Most organizations are aching under the pressure they feel from auditors in delivering information. A large portion of that is based on access reviews, i.e. demonstrating that the least privilege principle and related regulatory requirements are met.
Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, "Under Pressure from the Auditor: Rapid Response by Rapid Access Reviews". This webinar is supported by ware. The speakers today are me, Martin Kuppinger, Principal Analyst at KuppingerCole, and who is co-founder and CTO at deliver. We also have low home from ware standing by for the Q&A session. Before we start, some very quick housekeeping and information about KuppingerCole, and then we directly will proceed with the webinar. For some reason, my slides don't shift.
Ah, here we go. Sorry. KuppingerCole: as an analyst company, we are delivering a variety of services from our research, such as executive view reports and leadership to inquiry calls, advisory projects, and all of our different types of events, such as webinars, conferences, and eLearning. We do this for a variety of topics, specifically around identity and access, cybersecurity, artificial intelligence, and others, hot topics that companies need in their journey into the digital age.
We have a variety of research formats: our flagship format, Leadership Compass, where we compare vendors and defined market segments. Our Executive Views provide a very concise overview about certain market segments, our advisory notes and our leadership briefs. We also have various types of standardized advisory services in supporting strategy, portfolio management, portfolio definition, roadmap definition, choice of tools and guiding in projects. And the third then are our events.
We have a range of upcoming events for and winter 2019 around digital finance, cyber security, artificial intelligence, consumer identity, and other topics. Have a look at our website and check out which events we will run. So then let's directly move to the housekeeping part, so to speak. For audio, you are muted centrally, so you don't need to control these features. We are doing this. We are recording the webinar and we will provide a podcast short term as well as we will provide the slide decks for download. And finally, there will be a Q&A session by the end of the webinar.
And we always appreciate receiving a lot of questions from you to have a lively discussion. So use the area questions in the GoToWebinar control panel, enter your questions. And we will pick them up in our Q&A session. Having said this, let's have a look at the agenda for today. The agenda is as usual split into three parts. In the first part, I will look at the challenges of today's access reviews and how to concretely overcome common pitfalls to deliver rapidly and efficiently on the requirements, and maybe even beyond.
In the second part, I know of ware, we'll talk about or give you insight on demo importing access to entitlements, normalizing the structure, dealing with specifics of environments and how to really run efficient access reviews on that information. So he already will demonstrate how to quickly respond to all it requirements. The third part, as I've said, is the Q&A session at the end of the webinar. So when we look at this entire topic and we have these terms such as compliance, audit, security, then we always keep in mind that these are fairly different things.
And that at the end, it's essential taking the right actions to become more secure. So checklist compliance doesn't really help you. It's about more. So when we look at the term compliance, compliance is about meeting laws and regulations. It is a formal requirement which includes audit. Audit is factually then the ability to prove that you do what you say you are doing. So audit is the proof that you do this and that you, for instance, meet requirements of regulatory compliance, and then there are the actions, and the actions are what you actually are doing.
And that could be less than an audit, which would be meaning, okay, something the audit went wrong, or it could be more, or it could be exactly that. So compliance instead of what triggers audits, which, what triggers actions, what actions could be factually more. And you need always to look at this from a perspective of what do you need, really from a security perspective, beyond just compliance and beyond just the audit requirements, because you might pass an audit and still not be secure.
That is something you should always keep in mind specifically because, and that's our topic of today, access reviews, because access risk is a business risk today. And the ability of managing access risks really today is essential for mitigating critical business risk. There have been enough examples, far too many examples factually, over the past years where access risks have put businesses into real big trouble, not only banks, but also other types of businesses. And so one level of that obviously is the identity and access management.
It's really looking at the access risk because we all know fraudulent access imposes financial risks, regulatory risks, reputation risks, et cetera. These access risks are part of your perspective. You need to take on the IT risks.
So IT, in this risk management require approach covering all IT risks. That also includes for instance, all the things around business continuity, around cloud risk, but in a very central position, also the access risks. The C level then need to look at the business risks. So what do these risks? And IT risks are part of that. They're not the only ones, but they're part of that. What do they mean to the business regarding the financial, reputation, et cetera, they must become visible. And today we are in a situation where access risks, as certain types of IT risks, can become such a severe business risk that there's a risk of putting a business out of business.
And factually, when you either look at it from shareholder perspective, their perspective is cost, and there's a cost associated with access risk. Access risk factually puts the value of an organization at risk. When you look at the stock quotes of targets two or three years ago, when they address the incident, they massively dropped. There was a lot of money lost. And if it's going first down to bankruptcy, obviously then all the money is lost. So there's access risk.
And we need to keep an eye on that from a business perspective. That leads us down to the next step, to access governance, because this is the essential element when it comes to mitigating the access related threats. There are a variety of such threats. There are illegal transactions. So when you look at specifically around the topic of segregation of duty controls, then these, there are these typical financial fraud things like someone creating a supplier and then approving the invoices of the supplier to an account he owns himself. These are the typical types of that.
There's fraud in a broader sense, the abuse of data due to excessive use of entitlements, or in fact, to having excessive entitlements and then in fact using them. There's the risk of information leakage, which is another access related threat. So really losing information or changing data. So this is per less visible because so leakage is a commonly defined discussing, but there's also risk of fraudulent changes of critical data, which can cause massive harm. And there's the risk of data loss. So leakage is one thing. So you have the data, but someone else has it.
Loss is you don't have the data anymore because it's deleted or because it's first deleted and then deleted. External attacks: very clearly every external attacker, at least in targeted attacks, is always after the accounts that have the critical access, the excessive entitlements. There's the risk of like reputational damage specifically in the days of breach notification, when it comes to PII, that can become a subverting and there's industrial espionage, which is somewhere related to information leakage and targeted external attacks, but obviously your intellectual property.
So the crown jewels of your organization, they're always at risk. And so there are a variety of access related threats, and you need to have an appropriate governance for access in place to mitigate these risks.
However, when we look at where identity management and identity and access governance projects struggle, we, on the other hand, observe that many of these things are related to challenges in doing access governance, right? Because many of these project trips are in some sense, overly complex, far complex for the organization. That is the thing we will discuss on this webinar. How can you do that faster with loading an overly big workload and burden on the organization? So one of the common symptoms and behind it, there's always some sort of disease is that users are complaining.
They might complain because they don't find their entitlements. They need to request, or they complain because they say, oh, this access re-certification campaign. This is so complex. There's so much information. I don't understand it it's too much work. I don't want to do it. Another one is the amount of manual work. So which includes for instance, help desks and, and operators and administrators being, being, being pushed to do a lot of manual changes to target. So that's one part of it.
The other, again, goes back to the entire audit, access governance, re-certification piece, which is a lot of manual re-certification. I still see quite regularly scenarios where people have a stack of 70 pages printed out on their desk or monstrous Excel files. And they should say, okay, all these entitlements are correct. Or what do we need to change? This manual thing doesn't really work. We have the lengthy processes, which is more a process design thing.
We have the escalations, and escalations again frequently happen around access governance because people just don't do their re-certification trial because it's not done well. And then there are the audit findings because it's not done well, because it's not done at all. And these are obviously very heavily, very frequently around things like privileged access, like access reviews, like other things which are close to the core of access governance. And at the end projects just might fail. And there's still many projects failing because they're too complex, not well planned.
Doesn't, don't align with the business, all these things. And that means we need to look at how, how can we find the balance between the requirements we need to be secure. We need to be compliant. We need to pass the audit. That's the one side of the things the other is what is our organization capable to do it? How do we do it, right? How do we do it in a way that works for our organization? And that factually needs to think about what do we really need in access governance? And that is, we need insight into the details of all of the systems delivered in an efficient way.
So that is on one hand, that's breadth and integration. So we need to have a CRI on all the applications we have regardless of the deployment, but so to speak the connect part. It's the depth. So what are the entitlements in these systems down to the level required? And when you look at certain types of systems, if you look at mainframes, if you look at SAP systems or the ERP environments, another can be quite complex. This is the analyze thing. And then there's the way we do it effective. So doing the right things.
So really doing what we need to do for security, for compliance, for past the audit and efficiency, doing it right, doing it in a way that works, focus on delivering what is required, looking at where you can automate, where you can simplify that is delivered. So always think it is connect, analyze, and deliver. When you look at access governance and really interesting question, obviously, Dennis, is there a way, really a way to have a fast track approach does this way work for you?
And it might be the way because when we are realistic, a lot of access governance approaches, which try to be implemented are too complex. It takes too long specifically when you FD audit pressure. So if the auditor is there, you can't spend months or years in defining role models. If the auditor is here, you need to deliver, you need to deliver fast without too much of manual work. So how can you do that fast? Or how can you do that? That might be sometimes also scenario I say, okay, I do that first.
And then I move to sort of more include as advanced you can discuss with Richard event approaches at the end, the point is what is what you really need, what is how you can balance it. And the first thing here to do is understand the real requirements. So what do you really need? Don't go for, okay. If we do access governance, we need to have an enterprise role management with some role mining in place with that in place, whatever that type of access review campaigns done in a certain way, start with, what do you really need? What is the thing, which is essential.
And that is by looking at what is the required output. The required output at the end of today is ensuring that there are no excessive entitlements to the least principles in first, in an efficient way, check this business and audit to discuss this requirements. Not only blindly following common approaches, understand the really leads tailor is so it's really just checking and then revisit the options you have, and there might be different types of options. Is it a quick way, fast track solution? Will you be able to rule out a complexing on time?
Is it that you might do a step one and step two then? And how does will this the rest of your IM that's not an easy thing to answer, but it's something you should consider and you should think about various options you have and fast track might be something which is a very interesting option for you. So this is basically my thinking around entire access governance thing, step back first, and think about what do you really need when, in which level, what is, what your sort of organization can really deliver? So where are you as organization maturity?
What are the things which are maybe trust too complex? So there are a couple of questions you should ask yourself when looking for the right access governance solutions.
So time, when do you need to deliver, if you have massive pressure, go for lean solution tactics versus tactics versus strategy. So it might be an approach saying, okay, I have this pressure, or I'm just not, I feel that my organization's just not ready for a very sophisticated approach. I go for a tactical thing, but I sell it as tactical. And then I think about what is my next step? How does it work with your architecture, with your existing components? What is the right way to do here?
Could a tactical technical faster solution become more by integration, or is it really tactical usability? Does it work with your, for, for your users today? Understand one of the most important things is an element, which is mainly not tool, but communication. It is. And translating technical entitlements into business language business. People only can do access review for what they understand. And if you did this translation, once it's easy to use it in a different system at a later point of time, what fits your organization?
So honestly, complex role models, three year role models, following a standard RBAC approach, they work for few organizations, specifically some types of finance organizations, but many, many organizations struggled with the implementation. So step backing, can you do it simpler by grouping? How do you do it, right? What works, not also your review approach? What is the way? And at the end, it's about focusing on the higher risks, by the way, something the auditors always appreciate.
If you have a clear risk focus that is positive from a perspective on auditor, they don't want you to do everything at a same sort of level of granularity and frequent. They want you to focus on the high risks. Obviously not only because low, low risk can become high risk over time, if you don't care about, but it's put, focus on that. And then the skills you need the skills to implement to run it. And sometimes it's just that something which is simple might be better because you get it up and running fast and then there's also costs.
So obviously if you do it right, you might get a lot of other benefits beyond just meeting the audit requirements, but cost is an aspect to consider. With that, I am done with my part of the presentation and I right now hand over to law to make the moderator and hello, it's UAM.
Hi, thank you, Martin. I am a Richard, the city of ware, and the main idea of this presentation is to show you how it works, how to get this rapid response and set up rapid access reviews.
But first, just a few words about CLE. CLE is a pioneer of identity and access governance. It's a European company found in 2005 and because of regulations, our customers have historically and primarily been financial companies, bank or insurance regression has become more and more important regarding risks to access management.
And today, many companies use clear I to ensure compliance with these regulations and mitigate those risks today, Claro is focused on European development by developing its channel of partners. So clever IG is simple and rapid setup for many reasons.
First, there is no need for coding. When you integrate a new application to oversee within clever IG, you can design a data model that will fit your environment. It's very flexible to implement, and we will see that certification campaigns are very quick to set up, but at the same time, you can have the long-term approach. What you have done in a short time could be reused and to make it durable for continuous, for certification regarding ized cycle. So let's see the different steps of the integration. The first step consists in collecting the extractions.
You just need to extract the data as it exists within your system, by using native export command. And don't mind about file format.
Clever, I ag will handle it. Data collection is agentless. It's not intrusive. And that's a first one that makes clever I easy to integrate. The second step consists in Ling and the extraction.
As I said, there is no coding. We did at this stage, we just graphically choose the information to keep from the heterogeneous file we got from the IT system.
I, as an example, I show you the way we can configure the integration of an LDIF file from Active Directory. You can get this file just by executing the native command line ldifde. I precise that what will be displayed now is the integration module. We use it only at design time, when we integrate a new extraction, or when we want to modify the information to keep from this extraction. Then at run time, imports are automatically running, according to the configurations that have been done here, and actually for active, we naturally provide ready to use configuration.
You can start with, and if we open an LDIF file, we'll see that information are in blocks with attributes and multiple lines. And the format is the same for every file coming from different LD. Even if the attributes are not the same clever, I G provide able to load any file and auto discover the structure on all the attributes. Once it's loaded, you can have a look on the content by using a window, which will display the information as in the management console, as you can see here. And then the transformation module shows different options.
You can choose the object class, want to keep choose the attribute just by doing drag and drop. And you select the columns you want to keep. And as I said, there is no coding to do that. It's a graphical configuration. You just drag and drop all attributes individually, or you can add them all at once. As we can see here, there would be a lot to say to show all the capability of this transformation module, but in a few words, just keep in mind that you just do drag and drop to select information.
And even if you need to manipulate data as shown on the right on the slide here, it's only customization to extract information inside each field. There is commonly an issue regarding data integration. You may not have a unique identifier in all your applications. So it's difficult to know which account belongs to which person. ware IEG provides mapping features, which will help you to address this issue. You can create advanced mapping rules to data by name, by first name, by division or whatever you want. Or with advanced string construction.
Then clever IG will help you to correlate information, even in case of typographical error or spelling mistake. And because all information is unique, you will design your own data model in order to enable advanced analysis, there are commonly the same issue to address, but the way the access are granted on the information system are different from each other, depending on your environment, you may have system accounts, application accounts, authentication, or application authentication.
You may have localized profile, I mean, same profile, but with contain access depend for instance, on the user division in your application. So the way you know, who can do what on your information system will defer. According to these special cases, the data model geographically design in clever IG will fit your organization and it'll fit the way antis are granted to people To show you how it works. I will take the example of adding a new application in the model.
So let's assume that we integrate simply user some their anti regarding transactions. An SAP model in real life will include a lot of other entities, such as authorization objects, groups, and so on. So I graphically add my two entities, SAP users and SAP transactions, and draw the links between entities and with them. We do some graphical customization by choosing relevant eco for HTT. We assume at this stage of the configuration that we already picked the right information in SAP file, whatever the formats. So we have no input files ready to use for our model for SAP users.
I will add all the fields I want to manage in my model. It could be the name, the login, the last connection, all the information. And as I already get all the relevant information in, I can map each field to each column coming from my transformation module. Here, I can map identify your name, last name and so on. And here we can see that we're able to read specific data formats, such as dates with customizable reading pattern. So I can read the date with different from, from fire. Then I do the same for SAP transaction.
It means adding the relevant fields, such as stable and level, and then map this field to the appropriate cur of the appropriate file. And then I populate the links of the model. For example, link between identities and S users could be populated by a file coming from the curation process, linking the Aune to, to the person. And then I populate the model with appropriate file to link user and their transactions.
Well, you just need to design your model once. Then the importation process automatically keeps the right information and maps it to your model at run time. And once you have done your model, you are able to set up some rules to follow up in order to check compliance regarding your policies and get some reports. Typically this kind of features will provide some immediate insight into such risk as orphan accounts, it's accounts that are not associated with very business owners.
It could be accounts, typically accounts not connected for, for example, three months. You could have an insight on privileged accounts, SoD violations, so it means segregation of duties violations, or resources access limitation, or whatever the rules you have in your policy. So at this stage, we have a full toolbox to keep the right information coming of our extractions and ensure the correlation process. We are so hard built to data model, according to our environment, and have a first relevant assessment regarding identities and in the information system.
And as I already mentioned, you do the design once, and then you share design configurations on server and set up automation.
Process automation is available for the extraction, for data normalization, for correlation, and even for reporting or auditing features you can schedule or alerting, according to the role you have created. The next step is a stage at which you provide insight to the business and the manage reviews, always with the coding, but with customization, you'll be able to set up a web portal that enables the business to explore identities and access and remove inappropriate entitlements.
This web portal also allows you to manage access recertification and set up what we call identity life cycle governance. So here I'm connecting as a business unit manager, and as a manager, I can see all the identities in my scope, for example, in my business unit. And when I click on an identity, I can get all its entitlements. The way the information is displayed is fully customizable and linked to the data model you have built. So as a manager, I can also wonder who can access to a specific transaction in my department, as I can see here, or I can wonder who can access to a specific group.
And so at this stage, you really have a cartography on who can do what in your scope. And you can do that as a business manager or as a resource manager. And I display a specific user who is assistant branch manager. And then I drill to its Active Directory account. I see that he is member of the group server management. He seems to be not relevant. So I have the ability to request its duration and give the reason, for example, inappropriate access. So now the question is where goes this duration request.
So first the duration request is registered in Ry IEG, and then it can fire an event that will automatically call an API on your ticketing system. Many customers have connected duration process to their ticketing system or other access management workflows. You see on this slide some non exhaustive examples of implemented interconnection with clever IG and ticketing system or IAM management workflow. Then in your workflow, the will be and may be closed by your system administrator.
And then for audit ware, IG will provide an additional verification by checking the effectiveness of the ion in the actual data, collecting the system. As we receive regularly extraction from the system, we can check if the ion is actual in the data we have received from the system. So now let's connect to clever I as campaign manager or campaign administrator, We will create a new access or certification campaign. It starts by giving a name to our campaign. This is an organizational campaign. It means the, the approvers will be business line manager.
Let's schedule the, the deadline of our campaign. Then there are many options when you set up the campaign, but let's leave the, the default options for now.
First, when you have created your campaign, you are in design mode, you will populate what we've called a catalog. It means what are the entitlements you want to submit to the, to be reviewed by your business line manager, to be simple, we select all entitlements here to be part of the review in the same way, You will decide who will be the approvers. You can set up a campaign for a single business line or set up a campaign at the company level.
He will synchronize the whole company and we see who will, what business unit. And another part of the design process consists in preparing automatic emails, for example, associate an email template to be sent to each manager when the campaign will start. Once my campaign is designed, I take what we call snapshot to any information. I take a snapshot. The snapshot will be the repository for the campaign. A full set of identities, the accounts and the entitlements is computed to be the reference snapshot of the review, according to what we have selected to be reviewed during this campaign.
And once the snapshot is done, I'm ready to launch my campaign. I G one me about all the managers who will receive an email. And then I confirm, then I connect as a business line manager. I have received an email that informed me that I have an access review to do. And when I display my access review, I see the identities in my business line. Some are in stripper green here.
I mean, it means that though is priv. I, and I don't need to review it. I will come back later on that though account empty blue accounts on which certification has not bigger yet. And as in the consultation page, if I see inappropriate access, I can remove it. I give a reason and my duration request will follow the same workflow as in the consultation page, if all other permissions are okay, I conclude I can include, I review it implicitly approves, all the remaining entitlements and the here we are pair in yellow because the ion is done, but there is at least one permission, Deion requesting.
If I validate an icon without any modification, it will appear in green. And when I do my review, if all account of an identity are okay, I can validate at the identity level, there are some additional features available that I don't show today, which consist to highlight risk. If additional business context, for all permissions that improve even more, the efficiency of the access. Now I'm connecting again. As the campaign manager, I have some feature to ensure good follow up. I have global statistics that indicate number of validated identities with, or without modification.
I can follow up all these statistics, at business line level or at the approver's level. I can also the reminder process if I need and clever way, IG can generate some reports over the campaign with statistics or with a burndown chart to ensure the progress regarding the ideal trend line.
The, this demo I talk quickly about priv account and account is prived. If it has already been reviewed in the previous campaign and the person who it belongs to, didn't have a job change since last campaign. And additionally, the account has not been granted any new authorization since last campaign. If all these conditions are met, the is predating and don't have to review it again. It can focus only on changes that occurs in SLS campaign and will stream the access review.
And now just a few words about identity life cycle governance. Identity life cycle governance in IG consists in controlling changes that occur at the identity level or at the organizational level. I don't have enough time for demonstration, but what we do regarding identity life cycle is ensure legitimacy of created identities. And we guarantee that all has been done to remove access when an employee has left your company and we will certify grant access after a job mutation.
That's the main point regarding access review by doing access recertification on the identity, just after mutation, we are setting up continuous access review directly, according to the identity life cycle. And by doing that, you make durable all what you have set up to do access you. And as identity lifecycle consists in continuous recertification our account reviews, the during the, the S workflow could be pre date in the next campaign, it means that we set up continuous recertifications that will increase even more the efficiency of access reviews. And to finish.
I got a few words from customer about setting up quickly and efficiently certification campaigns. First from sales re work at January, he say security is moving fast and clever solution is always ready to take customers in a quick and efficient way.
Oh, I got this testimony from, from who said recertification is not just not, it's hard work without the right tools, clever offers solutions, that streamline access reviews with business. The clever solution is mature and easy to use. Thank you for your attention.
Thank you very much, Arnold. That was a very insightful presentation. I moved back to me as the presenter. Give me a second. Here we go. And we are back to the agenda. And with that, we are at the Q and A part of our webinar.
And as I've said already, the more questions we have, and it's the request to the audience, the more likely our, our conversation right now will be. And so one of the questions I already have here, and that's probably one to start with. I know you said the customer trust needs to do native data extraction with native commands, but how do you manage file system entitlements or SharePoint entitlements? Is there some native command, some integration too? So how do you deal with these types of systems?
Yeah, yeah, yeah. Thank you for this question. Ly in most applications, the data collection is simple, but additionally clever provides extraction tool to collect entitlements in unstructured data. By unstructured data, we talk about file system, SharePoint and so on.
And for cloud applications, there are commonly API we can use to collect information and especially for Office 365 or Azure clever provides ready to use data collector that will help our customer to collect all the data for access and all clever I integration.
So, so you're providing a number of predefined connectors actually to common systems Colleague connector, but more like extractor as it runs as online, but that we provide, we extract information into files that then we, we add through our integration process. Okay.
Well, I understood. And so there's a simple integration to extract all the data from, from a variety of systems. And from what I understood is it goes down into very complex applications, such as mainframes, SAP systems, etcetera.
Yeah, yeah, yeah. We, we, So, so how, how long does it take them to, to set up a connection to, to some of these systems? So if you say you have whatever standard in the environment with office 365 and some standard windows servers and SAP, and maybe some customer applications, how long do you work with the customer commonly?
So, so usually when we set up this kind of project, our customer have an idea of some sensitive applications that you want to deal with, to do the recertification and to control. And usually it's just a couple of days per applications we have to do during this integration process. So you have the full deployment of IG, we, which is quite easy and work with script and then to integrate application the the month per is not very, very hard. You just have sometimes two or two days per application to prepare and automate all the process.
So, so if you know your auditors are about to arrive in three months from now, It's okay. Three months. Yeah. It's okay. Yes. Sure. Okay.
Yeah, because that, that is, you know, frequently the situation, you know, okay. We currently, for instance, seed and travel with some strengthening of the, the banking regulation, upcoming insurance, and so financial service capital market regulations, it means that a lot of organizations know, okay, within the next couple of months, I will have to pass an audit by, by the auditors.
And that, that is that's scenario where they say, okay, I know I have to be ready by November. Yeah. Sometimes. And that is good.
You can, you can help them If you want to be very, very quick on the specific environment. Just in a few days, you, you use our quick start version just to do access control, not reviewing maybe by the business business line manager, but with business owner on a specific application, just in a few days, you can review all the access and be sure that they are compliant with the policies in your company. Would that also be something which can be used when the auditors already on, on your side and says, we will need to insight in that application.
Then the quick start solution could also deliver on that Quick start solution will deliver reports, it'll deliver a full graphy of who can do what on the it systems and will help you to highlight and do an assess regarding your, your, your system. And then the enterprise version will help you to, to set up access review with business line manager or, or resources or business owner and to, to, to set up. Or would you access review with business? Yeah.
Could you, could you, before we come to an end, okay. There, there's just another question arriving. How do you deal with proprietary applications, which data model you might not have represented in your system?
Yeah, so, so applications such as for instance, banking, applications, banking systems, etcetera. So yeah, yeah. Usually banking application dips with database, we can, in which we can extract data, the, the, the structure could be complex in banking system, but we were able to, to understand the, the, the, the entitlements model. And we actually works with most of the, the private, private, with many private bank. We use something like Olympics tens or something like that.
Or, and it's not an issue. We always are able to extract the information and, and deal with the complex structure, because we, we are able to, to do customization and, and peak the right information and have a flexible model that will fit the banking system, access management.
So, so, so it means when, if there is an API or command line interface To Then you can access, and then you can rather easily construct the data model in which whatever is required. So sometimes you will find API.
So we, we, we use the API to extract the information and we have some technology partnership with the banking system. And sometimes it's, it's you, we just collect data from the, the database databases to, to just have a dump of the information.
And we, we discover the structure of the identity and access.
Okay. So it looks like we are done with the questions. I don't see that we have further questions here. So we started as up to me to thank you, ano and law, and to thank all the attendees of this webinar for participating, particularly in these days of very hot temperatures and across Europe. So thank you very much to have you soon at one of our upcoming events or one of our upcoming cold webinars. Thank you. Thank you.