One of the things I enjoy most about Burton Catalyst is the chance to hear first-hand from client organizations about their identity management deployments. For the most part, these sessions deal honestly with issues and challenges, are relatively hype-free, and focus on the pragmatic vs. the visionary. This year’s Catalyst featured an interesting set of customer speakers, including the vice president of enterprise security at one of the world’s 10 largest banks (we’re not allowed to promote the company as a customer, so I’ve done previously, I’ll refer to him as “Charlie Iso”).
Charlie’s presentation began with the intriguing comment “Roles are like communism. They sound pretty good on paper, but the real challenge is trying to implement them in the real world.” From this introduction, Charlie went on to describe how the bank embarked on the process of aggregating and correlating entitlements across 24 compliance-relevant applications and building roles to improve oversight during quarterly access certifications.
He shared several of the challenges that the bank had to overcome to better address its compliance and security requirements. Prior to implementing SailPoint IdentityIQ, the institution performed access certifications using “Excel over Outlook.” There was a lot of frustration in the various departments because managers were being hit constantly by differing organizations asking them to review and approve access privileges. Charlie also talked about the difficulty of certifying user access because reviewers could not understand cryptic entitlement descriptions. Two of the bigger takeaways from his presentation were the need (and challenge) of getting businesspeople to participate in role definition and maintenance and the importance of cleansing data before mining for roles.
Charlie summed up the results of the bank’s role management project as “making compliance simpler, reducing corporate risk from proliferation of access privileges, and improving control of the entire account lifecycle.” After completing his presentation, he took quite a few questions from the audience and shared some valuable insights. Here are a few of the questions – along with Charlie’s answers.
Question: Did you use role mining to create roles?
Answer: We created our initial set of roles using an interactive process between IT and business groups, in parallel with doing entitlement aggregation and cleanup. SailPoint IdentityIQ supports role mining, but in my opinion mining is not effective until after you’ve gone through and cleaned up your identity data. Dirty data yields dirty results, so it’s important to go through a certification and cleanup cycle before you do role mining.
Question: How many roles did you create?
Answer: I’m not sure of the total number. It really depends on what parts of the organization you’re talking about. For example, in our branches, we need only a limited number of roles, like 5. It’s completely different in our back-office environment, where we have many more systems and functional groups and the number and complexity of roles is a lot greater.
Question: How do you get business users to maintain roles over time?
Answer: We are using the access certification process to ensure regular oversight of roles. SailPoint IdentityIQ automates the certification of both role contents (entitlements that make up a role) and role membership.
Question: How long did this project take?
Answer: It took us about 6 months from the initial design through the final user acceptance testing.
As you can see, Charlie presented a pragmatic example of implementing role management in the financial services world. And as Charlie pointed out, success comes by defining a working process between business and IT and deploying the right tools for people to accomplish defined objectives.
I’ll end with another quote about communism (this time from Will Rogers): “Communism to me is one-third practice and two-thirds explanation.” Continuing with the analogy to roles, I say let’s cut down on the explaining and focus on the practice!
What do you think?