As I mentioned in yesterday’s post, two SailPoint customers presented case studies last Wednesday at the Gartner IAM Summit. Bravely taking on the 8 a.m. time slot (which was well attended for the early hour) was Andy Weeks, Risk and Compliance Manager for Humana. Andy gave a very compelling overview of Humana’s IAM journey over the past five years, using the famous Gartner Hype Cycle as a framework. It was a story that I think many organizations could relate to.
During a phase of dramatic company growth in the 2003-2005 timeframe, Humana set out to improve its user onboarding processes, which were particularly painful in high-growth and high-churn areas of the business. Andy described how Humana’s early IAM projects progressed through a “Peak of Inflated Expectations” phase, then descended into the “Trough of Disillusionment,” as initial enthusiasm and commitment for the IAM program waned. During this period, there were many stops and starts, including a period where Humana considered throwing out its provisioning solution and starting over. But ultimately, the project found stability and success.
In the 2007-2008 timeframe, Humana’s priorities turned to regulatory compliance. SailPoint entered the Humana IAM program in 2008, when Humana selected IdentityIQ to automate access certification and policy enforcement. Andy described how SailPoint IdentityIQ helped Humana gain enterprise visibility into “who has access to what” and automated the necessary oversight by IT and business managers. He concluded his presentation with the message that Humana had, after five years, climbed the “Slope of Enlightenment” and was reaping the productivity benefits of a mature IAM program.
Later that morning, Robert Mazzocchi, VP of Identity and Access Management at AIG, took the stage. Robert’s case study described how AIG addressed its compliance and risk management needs during an exceptionally volatile period of the company’s history – events that were exacerbated by AIG’s highly decentralized business units and lack of a centralized HR system. He described how AIG scoped its Global Access Certification project, with the goal of aggregating, correlating and certifying user and access data for high-risk applications that spanned geographies and operating environments.
Robert described how IdentityIQ helped AIG to create certification reports and send them for periodic processing to department and application managers, providing all necessary capabilities such as reminder notices, escalation, delegation, status tracking and audit reporting. As he described how AIG was conducting global recertifications, Robert emphasized that AIG’s main driver for performing recertifications was to reduce corporate risk. He stressed the need to be able to identify high-risk users in the environment, such as privileged users, and to scope controls accordingly, so that the greatest oversight is applied where it’s needed the most.
For me, the customer presentations were the most compelling ones of the show because they connected the advice presented by the analysts previously at the show to real-world IAM projects. As a result, the attendees got invaluable exposure to first-hand accounts of successful IAM and identity governance projects, which will undoubtedly help them with their own projects.