This organization is one of the top personal property and casualty insurance groups in the United States. Over its 118-year history, the company has evolved to offer automobile, homeowners and other personal lines of insurance to AAA members through partnerships with AAA clubs in over 23 states.
The Pains of Disparate Identity Systems & Processes
In 2005, this organization’s Chief Information Security Officer kicked off an IT transformation, part of which included automation of their identity management program. They were using a homegrown tool alongside a legacy system to create and terminate accounts and manage entitlements. In 2012, as the company grew and personnel changes made the homegrown solution more difficult to support, they began to look at identity governance solutions. The IAM Architect advocated for a modern, market-leading solution that would allow the company to automate their identity program today and grow with the program’s changing requirements in the future. The insurance industry is no stranger to regulations, and they also needed to achieve and demonstrate a compliant environment under PCI and NAIC regulations.
Migrating to a Next-Generation Identity Governance Program
The company chose to partner with SailPoint for their next-generation identity program. They kicked off the project by onboarding an expanded set of applications into SailPoint beyond what was previously managed by their homegrown solution. Leveraging some of the same policies that were in place, the IAM architect migrated their role-based access program to the new system. Role-based access gives the IT organization, for each job role or function, a list of approved entitlements that every employee in that specific role should have.
“With the visibility and control over our identities that SailPoint provides, we now automatically grant birthright access to critical applications for 80% of our employees on day one of employment,” the IAM Architect said. “With SailPoint, we can confidently and securely enable our employees to be productive on day one.”
A comprehensive certification process was also established, allowing managers to certify access to all entitlements for a specific role. A single business role can now certify several thousand entitlements, creating an audit trail showing appropriate access was granted. This closed-loop process allows this customer to confidently demonstrate compliance.
Expanding the Scope to Privileged Users
The remaining 20% of the company’s employees make up most of the IT organization, which carries a high number of users with privileged access. Privileged access accounts are high-risk because the entitlements allow access to servers and administrative functions meant for a small population in an organization. This organization began focusing on privileged access in 2017, as an extension of their identity program. They currently have groups in Active Directory that grant access to servers. Data brought in from the configuration management database, ServiceNow, tags those groups with the server to which they grant access, the application running on that server, and the application owner. This allows them to run privileged access certifications in which the application owner certifies the users who can log into the servers running their application. They began by focusing on certifying Windows and UNIX servers, and are in the process of expanding to other servers that grant privileged access.
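As an added example, not the customer’s or SailPoint’s own configuration, the tagging and regrouping described above in Python: constructed Active Directory server-access groups are tagged with constructed CMDB records (server, application, owner), and the tagged memberships are turned into the per-owner certification items an application owner would review. Groups with no CMDB record are reported separately, since no owner can certify them. All group names, server names and users are assumptions.

```python
from collections import defaultdict

# Constructed sample: AD groups that grant server logon, with their members.
AD_GROUPS = {
    "SRV-CLAIMS-APP01-ADMINS": ["alice", "bob"],
    "SRV-CLAIMS-DB01-ADMINS": ["bob", "carol"],
    "SRV-BILLING-WEB01-ADMINS": ["dave"],
    "SRV-ORPHAN-ADMINS": ["erin"],  # constructed: no CMDB record exists for it
}

# Constructed sample: CMDB (ServiceNow-style) records mapping a group to
# the server it grants access to, the application on it, and the owner.
CMDB = [
    {"ad_group": "SRV-CLAIMS-APP01-ADMINS", "server": "claims-app01",
     "application": "Claims", "owner": "claims.owner"},
    {"ad_group": "SRV-CLAIMS-DB01-ADMINS", "server": "claims-db01",
     "application": "Claims", "owner": "claims.owner"},
    {"ad_group": "SRV-BILLING-WEB01-ADMINS", "server": "billing-web01",
     "application": "Billing", "owner": "billing.owner"},
]


def tag_groups(ad_groups, cmdb):
    """Attach server/application/owner tags from the CMDB to each AD group.

    Returns (tagged, untagged): tagged maps group -> members plus tags;
    untagged lists groups the CMDB knows nothing about, which is a
    governance gap to raise because nobody can certify them.
    """
    by_group = {rec["ad_group"]: rec for rec in cmdb}
    tagged, untagged = {}, []
    for group, members in ad_groups.items():
        rec = by_group.get(group)
        if rec is None:
            untagged.append(group)
            continue
        tagged[group] = {"members": list(members), **rec}
    return tagged, untagged


def build_certifications(tagged):
    """Regroup tagged memberships by application owner.

    Result: owner -> list of {user, server, application, group}, i.e. the
    items that owner must approve or revoke in a certification campaign.
    """
    certs = defaultdict(list)
    for group, t in tagged.items():
        for user in t["members"]:
            certs[t["owner"]].append({"user": user, "server": t["server"],
                                      "application": t["application"],
                                      "group": group})
    return dict(certs)
```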
“We aim to dramatically reduce potential threats to customers’ data by certifying privileged access and limiting who has access to servers and administrative functions. Auditors are asking for more sophisticated representation of privileged access, and we are now confident we can demonstrate proper management of privileged accounts. SailPoint’s Privileged Access Module and IdentityIQ ServiceNow integration allow us to partner with CyberArk, ServiceNow and SailPoint to put more effective governance controls in place on these high-risk accounts,” the IAM Architect shared.
Identity at the Board Level
Information risk is a major threat to the enterprise. The company’s board of directors recognizes that identity management is one of the most important areas to focus on for reducing risk and has demanded that the company showcase how it is reducing that risk. “All big breaches are usually the result of some weakness in identity-related processes – usually a compromised account with privileged access that leads to a breach,” the IAM Architect explained. “Identity is a board-level topic here. The good news is that with SailPoint, we’re moving in the right direction.”