The City of Boston is the most populous city in New England and the economic and cultural force, 8.2 million strong, of the Greater Boston metropolitan area.
Being the center of such a large and vibrant metropolitan area, there is a substantial need for effective government. Government that provides the services necessary for such a city to thrive: schools, public safety, social services and more. With thousands of employees and such a diverse set of activities that must be completed each day, the City of Boston requires a robust IT infrastructure and identity management program.
Aging identity management infrastructure takes toll
Essential to managing City of Boston’s employee access to the IT infrastructure, is their identity management program. For years, the department of innovation and technology relied on an aging and highly customized Oracle identity management deployment, which had grown increasingly difficult to manage. “The system had become very fragile,” says Gretchen Grozier, project manager for identity and access management at the City of Boston.
When employees are first hired at the city, they are assigned a basic identity that provides them access to the resources they need to do their job. Additionally, so that everyone can work more effectively, employees are provided access to applications and resources relevant to their department and job position. For instance, an employee who works in the arts and culture department needs access to a different set of applications than a teacher or a driver for the Public Works department.
It was essential that the IT and HR teams keep the identity system up to date, but that alone became extremely difficult because of the level of customization required. And because it was not easily upgraded, the aging Oracle infrastructure started suffering considerable outages. In an attempt to keep the people up to date, the HR application support team would run a weekly report that would be emailed to application owners and other managers. The goal being that they would manually update any systems to reflect changes. There had to be a better way.
“The identity management team is small, so whatever system we came up with would have to be much more serviceable. It would need to be flexible, but also not require heavy customization,” Grozier said.
The department of innovation and technology requested the necessary capital budget, developed its request for proposals, and set out to find an implementation partner who could recommend and implement the identity management software and services they’d need to develop a flexible, sustainable, and cost-effective identity management platform.
Building a sustainable, agile identity management implementation
For their identity management platform, the City of Boston chose SailPoint IdentityIQ. With IdentityIQ, the city can quickly determine who has access to what applications and services, as well as determine if that access is within its security policy. IdentityIQ provides the city the ability to implement streamlined account self-service options and automated policy management.
IdentityIQ was integrated with their Oracle PeopleSoft HCM system, which serves as the primary source of employee identity information, essential to effective identity lifecycle management as people join the city, change roles, or leave their positions.
Those accounts that wouldn’t appear in the HR system, such as non-payroll accounts for consultants, interns, volunteers, and others, would be generated directly within IdentityIQ. To make sure there wouldn’t be duplicate identities generated, the team developed customized forms with the proper workflows built-in. The city also built an approval framework for requesting access to applications within IdentityIQ.
The final piece of the initial rollout was the Access Boston Portal that is powered by IdentityIQ and other tools. It’s dynamic, so the access choices and functionality users see depend on their role and level of access. “But to an end user it all looks and feels exactly like every other application the department of innovation and technology runs,” Grozier says. The new system manages all of the required identity approval workflows. With the new portal, users can manage their own account and access all of the central applications they need.
Nobody wants to have to call the service desk to reset their password, nor pay the expense of staff time to take those calls. To improve this situation, the city also built a self-service forgot password option to enable employees to securely and effectively reset passwords themselves. And within IdentityIQ a new identity verification workflow was created for those who could not use the self-service option. “Previously, the manual password reset process wasn’t as tight and secure across the board as it could have been,” she says.
Automating identity management workflow
The results speak for themselves. Today, the City of Boston is automatically provisioning and de-provisioning its accounts. And when people move or have a change in job role, access is automatically updated accordingly. “This is all so very important. Now, when somebody leaves the City of Boston, that evening IdentityIQ sees that they have an employment end date and de-provisions all their access,” Grozier says. “No more weekly reports and vague manual processes,” she adds.
The technology behind the new identity management system, Grozier explains, provides a more robust and stable technological foundation. “From a technology perspective we are now state-of-the-art,” she says. “After we went live, we stopped having identity management system outages. I think that’s just essential for the city: everything works all the time.”
“The City of Boston’s employees also appreciate the new system,” Grozier adds. “And after we put the new system in place, we didn’t get a deluge of help desk calls. It just works. And that’s the real test of a successful identity management program,” she says.