At the Gartner IAM Summit in London last week, we had the pleasure of hearing our customer (and partner) PwC speak to attendees about their own identity governance story. We’re so used to hearing about how our long-time partner helps our joint customers get off the ground that hearing about their own internal program was an interesting turning of the tables, so to speak.
As background, PwC is one of the world’s leading global professional services firms, employing 21,000 people across 64 offices in the UK, Channel Islands and Middle East. PwC is part of a global network with offices in 157 countries and more than 223,000 people. As you might imagine, getting a handle on their own identity governance program with so many employees across offices around the world is no small task, and it is actually part of a broader 5-year security transformation strategy.
The goal of their security transformation project was three-fold: gain visibility across their entire IT infrastructure, increase control and reduce their attack surface. This transformation project was driven by the need to establish global shared security services across all business units. These security services span IAM, incident response, network standardization, perimeter consolidation, borderless network architecture, standardized technologies and processes, rationalized policies, establishing multi-region hubs, etc.
Identity governance has proven to be the foundation of PwC’s overall security transformation strategy. PwC needed full visibility across all 275,000 users, along with the ability to identify stale or orphaned accounts, recertify users as needed and manage privileged access. To do all of this, PwC chose to deploy ‘AccessAble’, which is a hosted version of SailPoint’s IdentityIQ. The implementation itself took about 8 weeks and included the following: data acquisition and onboarding, understanding policy and configuring the pre-built reports, definition of roles, training, and a full testing lifecycle.
The results to date speak for themselves. For starters, PwC now has much-improved visibility across all users. They can proactively provide reports on dormant and inactive accounts, a process that was previously not in place. This has resulted in the clean-up of 307 orphaned privileged groups, with an owner identified for 261 (85%) of them. But perhaps the biggest result is that they’ve since transformed a formerly manual identity management process into an automated one. PwC now has an automated periodic review process in place which has reduced manual process steps by 50%, resulting in seven months of successful certifications performed on the CyberArk platform.
PwC’s security transformation is well underway, and with identity governance as their foundation, the company can now move their business forward confidently and securely. Talk about an excellent example of the power of identity working!