How RRCU cut risk with automated user access reviews and JIT access

Red River Credit Union (RRCU) has been serving the wider community of Texarkana, Texas—the aptly named twin city straddling the border of Texas and Arkansas—since the 1940s. Originally founded by employees of the Red River Army Depot, a local US Army supply and maintenance facility, RRCU now has 119,000 members, $1.5 billion in assets, and 30 locations throughout Texas, Arkansas, Louisiana, and Mississippi—adding Oklahoma by year-end. “We’re big enough to require a lot of regulatory compliance,” says Brandon Baker, RRCU’s Information Security Officer, “but small enough that compliance is managed by a small group of people.”

Brandon joined that small group a little over two years ago and, just three months into his role, went through his first National Credit Union Administration (NCUA) security audit. The federal audit revealed that their core banking system—the backend servers that manage all of the credit union’s financial transactions and records—lacked the internal capability to conduct user access reviews (UARs). 

RRCU’s team knew they needed to get a UAR solution in place as soon as possible, and Brandon took the lead on the project. Read on to learn how RRCU used ConductorOne to not only automate access reviews but also clean up the data in their core, move to just-in-time access, impress auditors, and realize a stunning $1 million reduction in risk—all in under a year.

Bringing modern controls to legacy systems

Like many financial institutions, RRCU is in the active process of updating older infrastructure and security practices to meet evolving threats and compliance requirements. But system change in the highly regulated financial industry is slow and careful. RRCU plans to move to a new cloud-based core system in 2025, but for now they’re still running an on-prem core that “was developed in the 1980s and feels like it,” says Brandon. So his first priority was finding a UAR tool that could work with the old core. “There are products that offer user access reviews for cloud-based systems, but you need to be full cloud—and that’s not a lot of organizations. We’re still hybrid, which limited the products we looked at.”

Equally important for Brandon was finding a solution that didn’t just check the UAR compliance box. His larger goal was to push RRCU’s security program forward by getting better real-time visibility and control of user access. “Point-in-time reviews are antiquated,” he says. “I didn’t want to only implement user access reviews and already be behind on the modern standard. Finding a solution that could do both access reviews and access requests became a make-or-break-it for me.”

At the time, RRCU’s access request processes left a lot to be desired from both a security and a productivity standpoint. “I couldn’t tell you what applications users had access to because every application was managed by a different department and admin,” Brandon says. In some cases, access requests still required filling out and scanning paper forms. Deprovisioning users involved emailing app owners to find out if the terminated user had access and collecting proof that access had been removed. Brandon had no viable way to audit or securely manage who had access to what, and IT, app owners, and employees were frustrated by the system’s inefficiencies—depending on the app, it could take up to a week to get provisioned or deprovisioned. 

Brandon and his team found several vendors that offered either access reviews or access requests, but Brandon was determined to get best-in-class reviewing and requesting capabilities in one solution. “I didn’t want to have to bounce back and forth between multiple products. I wanted to minimize our panes of glass as much as possible.” 

Improving identity practices across the organization

“ConductorOne was the best of both worlds,” Brandon says about finding the platform. ConductorOne could help RRCU automate both access reviews and requests—and crucially, ConductorOne was designed to connect hybrid systems. “I didn’t have easy options for integrating our old core—no APIs. So ConductorOne’s ability to ingest on-prem application roles via CSV was really important for us,” Brandon explains.  

Brandon and team set up a POC with ConductorOne focused on reviewing and tidying up the core’s access data. A programmer at RRCU created a CSV export file from the core database, so all Brandon had to do was upload the file to ConductorOne to get a comprehensive view of the core’s roles and entitlements. “We then used ConductorOne to do partial reviews and make changes—we did a rinse and repeat five or six times to bring everything in line.” 

Improving their identity and access hygiene created operational and security benefits right away. “It started good discussions because we had to re-identify some of our roles and ask things like, ‘Why do we have a role that’s essentially the same as the role right beside it? What differentiates them?’ That led the HR department and operations to better define RRCU roles and their responsibilities.” 

Lowering standing access while improving user experiences

RRCU went live with ConductorOne straight from the POC—no implementation changes necessary—and  quickly began integrating the platform into more parts of the business. “We were completely up and running with reviews and requests within two or three months,” Brandon recalls. 

While gaining visibility and automating access reviews is a huge win for RRCU, it’s ConductorOne’s access requests that have provided the most benefits. “Reviews are essential,” Brandon explains, “but the ability to do just-in-time access along with reviews in the same product—that’s the big thing for us.”

Having a way to move sensitive roles and entitlements to time-based access has fundamentally shifted the way RRCU approaches access overall. “ConductorOne’s philosophy is zero trust from an access standpoint,” says Brandon, “and it’s really changed my department’s thinking about how access works. We traditionally viewed access reviews and requests in terms of birthright access. That’s gone away and we’re leveraging just-in-time access more.”

RRCU employees no longer retain privileges, for example, when they’re on vacation, or privileges they only use once a month. “Now we can grant those privileges only when needed, and users can self-request,” says Brandon, “which makes us safer. The last thing I want is for one of my employees to be the reason an incident happens,” he says. “But they still have to be able to execute their jobs, and they have to have some privilege to do so. If I can limit that privilege from 8 am to 5 pm, they feel better. I feel better. Everyone feels better.”

RRCU employees are happy to give up access they don’t need because getting access is so much easier now—no more figuring out which department to contact or downloading pdfs to print out and scan. “If nothing else good came from this, I’d still be happy that we got rid of emails and paper documents,” Brandon laughs. “Now requests are sent in a few clicks.”

Running the numbers on ROI

ConductorOne’s value is obvious to Brandon and his superiors. “Our audits are coming back clean, with low findings that are just the last bits of regulatory details at this point,” he says. “Those visibly better audits are a big proof of value for anyone I report to.”

But for financial organizations, the proof is always in the numbers. Brandon documents all the controls his team puts in place and calculates the percentage by which each control reduces RRCU’s inherent risk, which is based on dollar amounts assigned to the confidentiality, integrity, and availability of each member record across their systems. Every control that improves information security in these categories lowers the credit union’s inherent financial risk by some percentage.

In 2022, RRCU’s inherent risk was negatively impacted by their lack of a regular access review process; without reviews, the likelihood of identifying and remediating problematic access was low. By early 2024, after implementing ConductorOne for access reviews and requests, RRCU’s inherent risk assessment had dropped by $1 million—a 10% reduction that amounted to a 2,000% ROI for ConductorOne in just the first year of use. As Brandon wrote in his risk report, “ConductorOne exceeded our requirements and provided invaluable controls in our risk management strategies.”  

Coming full circle with auditors

The NCUA agrees. When they returned for another audit in April 2024, RRCU’s new access controls “got a thumbs up from the NCUA auditors. They loved ConductorOne,” Brandon says. “They were actually shocked to see that we had so much integrated—credit unions of our size almost never have this much maturity in their security stack. Now when they see other credit unions struggling, they’re going to send them our way for recommendations.”

Going from being unable to run access reviews on their core to becoming an industry-leading example of good compliance in just over a year is a huge accomplishment for Brandon’s team. But Brandon is most proud of how much they’ve been able to improve RRCU’s overall security posture by modernizing their approach to identity security. “We’re really leaning into just-in-time access. It’s the new way forward that I think everyone needs to be focused on, and we couldn’t do it without ConductorOne.”

He’s eager to continue that modernization journey when RRCU moves to their new cloud-based core next year. While the challenge of transitioning an organization’s most critical infrastructure from on-prem systems to the cloud doesn’t spark joy in most security practitioners, Brandon is optimistic. “ConductorOne is one of the best working relationships I have. They strive for us to have success with the product—something you don’t find with a lot of vendors.” With a good partner by their side, Brandon and the RRCU team know they can continue to move the credit union’s information security program forward and lead their industry by example into a more secure future.