Rockwell Automation faced a looming identity problem. Their legacy system, Sun’s IDM solution, was scheduled to sunset in 2014, so the company had to make a change. Rather than simply replacing one system with something newer, however, Rockwell wanted to get its identity and access management (IAM) program right once and for all, shifting it from a cost center to a foundation that provides value throughout the organization.
Bridget Wilcox, senior manager of Application and Data Security, and Brandon Lemery, manager of Information Security, recently discussed how they made the shift to automation at SailPoint’s Navigate ’14 conference.
According to Wilcox, Rockwell Automation wanted a solution that would:
- Automate user provisioning;
- Streamline regulatory compliance;
- Improve the customer experience;
- Eliminate manual IT intervention; and
- Provide better visibility into the access assigned to identities.
Before figuring out how to meet all of those business objectives, however, Rockwell Automation had to first confirm their current inventory of existing processes, procedures and throughput. They needed to understand, in as much detail as possible, such things as: what happens when a new user requests access; how are users who leave the company de-certified; and how do users whose roles change get re-certified?
For Rockwell Automation, the whole process starts with SAP, which provides the initial user data feed from HR.
Wilcox and Lemery quickly had confirmation of what they already suspected: their existing processes were far too complicated, time-consuming and costly because there were at least 25 different processes that could trigger requests. In fact, in just the 20 applications that have already been integrated into IdentityIQ, there were more than 8,000 requestable entitlements and more than 1,000 requestable roles. And this was just the beginning.
Access recertification added another layer of complexity. When employees change roles or leave, or when contractors no longer have roles, their access needs to be either terminated or recertified so that privileges match the new roles. This was another manual process.
“We’re very good at offboarding employees,” Wilcox said. “That’s because business leaders don’t want to pay for people who are not working for us anymore.”
Since everything starts with HR, if an employee’s access isn’t terminated they may well still be drawing pay. Business leaders were motivated to be proactive about this part of the process, since it would cost them money if they weren’t.
“However, we weren’t very good about offboarding contractors. The business managers really didn’t care if those people’s access was terminated, since it didn’t cost anything to leave their accounts active,” she said.
It didn’t cost anything in raw dollars, but this lack of access revocation certainly increased security risks, potentially exposing Rockwell Automation to everything from IP theft to regulatory non-compliance.
Thus, as Rockwell Automation investigated new IAM solutions, automated decertification and recertification topped their list of priorities.
Rockwell Automation Taps SailPoint
To replace the Sun IDM system, Rockwell Automation turned to SailPoint’s IdentityIQ. Automation largely drove the decision, with SailPoint automating everything from password synching to user provisioning.
The efficiency Rockwell Automation gained was impressive. In FY 2012, for instance, Rockwell Automation used 23 contractors to support 82,000 access requests. All of this work was done manually. After implementing SailPoint IdentityIQ, 62,000 requests were handled automatically – most through self-service request.
This allowed Rockwell Automation to cut back on a few contractors, while shifting the rest to new roles.
Savings Pile Up
Rockwell Automation estimates that it will save over $1 million annually by shifting to IdentityIQ. Some of the savings were fairly straightforward and easy to quantify. Automating the request process alone surfaced significant savings, as did automating provisioning and recertification.
Other “soft” savings are more difficult to quantify, but just as important. For instance, what’s the raw dollar value of reallocating contractor resources? Depending on their new roles, it can be hard to tell, but if you’re paying contractors $50, $75, or even $100 per hour, then it’s obvious that those savings add up quickly, as well.
Another problem Rockwell Automation had been having was that its open ticket backlog was spiraling out of control. Often, the employees waiting for their request to be filled are stuck. They need access to do their work, and any delay results in lost productivity.
There are also soft benefits that accrue to the IT security team, since long delays sour employees on IT. Now, IT is seen more as a technology enabler than as an obstacle employees must clear to do their work.
Other soft savings include improved security (one data breach could pay for the new system many times over, after all), the ability to onboard future applications and handle their requests in a centralized fashion, and overall user satisfaction.
How to Find Your Own $1 Million in Savings
In order to get your organization to commit to shifting to an automated IAM platform, Lemery recommends that you quantify your baseline metrics. When Lemery and Wilcox totaled up the costs associated with handling requests, processing time, open ticket backlogs, and recertifications, it was obvious that IdentityIQ would pay for itself quickly and deliver savings each and every year.
“It’s important to quantify what you are doing now,” Lemery said. “How sustainable is the process you are currently using? And don’t forget to at least ballpark the soft costs of continuing to do what you’ve been doing. For instance, are you failing to meet SLAs you have with various business units? There may not be a dollar penalty for that in your organization, but there is certainly a cost to your group, even if it’s just a negative reputation.”
Lemery and Wilcox also recommended looking at any legacy technologies your organization will sunset, any new software you may be switching to (such as Office 365), and the regulatory requirements surrounding your applications and workflows.
“You don’t need to automate everything. Some things may be too small to bother with,” Wilcox added. Maybe recertification is fairly simple for your organization, for instance. “Nor do you need to onboard each and every application. This isn’t an all-or-nothing shift. Rather, we recommend zeroing in on whatever will offer you the most value.”
And the only way to do that is to start collecting metrics. If you don’t know what your status-quo manual processes cost, start figuring it out. You’ll be surprised how quickly the costs, and later the savings, add up.