Introduction
Hi, and welcome to another SPK and Associates vlog. My name is Michael Roberts, a Vice President of Sales and Marketing here at SPK and Associates.
In today’s vlog, we’re going to talk about how growing organizations wrestle with scaling access governance without slowing the business down, and hopefully not overcomplicating processes in the process of doing that.
As organizations expand across departments, locations, and systems, managing access becomes increasingly more complex. What may start as a simple approval workflow inside one team can quickly turn into a really fragmented process, added compliance risk, and potentially manual overhead across the entire organization.
Today I’m joined by Amaresh Ray from Multiplier. Amaresh, great to have you here, and please introduce yourself.
Hey Michael, thanks for having me on.
My name is Amaresh. I am the founder and CEO of Multiplier. We’re an Atlassian partner, and we’ve been in the ecosystem for close to over four years now.
Multiplier essentially is a tool, and we work with these growing organizations that typically have struggled with the pain of scaling their access governance process. Where we really shine is we help these organizations automate a lot of those tedious access requests while at the same time helping them automate a lot of their compliance and governance workflow.
I’m really excited to have this discussion with you today on some of those core challenges and how we can help these organizations really kind of take some of those tedious, annoying tasks off their plate.
I love that. Again, I say this a lot, and I used to work at a company that would have benefited from a tool like this. So I’m invested in solving this type of problem because I feel like it’ll satisfy some problem in a prior role that I never could fix.
Hopefully we’ll be able to talk about scaling that access governance intelligently inside of JSM as the backbone of that enterprise-wide automation.
Scaling Access Governance Across the Enterprise
Amaresh, I want to start here.
So many organizations are starting to automate access with a single department or tool, but then they struggle to do it across the enterprise. How does Multiplier help larger and even multi-locational organizations extend that automation across multiple systems and business units while still keeping that governance component?
Yeah. So I’ll say off the bat that Multiplier is designed to be rolled out in an iterative manner. I’m not a big believer in a big bang deployment because I’ve seen a lot of those projects fail because you’re trying to roll out the perfect solution.
What I love about the way I help our customers get onboarded is to start with single teams or specific applications that they’re finding the most troublesome, or the ones that they’re seeing a lot of requests come in for. So I always encourage teams to start with that.
The beauty of a solution like Multiplier is that we’re embedding into their existing workflows if they’re using JSM today. A lot of teams will have, and I’ve seen, forms that they’re already using to intake some of these requests.
What we really do is we can let them put in all of the applications. They might exist in a state where some teams have a lot of their applications being managed within an identity provider such as Okta or Entra, and they might already have full SCIM and single sign-on for those apps, versus there might be some applications, maybe like a mainframe system or an internal tool, that doesn’t have any automation behind it, and it requires a very different set of processes to go and provision access to that tool.
The nice thing about having it all in one catalog, which Multiplier can do, is it can sort of cater to those different needs that different departments might have while still providing a central place for the end users to go in and request access to those tools.
Each of those can then have its own sort of complexity or workflows in terms of how they’re provisioned at the back end. But that’s what I really like about this system, is that you’re not going to different places to request different things. It’s all centralized.
Obviously, as you grow, you can sort of onboard. You can start with apps on day one that have everything automated, whilst being on a journey of still being able to capture requests and still being able to, let’s say, start with everything being super manual, but it’s in that same catalog.
Let’s say in three months’ time we’ve automated the approval routing process for you. So that was a process that you had somebody wrangle people manually to go and chase down these requests. We’ve now automated that piece, and then over time we can also go in and automate the provisioning piece fully.
One of the nice things that we’ve been doing is using AI. We’re now able to also connect systems that don’t have that automation built in from the identity side. That’s one of the new things that we’ve been building that I’m really excited about, because now it lets us close that automation gap even further.
So that’s something that I’ve been really excited about.
And again, taking the approach you took, having all of the capability but still starting small and building the right way, that’s the right approach. I love that approach, and especially the fact that you’ve built it like that. That goes a long way.
Balancing Compliance and Speed
I want to move now to something that I think is extremely difficult. It’s a big challenge for companies when they’re trying to manage access governance, but they’re trying to find the right balance of compliance along with enabling teams to move fast.
How does Multiplier’s integration with JSM streamline the compliance component and compliance process without slowing the rest of the business down?
Yeah, this is something that I really think about, is how can we be an enabler and really streamline some of these things that organizations, especially ones that are in heavily regulated industries, just need in some of these processes.
I think the fact that they’re on Jira and JSM is already a great start because you get an audit trail built into your processes by default. But where we can really shine in the big compliance win is we have the ability to provision access just in time and also make those time-bound.
So for example, instead of giving somebody—and look, this is the way we work with a customer who came in and they were getting audited—and one of the biggest risks that they faced was every engineer got permanent access to their admin systems. That was a massive risk, and you always had to make sure that somebody remembered to go in and revoke access for people that no longer needed that, or they didn’t need it for the entire time, just always have that be available.
So what Multiplier can do is provision access when you need it. Again, because we’ve automated the process around approvals, we can look into your department and role and automate approvals for certain scenarios that you might decide to pre-approve.
So you might say, okay, if they’re an engineer and they’re on call this week, they just need to submit a ticket and we’ll automatically approve their access. They won’t have to go through the standard gates where they need to wait for a certain amount of time for somebody to go in and approve that request.
Also, when they’re done working on whatever they need to do, we can take away their access automatically. We’ve had people in the past who would have, one of our customers, they would have to put calendar reminders to make sure to take away that access.
I think if you see that, that is a massive reduction in attack surface area. Your auditors will love that, and there is zero effort on your part once you configure it. It’s gone.
The other thing that we’ve also done is a lot of companies typically prefer to work in Teams or Slack as well for approvals and things like that. So Multiplier can do things where it’ll route the approvals also to people in the tools that they work in.
So again, it just streamlines. While sometimes you just can’t get around needing approvals for certain things, we try to make it so that the approvals can be handled in a timely manner.
Lastly, as I touched upon briefly, Jira automation is super powerful, and Multiplier really fits in nicely with that. So we pass in a ton of context to automation when one of these requests comes in.
We pass in the requester’s department, their job title, and so this just means that you can build some policies that have these lower-risk, high-frequency requests that now can be pre-approved. You still keep controls on more elevated permissions.
Multiplier can also look into, within each application, where you can have multiple roles, and we can have rules built around, well, if they’re only asking for read-only access to this resource, maybe we don’t need the full bells and whistles in terms of putting them through three approval chains. We can expedite that request.
So the fact that we can pass in this metadata into Jira, and again, as I mentioned earlier, the nice thing is you have all of these audit trails built into Jira, which is super. That’s another place where we can help make compliance a lot more automated than it will be today if you’re not using Multiplier.
Visibility, Auditability, and Governance
And you mentioned the automation component there because I think that’s another valuable area. Obviously, people are trying to mature and they’re trying to build some automation strategies, whether that’s AI-driven or not.
Visibility becomes really key in that ongoing improvement. So how does Multiplier give IT and security leaders that have to look at all these auditability kind of components, how does that give them insights to identify gaps and reinforce policies, continuously strengthen that governance across the organization?
Yeah, I’m actually going to come at this question from two angles.
The governance angle is an interesting one. A lot of companies that we typically work with will be running an access review, usually every quarter, sometimes a couple of times a year. In the past, that used to be done through a spreadsheet.
There’d be all these email chains with spreadsheets flying around the company, and eventually it lands on some manager’s desk, and they’re rubber-stamping the approvals without a ton of context on what they’re actually saying yes to.
One of the things that we wanted to do was to build access reviews into Jira. So we already have a ton of context around when somebody got access, what was their justification for requesting that access in the first place.
What we can do now is give the reviewers a much richer sort of context to base those decisions on. The nice thing is, if they decide to take away someone’s access, we can do that automatically instead of it having to go into a system and remove their access.
Also, for systems that we’re not integrated with, we create that Jira ticket automatically. So it streamlines a lot of that process, which typically required months and months of overhead.
One of the things that we also were able to do as part of this was show you when people had last logged into some of these tools. We had that data, which again helped surface some of that contextual information for people to make those decisions.
License Audits and Cost Savings
One of the things that we wanted to do is take this governance use case and also think about how could we help companies reduce attack risk or essentially save money, because companies were spending money on tools that people maybe weren’t using anymore. It’s a tool audit almost.
What’s really typical is in a company, Sarah starts in sales or in marketing and then eventually moves into a product management role, but her access accumulates over time. So she has access to more and more tools, more and more permissions, and those aren’t really audited over time.
One of the things that we can now do is we can run, our customers can configure policies that say, hey, if somebody hasn’t logged into this tool in more than 30 days, I want to send them a notification that just checks in with them and tells them, hey, do you still need this thing?
If not, you don’t have to do anything. We’ll automatically take away your access. If you still need access, let us know and provide a justification for why you still need this thing.
This thing can now run on autopilot. You can also run this as a one-off campaign, but the nice thing is we now give you a dashboard. So you can see which people were notified, which people said that no, they still actually need access, and maybe they just were busy doing something else and they haven’t had a chance to log in and use this tool, and which people had their access revoked.
That then lets you build a picture to justify, hey, maybe our renewal is coming up, and probably the license tier that we’re on isn’t the right license tier for us, and we can maybe save money if we went down to the next tier.
I think that’s really exciting for us because now the ROI on this tool is really easy to justify when companies can see how much money we’re saving them.
This is all done automatically. You don’t have to go in and configure anything every time you want to do this. It just runs in the background, and we think this is a really great new addition to our platform.
It is. That’s a huge one. Multiplier literally doing multiple things. It’s also a license audit tool to help you save some money at the end of the day too. I love that.
Richer Usage Data
The nice thing about this tool, and I mentioned this briefly at the start, is we were pulling in these login dates from your identity systems.
But the nice thing is we’ve been working with a customer and they wanted us to audit their Zoom usage. So they had Zoom Pro for a few of their users, and we found out that Zoom isn’t really a tool that you’re logging into because it runs on your desktop, but they had an API where it showed you when you last hosted a meeting.
So for certain applications, the usage data that we’re getting is a lot more detailed than just when somebody logged in. We can now tell you when they actually last hosted a meeting. So your insights are going to be way richer than just a simple login.
That’s what I’m really excited about. We’ve also built something for Grammarly, so we know, are they actually using it?
So this is going to extend beyond just SaaS tools and even things that you’re going to be running on your desktop, for example. So really excited for this.
Yeah, absolutely fantastic. Kudos to you and the Multiplier team.
Closing Remarks
I think there’s a couple things that stand out for me. Managing this is a really big problem, especially for larger mid-size and larger organizations, to be able to have some governance around that.
It’s definitely more than just automating approvals. It’s about actually having a framework that grows with the organization and looks at all the numerous use cases around security and compliance and operational agility, and even cost savings, like you talked about, getting value out of it.
So Amaresh, thank you so much for sharing today. Really appreciate you being here.
Yeah, thanks for having me. This has been a blast.
So for organizations using Jira Service Management, obviously like we’ve talked about today, solutions like Multiplier can help transform access governance from a more reactive, ticket-heavy burden into a little bit more, or a lot more, streamlined, policy-driven automation engine, and really creates a framework for future success.
When done correctly, and hopefully with an Atlassian solution partner like SPK, it actually helps enable teams to move faster and still operate within the constructs of IT and security policies, to give visibility to the folks that need to see that and continually improve.
So if you’re thinking about how to scale access governance across your organization or how to better leverage JSM for more enterprise-wide automation, would love to have a conversation.
You can reach out to our team. Our socials will be linked in the bottom underneath here, so please feel free to reach out.
If you found this content valuable, please be sure to like and subscribe and follow our SPK and Associates YouTube channel for more insights on enterprise automation, DevOps, governance, compliance, digital transformation, and more.
Amaresh, again, thank you for being here. Really appreciate your time.
Thanks so much.
Thanks, everybody. Appreciate your time. Thanks for watching. We’ll see you next time.
