August Platform Walkthrough
blog C1 Perspectives

How Treasure Data Transformed User Access Reviews with ConductorOne

/images/author-claire.jpeg Claire McKenna, Director of Content & Customer Marketing

Share

/images/company.jpg

When Ryan Schoeller joined Treasure Data four years ago, their user access review (UAR) program was barely scratching the surface. Reviews happened sporadically, often focused only on AWS accounts, and were driven by ad-hoc exports into spreadsheets. A single person would comb through the list and make basic decisions like, “Does this user look right?”

It was a classic phase 1: manual processes scenario on the UAR maturity model: high effort, low scalability, and limited security value.

Laying the foundation: people, process, then technology

Ryan started with the basics.

“I wanted the team to understand the ‘why’ first,” he explains. “What’s our objective? What does good look like? Once we had that, we could build a process that was better than rudimentary spreadsheet checks.”

For about a year, the team ran a highly manual but structured process each quarter:

  • Pulling data from ~15 systems
  • Gathering user lists from HR and app owners
  • Reconciling access with VLOOKUPs in spreadsheets
  • Verifying only surface-level criteria like terminated employee access

The upside? The process trained interns and helped solidify a repeatable workflow.

The downside? Every new system meant a new round of manual exports, coordination, and follow-up, a method that couldn’t scale.

The case for ConductorOne

By the end of that first year, the people and processes were in place. What they lacked was technology.

Ryan pitched ConductorOne to his CISO with a clear business case on what a tool could do to mature their UAR program.

Access review rrocess: before vs. after ConductorOne

Table showing before and after ConductorOne.

The value was clear: from 160 hours annually to just a fraction of that time, while simultaneously expanding scope and improving review depth.

Moving into phase 3: intelligently scoped reviews

Today, Treasure Data is firmly in phase 3 of the UAR maturity model: intelligently scoped reviews that focus on risk and relevance.

What changed with ConductorOne:

  • Automated conflict detection: Instead of full campaigns, the team uses access conflict monitoring to catch issues in real time via Slack.
  • Broader review scope: Beyond terminated employees, the team now reviews privileged access, group-based access, external accounts, inactive users, unused permissions, and more.
  • Streamlined remediation: Exceptions flagged in reviews automatically generate Jira tickets, cutting remediation from a manual spreadsheet exercise to a 30-second export.

This shift has allowed the team to target high-risk areas once neglected because of the heavy manual lift, such as sensitive Google Workspace groups or critical infrastructure entitlements.

Why ConductorOne

Treasure Data selected ConductorOne for three main reasons:

  1. The people: from initial calls to direct involvement from ConductorOne’s executive team, Treasure Data trusted the partnership.

  2. Breadth of connectors: ConductorOne integrated with their tech stack from day one.

    “The amount of connectors that were available that aligned with the tools that we used in our tech stack was extremely appealing.” — Ryan Schoeller, Director of Governance, Risk, and Compliance

  3. Value beyond UARs: It wasn’t just an access review tool; it was a full identity security platform with automation and extensibility.


    “It’s not just an access review tool, there’s other functionality here that other departments can use. It’s a total identity and access management platform, not just a single point solution.” — Ryan Schoeller, Director of Governance, Risk, and Compliance

Looking ahead: toward phase 4

Ryan’s team is now setting their sights on phase 4: exception-driven reviews. Their roadmap includes:

  • Building an RBAC matrix within ConductorOne.
  • Implementing real-time, exception-based alerts instead of quarterly campaigns.
  • Moving toward zero standing privileges with just-in-time (JIT) access.

The goal is continuous assurance: if an HR employee suddenly receives Okta admin rights, the system flags it instantly, not three months later during an audit.

Lessons learned

Ryan’s advice for peers starting at phase 1 or 2:

“Go in with a process in mind. Even if you don’t have one, ConductorOne is simple enough that someone can log in and create a campaign quickly.”

ConductorOne didn’t just make Treasure Data’s UARs faster, it changed the way the team thought about compliance. What used to feel like a box-checking exercise now delivers meaningful security outcomes. As Ryan put it:

“By using ConductorOne, we’re not doing compliance theatre, we’re getting a level of depth that actually matters.”

From 160 hours a year to intelligent, continuous reviews, Treasure Data’s journey proves the power of combining the right people, processes, and platform.

 

/images/newletter-post.png

Stay in touch

The best way to keep up with identity security tips, guides, and industry best practices.

Explore more articles

/images/five-ways-thumbnail.png

Five Ways to Streamline SOX Compliance with ConductorOne

/images/technical-insights-1.png

How SLA Escalation Policies Work in ConductorOne

/images/build-vs-buy-thumbnail.png

Build vs. Buy for IGA: Why ConductorOne Wins Every Time