The problem we're solving
For people to collaborate on something, they all need access to it.
But all of those 'share' buttons can have unintended consequences for security and compliance.
As access sprawls across countless files, systems, staff and external people, the business has little control or visibility of ‘who has access to what’.
Manual processes to address these security risks and compliance issues are costly and imprecise.
This is the problem that we’re solving at Torsion.
Collaboration systems such as Microsoft Teams, SharePoint and Office 365 are designed to encourage information sharing.
Users and admins constantly share access to information. 'Share' buttons are everywhere.
And there are many overlapping technical configurations which grant access in a complex variety of ways.
In fact, access to information sprawls 44 times faster than it is controlled. The business often has very little visibility or control of who has access to what.
Every instance of a person having access to information they shouldn't have is a potential security vulnerability.
All it takes is the wrong sensitive file in the hands of the wrong staff member (or even worse, an external user!) to cause a catastrophe.
With access sprawling fast and with little control, inappropriate access to sensitive information can be very hard to detect.
This is how many cyber security breaches get started.
Many InfoSec regulations and standards like ISO27001, PCI DSS and GDPR require the business to have good control of access to information.
But control isn't just a list of names of people with access; it's knowing why those people have access, and being able to prove that everyone's access is correct and appropriate.
If we don't know why someone has access, how can we prove whether they should have access?
This can be very difficult to demonstrate under audit, causing compliance failures, frustration and wasted time.
Manual Governance: Costly and Imprecise
Slow approvals, tedious reviews, painful governance processes - these are all part of manually trying to manage access.
These manual, human-driven approaches all fail for the same reason:
There is far too much information, people and access, changing far too frequently, for any human process to keep up.
IT-centric admin tools don't help, because the business knowledge about who needs access lies with the business users and not with IT. And they're still too manual.
The result is a lot of wasted time, money and frustration. And still the same security and compliance challenges.