How to Stay on Top of Users' and their Access Rights

October 25, 2018

David Bryant | Director, Product Management | Ivanti

With the widespread adoption of cloud services and mobile devices, today’s modern IT environment has experienced rapid change. Your users now need access to dozens of applications to do their jobs from day one. Onboarding users has become more complex and time-consuming for IT, especially if undertaken manually. And when users leave or change roles, deprovisioning access to applications is often last on the list of tasks or slips through cracks completely.

How do you give an increasingly diverse and mobile group of users, access to the applications they need and stop them circumnavigating IT to get what they want? To keep your users productive, the best solution is a policy-driven identity and access management (IAM) system to ensure they are accurately identified from day one and to automatically remove access when a user leaves. By providing access to only the systems, applications and data your users need you also reduce the attack vector, common when users have more entitlement than required.

Join Dave Bryant, product management director for Ivanti Identity Director, in this introductory webcast to understand:

  • Why it’s important to adopt an identity-based approach to control user access to systems
  • How automated onboarding and offboarding can improve productivity
  • What are the key components you need in a scalable IAM solution?

Transcript:

Liz: Hello and welcome. We're glad you could join us on today's webinar on Identity and Access Management. I'm Liz Angus from Ivanti's product marketing team and I will be your host for today's webinar. The topic we're talking about today has become increasingly important to IT teams and the organizations they work in. With the adoption of things like cloud services and mobile devices, identity and access management and related processes such as onboarding and offboarding have become a bigger challenge for all businesses and more complex and more time consuming for IT. Your users need access to dozens of applications to do their jobs from the first day and as they move within and out of the organization, either they change roles or leaves the organization altogether it's critical to have a consistent and easy way to deprovision their access to applications to keep the business secure.

From any businesses, this deprovisioning is often the last task on their list and, or maybe even slips through the cracks altogether especially when processes are undertaken manually and this results in great security risks for the business. We're fortunate to have Dave Bryant and Matt Kowinsky [SP] with us today. David's an expert in identity and access management and subset identity governance and administration. And Matt is from our product management team. He's a product manager for our IAM and automation solutions here at Ivanti. Dave today will be sharing his expertise with you on how adopting a policy driven identity and access management approach can help you ensure your users are accurately identified from their first day and then how their access can be automatically removed when the user leaves. And with that introduction, I will turn it over to the expert. Dave, it's all yours.

Dave: Thanks Liz. So topics that we're gonna cover today, we're gonna go a brief primer about what is identity and access management and then we're gonna go through and focus on identity governance administration. After that, we'll give you two use cases. The first one, like Liz mentioned, is on and off boarding and the second one will be compliance and audits. They're very closely tied together. And if you do the first one correctly, the second one actually becomes much easier. Then we'll go over have Ivanti's, Identity Director solution go through some customer success stories. And finally we will have a demo provided by James Szivos.

So as we're going through this presentation, here's three different things to think about, right? So questions to think about how long does it take before a new employee has all the resources to do their job, how long does it take to remove access and their accounts when they change roles and leave? And finally, how much time and resources do you spend auditing your access points to different systems for compliance? So if you think about those, those are the questions we're going to try to answer today.

So the first is what is identity and access management? So identity and access management ensures the right people get the right access to the right resources at the right time for the right reasons, enabling the right business outcomes. So it's, you know, this is important because it's really about mapping all three of those together. The people and notice I said people and not accounts because a person can have multiple accounts, the entitlements or services which also include the business policies and processes and then the devices as well.

So if you're looking in this space, you might see and hear a bunch of these terms, right? Cloud access, security broker, identity as a service, multifactor authentication, privileged identity management, identity governance administration, authentication, authorization, risk management. The IAM space is really large, but fortunately, you know, what we're really focused on today is identity governance administration. So this is a subset of the larger identity and access management space. And it includes terms like identity life cycle compliance, access reviews, account provisioning, deprovisioning security. This is the authorization part and the compliance part of the IAM market. We will not be talking about things like single sign on or multifactor authentication. Those are in a different market segment. And we actually integrate very closely with those companies. So we integrate with companies like Okta and Azure ID from Microsoft and a bunch of those other ones. Now there's also some things going on like privilege access management and privilege information management. Those are more about security aspects of the industry. And that's also another subset of the IGA market.

Now, when you're talking about Identity Governance Administration or IGA, which is of course a Gartner term, there's also identity management and governance, which is a Forrester term, but they pretty much mean the same thing. The identity life cycle is really about the employee and their changes from when they join an organization to when they change jobs, change access levels, and then leave. So it's all about that. You take that, you tie that to the entitlements using business process, and then when the change occurs, you do some sort of account provisioning and account deprovisioning. And that can be done automatically with something like automation or it can be done manually, which is also called indirect provisioning by submitting tickets and requests to an ITSM solution.

Now, in order to validate that that process is correct and is being followed, we do access reviews. So periodically what happens is an organization will print out a list of employees with all their access, give that to managers and managers will go through it and say, yup, this looks correct or no, it doesn't, and then they'll do remediation on that. And alternatively they'll also take a list of everybody who has access to a specific application, let's say Salesforce give that to the owners of that application and then they will request the application owner to validate that those people should have access.

Now, if you're doing the identity lifecycle with the account provisioning and deprovisioning correctly, you know, that's more of a review of your business policies and processes, but if you're not doing that, then that really becomes a focal point because you need to validate that for example, your service requests are being handled correctly. And of course there's also a big compliance and security aspect to this. You know, with larger regulations like HIPAA and everything else, you really need to take those things into account.

So, you know, we've been doing account provisioning and deprovisioning and identity life cycle for a long time. So why do we care about it today? You know, I took this slide from somebody at Ivanti in the security space and I liked it because it says the user is the new perimeter. It used to be that you could just secure your Active Directory and your network and your location so that's all you had to do. But now with all sorts of cloud applications, SaaS applications, mobile devices, people working from home, you really need to secure the user as well. So the user is the new perimeter. So Matt, does that make sense to you? Anything I left out there on the primer?

Matt: No, that's a pretty accurate synopsis there Dave. And at Ivanti, we do see the users in that new perimeter, especially with the SaaS applications, the just in time delivery of the apps for people, they want it now. They want immediately and really securing your user is the new goal.

Dave: Perfect. So that was the brief primer. And of course there's a lot of information out there, but two of the most important use cases in here are the first one is onboarding and offboarding. So, you know, there is issues around the onboarding and offboarding process and these are the ones that I like to point out. So the first one is reactive removal of access. I don't know how many employees ever complain about not having access to some or still having access to something when they shouldn't, but they always complain about not having access to something to do their job. So what I typically hear and I've visited some customers and stuff like that and what I've heard is, you know, if you want to get something done, if you just joined the company and you don't have the access, go to the person who has been there the longest and has changed jobs the most. Typically, they will have access to everything that they used to have access to because a lot of companies don't go through those reviews and don't deprovision those accounts, especially when they change jobs and they're still part of the company.

So that one also ties very well into the unknown job responsibilities. You know, IT typically does not know what somebody needs access to. That's really a part of the business and the business policies. So a lot of times when somebody joins, you know, the manager will say, "Oh well, you know, Matt just joined, his role is very similar to Ian's. So just clone Ian's account." Well now the problem comes if Ian's been there for 30 years, Matt now has all of the access that Ian had, even when he shouldn't. So by doing an IGA solution and implementing it correctly, now you don't really have to know what that person needs access to because you can do it based on all sorts of attributes and birthright entitlements and everything else like that.

Also there's a, you know, a lack of productivity if you don't have something like this implemented. You know, somebody starts specifically like let's say a contractor, you know, they're typically in a different type of system. It's usually a last minute thing. They show up and they don't have access to anything. And it takes a long time to get them access because you have to go through those approvals. Now if you have a solution in place like this, yeah, you can actually sync from multiple sources, gather that information about the user, even if they're a contractor, temporary employee and you can have them be productive day one, which is a great cost saver as well. Also, if people don't have access to what they need, they'll go through the shadow IT process. Basically with all of the prevalent SaaS applications today, it's very easy to, you know, go sign up for something. And when you do that, IT usually has no control over it. They don't know about it and therefore it's a risk for a data leaking out of the company.

Another one I've seen a lot is the path of least resistance. So I call this the path of least resistance because if you join a company and you need access to something, you usually go to, let's say a service request portal and you can just say, "Hey, I need this, this, this and this." And a lot of times, you know, the service desk doesn't necessarily know if you do or not. So a lot of times if it's not a highly-regulated application, a lot of times they just approve that because they don't have that business policy in front of them because it's just easier to do.

And then, you know, we do have direct response as well. I can't tell you how many times we've been to companies and they have, you know, more Active Directory employees than they do inside the organization. And that's because things are not cleaned up correctly. A lot of times people have multiple accounts and it's not tied to that single identity. And finally, contractors and temporary workers are, you know, their own issues as well because a lot of times, like I mentioned, they're in a different system or they're managed strictly by like a PO process as well. So Matt, what do you think about that? Is that what you guys are seeing as well?

Matt: That is, and I think we're gonna touch on it when we talk about Ivanti. Identity Director is the removal of entitlements. I think that's a big area that IT and companies miss. May be good or okay. I am providing the entitlements and the access, but it's really like you said, with the cloning the accounts and removal of access when role changes or personal offboards, that's usually a big miss. Yeah. With Identity Director in the compliance and auditing and the way we handle entitlements, the whole life cycle of the entitlements, that's really not an issue using Identity Director.

Dave: Yup, exactly. So we're going to show you kind of a basic architecture slide or a marchitecture slide. So any identity governance administration tool pretty much has this sort of architecture. So the first one on the left is authoritative sources. So this is information that is typically things like an HR system, a spreadsheet for contractors a project system, all of those different sources of truth that have information about people that work at that company. So what typically is done is those authoritative sources are synced and consolidated into an identity repository. So this is information about all of those people that you might wanna take action on. So it could be things like who is the manager, you know, what is their first and last name, what role are they in, what job, what title, what department, what location are they at? All of these different things are used to make decisions.

So those are tied directly to the entitlement repository, which is all of the access that somebody should have, including data access, access inside of applications, you know, for example, you can have different roles in Salesforce. So those all map together and you map the identity repository to the entitlement repository with business policies and process so that when somebody should have access to something, the entitlement repository will kick in and it'll say, okay, that person should have it. And then on the far right hand side is all of the applications and access that somebody should have. And those things are provisioned and deprovisioned either automatically with an automation tool or through indirect provisioning with an ITSM tool where actually humans can go and do the work, um, and then that gives you that access. So all of that stuff is pretty much done in any identity governance administration tool.

So if you follow that and you follow those issues and use that type of architecture, you solve those on and off boarding problems by managing the identity life cycle, right? So when somebody has joined or change or leave, you map those entitlements to the access at that person should have. And then you know, what should be added or removed. And with that, every entitlement should have a delivery and a return. So typically a lot of people focus on just the delivery. And if you focus on just the delivery, you open yourself up to security risks as well. Also you should use birthright entitlements whenever possible. A Birthright entitlement is something that somebody should have as soon as they join. It's not something that needs to be requested. It's something that should be automatically delivered. And finally use access reviews to provide another validation point. So periodically go through and validate that the access that has been granted is correct and access has been removed when appropriate as well.

So another use case that we have is compliance and audits. So when you're talking about compliance and audits, a lot of times you're worried about that because lack of policy enforcement. Like I said, a lot of times the policy is not followed. Sometimes it's because it's not known. Sometimes it's because it's not defined, but a lot of times it's just because people get busy. Also with those complex environments, the SaaS and cloud services and everything else, you're not just focused on your own environment anymore. So you really need to validate that the entire application access and an application dataset is followed and deliberate in removed. Also with that, multiple people or people usually have multiple accounts. This is especially important for administrators. A lot of times they have a separate account and if you don't tie those to a specific person. And you're just worried about accounts those can be missed.

So I did speak with a company one time, which, you know, they thought they removed everybody out of out of their system, but they forgot that some of those people where admins when they closed an office and those people actually still had access, you know, a long time after they left. Luckily nothing happened, but when they went through an access review, they actually realized that that happened. Also a lot of times there's no validation of the desired state versus the actual state. So again, that's done through access reviews and through dashboards and everything else like that. And finally, if there is some sort of breach, a lot of times there's either a loss of reputation or there's actually a bunch of big [inaudible 00:18:00]. So that can happen, especially in healthcare. Does that sound about right, Matt, from what you're seeing?

Matt: Yes, Dave. But if somebody doesn't have an IAM solution in place or how are these audits and compliances done from an IT perspective?

Dave: It usually involves a lot of paperwork, a lot of stuff printed out, a lot of auditor's time, a lot of, you know, IT's time because they have to chase down a bunch of different accounts and do a lot of validation. But if they do have an IGA tool in place, a lot of times it's mostly just a spot check then because they know that that policy is in place and that everything happens with a specific trigger point. So a lot of times those audits and compliance checks are a lot quicker and there are a lot simpler for both the auditors and the IT department.

Matt: Okay, thanks.

Dave: So again, how do we solve those issues? Right? It's all about the access reviews and reconciliation, which again, are going to be pretty simple if you follow the identity life cycle with the provisioning and deprovisioning and you have those entitlements and business policies defined because, you know, we do automatically do a lot of that stuff with the role based and policy-driven administration. So, you know, you don't have to have managers remember that this person is leaving and they have access to all these things and it needs to be removed. Also the ability to follow the entitlements from the user to the application and back again, so you have that whole chain if you're using an IGA tool. So it makes it very simple as well.

And another one is the system wide account verification. So again, you know, it's not just internal to the company, it's also external with SaaS applications. And finally, the use of automation for standardization. This is one that I think is very important and actually gets underplayed. But if you use automation, then you're not relying on somebody to follow steps and everything is gonna be done standardized. And it's gonna be done the same way for every person. So it's gonna be done and it's gonna be recorded, logged, and it's gonna be traceable as well.

So what does Ivanti offer? So Ivanti has Identity Director and Identity Director manages and enforces entitlements, adapts rights automatically as roles change and workers leave. So again, that's important. And if you take a look at this marchitecture slide for Identity Director, you know, it follows that previous marchitecture slide that we looked at as well. So on the left there you have the authoritative sources which map into identities which are also mapped to entitlements depending on those attributes which results in direct or indirect fulfillment and then access relocations when they no longer need access and it's a big circle. Now one thing that Ivanti has, which is pretty cool as well is they have automation. So a lot of this can be done with that direct fulfillment, right? No human intervention needed.

And Ivanti has connectors to that automation platform for all sorts of things like PC life cycle management, mobile device management, virtualization, SaaS applications, ITSM. I know infrastructure as a service, all of that stuff, and they continue to put new ones up on the marketplace. So if you hear things like lifecycle management, entitlement, catalogs, you know, flexible delivery and integration, rapid time to value, powerful automation, role and attribute driven access, all of those things are in the key capabilities for Identity Director. Anything to add there, Matt, before I get to success story?

Matt: No, that's pretty key. I mean the IAM space requires for entitlements and mapping those entitlements and role changes are mapped very well with Identity Director. We covered that all. The compliance and auditing, every transaction, every entitlement delivered and revoked from a user is audited. And that's what I was driving that question earlier about compliance and auditing, it's just running a report after that with my IAM solution like Identity Director.

Dave: Yup, exactly. So some customer success stories, you know, Identity Directors deployed throughout a variety of organizations from financial services to retail to healthcare and everything in between. Typically you'll see the highly regulated industries deploy sooner a lot of times because of that compliance reasons. So one company that we worked with Woodforest, so they had an Identity Governance Administration solution already deployed and it was highly customized, like a lot of the legacy ones are. And so what they did is they needed to upgrade and they got a quote from that vendor. And it was a lot of professional services around 18 months, I believe it was. So they started looking at other solutions because, you know, while they did have that implemented, there was still some manual on and off boarding because of those customizations and they couldn't upgrade.

Now they are regulated because they are a bank. So they ended up looking at Ivanti Identity Director and because they had that policy defined, it was a very quick implementation with about eight weeks for that implementation. So it wasn't that huge quote of professional services that they were quoted before because they had all this stuff that they needed. And with Identity Director and automation, it's a lot of configuration and there's no customization there. So they ended up, you know, automating their Active Directory users, about 80% and they reduced their offboarding from three to five days to about 10 to 20 minutes. So that was a good success story. And then they tackled the contractors as well and forced everybody to follow their process.

James: Hey Dave, what's the difference between configuration and customization on that? Because I think that's a key point.

Dave: Sure. So configuration is using what's available. And if the tool is flexible enough, you don't need to make, you know, underlying code changes. So what it allows you to do is it allows you to do upgrades quicker, you know, more of that next, next finish, install the upgrades instead of with customization, you need to install the upgrades and then you need to a lot of time redo everything that you've done before. So that makes it very difficult to do upgrades.

Another one we worked with his Mattress Firm. So they went through a lot of merger and acquisition activity. Um, so they had a large IT challenge of integrating all their systems. Everything was manual for on and off boarding and, you know, it could take up to six months to fulfill that process and they had a lot of failed audits because of all of that stuff as well. And with retail setting, there's a lot of turnover that happens. So they were really looking to modernize their IT department, go from firefighting to being proactive and work on processes and projects that benefited the business. So they chose Ivanti Identity Director as well. And with the identity warehouse that Identity Director has, they were able to combine multiple systems to get a better overview of who those employees were. And the entire employee life cycle was controlled by Identity Director. They used automation to do all that direct fulfillment and standardize all those changes. And they were doing know 3,000 to 7,000 automated tasks a day and every once in a while they would hit that 20,000 to 30,000 automated transactions per day as well. So that's a lot. Imagine if you had to do that as all manual steps that would take an awful long amount of time. And they, you know, once they implemented Identity Director, their audit time actually decreased significantly as well. So they started having successful audits and reduced the stress and burden on the IT staff. Anything to add there, Matt?

Matt: No, just I'd like to point out that the onboarding offboarding the manual process and the multiple scripts from a three to five days to 10 to 20 minute time. And that's reproducible using Identity Director and automation because as you mentioned before with the automation, Ivanti automation, those are in the library they're standardized, they're traceable. And I think that's a huge advantage, especially with the compliance and auditing.

Dave: Exactly. Um, and now I will turn over the presentation to James. James Szivos is a presales engineer for Ivanti and he's gonna walk you through the demo of the product.

James: Okay. Thank you Dave. I'm gonna be sharing my screen and I just wanna validate that you can see my screen now.

Dave: That's good.

James: Okay, awesome. Yeah, so I wanna take us through a demo. We'll do the entire life cycle of new hires from the onboarding request to access management, to reviewing that access and then eventually offboarding that user. So in my demo environment... There we go. So what I have and what I'm gonna use today is as I have a spreadsheet which I'm using to populate my identity warehouse and this is for my contracted employees. So I added two new people. I have Matt and Dave and I've assigned them to a specific department called the Philadelphia Flyers. I'm actually a really big hockey fan, so I built out my demo environment based upon an HR roster data and then I have the ability to do contracted employees on top of that, for demo purposes.

So what I'd like to do is I'm just gonna go over here, and this portal that I'm in, actually is a self-service portal. It's where employees, managers and IT people can even interact with to be able to manage access, to request through access, through approvals, even do things like delegated access management, access reviews and attestation. So I'm gonna kick off this request here and it's gonna synchronize that contractor database to the identity warehouse. So the idea is that you would probably have the synchronizing in the background on a [inaudible 00:29:32] role that you define and that as you add people to your HR system, your contractor database from whatever your quantitative sources are, you'll have that people data synchronized into the Identity Director and then based upon their entitlement, that'll provision their access automatically or entitle that person to be able to request access.

So what happened in the background, it's just synchronizing that CSV file over to the Identity Director. And what I see happening inside of Identity Director is that we actually have two new employees. We have Matt and we have Dave, and it's entitling them to access inside of Active Directory. So we see that step one, it's gonna provision out their Active Directory account. Then once that's completed, it's gonna move on to provisioning all the access that they'll need for their job. So security groups, [inaudible 00:30:27] email, third party applications, whatever you wanna integrate with. And what I'm gonna do is I'm gonna open up both of these users. I'm gonna show you that we can actually look at a user, be able to review their access track, what's happening in the background, but what I see is that I have two new employees. I have Matt, I have Dave, and then I can see what organizational structures that they're a member of. So what roles, what departments, and this will actually entitle them to privileges and access that they'll need to do their job.

The other thing that I wanna point out is that we do, if you've seen other Ivanti solutions, then you're probably familiar with our Extraction Dashboard. Extractions are a way of being able to report and aggregate and be able to manage the solution from a reporting standpoint in auditing. And what I can do real time is I can actually track the access changes that are occurring. So this dashboard specifically is for tracking Active Directory Access. And it shows me all the Active Directory changes that have occurred during this window of time here from November of last year to right now. So I can see who's been onboarded, when their access was granted and then eventually when their access was removed. So this is an auditor's dream when it comes to access management. So those needless sort of reports. Oh go ahead Dave.

Dave: I was just gonna say, and how long did it take you to develop this dashboard?

James: Oh, this dashboard, it probably took me, about, I don't know, maybe 15, 20 minutes.

Dave: Awesome. Nice.

James: Now the key thing about our extraction connectors is that we produce these connectors for you for our products so that you don't have to be a sequel reporter in order to be able to extract data out of the product to produce those useful dashboards. So actually, I'm running into an issue here. Okay, cool. So I just moved it on there, I apologize. I had multiple jobs running in the background that was tripping over what was happening.

Right. So what happened? So what we see right now real time is it's going through the process of provisioning access. It took a little bit longer than normal to get the Active Directory account because I had a transaction that was pending that it wasn't able to run, but it's moved on here and it's setting up all the properties for these two users in kind of Active Directory. So populating the attributes, defining who the manager is, assigning user to security groups, setting up their exchange account, etc.

Now I'm gonna hop over to Active Directory. I have my domain controller over here and just prove to you it's not smoke and mirrors. So this, this is a before snapshot. You can see there's a Dave Bryant there and there's no Matt Kowinsky. I'll just do a refresh. And what we see is that we have two new people. We have Dave Bryant, and then we have Matt Kowinsky. And then you can see that they're assigned specific security groups based upon their entitlements. So who are they, what role do they have, what department, what location are being assigned to? And in my demo environment, the Philadelphia Flyers, therefore they're gonna get assigned security groups based upon that information.

So we're gonna hop back over to extraction. I wanna show you another powerful thing about this solution is that you can pivot this data real time. So suppose I just wanted to see changes to the Philadelphia Flyers. I add a filter here and it updates the list that we're reporting upon. So we're only looking at Philadelphia Flyer data. And then yes, I wanted to add an additional criteria. So let's say I wanted to look at the Detroit Redwings as well. So now I'm looking at people data from multiple teams.

So we talked about onboarding and automation and what happened here. So we, we had two new people in the identity system inside that contractor database. We synchronize that data. We saw the access get created inside of Identity Director. It created access in Active Directory. Now the user is ready to work. But let's suppose during that that person's employment, they get added to a system that they're not authorized to have access to. And this is a really common problem that companies struggle with is what if someone bypasses the request process? And let's say that a rogue admin changes a user security group. From a compliance standpoint when you do your next reporting, maybe you're required to do SOX reports. This is gonna raise a red flag and the user's gonna have access to a system that they're not entitled to. So it's key to have a solution being able to remediate that from an identity governance standpoint.

So I wanna show you how you can remediate that access on the fly. So what I've done here is I've actually logged in with the manager of these two new employees. It's the coach of the Philadelphia Flyers, Dave Hakstol. And inside of this user's portal, he has the ability to do delegated administration to be able to review access, remove and apply new access to employees. So if we were to look at Matt Kowinsky for example, I have the ability right here to kick off an Active Directory group to attestation. So right now I'm doing this as a manual process, but this could be something that you have run in the background based upon your compliance needs. So maybe once a month, once a quarter, twice a year, once a year, etc. And then the manager would get notified via an email or a pop up, an alert that they need to remediate access for their employees.

So in the background, what's happening, what we're doing is we're looking at are entitlement data that's defined in the Identity Director. And then we're comparing it to the target system in this case, Active Directory, and we're saying, okay, Matt Kowinsky, he's entitled to these security groups in Active Directory and he's a member of these other security groups. And then it'll go through the process and determine which one is he not entitled for. It looks like I actually had a failure here. I'm not sure why, but I wanna give it another shot. And we'll recertify his access and we'll choose another user, Matt Reed.

Okay. So while this is running, I'm gonna move onto something else to do in parallel. And I wanna show you how this portal can be used by users to be able to request access. The secure fashion. So what I'll do, I'll log in with our brand new user, Dave Bryant, and look at that face right there. And so I'm gonna go into the user store, their portal and be able to request access. And the key use case that we hear about is requesting access to privileged systems. You know, maybe it's an HR system, an IT system, a financial system, and being able to be able to do approvals and then track that access. Write a use case here, this is actually getting access to be an admin for the Identity Director product.

So I have a request here, the user can go to it and you can see this will give the user access to the Identity Director, will submit a request. And then it'll kick off the workflow to be able to track that access to manage the access. So each change within our product attracts it and what we see is this is a view from an administrative standpoint like an IT person would look at and we see that Dave Bryant requested access for Dave Bryant to become an Identity Director admin. It's pending and approval. We go over to the user's experience so you can see that. The user can also see that it's pending approval. You can see who has to approve it. And then if I go over to the manager's portal, you can see there's an approval action right here. So I can either deny, I can reject it or I could approve it. Let's go ahead and approve it. When I give an approval, there's an option to provide, um, a reason behind that approval. So I can do something like I certify that Dave Bryant is an admin. You know, from an auditing standpoint, not only do you know who requested it for who is the access is getting delivered. You also know who's approving it or why it's being improved or in the case of a rejection, why it's getting rejected. So all of that is available from a reporting and auditing standpoint.

And I'm gonna bounce over to this transaction again and what I'm gonna show you is that it, it actually completed the action and it sent a notification to the user. So the user is notified that they have access as an admin to the Identity Director. And if I were to go over to that target system, in this case I'm on providing that access through Active Directory. You can see that he's a member of a new group here called ID Full Admins.

Dave: Now James, could that also be outside of Active Directory? That could be something like a Salesforce role or something.

James: Absolutely. So this sort of scenario could be applied to any target system so we could fulfill, remove and review access to those users in those systems. Okay, so I'm gonna pop back over to the manager viewpoint and I wanna show you a couple of things. So the first thing is that I do have a notification about the attestation. Now, I'm not sure why it's not working for Matt Kowinsky. I probably have something misconfigured, but this is an example of a recertification that ran and it validated that access is correct. So what we see is that Matt Reed is allowed access to these groups. He's actively in these following groups and the access is correct and it's just an informational message to, to kind of document the compliance. Any event that access is incorrect, it would give the person that you want to delegate a person the ability to remediate that access.

Okay. So I'm gonna wrap up the demo here. What I'm gonna do, so I'm gonna go back to my contractor database and I'm gonna take these two new employees and I'm going to update their access, whether they're a valid employee or whether they should continue working their activity in roster status and I'm gonna change it out. So this is the same thing as terminating someone in an HR system or contractor database. And then we'll synchronize that back over to the Identity Director.

Dave: So back on your last, you know, access review. So if there was changes could you then also do a workflow step and do remediation and you could fix the problems automatically or ask for approvals, do any of that stuff is, is it flexible enough to do all that?

James: Yeah, absolutely. So in my case, the manager would be the one that is delegated to remediate that access. So it provides a pick list of the groups that the user is not entitled for. And by selecting those groups, it'll kick off a sub action to remove them from those selected groups.

Dave: Perfect.

James: Okay. So I'm gonna bring up the transaction view just so that we can see what's happening in the background. And what we see is that for both of these users, both Matt and Dave, is that it's actually kicking off our workflow to remove their access. And I can see that because their Active Directory account is being returned and it just completed that action. So it's begun the process of revoking access to these users that should be off boarded. And then so for each one of these actions you can go into the workflow and you can see exactly what's happened in the background.

The important steps that I'm doing is that it's actually disabling the AD account and then it's moving into an OU called disabled users. And I can apply additional steps on here, uh, from a data protection standpoint or a data cleanup standpoint. And when I hop back over to Active Directory we'll do a quick refresh and you could see Dave Bryant is no longer in here. And I think like disabled users. Oh, here we go right here. Let's scroll down to Dave Bryant. You can see the account's disabled. And then Matt Kowinsky, so access has been removed. And then, you know, [inaudible 00:47:11] from a reporting standpoint, what I'll do here is I'll clean up my filters so we can look at all the data. And then as an auditor simulating that I need to prove that access has been removed. I can go right over here and I can see Dave Bryant. And you can see that access is removed here at 11:49 local time. I can click on this user. I can select view records and it can show me every step of the process that occurred. So when it delivered access, it was at the start of the demo at 11:34. When I tried to remove access, there was actually a failed transaction.

And the neat thing about the solution is that it kicked off that action again. And then I can double click this. And if I'm authorized as an auditor, just log in with my admin account. And so I can see that transaction here. So I can not only see that it should have removed access, but then I can actually see the visual workflow about what access did it truly remove and how was it removed and then the success or error codes here. And I'll just show you something pretty quick. If we say that we wanted to use one of those accounts like Dave Bryant. And you can see the account's currently disabled. So at eye level, that's a demo of a very quick life cycle of our employees, Dave and Matt.

Dave: Thanks. Good job.

Matt: Thanks James.

Liz: Yeah, thanks James. That was a great demo. It's always great to see what Matt and Dave have talked about in action. Okay. So I think Dave we're now ready to switch back over and see which questions have come in for Q&A. I'm looking through the queue. It looks like we're getting some good questions from the audience. So I'll just start with the first one. This question comes from Hector. How many terminations can you run at once?

Dave: So yeah, so with Identity Director you can run, um, a whole bunch. There's really no limit. You're gonna run into more of a limit on concurrent calls to APIs and everything else. So you can throttle that, you can specify when you wanna do it. But yeah, you could do, you know, hundreds if you wanted a time. James, can you pass me the username please?

Liz: The next question we have, it looks like comes from Cindy. Does this work with Okta?

Dave: Yeah. So Identity Director will complement Okta. Okta, we'll be doing of course the authentication and can provide a screen for showing the tiles so people can easily go to those types of SaaS applications. And you know, it can work with Okta in order to make sure people have the right access based on their entitlements.

Liz: Perfect. And I see that you have the marketplace slide up. Um, this next question is actually about marketplace, so I'll let you present that piece and then we'll get to this question if, if it's unanswered.

Matt: Sure. So we just wanna bring this up marketplace.ivanti.com. is a one stop shop for add-ons, connectors, not just for automation in Identity Director but for all the Ivanti product line. So James just showed that extraction dashboard and right before this we started [inaudible 00:51:14] We said, "Oh great, you can package that and put it on the marketplace for us." But on the marketplace for identity and automation, the different connectors for things such as Salesforce or SAP or Office 365, those types of entitlements you can find there. Along with things such as we call them, building blocks, which are sampled, how to get started with them. It's well-documented. There will be things around Password resets and attestation. So check the marketplace. If you have a use case, you just click on automation or Identity Director and you can see the list of available connectors and building blocks to get you started.

Liz: All right, I think that answered most of the question that came in about connectors. That question was just about the connectors to service management products. So you can find those there as well.

Matt: Yeah, we have connectors for Ivanti service manager, and uh, within the week we'll have one for Ivanti service desk as well.

Liz: Great. And it looks like we have a few more minutes. I'll just add a couple more questions. This next question that's come in, we would like to know more about how those integrations happen to third party applications.

Matt: Sure. I can take that one. Identity Director uses the Ivanti automation to connect to those systems. So as we just discussed around marketplace, good marketplace, see those connectors for that third party system such as Salesforce. If there's not, automation provides a built in support for scripting language such as PowerShell, Python, whatever your scripting language would be. If you would need to make calls through an API you can develop them yourself or contact our professional services to build your solution.

Liz: Great. And the last couple of questions that have come in, the first part again is, is this product already released?

James: Yes. It's released, it's deployed in several large customers, enterprise customers, both Automation and Identity Director.

Liz: Great. Thanks Matt. And lastly, this'll be our last question for today. They are just wanting to confirm that the Automation piece and all the connectors in the marketplace are included with Identity Director.

Matt: Yeah with Identity Director licenses you get, correct me Dave, two server licenses for automation. So those are sufficient enough to call things such as APIs and you use the connectors for SaaS applications and Active Directory and those things.

Liz: Great. Thank you. Matt. It looks like a, that's all of the questions that we've had come in right now. So as we wrap up, I just wanna mention that we have a lot of great resources on our website which is ivanti.com. If you're interested in learning more about the topic from today in general or about the Identity Director solution and Automation. Under the solutions section of our website you'll find white papers and solution sheets on the general topics like streamlining onboarding and off boarding as well as compliance and auditing. And then under the products you'll also find...on our Identity Director page, you'll also find more white papers and solution sheets on policy-driven identity access and management. And of course also things like the Identity Director datasheet. So lots of great resources on our website, so you'll be able to check that out.

One more thing, I'll mention the case studies we [inaudible 00:55:15] a couple of success stories today and you can find more of those on our resource library as well. And then just to end today's webinar, I just wanna thank Dave, Matt and James who were presenting and demoing and sharing all of their expertise. We also wanna thank you, our audience for your attendance and participation today. If you do have any questions that we didn't get a chance to answer on today's webinar in the Q&A, or if more questions pop into mind, please don't hesitate to reach out to us. And thank you again and have a great rest of your day.

Dave: Thank you.