Good afternoon everybody. Very pleased to be in front of you today. So I'm French, I'm CTPO of Oad Identity. And Oad Identity is a vendor of modern IGA as a service. So what we're going to discuss today is certification fatigue, and the way we can reduce it with an optimal role management. So during this presentation we will discuss what is the impact of certification fatigue, what does it imply?
How do we optimize the certification campaign, based on a concrete case, and as well how we can leverage AI and machine learning as part of this certification campaign to optimize the user experience. So that's really the goal and the coverage of this presentation today. So maybe to start, why do we certify? The main reason to certify is really to be compliant.
That's the main reason for organizations to start this certification campaign. That's the main reason for most of your organizations to purchase an IGA solution: to perform the certification campaign. So for instance, if you are operating in the financial industry, if you don't have a certification, you cannot operate. So it's a must have. What is the goal of this certification campaign? The goal is to make sure that users in your organization have the proper access rights, and continue to have the proper access rights at different times in their life cycle in the organization.
And what do we see? To conduct the certification campaign, most organizations are sending some surveys within the organization with some questions to validate if the access is correct or not. And what we have noticed is that some of the surveys are containing up to more than 1,000 questions. That's some of the observations that we have made, and we come back on that: we have made some analyses on the panel of our customers. And you will notice in this drawing that we studied 40,000 surveys with in total 600,000 questions.
And on these 40,000 surveys, we classified the surveys and tried to understand what is the impact of the length and the number of questions on the validation rate. And something that is quite obvious is the fact that the more questions you have, the more the rejection rate is dropping. For instance, for a survey with 25 questions, the rejection rate for an access is 6.5%. When you're moving to 1,000 questions, the rejection rate is dropping to 1%. What does it imply for your organization? First, the user experience when you're receiving 1,000 questions is clearly not optimal.
And when we're doing some consultation with our customers, user experience is one of the top factors for them. The second aspect that you cannot neglect is as well that the validity of the survey doesn't bring any value.
So by not doing this in a proper way, you are as well increasing the security risk in your organization. So going deeper, we have as well discussed with different employees and checked with them: what is really creating this fatigue according to you, what are the main issues that you face?
So the first remark that we received is the fact that most of the time the manager is receiving a list of questions without any prioritization. Everything is rated equally in the questionnaire. So there is no indication whether the access that is being validated is important, risky or not. Everything is rated equally. The second part that is also very important and that needs to be considered is the fact that there is not necessarily a clear understanding of what is being asked to certify.
So when you are onboarding an application, it is very important that you take that into consideration: when you are integrating an application, what is going to be asked as a question needs to be formulated in a way that the end user is going to understand.
The next point is obviously the length and the number of questions. So that's something that we already discussed: too many questions. And during this discussion, we also had the fact that the data that were submitted to the user were sometimes not the correct ones.
So the master data that were used to create this survey were not up to date anymore. Sometimes the wrong recipient, sometimes a person not in the right function. So really something that we observed. And finally, making this more painful is that it's not something that is really bringing some extra value. So if people don't understand why they're doing something and the value and benefit that it can bring to the organization, they are going to reject this process.
So it brings us to the next point: what are the driving factors to make a certification campaign optimal? So the first one is clearly to have the right tool to conduct that. So clearly an IGA tool; there are different vendors in the market, but you need to get the proper data collection to aggregate all the information and to make sure that the information you're going to send, and the access requests you're going to send to the user, are the proper ones. The second one is to make sure that you are going to send this information to the right audience.
Again, the IGA tool is going to help you in this effort. The third one is easy to comprehend. So the way you are going to share and request managers to approve access requests needs to be properly classified. So the user should understand what is a privileged access, what is a basic access. So really this tool is going to help you.
Again, IGA is going to help you for that. And finally, last but not least, is about getting an appropriate number of questions.
So it brings us to the next point: what is the right number of questions? Where do we put the limit, is it at 5, 10, 5,000? So here we had to rely on a survey.
So we did use a survey, a study created by Survey Monkey. And what we learned from this survey is that the time spent by the user answering a question is clearly not linear in the number of questions: the more questions you have, the less time is going to be spent answering each question. It means that the more questions you have, the less accurate the answers provided by the user will be. That's obvious. But what is very interesting is that it's really helping us to determine the maximum number of questions that should be asked in a survey.
And the recommendation based on geo medical research is that the number of questions should be below 30 questions, and the maximum time that should be taken by the user to address these questions should be estimated at 30 minutes. So that's basic. So this drives us to the next question: how do I reduce the number of questions that I'm going to ask my end user? And that's really the critical point.
And for that you have different ways. So the first one, the very easy one, is that in place of sending one survey every year, you can split it in different parts, quite easily.
You certify low risk resources less frequently than high risk resources. That's very basic to be done. That's the first step. The second part is indeed, when you onboard some application, you need to classify the resources. It's very important to perform the certification and classification: what is high risk, what is medium risk and what is low risk? And based on that you can decide that low risk will maybe even not be certified, medium risk will be once a year, and high risk can be on a regular basis.
And last but not least, to come back to the title of this presentation, it's about how do I create an effective role management to reduce this number of certifications. By an effective role management, we estimate that you can reduce the number of questions by 10 at least. So within a single role you can put together 10 accesses that will be grouped under a single role. Now the question is about how do I create this efficient and effective role management in my organization?
And we at Ooma recommend to use four different layers.
One being the basic role: whether you are an internal employee, you are a contractor, you're a customer, a very basic role. The second one is based on the organization: whether you are in the finance department, whether you are in the engineering department, sales department. It can be as well that for your organization, it can be by localization as well.
So Europe, North America. The next one is a job function role, really something that is linked to the business. So whether you can access, as a financial person, the pay sheet information of your employees; when you are accessing some sensitive data, whether you can access or not this sensitive data. And finally on the top end, really what we named special role. That's not something that can or should be bound into a business role.
As such we saw some accesses to some applications that can be bound together but that are restricted to some very privileged access.
What do we notice is, when it comes to the basic role, the need for certification is very limited. We do recommend to not certify this basic role as such. So when you are an employee of an organization getting an email, do you need a certification or recertification to get access to an email when you're an employee of an organization? Now thank you.
So if someone says yes, I mean maybe you are accessing some very critical information. When it comes to the organizational role, what we notice is that 50% of these roles are requiring a certification, once a year. Then you move to the job functional role. This one should be certified on a regular basis. And it comes to the last one: obviously for this one there should be some request for the access and frequent recertification on the top one.
When doing this classification of roles, there is a big challenge when it comes to the definition of a job function role.
That's where we identify the bigger challenge in an organization. How can I do that? The first one is clearly something that can be defined at the IT level. The IT organization can define this basic role. The second one can be defined at the human resource department level with the support of a manager, but it is as well very basic. Where there is a big step is really on this one. These ones are really business aligned. That's not something that should be done by IT managers or HR on their own. There is a need for collaboration between the business and the IT people, and how do we get there?
How can you optimize this kind of role? Because that's where you get a lot of time being spent.
And that's where we have been using and leveraging AI ML to reduce this number of roles and to identify this number of roles. How do we do that? So we are using role mining based on the role management model that we have in place. So that's something that we're offering to our customers. And the goal of this role mining is to analyze the current assignments that are in place today in an organization based on the classification that we discussed.
And based on this we can notice that there are groups into groups, and by collaboration, again, by collaboration with the business people, we can start reducing the number of roles within an organization. What is very critical to consider is that AI ML is as valuable as your data are valid. So if your data are crap, don't expect magic from AI ML. So I'm going now to give you a concrete case that we have been running with a customer, an organization with more than 10,000 identities.
They have 10,000 end-user resource assignments, for a total of 860,000 assignments, and before running the tool we had an average identity assignment around 80 assignments per resource.
So, by running this model we have identified five basic roles. And with these basic roles we have been able to remove almost 50% of the assignments, and we removed all these basic roles from the certification process. When it comes to the organization role, we moved to 96 organization roles in total, for 340,000 assignments. Job functional: we moved to 1,250 job roles, 243,000 assignments.
And 71,000 special role assignments. What does it give us? And I think that's what is interesting.
So, for almost 50% of these assignments, we move to zero certification. For the organization role, assuming that we have 50% of them that require some certification or recertification, we get 25,000 questions; job functional role, 15,000 questions. So at the end, before the usage of AI ML we had an average of, as I mentioned before, 79 questions; we moved it down to 10 questions.
So that's really where using this technology can help you to improve and make your certification campaign much more efficient and to increase the user experience in your organization. So to conclude,
What I would recommend you is of course to use an appropriate IGA solution, especially with your digital transformation. So it's very important to align with your digital transformation. The lift and shift is only valuable if you bring some improvement in your infrastructure.
The second point or recommendation is really that you limit the number of questions to 30; that's the maximum that we recommend you to use and to send to your end user. The classification and focus of effort is really critical: when you onboard a new application, make sure that you properly classify your resources and that you certify more often the high risk resources rather than the medium. Whatever is low risk, remove it from the certification effort. And finally, it's critical to onboard your application with a good resource name. The naming aspect is most of the time undervalued.
So having a good understanding from the users about what they're going to certify starts at the onboarding of the application; make that visible in your organization. IT people don't necessarily think about it. The application owner doesn't necessarily think about it. That's something that is very important. And finally, really create logical groupings as the ones we propose as part of our best practice to reduce the number of roles, and leverage the latest technology like AI ML as part of the role mining process.
And this is what is concluding my presentation.
And I still have 15 seconds for a question. I'm a bit ahead of time. We
can have one question.
The first one raising a hand will have the right. No questions.
So it means that I was very crystal clear. Thanks for that.
Yeah, thanks a lot and wish you a very good day. Thanks. Bye-bye.