This session will explain how Philips implements access certification, how it helped to improve security, and why they have not got tired yet.
Okay. Hi everyone. Thanks for joining. Our meeting has only 20 minutes left and then we can have a nice lunch break. And sorry for the people who left the meeting, I think they will miss a very interesting session, because we are going to dance through access review, so I hope you are wearing your dancing shoes. And then you can choose if it's ballet or pop or hip hop, or another dancing style or genre. So my name is mto, I'm Director Identity and Access Management at Philips. I'm responsible for the strategy division for our enterprise, for our partners and for our customers.
This is my colleague Peter Ko. He's responsible for the domain in my team for IGA. So he's my subject matter expert. So it'll be a combined session today. During the presentation, first we'll do the commercial part, who is Philips, then of course how we mitigate the risks which we identified. How can access review help us? And we will also share some key takeaways with you. So everybody, oh sorry, I need to rephrase my sentence. A lot of times you hear it's like, hey, it's a fatigue, but is it really like this? Is it really like a rubber stamping exercise?
Do your end users, your managers or the owners of entitlements and/or roles really get a headache from it? Is it really a paper exercise? So we are going to answer this question for you today. So first about Philips. Philips is a company which was founded more than 130 years ago by Anton Philips. And we want to improve people's lives with a steady flow of groundbreaking innovations. But as products and technology come and go, it's also the same for Philips.
So Philips has transformed in the last decades into a company which is only focusing on health technology, but we are still about one thing. We create meaningful innovations that improve people's lives. We strive to make the world healthier and more sustainable through innovation. Our goal is to improve the lives of 2.5 billion people a year by 2030. But how are we doing that? So at the center of our strategy, we consider the entire health journey. So you're living healthy at home, or you did a nice running exercise in the morning with Coing, a cold event.
But yeah, we also provide you tools to get any diseases, but in case you need to go to hospital, for example because you got a disease, there we also provide our health professionals products to do diagnosis and treatment, not a threat, because that's something else. And of course we have products for home care. So in case you are recovering, we have monitoring equipment in place and hopefully you'll fully recover and you start healthy living again. So if you're looking at this picture, you see a lot of identities.
You see the enterprise as an organization, you see the manufacturing, you see the hospitals, and there are a lot of risks. And yeah, how do we mitigate these risks? So during this session we will focus on the enterprise risk and then of course what is related to the access review. So to do that we have a strategic composite defined. So we are measuring our maturity, which helps us as well to define our roadmap. I assume you are all aware of what a maturity model is. But we assume that you measure your scoring from level one to level five.
For example, we have defined our maturity model based on, for example, Gartner, KuppingerCole or Forrester analysts. But also we are using inputs from the vendors to define our maturity model, and of course our own insights. So we have our capabilities, on the left side, and then we have the score from one to five. And there we have our functions in the file, and for identity governance and administration, that's one of the domains which we have, we define the following capabilities. And these capabilities we link to controls.
And the controls are defined in the Philips security framework. And these are based on the NIST, the CIS and the ISO critical controls. And these link again to threat models. So a threat model which we are using is the MITRE ATT&CK framework. And then we get a good understanding from the attack part which controls we need to implement, but also which capabilities can match, which we need to implement to mitigate the risk which we have identified. So with this we can define our roadmap, but this is not sufficient, that's not enough. So we also need to do something else.
So it's really nice, all these capabilities and controls, but there is also a link to our coverage. So we need to get an understanding in our organization: how many applications, what do we have, where do you start with your applications, how are we going to mitigate this risk? Then you can also measure it. So we also have identities. So how are we going to cover the identities which we have? So think about the enterprise identities, but also our partners.
And then also you roll out your capabilities, at least you try to roll out with the technology which you have centralized, but you cannot always cover everything with your capabilities. So sometimes there are also manual processes. And with this, yeah, these are not real numbers, but this is just fictive for today here. But this gives an indication in your organization, okay, where are we? What are then the risks? So the question is also, why do we need to have access review within Philips as an organization? So why is this really important?
So we sat together with our compliance department, but also with our security department. And we were looking into the audit reports, because we want to get an understanding of what the risk is in our organization.
So again, the next numbers are fictive, or they were from a very long time ago. So 48% of the access was never revoked. So if you've been 38 years, for example, in Philips, it could be that you still have all the access rights. 60% of the authorizations were not reviewed. So it could be that we do a review in the application, that they do a certain kind of review. But there is also that we do not do any reviews at all.
So from security, we want to mitigate these risks, but that's not always helping. So also we need to do it from a compliance perspective. Philips is a highly regulated organization.
So people want to ensure that we meet compliance requirements. So we are also using the compliance point of view for pushing the access review. And next to that we also have a centralized standardized process framework within Philips, in which everything, let's say from idea to market, market to order and order to cash, we describe all the processes, but also the supporting functions. And security is one of these supporting functions. And we defined an identity and access management process across Philips for that. And access review is one part of that process.
So how do you not get nts? So how do you ensure that? So first of all, it must be easy to use. So the end users should be able to execute it without even looking at a work instruction. So it should be really user friendly. Also from our perspective, we need to define KPIs. They must be meaningful, the KPIs of course, but also something which you can achieve. So do not try to achieve 100% completion, because you will never achieve that. So try to find the right balance and then celebrate the successes which you have with your KPIs.
So show that to your management, but also give the feedback to the end users: how successful they are, because we are doing this together to improve the security of our company of course. And if you're executing the access reviews, you need to build it in small steps, you need to do it in multiple campaigns. So you want to achieve a certain target. So put it in multiple campaigns and then think further than role-based access control. In the past I was a consultant and I was really selling role-based access control.
But you know, every RBAC field in every company, but there's much more than role-based control. And Peter will also zoom into that later on. And a really important thing is to think about change management and communication. So because why are we doing this in Philips? What's the added value of it? So be clear to your end users. So Peter, the dance floor is yours. I say thank you. Alright.
Okay, so thanks everyone. It's my first time presenting here, so bear with me. Very excited. So what does access review mean at Philips? There are a few things. So as Mihi already explained, the access review, we've made that part of our enterprise process and compliance. We really wanted that to offer standardization and global adaptation across our enterprise. Philips is a very big company, so in practice we really need a backbone to support us when we go to all of these application teams, when we talk to everyone in the business, to offer a good foundation.
So for us, access review is a process to verify and validate existing access, and just understanding what the access is. There are hundreds or maybe thousands of applications within Philips, and when we talk to the teams, sometimes they don't see the full scope. So that really means that they need some additional help, and that's what we're really trying to offer here.
Also, just to make sure that all of the access is correct. As Michel mentioned, we're not really a role-based type of model. So we are really down to the nitty-gritty entitlement. So we really need to ensure that it's correct. Also remove all of the inappropriate access and make sure that we can document evidence for compliance. So also adhering again to that process and security management framework and to all related security controls. So currently we have basically two mainstreams implemented. We have a role and entitlement owner review and a manager review.
The role and entitlement owner review is really focused on the application teams verifying: okay, are these the right people that need access to my system in general? And then there is the manager review, which is I think the most elaborate one that we have rolled out currently, where the managers really need to validate if their direct reports have the correct access. And that's a real decision that we've taken.
Yeah, that's how we wanted to approach it. The manager in Philips is responsible for almost anything, especially when you join the company. Your manager will have to give an additional approval before an application team will actually consider giving you the access. So there's always that additional verification step needed. So the manager in this case is now not only responsible for the assigning of the access, but also for making sure that the process is being kept in place and that we can also review and remove it if needed.
So yeah, how we're doing that now: we're currently doing a full annual review. Of course some application teams, well, that differs a little bit. So there is a little change periodically. So annually now. But we are considering indeed going to more periodic, and also on demand, and also event based, which is the latest and greatest. What we're doing now is really looking dynamically at what access people have and changes in their attributes to ensure that we can do the right access reviews.
Alright, so how and when do I start? I think that we did a lot of things, a lot of preparation before we started doing access reviews. Our platform, our IGA platform, was really quite mature, but we did take a lot of time to prepare it, and I think that's also where most of the effort went into. So the platforms and users need to be ready for the basics to be able to review. So we basically talked to all of the application teams person by person and looked at, okay, how does this process now work? Demo it to you and make sure that everyone understands what the purpose is.
You can of course imagine the application teams were already reviewing access in spreadsheets; it's cumbersome, it's tiring, it doesn't work. We made, of course, IAM into an important business process. So that really gave us that additional support to make sure that we have the proper documentation stored in a dedicated location, where the quality can be maintained. So there's always this very strict way of documenting these instructions. Of course convey the right message and be ready to support.
So we, in preparation for our whole campaign, needed buy-in from basically anyone. So what we did is we talked to our security department, to our wider security department, even to our chief security officer and our CFO, and said, hey look, this is our plan. We want to improve security in our company. Let's do it. Can we get your buy-in? And with them, we sent out a clear communication across the business to say, look, we really want this, and these are the people who are backing us, so please help us achieve a good goal, and also make the right choices to match that audience.
So the business is of course expecting a different type of message than IT people would. And we really made a distinct decision to first target the IT teams, make sure that they're already prepared, because they are also a majority of the reviewers of course. And the business got a slightly different message, where we also used our regional security officers to convey that message, to train the trainers, to also help us get everyone to understand and also be able to perform that whole access review. So of course end testing and improving.
So we have a lot of connected applications, but of course at that time when we started doing the research, not all of them were ready. We really had to talk to all of the application teams and make sure that everything was working as expected. And through having these talks, we also found out that there are actually some application teams that said, hey look, let's make an improvement. Let's improve the connection that we have so that we can actually do this. For them, it was easier. So also make sure to highlight that benefit of everything.
So that's all the preparation you're doing, your access reviews are great, but then it ends, the campaign's over, oh no, what do you do now? Keep the momentum. That's probably the most important thing. And how we do that is by feedback. Feedback I think is the most underrated thing in a business context, right? So feedback allows you to understand what people are going through. We as IAM and IGA specialists, we all put out our access review campaigns. At least in my view, I found everything great, I thought this would work great.
We sent out a feedback loop and we got a lot of important feedback, and it made me think of a lot of things that I hadn't considered previously. Also, keep expanding your scope. So we still onboard a handful or a couple of applications each month. We started with the most critical ones, now we're going a bit less, so to the normal ones and also of course some low priority ones, depending on scope. It's important that you really keep that up. So keep interacting, keep it on a human level. Access review is indeed considered quite a rubber stamping exercise. Very papery, very boring.
Keep it on a human level. Try to really, you know, make it part of a sort of culture that you are trying to achieve. That's at least what we're trying to do. And that's also why we included it in our global security training program. So we already had a security awareness training in Philips, which is mostly based on passwords, phishing, but of course this access review is another really business-facing process which needs to be highlighted and which is very interesting for us to include in that. So some key takeaways: define a clear strategy.
I think that's the most important thing, that you are clear in your way on how to approach the access review. So consider building it up in batches like we did. Or consider excluding certain applications that already give standard access, like your standard portal for registering your hours. It's of course possible to review everything, but I think everyone knows that we don't wanna make it into a rubber stamping exercise. Clear communication.
Again, be sure to set out the right communication channel. So we included our global communications channels in Philips to make sure that we really got the message across to everyone. And I think even now we're improving it again by adding all kinds of various translations, in I think about 12 different languages across our business, because we still found out that we need to really approach it from a global scale. Of course, highlight the benefits, sell your story internally as a consultant, which is very important.
What we need to do, because we need to convince our business to really say, okay guys, let's use our standard process and comply to this procedure. Of course define the use cases and application and scope, as I mentioned. And you really need to scope down what you want to achieve with each application. Some applications might not want a full review. Perhaps there is a good reason, for example in a repository-based application, to do only a mover case, where someone moves and you need to review directly, okay, which access does he exactly have?
And choose the right moment to certify, because surprise, surprise, people work in a company. Something that we didn't really consider initially. There is always a time in your business where it's more busy than others. So for us, we did our manager certification at the end of the year; well, that was not the best idea to do. So we see that the adoption rate of that is a little bit lower than others. Find the right moment, talk to your business and gather that feedback, and that should really help you, and of course adapt that strategy indeed to the right audience.
So segregate the communication to your business. Also get feedback from the business to make sure you can have the right strategy in place. And of course again, invest in collecting feedback, because that's really all it is. And with that, I'd like to end. Thank you so much for your time.
Thank you. It was a very insightful conversation. There are lots of questions online, so please.
Yeah, I'm gonna try and summarize and maybe synthesize several of the questions. There was a very lively Q&A section there on the app. The biggest one I think is: how do you educate people about being motivated to sort of choose the right thing versus just kind of approving all? And do you believe in dropping access, killing access, if somebody doesn't recertify in time?
So yeah, we would definitely... we did consider dropping the access. I think that's part of the whole process that we're trying to go through.
So we started quite mild of course. Yeah, we need to have people adapt to the whole process, and I think that once we've made our message clear, we can really look into, okay, we need to now tighten things down bit by bit, because we know that if we drop it, just drop the ball and say, hey look, all your access is gone, that won't happen. That won't help anyone and won't motivate people to recertify again. So that's also what we're trying to achieve. Great.
I think, you know, in the interest of time and lunch, please connect with these folks on the app to maybe pursue any further questions. Thank you very much for your contributions today.