The connection between identity governance and productivity might not be immediately apparent. But once you start thinking of all the processes tied to identity and access—provisioning and deprovisioning employees or contractors, for example, or managing password resets—the amount of time wasted in mundane tasks becomes all too apparent.
Increasing productivity is a topic discussed and analyzed at length (and for good reason), but what about lost productivity? It’s a concept ingrained into the approach being taken by Carnival Corporation, the world’s largest operator of cruise ships and an employer of some 120,000 people.
“Obviously, we want the commission and decommission of workers to happen effectively and efficiently, because that’s a hole in your environment that you want to make sure you close,” says Gary Eppinger, chief information security officer and chief privacy officer at Carnival. “Within our identity system, we’re trying to measure and understand how much lost productivity new employees have when they don’t have all of the access that they need to start their jobs on day one. There’s more than just access. The data system reaches all the way into talent management processes.”
Beyond Cloning: Automating Access
Eppinger gives one example of time saved and productivity gained in the onboarding of new employees: cloning, which involves assigning the same access privileges given to an earlier user to a new hire. “If you clone an account, it may only have three-quarters of the access the new person needs,” he says. “They’re still going to need that remaining quarter of access once they try to do something and find they don’t have access to a particular system.”
The problem with cloning is the layering of access that can occur when a new user takes over for someone who had been in the job for a long time, with a variety of roles and privileges that might not be appropriate for the new person. The same exposure to risk can happen as employees shift to new responsibilities within the organization or as new tasks requiring different access privileges pop up.
“We’re trying to reduce and eliminate lost productivity and measure it in terms of weeks to days to hours,” Eppinger says. “And we’re doing that in an environment of 2,000-plus applications among different brands, different HR systems, different processes. It’s very difficult.”
Enter modern identity governance, which deploys machine learning to learn patterns and monitor user behavior within set parameters. This enables managers to respond in real time to changes or anomalies. “The system will automatically send a manager a notification that John Smith’s role has changed and then recertify Smith in real time to give him access to the relevant platform in our environment,” says Eppinger, who notes that the system has particular relevance in recertifying access to financial systems as part of SOX compliance. “In years past, this person may have had that access for a longer period than needed because recertifications were done twice a year—and that’s when we would catch it. Now, I can catch it in real time.”
Solving The Password Problem
Self-service also brings simplicity into the complex world of passwords, the bane of many service desks in many IT departments. Employees forget their passwords—and they can have a lot of them. Legacy mainframe systems are not able to synchronize passwords or validate across an entire enterprise. That’s why the highest number of calls to IT is for resets that could be across many dozens of applications or systems.
Getting all the passwords integrated into a single sign-on solves the problem and frees up a significant amount of time. Giving users a portal where they can pick the system in which to reset the password is faster and more efficient. “We’re building in self-service to try to reduce and eliminate the lost productivity that results when employees don’t have access to a specific system or environment,” Eppinger says. “That’s another automation that’s driving productivity.”
Think Big: An Enterprise-Wide Approach To Risk
Carnival is one example of an enterprise using modern identity governance to manage access across a vast landscape of applications and systems. One of the key aspects in its success is a corporate culture focused on risk, where cybersecurity is paramount and instilled throughout the organization’s brands and divisions.
“There is a tendency in some organizations to see cybersecurity as just an IT issue,” Eppinger says. “Technical people may feel they aren’t necessarily able to communicate key issues and the complexity around them to the rest of the company. One thing driving our identity program is the extent to which Carnival has made cybersecurity an issue that weaves and flows throughout all our systems.”
To learn more, read “Identity Governance: The Great Enabler.”