What is most valuable?
- Centralized access management/governance
- Access Forms
- Online Approval
- Automatic on-boarding of new users and termination of users that have left (i.e. Joiner, Mover, Leaver Process)
- Business approach to access (Business Roles and descriptions)
- User friendliness
- Review - this is great for audit purposes, and proof of compliance.
How has it helped my organization?
- Access Provisioning: the time-frame has been significantly reduced, as this was a paper-based process previously.
- All application access requests are completed from a centralised portal, whereas previously this was also paper-based and confusing to users
- Users and managers understand the different levels of technical functionality and can make risk-based decisions about granting access
- Violations are highlighted in almost real time and can be managed much more effectively, and this reduces risk exposure of sensitive applications
What needs improvement?
For how long have I used the solution?
What was my experience with deployment of the solution?
No issues with deployment.
What do I think about the stability of the solution?
In the older versions, there were sometimes instances where memory would get used up and the application would need a restart.
What do I think about the scalability of the solution?
No issues with scalability.
How are customer service and technical support?
Both with Aveksa, and now RSA, our experience has been good.
Which solution did I use previously and why did I switch?
No previous solution used.
How was the initial setup?
The people and change management process was quite complex, as we were changing our process and a major touch point to IT of the entire organisation.
The complex nature of the enterprise environment in terms of different applications was quite complex, in that all technical access had to be defined and thought of from a business functionality perspective.
What about the implementation team?
We used a vendor team. They helped us through the technical side of things, and also got involved in business workshops and demonstrating the value and benefit of the solution to the organisation.
Which other solutions did I evaluate?
Yes, we compared it to Oracle.
What other advice do I have?
Get business involved from the initial stages.
Spend some time on user change management, communication and education.
Adopt a maturity model of implementation - getting from a paper-based access request governance process to a fully automated closed-loop verification one is a large change. It is possible to get small wins for a large number of applications in stages. For example:
- Attain visibility into user access first across all applications
- Initiate a clean-up of legacy access (this adds a lot of value and reduces potential risk exposure of multiple applications)
- Define/workshop technical access and how it correlates to business functions for an application at a time
- Implement business rules and violations
- Initiate user and access reviews
- Automate provisioning.