Humana: Seven Lessons Learned Implementing Role-based Access Control
In our recent post, Humana Has Role-Based Access Control Covered, we wrote about how one of the nation’s leading health and well-being companies transformed its identity management program. In that post, Andy Weeks, director of identity and access management for Humana, made it clear that while worth it, the journey wasn’t easy.
As Weeks and his team enabled role-based access control for their 80,000 users, they certainly learned a few things along the way. In this post, we will share many of those lessons learned, presented by Weeks earlier this year at Navigate ’17 in Austin.
To give you an idea of the scope of Humana’s task, a team of 17 staff members were dedicated to the effort for about three years. Weeks explained how each community within Humana spent about 12 weeks of dedicated work to transform their unique areas of the business. “That is an extraordinary financial commitment,” said Weeks during his presentation.
During his presentation, Weeks also detailed the project management discipline that was required, as well as the specific steps he and his team guided each business community through: kickoff meetings, identification of the target applications, loading of entitlements, creation of access models, and other planning activities.
Throughout the three-year implementation, Weeks says he found the following seven lessons to be crucial to anyone implementing role-based access control:
Lesson #1: Identify responsible parties. You need to know who your accountable parties are—your owners, your stewards, your approvers—and make sure that you have clearly established expectations and accountabilities for each one. You should communicate with these constituencies and determine what they expect, as well as communicate what you expect of them and how they can fulfill their responsibilities.
Lesson #2: Educate users about a new approach to identity. Users need to be educated on the impact of the new approach to identity. Those in charge of granting access had grown accustomed to turning to spreadsheets listing a dozen or more access attributes; with role-based access control, they can simply request a business role when access is needed. “It’s amazing how difficult it is to get people to break their old habits,” said Weeks. “We’re still getting individual entitlement requests from some of these business communities, even though we’ve implemented role-based access control and simplified the process.”
Lesson #3: Enforcement. The breaking of old habits brings us to the enforcement of new ones. Weeks explained during his talk that Humana will soon stop allowing users to request access in any way other than through assigned access profiles. “Without an access profile, you can’t request any access. Do not pass go, do not collect $200, and make sure you get an access profile assigned,” Weeks said.
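The request gate Lessons #2 and #3 describe, as an added illustration that is not Humana's code: access profiles bundle entitlements, a user may only request a profile that has been assigned to them, legacy individual entitlement requests are refused, and a separate check finds entitlements a user still holds outside any assigned profile. Profile and entitlement names are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (hypothetical profile and entitlement names, not Humana's).
ACCESS_PROFILES = {
    "claims-adjuster": {"claims-app:read", "claims-app:adjust", "member-db:read"},
    "claims-auditor": {"claims-app:read", "member-db:read", "audit-log:read"},
}

@dataclass
class User:
    name: str
    assigned_profiles: set = field(default_factory=set)  # set by the business owner
    granted: set = field(default_factory=set)            # entitlements actually held

@dataclass
class Decision:
    allowed: bool
    reason: str
    entitlements: frozenset = frozenset()

AUDIT_LOG: list = []  # one record per decision, for the audit/compliance reviewers

def request_access(user: User, profile: Optional[str] = None,
                   entitlement: Optional[str] = None) -> Decision:
    """Gate modelled on Lesson #3: access is requested only via an assigned profile."""
    if entitlement is not None:
        # Spreadsheet-era habit: asking for one attribute at a time. Refused outright.
        decision = Decision(False, "individual entitlement requests are no longer accepted")
    elif not user.assigned_profiles:
        decision = Decision(False, "no access profile assigned to user")
    elif profile not in ACCESS_PROFILES:
        decision = Decision(False, f"unknown access profile {profile!r}")
    elif profile not in user.assigned_profiles:
        decision = Decision(False, f"user is not assigned profile {profile!r}")
    else:
        ents = frozenset(ACCESS_PROFILES[profile])
        user.granted |= ents  # the whole bundle is granted, never a partial pick
        decision = Decision(True, f"granted via profile {profile!r}", ents)
    AUDIT_LOG.append((user.name, profile, entitlement, decision.allowed, decision.reason))
    return decision

def excess_entitlements(user: User) -> set:
    """Entitlements held outside every assigned profile: leftovers to review and revoke."""
    covered = set().union(*(ACCESS_PROFILES[p] for p in user.assigned_profiles
                            if p in ACCESS_PROFILES))
    return user.granted - covered
```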
Lesson #4: Get leadership on board. It’s crucial that business leaders understand their role in supporting the role-based access control program and in ensuring that those who need access are properly assigned to roles. Leaders play a key part here. If your business leadership is not engaged, you are not going to succeed, because the entire program requires a significant investment of resources as the organization progresses through each business community and defines what levels of access are actually required.
Lesson #5: Fully engage audit and compliance teams. Make certain that you engage your audit and compliance organization from the very beginning. “Our auditors are ex officio members of our governance team,” said Weeks. “They are involved in every key decision that we’ve made along the way. Every time we did something that seemed to run counter to how we have managed this in the past, we sat down with them explicitly to have a conversation about what the implication of that was, and in some cases shifted direction based on the feedback we got from them.”
The result was that the audit and compliance teams were always on board with the direction of the program, even though Humana dramatically changed the approach to how access is managed within the organization.
Lesson #6: Alignment. Success is, according to Weeks, very closely tied to alignment. “It’s not enough for the CEO, CISO or auditors to individually say, ‘We need to go down this road,’” Weeks said. “It really is an aligned activity. If you’ve ever watched a rowing crew, you know that if people don’t pull at the same time and with the same leverage, the boat is not going to go fast and it’s not going to go straight. In order to achieve what we need to achieve, we need the boat to go both fast and straight. In order to do that, you have to get to alignment.”
Lesson #7: Dedicated Office. “We had a dedicated program office that helped us keep all of these alignment pieces moving forward as we go forward,” said Weeks. “And a significant three-tiered governance process, starting with executive leadership, then at the program leadership or ownership level, and then finally at the SME level. The SMEs would typically meet and make recommendations that would get bubbled up to the next level of the governance,” Weeks explained.
Keeping the office up to date on the status of the effort was also central to success. Weeks put it like this: “Are we on target or not on target? Do we need more resources? Where are we relative to that? And through that process, we were able to keep everybody aligned as we went forward and, all things considered, we did a pretty good job of hitting the target.”