User Access Reviews at Lightning Speed with AI

Okay, everybody, thank you for joining us here today. We are going to be talking about doing your user access reviews at lightning speed with artificial intelligence. This webinar is being presented by Radiant Logic. We hope you learn something through this webinar, and you’re going to be hearing today from two of us.

Before I start, if you have any questions, please put them in the question feature here of the webinar. We will get to those at the end, time permitting.

Let me introduce myself. You’ll be hearing from two of us. I’m Leanne Leanne Debeurre. I’m one of the Product Marketing Managers here at Radiant Logic, and you’ll also be hearing from my colleague, Khadija. Khadija, could you say a few words?

Yes. Hi, Leanne. Hi, everybody. So glad to be co-hosting this webinar. I’m Khadija and I’m a Senior Technical Enablement Specialist over at Radiant Logic. I basically handle trainings and training content regarding our Identity Analytics offering.

Perfect. Let’s get started and learn a little bit more about how we’re going to help you with your user access reviews today.

We have taken a couple of polls, and we thought these results were interesting to share with you. You might have the same answers as some of these people. The first question we asked our customers was: have you ever performed a user access review on your applications? Overwhelmingly, the answer was yes, and we know why. There are a lot of regulations out there, and there are also internal and external security policies that people have to follow. Eighty-four percent of the people said yes, they have, mainly for compliance reasons.

The second question we asked was: do you conduct user access reviews on a regular basis? For us, that meant more than once per year. Here the numbers changed a bit. Just a little over half of the people said yes, they do them on a regular basis. About a quarter said no, they don’t, and around twenty percent answered “sometimes.” One of the reasons, as you all know, is that user access reviews are really complicated to set up and run. They take a lot of time, they’re tedious, with many manual parts. Sometimes we’re still using Excel spreadsheets. It’s understandable that some people try to avoid running these reviews when they can.

Our last statistic is the best one. Are you motivated to do your user access review? Ninety-seven percent of the people said no, and we just explained why. It’s tedious, time consuming. Some people tell us “this is not part of my day job; I have to squeeze it in and get it done, and I have a time limit,” etc. That’s why a lot of people are not motivated. Khadija is going to go into a bit more detail about why that is.

Yeah, thanks, Leanne. When it comes to the challenges that these companies face regarding access-review campaigns and why we’re seeing these figures, the first issue we have to keep in mind is data quality. Just getting relevant data and making sure all accounts and access rights are known for one user, let alone multiple users, is already a challenge. We’ve had many customers who had a hard time gathering all the extracts, making sure that they have the full scope of Active Directory accounts, the full HR data, and that they have the latest version of these details.

If you multiply the need for data accuracy by the number of applications, repositories, and assets that need to be merged and integrated to get a 360° overview of each person’s access rights, you can see the size of the challenge.

Then there’s configuration and implementation. Many of our customers face challenges when setting up access-review campaigns, both from a technical standpoint—where integrating multiple technologies is already difficult—and from a functional standpoint. How can you make sure your overview of each user’s access rights will include both cloud-based and on‑prem applications, both vendor and homegrown applications, application access rights along with privileged accounts, technical accounts, and privileged-access rights?

Along with the technical challenge of configuring and implementing the access review, making sure it launches on time and rolls out to all the appointed reviewers, there’s also the organizational challenge. How can you make sure everybody will make themselves available to help you with the organization of your access-review campaign? How can you be sure all the application owners, repository managers, and line managers will be available either to provide extracts as inputs or to check the list of access rights under their responsibility and give you the right review decisions before the official end date?

Even if you’ve nailed down the first two parts of this equation—maybe you’ve had a campaign roll out smoothly with relevant data during one year—each year you still have to face auditors or authorities who come up with new requirements, asking you to include more applications in your campaign. You also have to keep track of updates to your information system: if an application is decommissioned and replaced, how do you make sure the new one is onboarded into the next review campaign? This becomes a bigger challenge over the years as your information system and organization change.

So let’s imagine what the ideal access-review process would look like from the standpoint of a compliance officer or compliance manager. As a compliance manager, my ideal campaign would be time-saving. I would like a process or a platform that allows everyone to approve or revoke access quickly. I’d like to set up my campaign quickly, send it to all reviewers, and then proceed with remediation and revocation of all undue or illegitimate access rights.

I’d also like to get help along the way. I’d like my access-review process to be assisted when it comes to organizing the campaign, selecting the scope, and also to provide assistance to each reviewer when deciding what to do with each access right—how to figure out whether it should be kept, approved, or revoked.

Of course, I’d like to automate as many manual tasks as possible to avoid the risk of human error and to make things less tedious for all stakeholders. In addition, I and the security team leads would like to improve security, making sure we can catch undue or risky access rights and decommission or revoke them before anyone can use them to cause harm to the information system. We don’t want reviewers blindly approving all access rights that their team members currently hold. We want them to actually examine access rights with all relevant KPIs that might indicate risk, and to catch and revoke them, not just approve everything.

Finally, I want my access-review process to include all types of accounts and IT assets. I want to be able to schedule campaigns for technical accounts, user accounts, user access rights, privileged accesses, local accounts on Windows or Linux servers, etc.

This is something that our RadiantOne platform can help with, especially when it comes to setting up yearly reviews or reviews on demand. Some customers schedule one review once a year. Others schedule more than one campaign per year, either running the same campaign multiple times (for example, quarterly) or setting up different campaigns for different types of assets once a year. Our platform can bring this process down from days to minutes.

This is the addition to our RadiantOne platform that we were very glad to announce last month: the new AI data assistant that is going to be released in our spring release, called AIDA. AIDA is short for AI Data Assistant, and we will walk you through this new feature during this webinar.

Basically, AIDA will help any compliance manager with all the items I mentioned in my ideal wish list. AIDA will help reviewers save a lot of time and reduce the process to just a few minutes for completing their access-review tasks. AIDA will suggest possible decisions to each reviewer regarding the details of the access rights they need to review and what risks they should watch closely. Not only will AIDA suggest decisions—such as “here are twenty access rights that you should revoke because of this reason”—but if you decide to approve AIDA’s suggestion, AIDA will automatically apply that decision and automate the analysis of access‑rights risks up until the final sign‑off of each reviewer’s task.

Thanks to this decision‑making help, AIDA will ensure that all your access rights are actually reviewed for what they are, and that no manager blindly approves all access rights held by their team members. Managers will actually revoke the access rights that are flagged as risky. Finally, the AIDA feature will apply to several types of campaigns: whether you’re reviewing application access rights, role content, service accounts, or privileged accounts, the AIDA assistant will be there for you.

Now I’ll give it back to Leanne so that she can show you an overview of the AIDA assistant and how it will help you once it’s released with our spring release.

Okay. Now comes the fun part. How is AIDA actually going to work for you and with you as you do your user access reviews? Let’s pretend I am Dustin Knight. You can see that Dustin, or myself, has received this email from the IT department. In the subject of the email, it says “Access review campaign Cash Pooler – 500 access rights to be reviewed as part of our SOX compliance program.” I receive this email as the reviewer, and inside I have details about why I’m doing this, my deadline, and a link to go directly to the portal where I’ll perform my review.

I click the link, and I arrive at the platform. On the left I see the screen where I’ll work, and at the top, AIDA pops up and says, “Hey, I’m here to help. What can I do for you?” I decide to do my review with AIDA. Keep in mind, if you don’t have or don’t want to use AIDA, you can still perform a review on the platform by checking the boxes you see on the left and manually doing it one by one.

Otherwise, AIDA comes in here and, as you see the screen scrolling, AIDA says, before I even start, “Do you want to take a look at the past decisions you made, during your last review?” There are about 305 entries, and AIDA is asking whether I want to stick with what I did last time. AIDA also points out that forty‑three of them have some risk associated with them. But it’s my choice, and this is really important: AIDA does not make the decision. AIDA suggests information that allows me, as the reviewer, to take the decision.

I remember what I did last time, so I decide to accept all of the decisions I made during my last review. That clears out forty‑eight percent of what I was supposed to review. Basically, in about a minute, with the additional context given by AIDA, I was able to get nearly half of my review done.

Now we go to step two: AIDA is proposing the right information, helping with decision‑making. Here AIDA shows some risky issues, one of them being leavers. On the right, it says three people have left the company and it is advisable to revoke their rights. AIDA tells me that I can go into each of those individuals, drill down, and get additional data manually if I’d like, or if I know the context, I can revoke all of those rights for the three people who left the company and move on to the next step.

Next, AIDA helps clarify the context by delving more deeply into the information and providing analysis. In this screen, I have seventeen leavers that I need to take care of. AIDA brings up the exact screen I need to look at, so I’m not fumbling through the platform. AIDA puts the relevant screens right in front of me. AIDA tells me there are seventeen leavers and asks what I want to do about these risky items. I ask AIDA to show me a histogram or chart of the details behind those seventeen. On the right, I see a histogram with colors showing when these people left: some in the last three to six months, some more than a year ago. With that additional information and analysis from AIDA, I can make my decision and revoke those seventeen dormant accounts.

The last piece is that AIDA helps you make the right decision. Here I’m looking at similarities in a cluster in my cross table. In the purple box, the tool is showing a group of people with the same job title (down the left-hand column), and across the top are the permissions. AIDA shows me a box saying all these people with the same job title have all these same permissions and asks, “What would you like to do about that?” As the manager of this department, I understand that I need to approve and proceed to the next block. I can do this by block, and AIDA puts that information before me so I can make the right decision. AIDA will also highlight outliers or permissions given to people outside the department, so I can review what’s going on there.

After I look at all those similar permissions and access rights, I can see that I reviewed 120 similar entries in two minutes and thirty seconds. You can see how we’re building toward those eight minutes we talked about for completing a user access review with AIDA. Now I’ll give it back to Khadija for a few more words.

Thank you, Leanne. With our Identity Analytics access-review features, here’s the feedback we’ve had from customers. They were glad to see both a cost reduction in organizing and setting up their access-review processes, and less effort spent by reviewers when executing the review. They noticed an eighty‑percent cost reduction in the access-review setup, and a seventy‑five‑percent reduction in time and energy from reviewers, who are business managers and not professional reviewers. That’s a clear positive. They also noticed that the cost reduction came while increasing the scope of the review and the thoroughness of the data included in each review task. It was helpful in cutting cost and time without cutting review quality—and even increasing it.

Many customers were satisfied to see that they went from an average review completion rate of sixty percent to one hundred percent completion. And that wasn’t after several years of running extra campaigns; hitting ninety‑eight to one hundred percent completion was often achieved during the very first campaign they set up with Radiant Logic’s access-review platform. You don’t have to wait long to get these rates. You can reach them during your first campaign, and hopefully get there even faster with the release of our AIDA assistant in the spring.

Excellent. Thank you, Khadija, for all of that. Before we get to the questions, I want to highlight that we have created a wait list for this feature. You’ll see the information on the screen. You’ll be able to join a wait list so that you can get information sent directly to you when this is ready to launch. It will also be available on our website as a banner across the top.

If you have any questions, there are a few already, but if you didn’t get a chance to put your question in the box, please do that. In the meantime, we’ll address the few that we received during Khadija’s presentation.

Here’s one: “Do I have to be a current customer to be able to use AIDA?” The answer is yes. More specifically, a corporation needs to be a customer for the Identity Analytics offering that Radiant Logic provides. For a new customer who is only considering using AIDA now and doesn’t yet have any of our software, they would need to purchase our Identity Analytics licenses, set up their Identity Analytics platform to the latest version, and then they would be able to start running access reviews powered by AIDA. For existing Identity Analytics customers, they would need to upgrade their platform to the latest version, ideally the spring-release version, to use AIDA. As for Radiant Logic identity-data‑management customers, they would need to purchase Identity Analytics licenses separately and set up their own Identity Analytics platform the same way new customers would.

Here’s another important question we’ve been asked: “Can I perform user access reviews without purchasing AIDA?” Yes, that is still possible, and it is how our current access-review platform already works. On the screens you’ve seen, the AIDA assistant appears on the right side, but everything shown inside the main web page is still available if you want to set up your own access review manually and release tasks to each reviewer or manager. They can see the same screen; they just won’t have the AIDA assistant on the right. They will still be able to check the data, click each entry and see details of each person’s access rights, see risk flags, switch to the pivot-table mode, see clusters of common access rights granted to the same team members or people with the same job function, and bulk‑apply their decisions either to clusters in pivot‑table mode or by selecting rows in the list display. This is totally possible without AIDA.

We have a couple of minutes for questions. One question: “Can you review by common access? Meaning, can you review all users with a specific role or entitlement?” Within the layout of your application access rights, you can group your access rights by permission, job function, or identity. That allows you to see all accesses for one person and bulk‑approve or bulk‑revoke them, or see all people who have one permission and approve that permission for everyone if it is a basic user permission, then focus on higher‑level accesses. AIDA will also give you insight on common permissions granted to people with the same job function, such as “accountant,” and will point out atypical access rights held by only one person where others with the same profile don’t have it. That might indicate an access that should be revoked because it came from a previous job or team.

Another question: “Others are claiming to have an AI feature. What makes RadiantOne different?” The AIDA feature we’re releasing combines the power of artificial intelligence with all the Identity Analytics insight our platform already provides even without AI. AIDA is effectively an expert that guides you through executing an access‑review campaign. You can use it as a chatbot and ask questions, but even without prompting, AIDA can tap into our existing set of risk assessments, controls, reports, and analytics and give you relevant insight, guiding you through what should be done with your access review. It’s flexible enough to let you go with the flow of AIDA’s suggestions or to take back control and review each item in the blocks that AIDA points to.

That is basically the power of our artificial‑intelligence data assistant coming this spring.

Excellent. Thank you, Khadija, that’s great. We’re just at the top of the hour. We’d like to remind you again that there’s a wait list for people who want more information and want to be notified when this is live in the spring release: radiantlogic.com/waitlist. Thank you for attending, everybody. You will be getting a recording of this in your inbox. We hope it answered many of your questions. Kat, I wanted to thank you for your participation.

Thank you so much, Leigh Ann. Thank you, everybody, for attending this webinar, and we hope to see you back at a future webinar soon.