As in many large organizations, the identity and access management program at Jackson National Life Insurance Company (Jackson) grew organically over time. Most of those growth processes were done manually. As new applications and requests for access to existing applications arrived, the identity team would get to work on integrating access to those applications or provisioning new users to the correct resources.
With 120 applications, and growing, manual processes were becoming increasingly unwieldy; in some cases, it could take up to 10 days for access to be provided to a new user. In addition to on-boarding new applications and users into their system, Jackson also needed to continuously manage user access rights to existing applications and periodically certify that only the appropriate levels of access were in place for each user.
This manual process was not ideal for a company that provides annuities to its retail investors and fixed income products to its institutional investors. Today, the Lansing, Michigan company employs about 5,000 individuals and has affiliates across the United States.
“These manual processes involved cultivating a lot of spreadsheets and reports,” said Ken Hudok, associate vice president of identity and access management at Jackson. “The identity team would spend a month just to generate all of the reports that they distributed out to business managers to review,” he said.
Business managers would have to painstakingly audit, line by line, each spreadsheet to verify that every user had the right level of access to the right resources. The identity team was also experiencing increased audit and regulatory compliance demands.
The combined identity-related regulatory compliance, security, and traditional user-access demands of the business required Hudok and his team to rethink how to approach identity management. “We set out to find the best way to centralize our identity governance and access certifications across the enterprise,” he said.
Toward centralized identity governance
To improve their identity-management program by streamlining and automating their processes, the team sought an identity management platform that could help them effectively get the job done. They chose IdentityIQ from SailPoint.
IdentityIQ helps Jackson to better manage their identities by providing the visibility they need into their apps, users, data, and access rights. IdentityIQ not only makes it possible to streamline manual processes but also to put the right prevention and detection controls in place to improve security and compliance.
Since the deployment, the identity team has centralized and automated the certification process for many of its crucial and regulated business applications within a system the identity team has dubbed the Jackson Identity Lifecycle System (JILS). The intent of JILS is to provide a common user interface for Jackson’s bi-annual certification campaigns.
During the spring, JILS was used to certify the access of their Sarbanes-Oxley related applications, and during the fall JILS was used to certify the access of privileged accounts and other critical systems. Using JILS, powered by IdentityIQ, Jackson’s identity teams can now automatically review access to their critical systems across their environment and determine whether that access is appropriate.
To ensure the integration of applications into JILS went smoothly, Hudok explained how the team focused on a straightforward catalog of entitlements, which includes entitlement definitions and access requirements.
Effective results and future identity goals
For applications in the system, the implementation of JILS has eliminated the manual work that business and identity teams previously had to do. Not only has the process been streamlined and accelerated, but it has also reduced a considerable amount of risk. The automated processes have cut unnecessary access rights by 10 to 25 percent for each certification campaign. “This is not only time saving, but it also reduces our threat exposure by eliminating unnecessary access,” Hudok said. “This has provided a tremendous value across the enterprise,” he added.
While there has been considerable success so far, there’s still much more to come. To date, 40 of Jackson’s 120 applications have been integrated into JILS. Throughout the year ahead, the identity team at Jackson will focus on further enhancing the ability of workforce associates to request access through JILS. “We are going to work toward unifying all of the identity request and approval processes to most of our applications and automate it through provisioning connectors,” Hudok said.
Additionally, the team will move toward role-based access control. “In this next campaign, we’re creating role compositions for job roles. This way, if someone performs a certain function in a part of our organization, the role owner can define that job role based on the entitlements and entitlement roles and that access can be certified,” Hudok explained.
Today, Hudok appreciates how far they’ve brought their identity-management program and is confident there’s more success on the way. “We are much more efficient than we were before, we get consistent answers for the business units and we are improving our risk posture,” he said. “The feedback on how easy it is to add new users has been tremendous,” Hudok said.