Original Article

Least privilege access can feel completely out of reach. Here’s what we’ve heard:

You have a ton of different SaaS applications running your business, your infrastructure is in the cloud, you have multiple IdPs, employee details in your HR system, contractors somewhere else, and each application owner oversees user access to the apps they own. Provisioning and deprovisioning users is complicated and a high-cost effort. Your engineering team owns granting and reviewing access for your infrastructure, SalesOps owns your CRM, finance owns your financial tools, and so on. Not to mention the custom, backoffice applications you built specifically for your business…

The Cyber Hut Comment: Modern IGA startup ConductorOne have added an access request component to their kit bag. C1 initially started out looking to improve the access review part of the identity governance and administration world - where organisations were spending considerable effort manually reviewing existing employee relationships and their associated permissions.

The second part of that journey is to handle the access request process effectively in the first place. How are users being assigned permissions, do workflows exist that can include the necessary approver (who incidentally should be fully informed of why and how they are being asked to approve an access request in the first place) and how can that completed access request approval be fulfilled on the downstream system?

In the world of continual communication (think Slack overload) line managers and supervisors should be able to use the tools of their everyday business journey to engage in access request workflows. It seems C1 have jumped on this to provide an easier approach for both the end user and approver to engage via opinionated workflows or via exceptional circumstances.

It seems the vast majority (80:20 rule) of access requesting should be handled via pre-configured fine-grained policies and associated automatic workflow approvals. Clearly not every case will utilise automation, but the manual nature of both access review and access request introduces errors, inconsistency and of course huge personnel cost (in both time and wasted salary).

ConductorOne are part of the next-generation of IGA players looking to optimise the key parts of the IGA journey and this new feature sees them trying to “shift left” the governance process to something that is more pro-active, instead of spending effort on the classic access review process which is often seen as being reactive.