This New England bank has grown 200% in the last three years, causing their employee count to quadruple. This growth is largely attributed to a national student loan consolidation and refinancing platform, as well as proprietary personal loan and mortgage products introduced in 2016. At the time, they were a $600 million bank and this year just surpassed $4 billion in federal and private loan consolidation.
Advocating for Identity Governance
This organization’s Chief Technology Officer joined in 2016 and was quickly brought up to speed on the current identity management processes. She believed the IT environment, specifically the identity management processes, would not be able to keep up with the growth of the company. Manually managing identity processes created a lack of consistent control around user access and provided none of the tracking capabilities required for audits. Issuing access and completing access reviews were also time-consuming and error-prone. The CTO advocated for an identity governance program by educating senior management and the board on the risk and productivity issues that the manual environment was creating, as well as the business value a more focused effort could provide. Her recommendation was an identity governance program that automated employee access and certification campaigns and extended that capability to govern access to data stored in files – another growing concern for the company. “Our identity processes became something fine for what it was but was completely unsustainable with our growth model. We would have continually faced regulatory challenges. As a financial services company, if you don’t have your act together with identity governance and security, you will be very challenged moving forward. SailPoint was the business partner to help us jump that hurdle,” their Information Security Officer (ISO), who played an important role on this journey, shared.
Addressing Access Certifications with SailPoint IdentityNow
“I had worked with SailPoint at a prior company and knew they would be the catalyst to help us move forward,” the CTO shared. They set out to establish the foundation for their identity program, starting with the fundamentals to create a consistent, traceable and stable program based on who has access to what and what they are doing with that access. Their initial phase focused on addressing the compliance gap and taking a risk-based approach with key applications. They developed a roadmap with goals and refused to deviate from the plan, using SailPoint documentation as a guide. “The out-of-the-box functionality of SailPoint’s SaaS solution and resources available with SailPoint allowed us to be up and running with our certification program in four months. We are now confident in our ability to continue scaling while maintaining a compliant environment,” the ISO said.
Prior to SailPoint, application owners manually conducted yearly access reviews, which was a highly labor-intensive process. After SailPoint’s SaaS access certification capabilities were live, they learned that application owners had only been looking for deltas in access change. Access for many employees had just been accruing, creating potential risk. “The certification process was so intensive. By the time a certification program had finished, the data that was used to do the initial campaign was stale and almost worthless,” the ISO reflected. Certification campaign data is now in one place, which creates a much easier process for the application owners. Campaigns are now run quarterly and take 75% less time than the annual reviews that were run manually. “We recently showed our auditors our implementation and how far we have come. The feedback was tremendous, and they now have a sense of assurance for the solution we put in place that benefits our regulators, board of directors and customers – a win-win for all,” the ISO shared.
Protecting Sensitive Client Information
A natural progression from certifying applications was to turn their attention to the sensitive files being accessed in the organization. “As a bank, we are regulated by the Gramm-Leach-Bliley Act (GLBA) and our primary concern is protecting our client’s data,” the ISO shared. The team determined that they could implement manual workarounds to put some structure in place for managing access to sensitive files, but that these would never completely solve the problem. They needed a solution that would crawl petabytes of data in the organization to discover where sensitive information is located and flag who has access to it. SailPoint’s File Access Manager was the part of their identity governance platform that would help address these challenges.
The CTO and ISO are now able to glean insight and manage who has access to sensitive data in the organization as part of their overall identity program. Their focus has been the high-risk applications where sensitive data resides, including Windows File Servers, Exchange, Box and SharePoint accounts. “File Access Manager allowed us to report to our board on GLBA, which used to take months to prepare for with contractors. Now we run a report to show access to sensitive files in minutes,” they shared.
The Value of Business Partnership
“The value-add SailPoint provides is their focus on the business partnership. You are in this together. My prior experience with them stuck with me so strongly that I remembered it through iterations of my career and I inherently knew this was the right solution,” the CTO shared. They have not hired any additional headcount to manage their cloud-based identity program and shared recommendations for other financial services organizations looking to invest in their own program. “Set a definitive scope before launching and stick to it. Always consider where you are and where you need to go, and scale as needed after you have the foundation in place,” the ISO shared. “We look forward to our continued partnership with SailPoint and growing our identity program.”