Becoming SOC 2 compliant
AccessOwl has helped Drieam achieve SOC 2 compliance and reduce toil, complexity, and cyber risk
Drieam creates software solutions and provides services which guide higher and continuing education institutions in improving the employability of all learners.
SOC 2 Compliance
All employees have a clear process for Access Requests and Approvals
Single-Source-of-Truth of every access
Based in Eindhoven, the Netherlands, EdTech startup Drieam began its growth journey by winning new business in Europe and the U.S. Prospective clients required that the firm ramp up its security compliance efforts with SOC 2, forcing it to find a replacement for a legacy, Google Sheet–based user access management workflow.
Drieam’s goals were to increase the efficiency of access management while reducing potential errors, and it found the ideal partner in AccessOwl. AccessOwl’s platform saves Drieam’s users time and effort, helps Drieam maintain SOC 2 compliance, and streamlines onboarding and offboarding. The company is now future-proofed for the next stage of growth as its user numbers swell.
Drieam’s journey to automated access management began as it started to build out its client base and as a result increased the number of applications and systems in use. With new customers in its home country of the Netherlands and further afield in Europe and the U.S., requests began to flood in for enhanced security requirements. Recognizing the importance of both meeting customer demands and prioritising internal security, Strategy & Operations Lead Tom Lamers set about updating the firm's access management processes, opting for SOC 2 to drive greater customer trust and assurance while ensuring the highest level of security at Drieam.
Originally, Drieam managed access controls manually via an authorization matrix, built with Google Sheets. That meant poor visibility and control over who had access to what, as well as extra time and effort for the three or four admins tasked with managing access via the spreadsheet, Tom says.
“We effectively had a matrix showing each user, which app they had access to, and with which role. The big problem was that whenever someone was granted access to an app, they would also have to inform one of those three [admins], who then had to manually update the file,” he explains. “It was all manual, which made it much easier to skip documentation than not to.”
Aside from the impact on user experience, this manual way of logging access created a certain amount of anxiety over potential security risks — such as forgetting to offboard leaving employees promptly.
“With our size of company, I think it would still be a theoretical risk that something bad would happen, because most people leave in good faith. But, of course, when you grow, you don't want any trouble, so it's just better to do everything properly,” says Tom.
Tom and his team were looking for an automated tool that could be neatly integrated into Drieam's Slack-based working environment. Their criteria were pretty clear.
“It needed to reduce work and not make things more complicated. Plus, it needed to improve our security compliance within the company,” Tom explains.
Fortunately, Drieam found AccessOwl on the Slack Marketplace just days after it was listed on the site. Both the technology and type of company immediately appealed to the team, and there were no other vendors shortlisted.
“Because we are starting to scale up ourselves, we always like to work with companies who are also in the startup/scale-up phase who we believe have growth potential,” says Tom.
AccessOwl replaces manual, spreadsheet-based processes with an automatically synced single source of truth for all user accounts and permissions. Users can now perform self-service access requests and approvals, which are all managed directly in Slack.
Thanks to AccessOwl, Drieam has been able to institute a proper approvals workflow, whereas before there was only reactive decision making and ad hoc judgements based on “gut feeling,” according to Tom. This has helped to boost confidence in the process and support compliance efforts, as has the granular visibility admins now have into employee access rights.
“Without AccessOwl, the level of confidence [around who has access to what] wouldn't be as high as it is today, which could be a potential risk,” explains Tom.
The move to AccessOwl has also helped to improve the employee experience — for both general users and administrators.
“It's saved [our admins] quite a lot of time because they don't have to update the Google Sheet anymore, or check if people were granted access to an app without it being documented,” Tom says.
“And because of the AccessOwl onboarding template, new employees already have access to multiple applications on day one, by default, so they can have a great start to their new job.”
This streamlined onboarding is becoming even more valuable as the company grows.
“In the past, our HR manager, Celia, had to manually remind app owners to grant access for new starters, and it was not easy to create different profiles for different roles,” Tom explains. “Today it's so much easier. We might have five or six people joining on the same day, so it's really convenient to just click a few buttons. Everything is done automatically, and there's no need for HR to follow up anymore.”
As Drieam expands its employee base, AccessOwl will also help by supporting proper workflows for access requests and approvals — saving time and increasing confidence that all users are correctly provisioned.
“When you're a bit smaller, it's quite clear which person owns which application, so finding them on Slack is fairly easy. But when you're a company of 60 people, it gets more complicated. And when you're a company of 100 people, nobody knows who the application owner is,” says Tom. “As you grow, a few people can no longer oversee everything in a simple, manual way. You need proper workflows, so it gets more and more necessary to have a tool like AccessOwl.”
Tom and his team are delighted that the platform has helped them to hit their two main KPIs: achieving and staying SOC 2 compliant, and “removing barriers to empower our people.” They're impressed with the continued level of innovation occurring at AccessOwl, which means a steady flow of new features, and recommend the tool to others.
“AccessOwl is a great way to tackle one of the most important things in your security compliance strategy: your access management,” Tom concludes. “I would tell organizations considering AccessOwl to give it a try and just do it. I think it could help them.”