AXA is one of the largest insurance companies in the world, with a presence in 56 countries and 102 million customers worldwide. A few years ago, AXA decided that they needed to move beyond siloed access controls to the unified process offered by IAM systems.
“We needed to get away from managing access rights inside of each business application and move to a centralized system. Our existing process was far too manual and expensive, and we wanted to deploy a solution that would allow us more visibility,” said Emmanuel David, security architect at AXA Belgium, at SailPoint’s second annual user conference, Navigate ’14.
Meeting Both Business Needs and IT Objectives
AXA’s business requirements included ensuring that external users (and any users, actually) couldn’t access assets that they shouldn’t; delegating administration of certain rights to external customers, who could now manage their own users; and efficiently re-certifying access rights to the most mission-critical apps. The business also needed to comply with audit recommendations.
Finally, AXA wanted to establish a “Joiner, Mover, Leaver” process so that access rights could be requested or revoked efficiently, limiting the risks associated with ex-employees, or employees who’ve switched roles, retaining access rights they should no longer have.
While IT had its own set of requirements, they did, ultimately, complement the business ones. IT needed to standardize and simplify their access and provisioning architecture, establish a centralized repository for access governance, and, ideally, find a way to aggregate authoritative and target systems automatically.
IT and the Business Side of AXA Argue for Different Approaches
The AXA IT team initially had trouble getting sponsorship for the IAM project, since the organization had a long list of projects it wanted to fund. Eventually, though, IT persisted and secured the funding to begin deploying an IAM system.
The business side of AXA initially wanted to develop a homegrown system that would work within their insurance application. They were migrating from an old insurance application to a new one and felt like they could handle access and identities as part of that process.
The IT team, however, had other ideas. The team knew that a homegrown approach would be a bad idea. They feared that they would simply end up migrating all of their identity and access headaches from the old app to the new one if they handled the project internally.
IT argued that AXA developers don’t have the security expertise that pure-play security vendors do, and they pointed out that as AXA added more apps and more external user populations, they’d have to replicate the process over and over again, since the homemade approach would not scale. The silos wouldn’t be broken down, just moved. IT had established an Enterprise Privileges Management team, which they called MyAccess.
AXA Selects SailPoint IdentityIQ
As the business side of AXA began to understand the downside of a homegrown solution, the MyAccess team began studying IAM systems. The advantages were obvious, and the MyAccess team eventually persuaded the rest of AXA to go with an external IAM system.
AXA ended up selecting SailPoint and its IdentityIQ product to modernize access management and user provisioning.
By deploying IdentityIQ, AXA hoped to gain more control over access rights, automate the certification process, and streamline access request workflows. They also wanted to better serve external customers, such as brokers and insurance agents, by offering them secure access to various applications.
With IdentityIQ, AXA is now able to grant corporate customers the ability to declare an insurance claim or approve claims on their own. Previously, this would have to be administered by an AXA employee. Now, AXA can safely grant access to its insurance applications to external customers without exposing AXA to additional risks, since IdentityIQ allows them to grant access to external parties in a safe, managed, auditable way.
“In our old application, when a user requested access, a security manager (i.e. person handling customer access requests) had to handle every one of those requests,” David said. “Now, the security manager is replaced with IdentityIQ, which handles those requests automatically.”
IdentityIQ began paying dividends immediately. Not only did IdentityIQ streamline the process of granting access rights, but it also helped AXA gain new customers. A large Belgium-based grocery chain liked the fact that their users could securely access the insurance application themselves, and they cited this as a reason they chose AXA.
“Many administrative security tasks have been shifted away from AXA security administrators to our corporate customers,” David said. “It makes sense to do it this way. After all, the external customers know their employees better than we do, and they have a much better idea of who needs access to what.” Meanwhile, AXA retains the visibility into the process to ensure that the external users aren’t introducing new risks.
AXA has been happy with the results they’ve achieved so far, but there is still more to do. Soon, AXA will onboard more applications, and they also intend to build out role-based privileges. Eventually, the entire “Joiner, Mover, Leaver” process will be automated as well.
“With IdentityIQ, we now have an established set of processes in place to manage identities and access rights as we add new internal users, new applications, and as we invite external users into our application,” David said.