2024-08-07, Florentine E
“Zero trust principles” increase the burden on IT teams to manage granular access. With this increase in complexity and overhead, security problems follow: how long after an employee departure does it take for system access to be revoked? How much of this process is manual? When a person is promoted or changes roles, what new access should they gain automatically, what should they keep, and what must be revoked? For example: do new people managers automatically get special “manager” powers?
These problems are universal, and there’s no single tool that solves them. This talk walks through a two-year case study of building employee AAA as a regulated company grows from one to several hundred employees: how we got started in the world of data-driven access, what employee data we’ve sourced, how we’ve built automation with a mix of low-code and no-code approaches, and where we’ve used capabilities native to our HRIS, identity provider, and other tools to automate onboarding and offboarding.
This talk is born from work I’ve done taking the AAA stack of Cedar, a healthcare technology start-up, from a hugely manual, IT-driven, workflow-heavy operation to one where nearly all aspects of the stack are automated, as the company tripled in size.
We started by partnering with our HR team during and after a new HRIS implementation, to ensure they had the core data we needed in a reliable and audited form. We then configured our identity provider to grant and revoke system access as HR attributes changed: job title, department, manager status, or transition to full-time.
As the system evolved, we expanded on this base-level functionality to incorporate more complex workflows, such as exclusions based on edge cases (like leave status), and to continually onboard new applications and access types without creating spaghetti code, while keeping the maintenance burden low.
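To make the HR-driven model above concrete, here is an added illustration (not Cedar’s code or any HRIS or identity provider’s API) of how HRIS attributes can be turned into intended group membership and reconciled against what the identity provider currently holds. The field names, group names and attribute-to-group rules are constructed assumptions; the point is that leave and termination are handled as account-level actions before any group rule is evaluated.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Employee:
    """One HRIS record (constructed fields, not the talk's real schema)."""
    email: str
    status: str            # "active", "leave", or "terminated"
    department: str
    employment_type: str   # "full_time" or "contractor"
    is_manager: bool

# Hypothetical attribute -> group rules, the kind an IdP group rule encodes.
BASELINE = {"all-staff", "slack"}
DEPARTMENT_GROUPS = {
    "engineering": {"github-engineers", "aws-developers"},
    "finance": {"erp-users"},
}
FULL_TIME_ONLY = {"benefits-portal"}
MANAGER_GROUPS = {"hris-manager-self-service", "expense-approvers"}

def desired_groups(emp: Employee) -> set[str]:
    """Groups an active employee should hold, derived purely from HR data."""
    groups = set(BASELINE) | DEPARTMENT_GROUPS.get(emp.department, set())
    if emp.employment_type == "full_time":
        groups |= FULL_TIME_ONLY
    if emp.is_manager:
        groups |= MANAGER_GROUPS
    return groups

def plan_changes(emp: Employee, current: set[str]) -> dict:
    """Diff current IdP groups against HR-derived intent.

    Returns the grants and revocations to apply plus an account action.
    Leave is an exclusion: the account is suspended and the group rules
    are not evaluated, so nothing is revoked that must be restored later.
    Termination deactivates the account and strips every group.
    Anything in `remove` for an active employee is drift worth reviewing.
    """
    if emp.status == "terminated":
        return {"account": "deactivate", "add": set(), "remove": set(current)}
    if emp.status == "leave":
        return {"account": "suspend", "add": set(), "remove": set()}
    desired = desired_groups(emp)
    return {"account": "active", "add": desired - current, "remove": current - desired}

if __name__ == "__main__":
    # Constructed case: engineer just promoted to manager, still holding a stale finance group.
    emp = Employee("a.lee@example.com", "active", "engineering", "full_time", True)
    print(plan_changes(emp, {"all-staff", "slack", "github-engineers", "erp-users"}))
```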
We’ll talk specifically about lessons learned from tools: what to expect from SSO vendors, how to spot deviations in the data, and how to use delegated access management to simplify work and solve problems.
My goal is that at the end of the talk participants will see what is possible with modern tooling and feel empowered to build something similar themselves, even if they aren’t expert programmers or don’t have a large team or budget, and ultimately see what powerful automation can do for their team and their organization.
John Evans is the Technical Operations Manager at Cedar, a health tech startup based in NYC, where he is responsible for corporate IT, business systems and cloud engineering. He’s spent most of his career in IT and security-adjacent work. As a former Apple Retail Lead Genius, he’s also passionate about user experience and building IT and security teams that help people do their best work. He enjoys working with complex IAM problems, DevOps teams and high-growth startups, and finding speed not just in automation but in bikes and sim racers, too.