A Financial Services Organization: Moving Beyond Legacy Tools to the Future of Identity
The company was founded in 1888 and today manages approximately $27 billion in assets. Based in Columbus, Georgia, the bank provides commercial and retail banking, investment, and mortgage services through 29 locally branded divisions, 280 offices, and more than 400 ATMs in Georgia, Alabama, South Carolina, Florida, and Tennessee.
This organization was managing identity with a combination of legacy tools and manual processes. Many companies take this approach when they first grapple with managing identity, but it often becomes hard to maintain as the business grows. Resources get overworked and errors are made, which leads to audit findings and affects the bottom line.
Their identity and access management (IAM) team knew there was a better way. Andrew Bowman, Information Security Engineer, knew that to have an efficient workforce, an accurate understanding of user access and a compliant environment, investments needed to be made in an end-to-end identity governance program. “We were ready for automation. We wanted to empower users to drive their success by giving them access to the systems and tools necessary to do their jobs on day one. We knew removing the manual workflows would reduce the workloads on managers and IT staff, and increase the reliability of the reports we were generating for audit purposes. Our top goal was to gain visibility into as much of our IT infrastructure as possible,” Bowman shared.
The company selected SailPoint as the identity governance platform that would empower them to accomplish these goals. “SailPoint was the most complete and least complex solution from an implementation and consulting costs perspective,” Bowman reflected. They set out to automate the certification process right off the bat. Andrew and his team worked to bring all applications into SailPoint so that managers could automatically certify users. Bringing applications and their users under one viewpoint allowed them to track who is accessing the apps and data and to provide that information during audit reviews. Prior to SailPoint, application owners were certifying access and getting audited directly. “When users and applications were put in SailPoint we saw an immediate adoption of the product because it reduced manager work for quarterly certifications. Automating the certification process and providing a unified interface has improved the management experience and reduced the time needed to certify each quarter by five hours. We’ve also seen a reduction in audit findings which we attribute to the consistent experience and automated approach,” Bowman reflected.
Provisioning roles for groups and user accounts was the next step on their journey. They now grant new employees access to applications based on their job role, providing them with everything they should need access to on day one. This has directly contributed to increased employee efficiency. Through SailPoint, they can now automatically track the movement of employees as they join the organization, move to other positions and leave the company – all without human interaction. Not only do managers now have a complete view of their team’s access, but it is integrated with the certification workflow, giving them a consistent experience – a win-win for everyone.
Automated group provisioning has removed the responsibility of getting users into groups from the IAM team. The process is automated now, including the approval flow. Now that the IAM team no longer handles access requests and employee onboarding manually, they have been freed up to focus on other identity priorities.
Application owners have also benefited from the automated workflows and now have a consistent experience for certifications and provisioning. If an employee requests access, they are instructed to go into SailPoint and request the role needed to gain access, removing responsibility from the application owner.
“The program was initially born from the need to meet compliance and regulatory requirements and reduce the burden on managers, but it has been a win for everyone across the organization, and I’ve seen a tremendous response in the adoption of the tool because the benefits were immediate,” Bowman said.
Identity governance is a journey, not a destination, and the program continues to evolve by bringing in more applications, directories and integrations. Bowman shared a number of recommendations he has for banks just getting started on their journey:
- Build an accurate map of your applications, teams and users and the use cases for how they interact. The more accurate your understanding of your current environment, the less complicated it will be to get to your intended result.
- Address what needs to be certified and provisioned. Know the applications and data in your organization and plan for the unexpected. How do you handle exceptions like sudden hires or terminations?
- Spend a lot of time with your HR department and develop an understanding of their data. Their processes and the state of their data will need to be considered.