Payment Technology Provider Achieves Automation & Compliance with SailPoint

This German company assists over 34,000 customers in one hundred different countries with electronic payment transaction solutions and risk management. For a financial services company newly listed on the German stock exchange, ensuring its environment is secure and compliant is a top priority.

Manual Processes Create Inefficiencies

This growing company was facing complex security and compliance requirements. Their employee access and audit processes were done manually, creating a demand on internal resources. “Regulatory environments are continuing to grow and change, and our processes were not keeping up with the times. Our team manually collected audit requirements and issued access to applications, which was time-consuming and costly,” said the Leader of the IAM Competence Center, who is responsible for Identity Management, Access Control and Security Awareness.

Manual audit records were based on user access management and the history of approval decisions recorded on spreadsheets. The IAM team did not have any software in place to assist with these processes. “We envisioned a structured approach for a global, centralized identity and access management program. Our goal was to efficiently support our activities by defining standards and processes to operate the program with the maximum amount of automation,” the Team Lead reflected.

Automating Employee Lifecycle & Compliance Management

The IT Security team partnered with SailPoint to address these provisioning and compliance challenges. To reduce the manual burden on IT staff and managers, they tackled user access first. In their manual world, when a new employee was onboarded, a manager would create a checklist of needs the employee would require for their role. This was uploaded to a ticketing system and sent to each department to request approval for the access rights, creation of the user account, issuance of a password and request for a physical work environment. With their new program, this is completely automated.

Once the request is submitted, the user account, password and access to applications for the specific role are created and issued after midnight on the day the employee starts their job. Part of that process is an autogenerated ticket sent to facilities so that their desk and physical work environment can be set up for their first day. Security is also notified directly via SailPoint so the employee has the proper physical access and badging created.

“We have pre-populated birth-right access for 150 departments and the individual job roles within each. Our department leaders own the roles and pre-approve access for these roles. Knowing what employees need access to before they start helps us enable them to be up and running on day one of employment,” the Team Lead shared. “When an employee moves roles or leaves the organization, the change is triggered by HR and their access is automatically transferred or revoked too. Prior to SailPoint, job role changes took weeks to transition over to the new role.”

This organization is subject to the Payment Card Industry Data Security Standard (PCI DSS), Assurance Reports on Controls at a Service Organization (ISAE) and other local state and global financial regulations. To keep up with the demands of the changing regulatory landscape, the IAM team included an access certification program as part of their larger identity governance strategy. Prior to SailPoint, access certifications were run through spreadsheets, taking months to complete documentation for their auditors. “We have now automated this process, running our certification program twice a year through SailPoint. Our auditors now feel assured with our audit practices and our staff now has time to focus on other priorities,” the Team Lead said.

The enhanced employee onboarding experience and the reduction in manual efforts are felt across the organization. “Standardizing identity management globally is an important initiative and core to our security strategy,” she shared. “Our identity governance journey with SailPoint is centered on improving security for our digital assets based on a need-to-know principle. Nothing is more important than securing the data in our organization.”

She shared what she has learned on this journey thus far and what she recommends for other financial institutions embarking on their own identity governance journey.

  1. It is critical to have support from upper management. Without it, you will struggle to work through roadblocks and issues that inevitably come up.
  2. Over-communicate throughout the journey. We met twice a week with each of the departments to educate them on the program, discuss our progress and address issues. It helped create a collective investment and allowed us to problem-solve as a team.
  3. Develop a realistic plan for your program. If you stick to your plan and create quick wins, you can show the value to the rest of the company quickly. 
