Automating Compliance: Revolutionising User Access Management for Enhanced Security and Regulatory Adherence

Managing staff access to data is a key contributor to security protocols for service providers – how can you automate this to ensure compliance with the TSA and other regulations?

Service providers must follow strict protocols to control access to sensitive data by their staff. Who can access what is often defined by roles – so, in this context, managing Starter, Leaver and Mover (SLAM) processes can be a significant challenge. Simply by changing jobs in the service provider organisation, an individual’s access rights may also change.

Safeguarding these processes is a significant task – and one now covered by legislation such as the TSA. Manual processes are no longer permissible – so how can automation help? A security-first mindset means service providers must ensure SLAM processes are managed more efficiently.

All service providers rely on their human talent. Attracting and retaining the right employees can mean the difference between success and failure. From an operational perspective, the on-boarding of new employees and ensuring security after employees have left can be a significant overhead.

It was already a challenge, but new regulations (often government mandated) throughout the world are now changing the obligations on CSPs to assure network security – including user access management. That’s because data security is just one – albeit, hugely important – area covered by legislation such as the UK’s TSA, the EU’s NIS2 and more.

Put simply, ensuring that the right protections are in place, so that only authorised users can access specific data sets or use certain interfaces and consoles, has become something that is subject to fierce scrutiny – and for which failures in compliance carry a heavy penalty.

Automation for Starter, Leaver, Mover

A further aspect to employee access comes when employees move departments, change roles, or gain a promotion, or as new access requirements become available (such as when new equipment or systems go live) – which, again, can cause an administrative headache and overhead.

Starter, Leaver, and Mover (SLAM) processes are a key HR and IT activity, but there is now an added onus on service providers to assure user identification and authorisation, and user access management for internal systems, software, and data.

There are multiple challenges for service providers with a workforce of (potentially) thousands of employees. How can they ensure that movers and leavers do not have unauthorised access to previous company accounts? Likewise, when employees move department or take on a new role, access may need to be amended – how can this be achieved automatically?

For example, who has rights to access a system? At what level do they require access to perform their role? What happens to this permission when their job changes? And, how can companies manage adjustments to profiles, based on rights associated with roles?

Many organisations grapple with these questions. They need to ensure that the requisite actions and changes are made correctly, in a timely manner. They need to ensure that all such changes are tracked, so that they can be audited when required. They also need to be able to perform them at scale (lots of people in the workforce means lots of such changes) – and with appropriate governance of the definition of the problems in the first place!

But automation offers a wonderful solution. Manually tracking and amending user access can simply be an impossible task, particularly in larger companies.

User access management set to be stipulated in new regulations

Furthermore, new regulations – such as the UK’s Telecoms (Security) Act 2021 (TSA), which will be implemented on 31 March 2024, and the European Union’s upcoming NIS2 Directive, which has an implementation deadline of 17 October 2024 – stipulate how network or service providers must deal with user access management.

For example, the Code of Practice for the TSA includes multiple references to the obligations of network and service providers when it comes to user access management, including:

  • [Management plane 1 – M2.01] Privileged user access rights shall be regularly reviewed and updated as part of business-as-usual management. This shall include updating privileged user rights in line with any relevant changes to roles and responsibilities within the organisation.
  • [Management plane 1 – M2.03] Privileged access shall be via secure, encrypted and authenticated protocols whenever technically viable.
  • [Management plane 1 – M2.05] Default passwords shall be changed upon initialisation of the device or service and before its use for the provision of the relevant network or service.

These are just a few, limited examples of the obligations that are now on network and service providers, and their clients, with significant punitive measures for non-compliance. For the service provider that seeks to adopt a ‘security-first’ mindset, these challenges cannot be ignored – and, as the legislation demands, must be automated.

How We Are CORTEX and our automation platform can ease the burden of user access management

Automation is the only approach. We Are CORTEX have helped many customers to assure the management of user access to networks and enterprise systems. For example, one of our clients – a major operator – had a manual process for systems and buildings access, which created significant complexity for IT and HR teams.

In this case, we created a new automated solution for SLAM governance from our automation framework. It connects to different systems (including Microsoft Active Directory, identity and access management systems, and more) to enable policy-based auditing of employee status and access rights. When someone moves, or changes role, the relevant permissions are automatically updated. After all, someone who moves role may no longer need access to one data set, but will now need access to another.

The result was a greater than 99% reduction in unauthorised access to accounts by leavers and movers, and a more than 99% reduction in costs. That’s not to mention the importance of assuring compliance with upcoming regulations – and supporting the security-first mindset the organisation was trying to create.

The automation also covered starters and leavers – so that new hires can automatically be given the right access, according to their role, and, when people leave the organisation, their rights are automatically rescinded, closing any loopholes – in line with the requirements of the legislation under which the service provider was bound.
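As an added example (not We Are CORTEX code, and not a description of their platform), the following Python sketch shows the reconciliation logic that a SLAM automation of the kind described above rests on: the HR feed is the source of truth for who is active and in which role, a hypothetical role-to-group policy defines what each role may hold, and a snapshot of directory group membership (standing in for Active Directory) is diffed against that policy to produce starter grants, mover adjustments, leaver revocations, removal of accounts HR does not know about, and M2.01-style flags for privileged rights whose periodic review is overdue. Every change is also written as an audit record. All user names, groups, dates and the 90-day review period are constructed assumptions.

```python
# Added example: role-based reconciliation of Starter, Leaver and Mover access.
# Not We Are CORTEX product code. The HR feed, directory snapshot (standing in
# for Active Directory), role policy and review period are all constructed.
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy: each HR role maps to exactly the directory groups it needs.
ROLE_POLICY = {
    "network-engineer": {"vpn-users", "noc-readonly", "noc-config"},
    "service-desk": {"vpn-users", "ticketing-agents"},
    "hr-administrator": {"hr-portal-admin"},
}
# Groups treated as privileged: holders must be re-reviewed periodically (cf. M2.01).
PRIVILEGED = {"noc-config", "hr-portal-admin"}
REVIEW_PERIOD = timedelta(days=90)  # assumed review cadence


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str      # current role according to HR
    active: bool   # False once HR records the person as a leaver


@dataclass(frozen=True)
class Action:
    user_id: str
    event: str     # starter | mover | leaver | orphan | review
    change: str    # grant | revoke | flag
    group: str


def required_groups(emp: Employee) -> set[str]:
    """Entitlements the policy says this person should hold right now."""
    if not emp.active:
        return set()  # leavers keep nothing
    if emp.role not in ROLE_POLICY:
        raise ValueError(f"no access policy defined for role {emp.role!r}")
    return set(ROLE_POLICY[emp.role])


def reconcile(hr_feed, directory, last_review, today) -> list[Action]:
    """Diff HR truth against directory state and return the changes to make.

    directory: user_id -> set of groups currently held
    last_review: user_id -> date of the last privileged-access review
    """
    actions = []
    for emp in hr_feed:
        actual = directory.get(emp.user_id, set())
        wanted = required_groups(emp)
        if not emp.active:
            event = "leaver"
        elif emp.user_id not in directory:
            event = "starter"
        else:
            event = "mover"  # only emitted if wanted differs from actual
        for group in sorted(wanted - actual):
            actions.append(Action(emp.user_id, event, "grant", group))
        for group in sorted(actual - wanted):
            actions.append(Action(emp.user_id, event, "revoke", group))
        # Privileged rights that survive the diff still need a periodic review:
        # flag them when the last review is missing or older than the period.
        reviewed = last_review.get(emp.user_id)
        stale = reviewed is None or today - reviewed > REVIEW_PERIOD
        if emp.active and stale:
            for group in sorted(actual & wanted & PRIVILEGED):
                actions.append(Action(emp.user_id, "review", "flag", group))
    # Accounts HR knows nothing about cannot be justified by any role: revoke all.
    known = {emp.user_id for emp in hr_feed}
    for user_id in sorted(set(directory) - known):
        for group in sorted(directory[user_id]):
            actions.append(Action(user_id, "orphan", "revoke", group))
    return actions


def apply_actions(directory, actions) -> dict[str, set[str]]:
    """Directory state after grants and revokes; flags change nothing."""
    new_state = {uid: set(groups) for uid, groups in directory.items()}
    for act in actions:
        members = new_state.setdefault(act.user_id, set())
        if act.change == "grant":
            members.add(act.group)
        elif act.change == "revoke":
            members.discard(act.group)
    return new_state


def audit_lines(actions, today) -> list[str]:
    """One append-only audit record per change, so each adjustment is traceable."""
    return [f"{today.isoformat()} {a.user_id} {a.event} {a.change} {a.group}"
            for a in actions]


# Constructed sample data (not real people or systems).
HR_FEED = [
    Employee("alice", "network-engineer", True),   # unchanged
    Employee("bob", "service-desk", True),         # moved from network engineering
    Employee("carol", "hr-administrator", True),   # new starter, no account yet
    Employee("dave", "network-engineer", False),   # leaver
]
DIRECTORY = {
    "alice": {"vpn-users", "noc-readonly", "noc-config"},
    "bob": {"vpn-users", "noc-readonly", "noc-config"},  # still holds old rights
    "dave": {"vpn-users", "noc-readonly"},
    "erin": {"ticketing-agents"},                         # no HR record at all
}
LAST_REVIEW = {"alice": date(2023, 10, 1)}
TODAY = date(2024, 3, 31)

if __name__ == "__main__":
    for line in audit_lines(reconcile(HR_FEED, DIRECTORY, LAST_REVIEW, TODAY), TODAY):
        print(line)
```

The HR record, not the directory, decides what a person should hold: a mover's old groups are revoked because the new role's policy does not list them, not because anyone remembered to remove them, and an account with no HR record is stripped rather than left alone. In a real deployment the grants and revokes would be pushed to the directory through its API and the audit lines written to an append-only store, which is what makes the changes reviewable later.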

We explore this topic – and the security-first mindset you need to adopt – in our new paper, “How a security-first mindset depends on automation”. SLAM is just one of the challenges faced by service providers, so read our paper to learn more.
