SailPoint

Humana has Role-Based Access Control Covered

Not having the right access controls and automated provisioning in place can be costly.

Most often the cost of a subpar identity management program is that new workers don’t get the tools and applications they need as quickly as they need them; they may lack access to the right resources, or they may have access to resources they shouldn’t be able to reach. Identity is about being able to access the right assets when they are needed for the business to deliver. If it takes days or weeks for new hires or contractors to get onboard, then contracts aren’t met, shipments slip, and business doesn’t get done.

In fact, that’s also what role-based access control is all about. It’s about getting users more productive, more quickly, with more flexibility, and working with identity in a way that is more natural. Andy Weeks knows this better than most. Weeks is director of identity and access management for $54 billion health insurance provider Humana. “That’s really the promise that we look at when we look at what role-based access represents for an organization,” said Weeks. “The challenge here is immense. When we looked at the business opportunities we planned to deliver, Humana’s very specific business objectives, we saw the best road to go down for provisioning and access was role-based access,” Weeks said, during his presentation at Navigate ‘17.

“Humana has always been a traditional and title-based organization,” explained Weeks. “There’d be a request for access, they’d get approval, and the access is granted. On the other side, we’d either remove it when the relationship with the user ended, or if it was changing we’d adjust privileges as part of the transfer process. But getting from that environment, where you have literally millions of unique entitlements assigned to thousands of users, to a role-based environment, is a very daunting task,” said Weeks.

That’s the goal, now the business drivers

Humana had five primary goals with their role-based identity management initiative, explained Weeks. “My guess is that for most organizations, they are going to find one of the five primary objectives if not most of them represent the opportunity for value for an RBAC implementation,” he said.

The first, Weeks said, was to better manage regulatory compliance. This was, in fact, the primary driver for Humana’s push into role-based access control. It was their internal and external auditors who said role-based access control was necessary to address a number of exceptions and other issues that were identified through various assessments.

The second: streamline operational processes. To highlight the importance of operational streamlining, Weeks shared a tale of two new hires, Mike and Jenny. Mike and Jenny are both experienced project engineers, and they have both been recently hired by competitors, Worldwide Widgets and General Gizmos. Both Worldwide Widgets and General Gizmos are bidding for the same multi-million government contract. The faster Mike and Jenny can get onboarded, the faster they will be able to work on bidding for that contract, and the swifter of the two has a greater chance of winning it. It’s very important to get them productive from day one.

Mike walks into Worldwide Widgets and his boss says, “You’re going to need these 10 things in order to do your job, and here’s how you go about getting that access.” Mike tracks down the 14 different forms he needs, fills them out, and submits them. Mike then learns he needs approval from 10 different managers. “Five of those people happen to be out on PTO, and so Mike is waiting,” Weeks said. “Two weeks after his start day, he finally has the access that he requested. He goes and starts pulling up project files and then realizes that there are other entitlements that he needs in order to be able to do his job. So, about three and a half weeks after his first day, he finally has the access that he needs to begin working on the project,” Weeks said.

“Jenny from General Gizmos, on the other hand, walks in, and on day one she has her web access account where she’s able to log in and set up her benefits. She has her Active Directory account, and she’s able to log in and immediately get access to the resources for her department,” Weeks explained.

The moral of this fable: General Gizmos completed the project work, put in its bid for the contract, and landed the contract before Mike even had the access he needed to begin working.

The third is to create an exceptional customer experience. Hidden in the fable is the fact that Mike had to go track down all of the access that he needed to request before he could even start his request. That’s not a very friendly process, especially for someone who is new to an organization. Their first experience in the company is having to track down what access they need to request in order to be able to do their job?

The fourth is to drive down unit cost. “If you can reduce the number of approvals that you need, the amount of manual provisioning that you’re having to do, and get to a much faster time to market, you’re going to do nothing but drive cost out of the equation. This is true both from a provisioning perspective, but more importantly, the faster you can get someone productive, the more quickly you can leverage their salary to have them do productive work,” Weeks said.

Finally, the ability to move at the pace of business. Humana and the insurance industry evolve very quickly. “The cloud is transforming how we manage access across the organization, and so being able to very quickly move to support such changes that happen in the business as we go forward is something that’s very important for us, and part of the value proposition that we saw with role-based access control,” Weeks said.

How Humana achieved role-based access control

In addition to Humana’s production environment, Weeks and the team set up an identity test environment where they cloned the production environment in order to conduct role modeling and role engineering effectively without affecting production.

Currently, Humana is managing about 2,700 business roles, for about 55,000 users, in their environment. Humana’s RBAC program took four years to implement. In the first year, Weeks and the team started their role engineering with a small pilot, and went through the process of learning and perfecting the role engineering process and the initial role certification processes. “That was the first year: the physical deployment of the IIQ platform, and the initial implementation of the RBAC through a small pilot,” said Weeks.

In the second year, the goal for the program was to work through about half of their internal communities with completed role engineering and certification processes, as well as finish the role assignment for the pilot and a sizable portion of those initial communities. “We came pretty close to hitting that target,” said Weeks.

By year three the goal was to wrap up the remaining role engineering and certification processes. “Sometime in the next three to four weeks, we will have assigned 100% of the access profiles across our environment. That means we have completed the initial role engineering exercise and the initial role certification process. We’re completing the role assignment process, and now are moving into what we call the operationalization phase of this,” he said.
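To make the three steps Weeks describes (role engineering, role certification, role assignment) concrete, here is a small constructed illustration. It is added for this article and is not Humana’s process or SailPoint IdentityIQ code; the role names, entitlement strings, HR attributes and the Jenny/Mike/Pat identities are all made up. It shows how a population’s shared direct entitlements can be mined into a candidate role, how birthright roles derived from HR attributes give a new hire day-one access with no request, and how a certification pass separates direct grants that a role already covers (safe to remove) from out-of-role exceptions a reviewer must approve or revoke.

```python
from dataclasses import dataclass, field

# Constructed role catalogue: role name -> the entitlements it bundles.
# Hypothetical names; not Humana's roles or IdentityIQ objects.
ROLE_CATALOGUE = {
    "BaseWorker": {"hr-portal:self-service", "ad:domain-user"},
    "EngineeringStaff": {"ad:eng-share-rw", "git:engineering-read"},
    "ProjectEngineer": {"projects:files-rw", "bid-tool:editor"},
}


@dataclass
class Identity:
    name: str
    department: str
    title: str
    active: bool = True
    # Entitlements granted by individual request, outside any role
    direct: set = field(default_factory=set)


def mine_role(identities, min_support=1.0):
    """Role engineering: entitlements held by at least `min_support` (fraction)
    of a population become a candidate role for that population."""
    if not identities:
        return set()
    counts = {}
    for ident in identities:
        for ent in ident.direct:
            counts[ent] = counts.get(ent, 0) + 1
    return {ent for ent, c in counts.items() if c / len(identities) >= min_support}


def assign_roles(identity):
    """Role assignment: birthright roles derived from HR attributes.
    A leaver (inactive) gets no roles, so role-based access drops automatically."""
    if not identity.active:
        return set()
    roles = {"BaseWorker"}
    if identity.department == "Engineering":
        roles.add("EngineeringStaff")
    if identity.title == "Project Engineer":
        roles.add("ProjectEngineer")
    return roles


def role_entitlements(identity, catalogue=ROLE_CATALOGUE):
    """Entitlements the identity holds purely through its assigned roles."""
    ents = set()
    for role in assign_roles(identity):
        ents |= catalogue[role]
    return ents


def effective_entitlements(identity, catalogue=ROLE_CATALOGUE):
    """What the identity can actually reach: role-derived plus direct grants."""
    return role_entitlements(identity, catalogue) | identity.direct


def certify(identity, catalogue=ROLE_CATALOGUE):
    """Role certification: split direct grants into those a role already covers
    (redundant, can be removed) and out-of-role exceptions needing review."""
    covered = role_entitlements(identity, catalogue)
    return {
        "redundant_direct": identity.direct & covered,
        "out_of_role": identity.direct - covered,
    }


if __name__ == "__main__":
    # Constructed legacy population: engineers with only direct grants.
    legacy = [
        Identity("a", "Engineering", "Engineer", direct={"x", "y"}),
        Identity("b", "Engineering", "Engineer", direct={"x", "y", "z"}),
        Identity("c", "Engineering", "Engineer", direct={"x", "z"}),
    ]
    print("candidate role (100% support):", mine_role(legacy))
    print("candidate role (60% support): ", mine_role(legacy, 0.6))

    jenny = Identity("Jenny", "Engineering", "Project Engineer")
    print("Jenny day-one roles:", sorted(assign_roles(jenny)))
    print("Jenny day-one access:", sorted(effective_entitlements(jenny)))

    mike = Identity("Mike", "Engineering", "Project Engineer",
                    direct={"ad:eng-share-rw", "projects:files-rw", "legacy:ftp-admin"})
    print("Mike certification:", certify(mike))
```

Run as a script it prints the mined candidate roles, Jenny’s day-one roles and access, and Mike’s certification result. The point of `certify` is the "out_of_role" set: after roles are assigned, anything still held directly is either redundant (the role grants it anyway) or an exception that must be justified, which is how the "millions of unique entitlements" Weeks mentions get pulled down to a reviewable set.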

Today, Weeks and the team have shifted from building the role-based access control program to maintaining it.

“There aren’t specific milestones to be followed now. It’s no longer milestone-based, it’s demand-based; the business comes to us with requests. And so now we’ve moved into that phase where we need to build sustainable operational processes,” Weeks said.

To read more about Humana’s success, read the blog post, ‘Humana: Seven Lessons Learned Implementing Role-based Access Control.’