ABS-CBN and its subsidiaries are the leading media company across the globe for Filipino viewers. They employ around 11,000 people and recently became one the first companies in Asia to dive into the digital space by offering news and entertainment via their applications.
Security Begins with Identity
When Jay C. Gomez, AVP & Head of Information Security, Data Protection Officer, joined ABS-CBN to build out their information security program, the first thing he noticed was a lack of effective identity processes. “We had to start shaping our processes, and when we took a closer look, we saw gaping holes that exposed the organization. The extent of the potential risk was surprising, and needed an immediate solution,” Jay reflected. “When a news company faces a breach, it’s brutally visible. There have been security incidents all over the globe where threat actors exploited identity vulnerability to infiltrate systems and leave profound scars not only on the company, the public as well.”
ABS-CBN’s identity management strategy solely focused on governing and automating the delivery of user access. Jay realized one of the priorities they needed to address was reviewing and terminating access for employees that had left the organization. They began manually reviewing and terminating access for over 2,000 orphaned accounts, but due to the pace they were working at, the desired results were not being achieved. The organization was aware of the ramifications of their disjointed identity management processes but did not have the bandwidth to address the issue. Jay saw the potential risk and need for automation and advocated for an identity governance program that would provide centralized control and security. SailPoint was deemed the only partner that met all of their requirements, and together they laid the groundwork for identity governance for the media company.
Investing in the Future
Jay is methodically leading the team through the roll-out of their automated identity governance program. The first phase is focused on onboarding their most critical applications and building a certifications program that spanned thousands of users. Certifying access provides a trail of access approval that helps govern, whether access has been appropriately provided, changed and terminated for auditors.
Once Jay saw the success of this first phase, he then tackled the onboarding and off-boarding process for employees, which includes transitioning access when an employee moves to a new role within the organization. They have also on-boarded additional applications, including SAP. As for the orphaned accounts that were manually being terminated, they quickly eliminated over a thousand within a few weeks, drastically reducing their risk of exposure.
“Some of the orphaned accounts that were out in the open had elevated access that could compromise our systems. I’m far more comfortable with the trajectory of our growth and our security program’s ability to scale with it. Our security posture has drastically improved,” Jay shared.
Jay is already looking at the next phase of ABS-CBN’s program. “Addressing privileged access is the logical next step for identity governance,” Jay shared. Privileged users or administrators hold access to systems and data that are meant for a small population. Governing access to this and providing increased visibility into how that access is used is critical for securing the enterprise. He is also working in tandem on his data governance strategy. He plans to extend his identity governance program to govern unstructured data stored in files for a complete understanding of not only systems but also sensitive data often stored in file shares and SharePoint folders that is difficult to find.
Jay hopes his experience helps other companies in the Philippines looking to address their identity governance challenges. “Identity should be managed from cradle to grave, using an end-to-end solution. Putting significant thought into building a process for your internal teams, and their use of SailPoint, will help you be successful,” Jay advised. “Implementing a solution without proper communication and processes will complicate things and slow you down. When you take well-thought-out processes and implement a solution using small incremental changes, you are better able to course correct when there are issues. A year down the road, you will be able to showcase the significant strides you have made and show the benefits.”
He also recommends engaging an implementation partner, such as Infocentric Solutions, who really understands identity governance and the cross-functional collaboration necessary to make it successful. “Identity governance is a necessary journey that takes time and requires resources that will see you through each phase properly.”