It’d be hard to tell whether this is a good-news or a bad-news situation. You’re the senior vice president of identity and access management at an international financial services enterprise, and you’re informed that you’ll be given all of the budget and resources you need to transform the identity governance program for 34,000 employees, thousands of contractors, and about 1,500 applications. The bad news? You’re given a year to do it.
“They gave us a challenge: fix access control in 2017,” she recalls.
What was the catalyst for this change? There were a number of factors. First, it became clear that a significant amount of the risk associated with the organization’s decentralized, largely manual identity management processes could be eliminated. Second, employees and contractors endured long waits for the resources they needed to do their jobs. Finally, anticipated regulatory compliance changes relating to the General Data Protection Regulation (GDPR) would need to be managed, and enhanced identity management capabilities would be central to those efforts.
The identity management team went straight to work. For the next three months, her teams planned their course of action and assembled the team, including contractors, that would put the new identity management system in place. “Our first goal was simply to get all of the core functions running,” the senior vice president said.
Those core functions included onboarding as many applications, directories, and platforms into the new system as possible. They also included integration with authoritative sources, access request and workflow management, automated provisioning to the extent possible, and logging, analytics, and certifications.
So how would the team measure success? Success would be defined by how many of the core capabilities and targeted applications, platforms, and directories were integrated.
The identity transformation begins
There wasn’t much time to spare. The hodgepodge of manual identity management processes across 1,500 applications for 34,000 employees created more risk than was necessary and made it difficult to maintain regulatory compliance, to say nothing of the inefficiency of manual processes for onboarding and managing worker identities. “It’s incredibly complicated and frustrating for any new employee or contractor because they just don’t understand where to go for what access,” she says.
The financial services firm has about a dozen decentralized platforms that could be used for access or provisioning requests and identity certifications, but the company has primarily relied upon manual spreadsheet entries and emails. “We have manual processes for privileged access and although they’re sound processes they are inefficient,” she says.
“The result is that there’s no visibility across applications or platforms. No discovery, no transparency,” she says. “We have hundreds of people who spend at least part of their time, and in many cases all of their time, just submitting access requests and having reports run to validate that their requests were fulfilled as requested,” she adds.
After establishing the plan, the race was on to improve security, regulatory compliance, employee onboarding and entitlement management. They would use SailPoint’s IdentityIQ to get the job done. “We intended to integrate the IdentityIQ platform with several of our unsupported legacy provisioning and certification tools,” she says.
To deploy SailPoint’s IdentityIQ, the team focused on getting their identity authoritative sources integrated, access request and entitlement approvals working, automated provisioning up to speed for about 250 applications, and the ability to view permissions for 1,500 applications. “IdentityIQ became our one-stop-shop to see our access permissions and rectify any gaps,” she says.
What the team appreciated about SailPoint, when compared to its competitors, was the comprehensiveness of the SailPoint portfolio. When it came to IdentityIQ, the team appreciated the identity-related transparency it provides into applications, users, and data access, as well as the enhanced regulatory compliance it supports.
SailPoint has become their go-to for transparency into access permissions and to rectify policy gaps. That said, the enterprise didn’t shut down legacy processes just yet. “But, we can see 1500 applications, and user permissions in IdentityIQ, and now that we have all of our sought-after core capabilities running, we’re going to get the end-to-end automation processes enabled and shut down the duplicate processes over time,” she says.
One of her tenets in overseeing the identity management transformation was to keep the system simple and not overrun people with complexity.
“The goal is to shut down our legacy processes and build on the scale in the platform so that people don’t feel like they’re being sent to just one more decentralized tool to request access for 20 applications,” she says. Next up, they plan to deploy the IdentityIQ Privileged Account Management Module and SecurityIQ.
Deploying IdentityIQ also helped the enterprise to fix hidden data quality issues that had been lurking in many of their disparate systems, including those involving customer-permission requests. “SailPoint enables employees to clean many of these data quality challenges on their own. Over the long term we can provide better data to our customers regarding their access,” she says.
The results are in
The result is that the enterprise has managed to reduce a lot of the risk in the identity management process and streamline the user experience. For instance, in many of the countries where they operate, they’ve simplified the onboarding of new users by creating a simple template for standard needs, including network requests, email, office-collaboration software, and other basic services. This has sped up onboarding considerably. “What used to take about three weeks to onboard a new employee can now be done in less than 24 hours,” she says.
Another win? Client satisfaction.
“Our clients are benefiting from getting access to our system faster, too. It’s not just our employees and contractors. And we’re able to react more quickly to our customers’ requests for new products and for product changes,” she says.
Of course, occasional access issues still arise, but those instances will be minimized now that identity permissions are more visible. “We can now fix issues before users know what’s wrong,” she says.
“I’ve been with this company for 20 years and I’ve seen many big projects, and I’ve never seen a project get the visibility that this one had. And we consider ourselves successful. We got all of the core features in SailPoint running the way we wanted them to run. Much of that success is a testament to our team, executive leadership backing of the initiative, and the ease of using SailPoint,” she says.
“We had the full backing of our executive leadership, and that made a big difference. It’s so powerful when they are behind what we needed to do, and I’ve never seen another platform – especially one with so many moving parts – get implemented and integrated in a single year,” she said.