OGE Energy Brings Identity to the Cloud

When we think “reliability,” electric utilities often come to mind: when people flip the switch, they expect the lights to go on. After all, if the power goes down not much else in modern society works very well.

Energy utilities face all of the business and technology challenges every other organization experiences, but they must also ensure their critical infrastructure remains secure and operational. Perhaps this need to always deliver is one of the reasons why so many utilities excel at balancing security and the provisioning of their services.

One of the foundations to those security efforts is ensuring that staff and contractors are granted proper levels of access to the applications and systems that not only run the business of the utility, but also maintain the highly regulated environments that drive operational processes and critical infrastructure. “The control of access into our process environments is a challenge. One has to match organizational capability, industry best practices, and regulatory requirements all at once,” says Ian Anderson, enterprise security manager at integrated electric utility OGE Energy Corp.

As an integrated electric utility, Oklahoma City -based and publicly traded OGE Energy Corp. serves its customers across Oklahoma and parts of Arkansas, including the 1.5 million residents in the Oklahoma City metropolitan area. OGE Energy must also contend with stringent state and federal regulations. For example, “there is considerable focus on Sarbanes-Oxley on the business side and for our operational infrastructure we have to comply with the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) regulations,” Anderson says.

When it comes to attaining and maintaining the levels of security OGE Energy needs, as well as regulatory compliance to Sarbanes-Oxley and the NERC-CIP, effective identity management is critical.

The Challenge: Scale and automate identity management

As OGE Energy grew, the employment market evolved, and the regulations it faced increased in complexity, the identity team found it needed to enhance its identity management and governance processes. As Anderson explains, growing employee headcount and the increased demand for short-term contract labor has placed considerable strain on manual identity management processes.

“Traditionally we had a very stable user base,” he explains. “But now the market is such that people often come and go freely and easily. This is great, because it helps our business units take advantage of short-term skills needs, but as an identity management team it demanded that we rearchitect our offerings to scale and automate,” he said.

Coincidently, the increased mobility of the staff and use of cloud computing compounded the team’s identity efforts. “We also have challenges when it comes to all the places we now find our users,” Anderson says. “They’re working at the office, at home and on the road. We need to be there as well. Our goal is to be where the business is to help facilitate organizational goals in a safe and secure manner,” he adds.

Additionally, because the manual provisioning and related identity management processes were often conducted on specific applications, identity team members had to become specialists in their various access management activities. “Everyone having specialized roles strained our team, and it made what should have been simple things, such as covering while someone was on vacation, very difficult,” he explains. Anderson says the siloed processes also meant the processes themselves couldn’t scale without a considerable increase in identity team headcount.

Anderson and the team sought an identity platform that would

automate its identity processes and reduce the overall friction users experience when requesting or receiving access to applications, remove those identity management silos, and provide the business with the ability to properly understand and govern who has access and to what.

“Identity is the new perimeter and as we evolve as a company and move toward hybrid cloud and on-premises environments, we need to ensure that we have the appropriate level of protections for our users,” Anderson says. An added benefit of automation, along with providing an identity platform that would make the team more effective, would be freeing the team to focus on initiatives more strategic than operational support.

Moving identity governance to cloud

Identity provides OGE Energy Corp. the ability to automate processes, enhance the user experience, and eliminate those identity operational siloes. And, just as importantly, SailPoint’s IdentityNow enables identity governance throughout hybrid IT environments as it unifies identity management processes across cloud, mobile, and on-premises systems.

Furthermore, the first identity governance initiative the team undertook was to streamline and automate their manual access certification processes. “We deployed certifications right away. This immediately saved all of that time we previously spent certifying. And we could then reinvest that time into improving our identity program,” he says.

Anderson says with an identity strategy OGE’s Identity Team has  effectively streamlined the Company’s identity management and governance efforts. Before IdentityNow, it would take identity team members several days to provision a new account for a contractor. That process has been reduced to less than 15 minutes. The identity team plans to reduce that time even further by continuing to add new integrations.

Going forward, Anderson and the identity team will keep building upon their successes and continue to improve their identity management processes, such as enhancing password management and eventually moving on to increased role-based access control. “We’ve come a long way, but it’s about continuously improving” says Anderson.


Discussion