Network Access
The Situation
Every request for network access to information resources takes at least a few days to fulfil, because three people approve it in sequence: the manager of the employee who requested access, the manager of the employee who owns the resource, and finally the information security officer.
The Task
Speed up the execution of network access requests several times over.
The Action / Approach
My team developed and implemented a special-purpose IT system that maintained the actual matrix organisational structure. We provided an end-to-end inventory of IT resources, and each resource was assigned an owner organisation unit. In addition, we classified all IT resources by environment: DEV, TEST, STAGE, and PROD. Our HR team helped us assign one or more matrix organisation units to each employee according to the employee's actual functions. For instance, our HR team assigned some guys to multiple units if they worked on several projects simultaneously.
We developed a policy with clear rules for granting network access; these rules were based on the organisation units of the matrix structure. So, for instance, to allow an employee access to a virtual machine in a DEV environment, no one’s approval is required if the employee works in the same department that owns this virtual machine. If the employee works in another department, the approval of any owner-unit employee is sufficient to grant access to this virtual machine, without waiting for a decision from the head of that department.
For a small share of requests, the information security officer's approval was still needed – for instance, if anyone requested access from a virtual machine to the Internet directly, without a corporate proxy server.
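The approval rules described above, written as a decision function. This is an added example, not the team's actual system: the class and field names are hypothetical and the unit names are constructed. Two points are assumptions because the text does not state them: requests outside the DEV rules keep the original three-step chain, and a direct-Internet request adds the security officer to whatever else is required.

```python
from dataclasses import dataclass
from enum import Enum

Env = Enum("Env", "DEV TEST STAGE PROD")  # environment classes from the inventory


class Approver(Enum):
    REQUESTER_MANAGER = "manager of the requesting employee"
    OWNER_MANAGER = "manager of the resource owner"
    ANY_OWNER_UNIT_EMPLOYEE = "any employee of the owner unit"
    SECURITY_OFFICER = "information security officer"


@dataclass(frozen=True)
class Request:  # hypothetical shape of one access request
    requester_units: frozenset     # matrix units HR assigned to the employee
    owner_unit: str                # unit that owns the target resource
    env: Env
    direct_internet: bool = False  # VM -> Internet, bypassing the corporate proxy


# Assumption: cases the policy text does not cover keep the original chain.
LEGACY_CHAIN = (Approver.REQUESTER_MANAGER, Approver.OWNER_MANAGER,
                Approver.SECURITY_OFFICER)


def required_approvals(req: Request) -> list:
    """Approvers to collect, in order. An empty list means auto-grant."""
    if req.env is Env.DEV and req.owner_unit in req.requester_units:
        approvals = []                                  # same unit, DEV
    elif req.env is Env.DEV:
        approvals = [Approver.ANY_OWNER_UNIT_EMPLOYEE]  # other unit, DEV
    else:
        approvals = list(LEGACY_CHAIN)                  # assumption, see above
    # Assumption: the security officer is added on top, never substituted.
    if req.direct_internet and Approver.SECURITY_OFFICER not in approvals:
        approvals.append(Approver.SECURITY_OFFICER)
    return approvals


if __name__ == "__main__":
    # Constructed sample requests; unit names are made up.
    samples = [
        Request(frozenset({"payments", "platform"}), "payments", Env.DEV),
        Request(frozenset({"platform"}), "payments", Env.DEV),
        Request(frozenset({"payments"}), "payments", Env.DEV, direct_internet=True),
        Request(frozenset({"platform"}), "payments", Env.PROD),
    ]
    for r in samples:
        print(r.env.name, sorted(r.requester_units), "->",
              [a.name for a in required_approvals(r)] or "auto-grant")
```

An employee assigned to several matrix units matches on any of them, which is why the requester's units are a set rather than a single value.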
We automated the execution of all access requests with Jira workflows. We formed all necessary access groups automatically in Active Directory based on the matrix organisational structure and granted network access automatically based on these groups: in the campus network via Cisco ISE, and in the data centre network via VMware NSX.
The Result
My team shortened the execution time for 90% of network access requests from a few days to 1 hour.