The Co-operative Group (Co-op) is a British consumer co-operative with a diverse family of businesses spanning retail and wholesale, financial services and legal services with over 4.5 million members and 4,200 locations. Running a large-scale business like this requires the backbone of a strong security program rooted in identity.
Identity is security’s backbone
The Co-op is going through a major cloud transformation, which stemmed from their focus on improving their IT security strategy. Identity and access management became a topic during the transformation conversations as the IT team concluded that addressing this gap in their program could be a huge security benefit. Without a solution in place, the audit process had become manual and time-consuming, resulting in some difficult conversations. Onboarding new employees was also tedious. As employees changed roles, they kept their previous access, and it wasn’t removed promptly when an employee left the organization. Each of these scenarios brought a tremendous amount of potential risk for the organization.
“We had a real opportunity to improve the way we respond to audits and how access was controlled and managed, but we could also improve the experience we were giving employees,” Nick King, Technical Specialist, IAM at The Co-op shared. King and his team began putting together the plan, building blocks and team to get their identity governance program in place. SailPoint’s vision and capabilities made them the chosen partner and platform for The Co-op’s journey.
Where do we start?
Granting, removing and changing access was the first order of business. King and his team were well aware that data needed to be accurate and routed through a centralized source in order for the platform to be used to make intelligent decisions about access. They began working with HR and the various businesses to clean the data in their systems, ensuring one identity existed for each employee. When employees leave the organization, their access is now severed immediately by HR. This closes the door on bad actors moving through the organization via dormant identities. The Co-op is also granting access to employees by establishing roles which pre-populate the access an employee needs based on their job title.
On the compliance side, King and his team began running certification campaigns on roles with privileged access, typically found in the HR function. Any employee in HR who can export data goes through a certification review each month to ensure that access is not being abused and is still needed for their role. On a recent campaign, this process found that 4% of the users in the campaign held access they no longer needed. The IAM team was then able to revoke the access, mitigating any potential risk lingering access could create. “Our strategic relationship with HR has been critical for building this program. They have been crucial to helping us establish an authoritative source needed for our new identity governance program,” King said.
Self-service identity for the modern workforce
Cloud password management is another area the Co-op is addressing with SailPoint. Prior to SailPoint, the service desk was contacted for any password-related assistance. Employees now have access to a portal where they can change their passwords without needing the service desk to intervene. “The user experience has drastically improved with this functionality. Our service desk is now able to focus on other priorities saving us resources and time,” King said. Employees have a self-service experience that allows them to manage their passwords directly.
What really brings an identity program full circle is governing human or non-human access to all data and applications. The Co-op is also investing in governance and controls around the data in their organization to address this growing area. “Data minimization and sensitive data are large topics of conversation at the Co-op. We believe that foolproof identity governance that addresses these topics has the ability to bring cost savings, efficiency and increased compliance standards,” King shared. “Data that is being stored and not needed is an unnecessary line item on the budget. Sensitive data that is not properly governed and at risk of exposure can be even more costly. We’re confident of our secure future now that we have SailPoint.”