Skip to main content

Automated Reconciliation on Identity Access Management

In this article, we address questions that came along with the rising demand to automate reconciliation processes, as well as discuss how you can similarly adopt a robust, effective, and efficient automated reconciliation model in your organization today.

The rising demand to automate reconciliation processes

In today’s increasingly complex Identity and Access Management (IAM) world, where tens or hundreds of applications and access rights are to be granted or revoked yearly, organizations are faced with real-time challenges. An IAM Manager is inundated with daily access requests, compliance requirements, internal audits, and external audits to provide reconciled data. It goes without saying that the traditional manual comparison of data and information has become outdated and unfeasible for any organization.

The mind-boggling questions that start alarm bells ringing for IAM Managers begin with:

  • How do I create a process that allows for real-time comparison of the organization’s list of actual accesses vs. the desired state of permissions granted?
     
  • How should I utilize automation to govern and implement a successful, efficient and secure process for my organization?

In this article, we will address these questions, as well as discuss how you can also adopt a robust, effective, and efficient automated reconciliation model in your organization today.

The automated reconciliation process for a Global Tier-1 Bank

In this section, we will explore some of the challenges our client, a Global Tier-1 Bank, faces in assessing and designing their automation process within their IAM program.

An agreed-upon RACI Matrix

Regardless of the size of your IAM program, one of the key measures of success is to ensure that all team members, stakeholders, and management are aligned on the specific roles and responsibilities. Often, it is at this step that many organizations deploy overlapping roles and lack accountable parties, and ultimately, this leads to poor IAM.

Through deploying an organized and signed-off RACI matrix with all the necessary parties (aligned with security policies), an organization will be able to successfully avoid confusion and the omission of key tasks and responsibilities assigned in transforming their reconciliation activities.

As simple as this sounds, in a complex organization like our client's, a Global Tier-1 Bank with multiple levels of management, it can be challenging to have the consolidated viewpoint of an agreed-upon RACI matrix. Therefore, it is of paramount importance that organizations carefully detail the use-case and requirements and the necessity of the automation process for the bank, so that all parties are clear on their individual responsibilities and roles required to be adopted.

Feasibility analysis

After creating an agreed-upon RACI matrix, the Global Tier-1 Bank must assess the ideal state of an IAM governance solution.

  • What are we trying to address through automating our inventory warehouse and applications?
  • Which data sets would we need to satisfy our requirements?
  • Which tools can we deploy based upon the organizational resources available?

Through an iterative process, the Global Tier-1 Bank would perform a feasibility analysis to understand and assess their needs. With thousands of applications in their inventory warehouse, it is critical they deploy a phased approach to successfully implement auto-reconciliation.

A phased approach

In the first stage, the IAM manager would create a business case and propose a selected group of applications, defined for the scope to be auto-reconciled for the cycle. Bearing in mind that this is not a one-off process, additional phases should be planned for the years ahead.

Through the business case, the IAM manager will propose the needs, budget, requirements, and timeline to Senior Management including Business Team Line Managers, the local Chief Information Security Officer (CISO), and the regional Head of Information Technology Team. Following this, a Steering Committee Team is formed in order to track the progress of the outcomes and deliverables proposed in the business case.

In the second stage, the IAM manager will deploy the designed state of auto-reconciliation with the selected stakeholders as per the RACI Matrix. This can include the Application Owner, the Access Rights Provisioning Team, Business Line Manager, and the local IAM Manager.

Collaboratively, this group of stakeholders will cooperate and assist in the implementation of:

  • Extracting the users’ application data from the application back-end;
  • Creating a mapping file to the main inventory data system;
  • Performing a gap analysis assessment from application vs. inventory data;
  • Cleaning-up unused accesses;
  • Creating a link between the application and the data warehouse system;
  • Performing tests in a UAT environment;
  • Creating test scenarios where violations may occur.

Depending on the resources available, such tasks could take up to 6-8 weeks for a single application to implement access rights auto-reconciliation.

In the last stage, the IAM manager needs to consider how to resolve the scenarios where incorrect access rights are picked up through the auto-reconciliation processes. This will ensure that access rights are aligned to the actual state of the application rights granted at any given time. The IAM manager will also check for toxic combinations, least privilege, and need to know. This phased approach can be time-consuming but is nonetheless a worthwhile exercise to undertake in the long term.

The benefits of auto-reconciliation

At the heart of a robust IAM program, to ensure the smooth, consistent and accurate access rights data ready-at-hand for various uses, is:

The benefits of auto-reconciliation

Through these considerations of the key benefits, organizations are increasingly recognizing the need to start automating this critical function within their IAM program

Paying attention to fraud-sensitive applications

With regulations, laws, and sanctions on data privacy multiplying globally, it is important for organizations to pay particular attention to fraud-sensitive applications. For our client, a specific set of applications is identified as Fraud-Sensitive. Of these, all Business Leaders are aware of the inherent, business, security and compliance risks that these applications pose in the event of fraud incidents.

Therefore, organizations would benefit from considering the importance of classifying their applications, paying specific attention to fraud-sensitive applications and designing controls and processes to ensure that these applications are ring-fenced from outside penetration

Sia Partners' Approach

At Sia Partners, we believe that it is important to create a lasting impact within the IAM program for our clients. In enabling a successful implementation of the automated reconciliation process, we work with our clients to set specific targets, goals, and roadmaps in line with the expected objectives.

Through our experience, we have identified the following areas which we deem crucial to the success of an automated reconciliation process.

Challenges when implementing auto-reconciliation processes

A significant challenge that needs to be carefully managed during the auto-reconciliation phase is to obtain the buy-in from business.

Resistance from Business Team: Often, the resistance to adopt auto-reconciliation from business teams can slow progress by creating lack of accountability and ownership of the auto-reconciliation work. It is therefore important for business teams to understand the priority of the Bank, the IT needs that should be considered, and the qualitative and quantitative benefits from executing the program.

Key Success Factors

The following factors are essential in order for an auto-reconciliation program to successfully work in an organization, especially a large one.

Buy in from Senior Management: Early on during the business case analysis, it is critical to obtain the buy-in from Senior Management, which sets the tone from which the importance of the program is recognized. This will not only increase efficiency but also embeds ownership and responsibility across all stakeholders.

Involvement of SPOC’s: Through the training workshops conducted and with the use of the RACI matrix, a SPOC from the business team will help to ensure priorities are met by owning the responsibility to discuss gaps and issues and to address inaccuracies throughout the 6-8 weeks of development.

With the IAM needs of organizations evolving at a rapid pace, an effective automation process can help to ensure that your organization is well-placed to meet compliance and security requirements and to manage your data effectively in real-time. Sia Partners can play an integral role in defining a roadmap for your organization’s IAM journey and tailor the approach to your needs.