Agile Security with Cloud-Based Identity Governance
Global Atlantic Financial Group provides retirement, life, and reinsurance products that help its customers to meet their financial challenges: wealth protection, wealth accumulation, income generation as well as wealth transfer and end-of-life financial needs.
Goldman Sachs founded Global Atlantic Financial Group in 2004. When the company became independent in 2013, it had 50 employees. Over the next few years, through a number of mergers and acquisitions, the company grew considerably. Like any organization, as Global Atlantic Financial Group grew, so did its need for effective identity and access management processes, and by late 2015 Global Atlantic decided it needed to streamline its identity and access management efforts.
“As we tested our general IT controls, we found that we struggled mightily with identity access and management. At that point we decided it was time to build an effective identity access management program to standardize and automate identity access management functions as well as make it easier for the end user to request and get access,” said Levi Slings, associate within IT Risk Management at Global Atlantic Financial Group.
Areas that Slings and his team wanted to standardize and automate included identity access certifications, identity-related audit compliance processes, and other standard identity and access management functions so that error-prone manual processes could be replaced with effective methods.
The priority was streamlining access certification. For years Global Atlantic handled its recertifications manually. To determine the certification scope, the team would review its security groups, domain admins, local administrators on servers, and database administrators to identify privileged users and sensitive systems. They would also work with the IT Audit Team to identify financially essential applications, such as those that fell under the purview of Sarbanes-Oxley.
Manual processes prove just too ineffective
There’s a considerable amount of work that goes into identity recertifications, especially when done manually. The data must be prepped, which requires querying system owners, obtaining user lists from system administrators, collecting Active Directory user lists, and getting user lists from the business units. In total, there were 11 targets the team had to recertify against, comprising 103 individual sources.
In total, Global Atlantic had 179 staff involved in identity certification reviews of more than 3,000 accounts every quarter. “Simply managing the emails to all of the required parties proved time-consuming,” Slings said. “It’s just an absolute nightmare trying to keep that stuff managed,” he said.
Global Atlantic was also continuing to grow. “We’re continuing to grow users at a rapid pace. The scope was only getting bigger,” he said. Slings estimates it took about 100 hours for him to perform quarterly recertification.
Slings and his team looked at many options on the market, including both cloud-based and on-premises identity management systems. Ultimately, they selected SailPoint IdentityNow, which supports identity management within the cloud, mobile, and on-premises systems. IdentityNow’s cloud-native architecture runs on Amazon Web Services (AWS) and leverages the platform’s security, availability and elasticity. “We ultimately decided that IdentityNow was the way to go. We’re a SaaS-first organization, and believed IdentityNow to be the place for us to start our automated identity journey,” Slings said.
“Through SailPoint IdentityNow, we resolved that problem,” he said. Now when somebody transfers to a different location, once their HR file changes, their distribution group is updated. “All the communication that needs to happen on the backend is happening now within IdentityNow,” he said.
Successful identity governance automation
Following the IdentityNow implementation, much of Global Atlantic Financial Group’s access certification process has been automated, with only a few manual certification environments remaining, such as local Windows admin servers, Linux servers, and mainframe. Another area was the effective disabling of accounts in Active Directory. The reality is that effectively communicating employee moves is a challenge in all organizations, and making sure access is removed when employees leave is always good security. However, manually ensuring all of those who need to know about changes actually know, so that they go into effect promptly, is a challenge.
Now, when a staff account is disabled in payroll, that account is automatically disabled and deprovisioned as the payroll systems are updated overnight.
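The overnight payroll-driven disabling described above is the leaver half of a joiner-mover-leaver control: the HR system is the source of truth for who is employed, and the directory is reconciled against it. The following is an added example (not Global Atlantic's or SailPoint's code) of what that reconciliation decides for each account. It assumes a payroll export with one record per employee carrying a status and, for leavers, a termination date, and directory accounts tagged with the employee id they belong to; both data sets are constructed here. The point a practitioner would want handled is the edge cases: accounts with no HR record (service accounts, contractors, orphans) are flagged for review rather than disabled blindly, and future-dated terminations are left alone until their date arrives.

```python
"""Overnight reconciliation of an HR/payroll feed against directory accounts.

Added example, not Global Atlantic's or SailPoint's code. Field names and the
sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                            # "active", "leave", or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class DirectoryAccount:
    sam_account_name: str
    employee_id: Optional[str]             # None for service accounts and other non-HR identities
    enabled: bool


@dataclass(frozen=True)
class Action:
    account: str
    verb: str                              # "disable" or "review"
    reason: str


def plan_deprovisioning(hr_records: List[HrRecord],
                        accounts: List[DirectoryAccount],
                        today: date) -> List[Action]:
    """Return the actions one overnight run would take.

    - An enabled account whose HR record is terminated with a termination
      date on or before `today` is disabled.
    - An enabled account with no employee id, or with an id absent from the
      HR feed, is flagged for review instead of being disabled: service
      accounts and contractors usually sit outside payroll, and silently
      disabling them causes outages rather than improving security.
    - Future-dated terminations and accounts on leave are left untouched.
    """
    by_employee: Dict[str, HrRecord] = {r.employee_id: r for r in hr_records}
    actions: List[Action] = []
    for acct in accounts:
        if not acct.enabled:
            continue                       # already disabled; nothing to do
        if acct.employee_id is None:
            actions.append(Action(acct.sam_account_name, "review",
                                  "no employee id on account"))
            continue
        rec = by_employee.get(acct.employee_id)
        if rec is None:
            actions.append(Action(acct.sam_account_name, "review",
                                  "no HR record for employee id"))
            continue
        if (rec.status == "terminated"
                and rec.termination_date is not None
                and rec.termination_date <= today):
            actions.append(Action(acct.sam_account_name, "disable",
                                  f"terminated {rec.termination_date.isoformat()}"))
    return actions


def sample_run() -> List[Action]:
    """Run the reconciliation over constructed payroll and directory data."""
    today = date(2024, 3, 10)
    hr = [
        HrRecord("E100", "active"),
        HrRecord("E200", "terminated", date(2024, 3, 1)),    # left last week
        HrRecord("E300", "terminated", date(2024, 4, 15)),   # leaving next month
        HrRecord("E400", "leave"),
    ]
    accounts = [
        DirectoryAccount("jsmith", "E100", True),            # active employee
        DirectoryAccount("bjones", "E200", True),            # should be disabled tonight
        DirectoryAccount("rwhite", "E300", True),            # future-dated, leave alone
        DirectoryAccount("mlee", "E400", True),              # on leave, leave alone
        DirectoryAccount("svc_backup", None, True),          # service account, review
        DirectoryAccount("tkim", "E999", True),              # orphan, no HR record
        DirectoryAccount("oldacct", "E200", False),          # already disabled
    ]
    return plan_deprovisioning(hr, accounts, today)


if __name__ == "__main__":
    for action in sample_run():
        print(f"{action.verb:8s} {action.account:12s} {action.reason}")
```

In a real deployment the "disable" actions would be applied by the provisioning connector and the "review" items routed to an owner, which is also where the remaining manual certification environments mentioned above (local Windows admin servers, Linux, mainframe) would surface. Keeping the decision logic pure, as here, makes the nightly run auditable: the same inputs always yield the same action list.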
Slings is currently building on those successes; those efforts include continuing to automate the recertification process, automating more routine identity functions, and creating a self-service access management portal. “We’re going to create a self-service portal for employees. They will see a list of applications and other services, and they can select to request access, and appropriate requests are sent to IdentityNow, which will conduct the access process from there,” he said.