Last week we broke down how to scope and create your user access review (UAR) campaign using ConductorOne. This week, we’re going to look at campaign execution, the reviewer experience, and reporting to auditors.
In the traditional, manual process of running a UAR campaign, you might create multiple spreadsheets, send each sheet out to reviewers, manage communications within tickets or one-off emails, and manually follow up on any access changes. We’ve seen this take weeks, if not months, to complete manually. With ConductorOne, you can run, complete, and report on a UAR campaign in a matter of days.
Kicking off your campaign
Once you’ve defined the scope of your campaign and chosen your review workflow, all that’s left to do is prepare the campaign and finalize it. To make it easier on reviewers, you can create a shared Slack channel and turn on notifications and reminders.
Completing reviews from the end-user perspective
The goal here is to make reviews as frictionless and easy as possible for reviewers. To do so, ConductorOne gives the reviewer a view of all certifications assigned to them in the Slack homepage. Clicking into any task will take the reviewer to the web app, where they can easily view tasks by application and user, with a roll-up to the entitlement.
Detailed context is included in each access review so the reviewer has relevant information such as risk analysis, downstream effects of group memberships, and compliance implications. If there are any questions or clarifications needed, you can comment directly on the certification so that important context isn’t lost in one-off emails. Any certifications that are denied can automatically kick off revocation tasks and deprovisioning.
Additional tooling and reporting to auditors
ConductorOne provides additional tooling to keep UAR campaigns sailing smoothly. For example, you can reassign certifications in bulk when someone is out of the office or on leave. For less sensitive, lower-risk entitlements or applications, you can select and approve certifications in bulk.
Reporting the results of a campaign to auditors is as easy as generating a report. The report includes every entitlement that was reviewed and a summary of actions including the resource, entitlement, description, reviewer, and the result of the review.
Customers who use ConductorOne, like DigitalOcean, have been able to reduce the time and effort spent on UARs by 85%, while increasing their on-time completion rates to nearly 100%.
Everyone is at a different point on their compliance journey, so feel free to reach out and chat with us to learn more. If you’re not ready to automate your manual UAR processes, you can also check out our free UAR toolkit.