (application roles or those assigned via security groups) are managed in the IGA system while fine-grained permissions are managed directly, and often manually, in the application itself. In this case, the recertification of IGA accesses will not necessarily be a true reflection of an employee’s actual rights within the application.

For this reason, the implementation of an access recertification process only using the data in IGA/IAM systems is often considered insufficient by auditors when it comes to ensuring compliance of access rights to sensitive applications and systems.

User Access Review and Recertification of Access Rights: Two Distinct but Complementary Approaches

While the protection and security of corporate resources remains a shared priority when performing a user access review or access recertification, the nature of the data and the project’s objectives differ in both cases.

One thing is certain: implementing the most effective tool is a priority for anyone wishing to gain time and efficiency in the execution of user access review campaigns, which can even help to better motivate and engage the team leaders and review owners in charge.

It should also be noted that it is possible to combine both the review and recertification approaches within the same process. For example, an appropriate control plan can automatically reconcile the actual rights of employees and other users in the applications with the access requests recorded in the IGA system. Any discrepancies detected can be highlighted during the periodic user access review process, alerting the reviewer to the potentially unjustified nature of an access that was not granted according to the official or standard practice within the organization.
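The reconciliation described above, as an added example (not Radiant Logic's code): it compares effective rights extracted from applications with the access requests recorded in an IGA export and reports discrepancies in both directions. The record layout, field names, finding labels and sample data are assumptions constructed for illustration.

```python
from collections import namedtuple

# Constructed sample data; all field names and values are assumptions.
# Effective rights as extracted from each application (the "bottom-up" view).
ACTUAL_RIGHTS = [
    {"account": "ASmith", "application": "ERP", "entitlement": "AP_Clerk"},
    {"account": "asmith", "application": "ERP", "entitlement": "Vendor_Admin"},
    {"account": "bjones", "application": "CRM", "entitlement": "Sales_Read"},
    {"account": "svc_backup", "application": "ERP", "entitlement": "DB_Owner"},
]

# Access requests as recorded in the IGA system.
IGA_REQUESTS = [
    {"identity": "asmith", "application": "ERP",
     "entitlement": "AP_Clerk", "status": "approved"},
    {"identity": "asmith", "application": "ERP",
     "entitlement": "Vendor_Admin", "status": "rejected"},
    {"identity": "bjones", "application": "CRM",
     "entitlement": "Sales_Read", "status": "approved"},
    {"identity": "bjones", "application": "CRM",
     "entitlement": "Sales_Export", "status": "approved"},
]

# Correlation of application accounts to identities (account -> identity).
ACCOUNT_OWNERS = {"asmith": "asmith", "bjones": "bjones"}

Finding = namedtuple("Finding", "kind identity application entitlement")


def _norm(value):
    """Normalize identifiers so 'ASmith ' and 'asmith' compare equal."""
    return value.strip().lower()


def reconcile(actual_rights, iga_requests, account_owners):
    """Return discrepancies between effective rights and IGA records.

    Finding kinds (labels chosen for this example):
      no_approved_request      - right exists in the application, but the IGA
                                 system holds no approved request for it
      unowned_account          - account cannot be tied to any identity, so
                                 no request could ever justify its rights
      approved_not_provisioned - IGA shows an approved request, but the right
                                 is absent from the application extract
    """
    owners = {_norm(k): _norm(v) for k, v in account_owners.items()}

    # Only approved requests justify a right; rejected ones do not.
    approved = {
        (_norm(r["identity"]), _norm(r["application"]), _norm(r["entitlement"]))
        for r in iga_requests
        if _norm(r["status"]) == "approved"
    }

    findings = []
    seen = set()
    for right in actual_rights:
        account = _norm(right["account"])
        app = _norm(right["application"])
        ent = _norm(right["entitlement"])
        identity = owners.get(account)
        if identity is None:
            findings.append(Finding("unowned_account", account, app, ent))
            continue
        key = (identity, app, ent)
        seen.add(key)
        if key not in approved:
            findings.append(Finding("no_approved_request", *key))

    # Reverse direction: approvals with no matching effective right.
    for key in sorted(approved - seen):
        findings.append(Finding("approved_not_provisioned", *key))
    return findings


if __name__ == "__main__":
    for finding in reconcile(ACTUAL_RIGHTS, IGA_REQUESTS, ACCOUNT_OWNERS):
        print(finding)
```

A recertification that looks only at the IGA records would show all of asmith's and bjones's approved requests as valid and would surface none of these three findings.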

Conclusion

To learn more about all the advantages and benefits of automating your user access review campaigns, please contact us. Together, we can take the next step towards effortless user access compliance within your entire organization.

 


ITGC Controls: Why Are They Essential And How To Execute Them?

September 19, 2023/in Blog The Radiant Team/by Josue Ochoa

Today, no organization escapes having to demonstrate the security and compliance of access rights that are subject to regulatory standards (ISO 27001, ISO 27002, ISAE 3402, SOC 1 and 2, SOX, CMMC, HITRUST, HIPAA, CRBF, Solvency, etc.). The implementation of IT General Controls (ITGCs), in the context of IT audits or in addition to them, makes it possible to verify the security and compliance of a company’s logical access rights.

However, their execution raises several issues because the lack of formal processes to frame their triggering exposes organizations to considerable risk.

Through three real use cases, we will look at why ITGC controls are essential to protect your organization’s resources and keep your business healthy. At the same time, we will learn how to optimize their execution.

ITGCs: What Are They Used for and When Should They Be Used?

Definition of ITGCs

ITGCs are IT general controls designed to protect your organization’s data from use, disclosure or compromise. They can be applied to applications, databases, logical access rights and infrastructures within your information system (IS). Their implementation is mandated by regulatory entities for most companies and helps to fight against the risk of data theft or fraud.

What Is the Scope That ITGCs Cover?

IT general controls can be applied to all levels and in many areas, such as the identity lifecycle, privileged accounts and logical access rights. They contribute to the implementation and verification of compliance using several functionalities.

 

The main aspects of ITGCs that we will focus on here are:

  • The control of logical access rights, meaning the control of user access rights to applications, repositories and data sources
  • User access review campaigns
  • The segregation of duties (SoD)

ITGC and Compliance Management: What Is the Typical Internal Process Within Organizations?

In order to better understand the control points to be considered, the underlying issues and the involved individuals with regards to your company’s requirements, we will refer to a standard compliance management process that could be applied within an entire organization.

The typical process would be considered at three levels of ongoing controls:

  • Permanent ITGCs: Level 1
    This refers to operational or technical controls carried out by people close to the field, such as line managers or application managers.
    The problem they face is identifying the actions performed by their teams on the information system (IS), and, in the case of the application manager, knowing who accesses which resources and at what level of permission.
  • Permanent ITGCs: Level 2
    These on-going controls apply to consolidated data within the entire company and with a much broader scope. This is the case for risk analyses or independent controls which can be carried out at any time of the year. In this situation, the internal control services or the risk and compliance management departments are in charge.
  • Periodic Controls: ITGCs Level 3
    This third level of control refers to post-incident or periodic checks. These serve as a preventive control but also as proof of compliance with the regulations your company is subject to (SOX, HIPAA, GDPR, etc.).
    The final contact for these controls is internal and external auditors and/or regulatory authorities from your sector of activity or geographical region. The latter require certain controls to be carried out and reports to be produced attesting to their proper execution.

Since Level 2 and Level 3 ITGC controls apply to consolidated data, the first challenge is to make the top-level controls as effective as possible. In this way, Level 2 and 3 controls can be optimized.

Why Is It Essential to Apply ITGCs to Logical Access Rights?

Beyond the need to comply with security and access rights compliance standards, ITGCs are a great way to protect your organization from a multitude of threats. As harmless as it may seem, a lack of control related to the access rights of one of your employees can have dramatic consequences.

In fact, the rigorous management and execution of these controls is an essential prerequisite for not jeopardizing your organization or weakening its financial equilibrium.

The following three scenarios led to critical situations that could have been avoided by executing targeted IT general controls.

Case Study #1: Why Can Regular Execution of ITGCs Help Avoid the Worst-Case Scenario?

The departure of an employee is an integral part of a company’s daily activities. However, this is a major event that must be subjected to rigorous controls, particularly in terms of access rights.

What if your network administrator retained active rights after leaving the company? He or she would still have access to resources at the high permission levels that matched the job function held during employment.
As with many colleagues, this privileged access was granted in line with job responsibilities and duties, and it most likely includes access to sensitive resources. Additionally, this person is most likely aware of any vulnerabilities in the company’s information systems.
For this discussion, we assume that this person left the company in a context of conflict, such as a resignation or dismissal, and that his or her accounts remained active after the departure.

 

What Are the Risks to Your Organization?

Because this person combines detailed knowledge of the information systems with high-privilege access, the company is exposed to the following two kinds of threats:

  • Sabotage or disruption of business: The former employee, who still holds his privileges and permissions, uses them to cause damage, such as data deletion or a massive shutdown of servers, which can lead to a malfunction of your internal and external services and applications.
  • Data leakage: This person continues to connect to the information systems to retrieve confidential data for his own benefit or that of a competitor (customer database, financial data related to sales policies, intellectual property data, etc.).

 

What Is the Possible Impact?

The repercussions are numerous and can be of many different types, including:

  • Loss of customers or staff to the competition (if the former employee poached your employees, for example, or reached out to your customers using confidential data).
  • Legal proceedings by customers impacted by sabotage carried out on your information system.
  • Heavy expenses required to get the information systems up and running as well as secured.

 

It Happened to Cisco

In 2018, a Cisco system administrator resigned and retained active rights. Several months after his departure, he connected to the Cisco systems and caused significant damage.

  • More than 450 servers that operated the Webex service (Cisco’s video conferencing service) were erased
  • 16,000 customer accounts accessing this service were deleted

Restoring the accounts and restarting Webex required two weeks of intensive work. In total, the operation cost the company nearly $2.4 million.

  • $1 million was allocated to the labor needed to restore service
  • $1.4 million was spent on hardware, software and restorative actions

All of this is in addition to the business consequences and loss of reputation that this attack on the Webex service provoked.
Cisco is far from being an isolated case. The American credit operator, Equifax, and the US Navy have experienced similar setbacks following the departure of one of the members of their teams.

 

Why and How Could Using ITGCs Have Avoided These Situations?

Two types of IT general controls (ITGCs) could have been considered to prevent drift:

  • Permanent ITGC controls, or
  • ITGC controls that are triggered in the event of an incident

Permanent ITGCs are useful to:

  • Identify the active accounts of people who have left the company
  • List orphaned accounts, dormant accounts, and technical, generic, test or training accounts (which system administrators may be aware of and may be tempted to exploit, since actions taken through them are hard to uncover or to trace back to an individual)
  • Monitor the activity of people with privileged access (verify the use and timing of their connections to sensitive assets, last transactions made, etc.)

ITGCs associated with events can be triggered as soon as the departure date of an employee is entered into the HR system. This would make it possible to:

  • List the privileged access that the person has
  • Identify active accesses that should be removed
  • Identify a person’s permissions in the event of internal mobility (change of department or business function)
  • List all access held by someone associated with a conflict of interest within the organization
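
The permanent and event-triggered checks listed above can be sketched as a correlation between HR records and an account inventory. This is an added example, not Radiant Logic's code: the data layout, field names, sample records and the 90-day dormancy threshold are all assumptions.

```python
from datetime import date

# Constructed sample data: HR records keyed by employee id, and an account inventory.
HR = {
    "E100": {"departure": None},
    "E101": {"departure": date(2024, 3, 1)},   # left the company
    "E102": {"departure": None},
}
ACCOUNTS = [
    {"login": "alice", "owner": "E100", "enabled": True, "privileged": False, "last_logon": date(2024, 6, 10)},
    {"login": "bob", "owner": "E101", "enabled": False, "privileged": False, "last_logon": date(2024, 2, 28)},
    {"login": "bob-adm", "owner": "E101", "enabled": True, "privileged": True, "last_logon": date(2024, 5, 20)},
    {"login": "carol", "owner": "E102", "enabled": True, "privileged": False, "last_logon": date(2024, 1, 5)},
    {"login": "svc-test", "owner": None, "enabled": True, "privileged": True, "last_logon": date(2023, 11, 2)},
]

def review_accounts(hr, accounts, today, dormant_after_days=90):
    """Permanent control: flag enabled accounts that are orphaned, dormant or held by leavers."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used to log on
        reasons = []
        person = hr.get(acct["owner"])
        if person is None:
            reasons.append("orphaned")  # no HR identity behind the account
        elif person["departure"] and person["departure"] <= today:
            reasons.append("leaver-active")
            if acct["last_logon"] and acct["last_logon"] > person["departure"]:
                reasons.append("used-after-departure")
        if acct["last_logon"] is None or (today - acct["last_logon"]).days > dormant_after_days:
            reasons.append("dormant")
        if reasons:
            findings.append({"login": acct["login"], "privileged": acct["privileged"], "reasons": reasons})
    # Privileged accounts first: they carry the highest risk.
    return sorted(findings, key=lambda f: (not f["privileged"], f["login"]))

def accesses_to_revoke(employee_id, accounts):
    """Event-triggered control: enabled accounts of one person, privileged ones first."""
    held = [a for a in accounts if a["owner"] == employee_id and a["enabled"]]
    return [a["login"] for a in sorted(held, key=lambda a: (not a["privileged"], a["login"]))]

if __name__ == "__main__":
    for finding in review_accounts(HR, ACCOUNTS, today=date(2024, 6, 15)):
        print(finding)
    print("revoke for E101:", accesses_to_revoke("E101", ACCOUNTS))
```

In practice `accesses_to_revoke` would be called as soon as a departure date is entered in the HR system, while `review_accounts` runs on a schedule.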

Case Study #2: Why Should You Use ITGCs to Resolve SoD Conflicts?

How Do I Prevent or Detect SoD Conflicts?

One of the basic principles of access right security is to ensure that toxic combinations of rights are avoided as much as possible by respecting the principle of segregation of duties (SoD). Some regulations require monitoring of the activity of identities holding permissions whose combination is toxic.

For example, a person who can modify a bank identity statement in payroll software and who also has the access needed to issue a transfer holds a toxic combination of access rights. Fraud or human error then becomes possible and directly impacts the company. Therefore, the principle of segregation of duties should be observed as far as possible.

 

What Are the Risks to Your Organization?

There are many, some of which are cited below:

  • Overbilling: Using fictitious suppliers or in a situation of conflict of interest
    • For example, if the access rights that allow the creation of suppliers, the issuance of transfers and the validation of orders are combined, a buyer can declare a fictitious supplier and link his own account statement to this supplier to make payments
  • Stock market fraud: In banks or financial institutions
    • A person can make purchases of risky assets by doing what it takes to secure the organization’s own funds
  • Financial fraud
    • An employee creates fictitious customers and income to artificially inflate the turnover, to embellish the company’s accounts in the event of a merger or acquisition, or to suggest that his individual objectives have been achieved and thus receive his bonus.

 

What Is the Possible Impact?

The cases of fraud mentioned above may give rise to:

  • Financial losses, including stock market crashes
  • Considerable damage in terms of image and reputation that will have to be compensated by implementing a crisis management and communication strategy
  • Legal proceedings and criminal sanctions (fines, imprisonment) against the leaders of the organization involved in a case of fraud

 

It Happened to an Automotive Supplier

This company uncovered massive internal fraud equivalent to more than $20 million. How did it happen? Through an elaborate false invoicing system set up from scratch by unscrupulous service providers who had access to the company’s management system in an Asian subcontracting country.
This false invoicing system directly benefited the relatives of the perpetrators of the fraud and was built using the extensive access rights that had been assigned to them in the ERP.

 

Could the Execution of ITGCs Have Prevented This Situation?

The establishment of permanent ITGCs would have made it possible to:

  • Identify toxic permission combinations by mapping the access rights assigned to users and by carrying out regular checks on the risky situations detected
  • Create a role catalog (role mining) that groups sets of compatible permissions and assigns them to the employees who need them as part of their job functions
  • Run checks on the contents of each role and who can access it
  • Identify individuals with access rights to applications for which they did not request access, or for which access was not validated through an access rights management (IAM) application in which these request processes are documented

Event-related ITGC controls are particularly useful to:

  • Trigger campaigns to review the access rights of identities on the move. It could be decided that each movement within the company triggers an access rights review campaign in which the manager is asked to recertify the access rights of people changing departments. In this way, the team leader could revoke the rights associated with the person’s former functions if they are no longer necessary, or validate that he retains them.
  • Trigger alerts, in the case of cumulative rights generating an identified toxic combination, when the user who holds them connects to the associated applications, so that his activity can be monitored.
  • Set up an alert system for when a newly granted right generates an SoD conflict.
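
The two SoD checks described above, mapping assigned rights to find toxic combinations and alerting when a new grant creates one, can be sketched as follows. This is an added example, not Radiant Logic's code: the rule set is modelled on the article's payroll and fictitious-supplier scenarios, and the permission names, users and assignments are hypothetical.

```python
from collections import defaultdict

# Assumed rule set modelled on the article's examples; permission names are hypothetical.
TOXIC_RULES = {
    "payroll-bank-details+transfer": {"payroll.edit_bank_details", "treasury.issue_transfer"},
    "fictitious-supplier": {"erp.create_supplier", "erp.validate_order", "treasury.issue_transfer"},
}

# Constructed sample of (user, permission) assignments.
ASSIGNMENTS = [
    ("dana", "payroll.edit_bank_details"), ("dana", "treasury.issue_transfer"),
    ("erik", "erp.create_supplier"), ("erik", "erp.validate_order"),
    ("fay", "treasury.issue_transfer"), ("fay", "erp.validate_order"),
]

def build_access_map(assignments):
    """Map each user to the set of permissions currently assigned."""
    access = defaultdict(set)
    for user, permission in assignments:
        access[user].add(permission)
    return dict(access)

def sod_conflicts(access_map, rules=TOXIC_RULES):
    """Permanent control: users who hold every permission of a toxic rule."""
    report = {}
    for user, held in access_map.items():
        hits = sorted(name for name, perms in rules.items() if perms <= held)
        if hits:
            report[user] = hits
    return report

def conflicts_introduced_by(access_map, user, new_permission, rules=TOXIC_RULES):
    """Event control: rules that become satisfied only because of a new grant."""
    held = access_map.get(user, set())
    after = held | {new_permission}
    return sorted(name for name, perms in rules.items()
                  if new_permission in perms and perms <= after and not perms <= held)

if __name__ == "__main__":
    access = build_access_map(ASSIGNMENTS)
    print("existing conflicts:", sod_conflicts(access))
    print("erik + issue_transfer:", conflicts_introduced_by(access, "erik", "treasury.issue_transfer"))
```

Running `conflicts_introduced_by` before a request is approved turns the alert into a preventive check; `sod_conflicts` covers combinations that already exist.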

ITGC Controls: How to Facilitate Their Execution?

ITGC Controls Have Certain Benefits but Are Sometimes Complex to Execute

As we have seen during the two practical cases studied, IT General Controls have many benefits.

Optimizing logical access control tasks can make it possible to:

  • Reduce the risk associated with logical access rights
  • Fight internal fraud
  • Improve a company’s defense against cyber risks
  • Demonstrate to auditors the compliance of logical access rights within the company

However, many organizations struggle to implement these controls, which depend on correlating large amounts of disparate data and on the quality of that data, in a context where internal staffing changes take place frequently.

Automating ITGC Controls with Radiant Logic

To make it easy for companies, Radiant Logic delivers its expertise in access rights analysis through one of its flagship products: RadiantOne Identity Analytics.

With Identity Analytics, get a 360° view of the access rights present within your information system and discover how to:

  • Automate your control plane using over 150 built-in, standard control points
  • Enrich your control plan with configurable controls that can be adjusted to your specific needs
  • Generate reports allowing you to list deviations
  • Follow compensating controls and control exceptions
  • Automate your access rights review campaigns
  • Create a catalog of relevant business roles
  • Produce compliance reports to provide to your auditors

Need a little help to automate your ITGCs? Don’t worry, we can help—contact us.
