Governing access and securing data for a leading chip manufacturer

Our client, (who wishes to remain anonymous) sought assistance in enhancing their security processes to protect highly sensitive data, including government contracts. And meet the requirements of their security auditor.

By partnering with Kocho and leveraging Microsoft Entra Identity Governance, they were able to:

• Build a more robust supplier onboarding process.
• Provide structured and manageable supplier access.
• Establish effective controls for removing supplier access when no longer needed.

Uncontrolled Access Provisioning: Addressing a Critical Security Concern

Our client identified the need to improve their security processes to safeguard highly sensitive data and satisfy their security auditor’s requirements.

The key challenges they faced included:

• A lack of structured supplier onboarding,
• Uncontrolled access provisioning
• Difficulties in removing supplier access promptly when it was no longer required.

Comprehensive Supplier Onboarding: Establishing a Structured Process

Our client has had a long, and fruitful relationship with Kocho. Based on their expertise, and ability to address their business specific challenges, this made us the natural choice for this project.

The solution involved the implementation of a comprehensive supplier onboarding process, a structured access provisioning system leveraging Microsoft Entra Identity Governance, and effective controls for removing access when needed.

To achieve this, Kocho took the following steps.

• Environment Evaluation: Our team meticulously evaluated the existing security environment of our client to gain a comprehensive understanding of their specific challenges and requirements. This evaluation served as the foundation for developing an effective strategy.
• Vision Document and Execution Plan: Drawing upon our expertise, we crafted a detailed Vision Document that outlined our client’s desired security objectives. Based on this vision, we then formulated a robust Execution Plan, providing a clear roadmap for implementing the necessary improvements.
• Access Package Development: Recognising the importance of structured access management, we diligently developed an Access Package tailored to our client’s unique needs. This package served as a framework for efficiently and securely granting and revoking access privileges.
• Access Review Development: To ensure ongoing compliance and security, we designed and implemented a comprehensive Access Review system. This system allowed for regular assessments of user access rights, facilitating the identification and resolution of any potential vulnerabilities.
• Review and Enhancement: Throughout the project, we conducted periodic reviews of our implemented solutions and processes. This iterative approach enabled us to identify areas for enhancement and fine-tuning, ensuring that our client’s security processes remained at the forefront of industry standards.

The project took six months to complete, with Kocho supporting the client throughout the implementation process, ensuring a seamless transition.

Technical challenges in enhancing security processes

Throughout the project, we encountered and successfully addressed a range of technical challenges, contributing to the enhancement of our client’s security processes. These challenges included:

• Standardised Access Packages: We defined, tested, and documented a comprehensive package for external partners, ensuring consistency and streamlined onboarding.
• Access Package Documentation: Detailed Knowledge Base articles provided step-by-step instructions, promoting uniformity and efficient implementation.
• Standardised Form Development: We collaborated on a form capturing vital partner information, facilitating accurate data collection, and seamless access provisioning.
• Automated Governance Scripts: Developed scripts to enforce rules, enhance compliance, and promptly identify any deviations.
• Migration of Third Parties: Robust processes ensured a smooth transition of access privileges, maintaining data integrity during the removal and re-enrolment of guest users.
• Prevention of Unmanaged Guest Accounts: Configurations prevented the creation of unmanaged guest accounts with generic email addresses, bolstering system security.
• Terms of Use Enforcement: Comprehensive documents required annual acceptance, reinforcing compliance and security awareness.
• Reporting and Stale Account Removal: Monthly reports and processes, leveraging PowerShell and Graph API to obtain data from Microsoft Entra ID, to identify and remove inactive guest accounts for enhanced security.

Addressing these technical challenges demanded a combination of technical expertise, meticulous planning, and the development of efficient scripting solutions.

By overcoming these obstacles, we significantly strengthened our client’s security processes, fostering a more secure and streamlined access management system.

The results: short-term

• Trusted suppliers were empowered to approve their own users for resource access, streamlining the onboarding process.
• Users were able to sign in with their own corporate accounts, and access was immediately revoked when they left their organisation, reducing the risk of unauthorised access.
• Regular reviews of individual access were implemented to ensure ongoing necessity and compliance.
• Access grants were assigned specific end dates, improving security and reducing the risk of prolonged access to sensitive data.

The results: longer-term

• The implementation of more rigorous supplier onboarding rules, including structured JML processes and the use of an industry-standard identity provider in Microsoft Entra Identity Governance.
• A balanced mix of automated and manual controls were established to create a rigorous process for granting access, reducing the likelihood of security breaches.
• Rigorous controls over the external user lifecycle were implemented, ensuring that access was revoked promptly upon termination or when no longer required.

Conclusion

Through close collaboration with our client, the security processes were successfully enhanced, resulting in improved protection of highly sensitive data and the satisfaction of their security auditor’s requirements.

The project’s success showcased the effectiveness of the implemented solution built with Microsoft Entra Identity Governance, and its positive impact on the client’s business and technology outcomes.

Want to find out more? Our team of experts would love to speak with you. Get in touch today!