Identity Transformation in the Public Sector
SailPoint talked to Jason Corbishley, CISO, Police Digital Service; and Kurt Frary, Deputy Director of Information Management & Technology / CTO Norfolk County Council, about what identity management means to them.
Identity is at the heart of access controls. As more and more people choose to work from home, public sector organisations have had to take a smarter and more resourceful look at how they protect their critical IT infrastructures.
Local government and the police force are on the front line of protecting sensitive data from cyber threats and the risk of breach. Today, security perimeters no longer exist. The IT department needs to look at security in depth to keep their organisations secure.
Kurt Frary, Deputy Director of Information Management & Technology / CTO Norfolk County Council says: “We took a hard look at identity, mainly due to the pandemic. The core of that was how do we enable people to work remotely but also identifying who they are to enable them to work online.”
Jason Corbishley, CISO, Police Digital Service says, “Identity access management is not something new, but we have not previously achieved its total implementation. We need a common blueprint approach. We have at least 43 separate organisations in the policing authorities who are looking for a baseline blueprint for access and identity control.”
Jason continues: “How do we provision identity at the centre of the police forces? We need to manage the identity of joiners and leavers to the service and create that footprint for the lifetime of their tenure. We need a balance between transformation and enablement.”
“The basis of identity for any organisation is knowing who is accessing data, at what time, and for what purpose. Huge infrastructure projects are a thing of the past. We need to enable an identity service where we can put trust in the identity of the end-user. That applies to whether it is guest access or from within their organisation,” says Kurt.
Jason says: “Culturally this is a change – we are still on a journey. We can really show investment as a return and SailPoint is embedding that into its identity solutions.”
Simplicity at the core
For any system to be successful, it needs to be simple to use. Lots of services are now available online. “A single sign-on is important,” says Kurt. “You have to enable people to do their jobs. We’re trying to automate the simple processes. The low-value stuff, such as joiners, leavers etc., is time-consuming but relatively simple. If you can free people’s time to focus on other things, then it helps everyone.”
“We chose SailPoint because their technology works for our organisation,” says Kurt. “We put all our eggs in one basket and said, ‘let’s go with it’. The future is here now.”
From a policing perspective, the focus is very heavily on process and governance. The tools that are used for management become important in the role of information asset development. “The ability to undertake role-based certification campaigns starts to give confidence to the whole piece. It opens up the use of data assets and applications,” says Jason.
Jason continues: “Suddenly, we have the functionality and capability to understand control. But we can make the change, if necessary, to who has access to what, at any given time. It is a cultural change journey. Technology is the easier change piece to implement. The harder bit is for the users and owners of information to understand the new capability and how we can exploit it to deliver business and service benefits. How can we use it to deliver more and better policing services to the citizens of England, Wales, and the UK?”
Legacy at an End
For Kurt, the battle has been to convince public sector staff to adopt the new system. “We have had to adopt role-based access control to make sure we have access to the right information at the right time. We have also had to build confidence in the user base that we have the tools that will do that job.
“After shifting from a legacy system, it is always a journey to convince people that we can do the job. Once you have done it a few times and it works, then it builds that confidence in people. SailPoint has helped us tremendously to get over that hurdle,” said Kurt.
For both Jason and Kurt, the vital part of the process was the planning stage. If there was one core lesson, says Jason, it is to define the process upfront. At the outset, organisations need to define the key joiner and leaver processes and the roles that need to exist, and set the ground rules for provisioning and governance. That includes who is going to approve access to specific role-based groups and the level of corporate assets that can be accessed from each one.
“It’s important to ask, ‘what do we mean by access identity management?’ from the start and set the ground rules for the organisation. Spending time upfront to define the process before we start implementation will reap rewards down the line,” Jason says.
Kurt says: “Identity governance is a business tool. It needs resourcing properly. If you set the governance rules around it, then you also need to ensure that you resource it, otherwise it just won’t work.”
For both parties, whether local government or policing, identity is the key to strategic transformation. It needs planning, and it needs resourcing. But involving the business and SailPoint from the start, at every stage of the process, can ensure a smooth transition from legacy systems to the new forms of identity control for the remote working era.