Spirit AeroSystems Chooses SailPoint to Streamline User Provisioning and Identity Management

Spirit AeroSystems is one of the largest designers and manufacturers of aerostructures in the world. Based in Wichita, KS, the company designs structures for commercial, military and business/regional jets. With more than 80 years of experience to draw on, Spirit AeroSystems serves such high-profile customers as Boeing and Airbus.

The Challenge

The Computer Security team at Spirit AeroSystems had to cope with an antiquated identity management system. They knew they needed to update it eventually, but what forced their hand was an internal audit that showed a lack of access certifications.

It was all too common for an employee to leave but never get de-provisioned, so someone who had been out of the company for six or eight months could still have an active account. Obviously, this creates numerous risks, including everything from IP theft to regulatory non-compliance.

“My group is responsible for risk assessment, and we knew identity management was a major risk. After the internal audit, upgrading identity management became a project we knew we needed to fast track,” said Ronald Shuck, Global Computing Security Manager for Spirit AeroSystems.

Shuck and his team did a thorough analysis, spending more than six months to figure out the requirements for the new system.

Selection Criteria Emphasize End Users

While access certification requirements drove the project, Shuck kept his sights on end users. “My vision was to move away from our existing cumbersome system to one that enabled self-service end-user provisioning and one which emphasized ease of use overall,” he said.

Another critical consideration was that whatever tools they chose had to be able to support Spirit Aerosystem’s existing applications and tools, such as SAP.

Finally, with all of those issues out of the way, Spirit AeroSystems would be able to once again focus on access certification requirements.

Settling on a Short List

Initially, Spirit AeroSystems narrowed its options down to Oracle or IBM for the back end, which included user provisioning, while SailPoint and Aveksa (which was acquired by RSA in 2013) would be considered for the user-facing front end.

Spirit AeroSystems eventually settled on Oracle for its back end and SailPoint for the front end. They would also bring in a third-party technology consultant to help them with the deployment.

The deployment ended up being difficult, though, as the consultant recommended specific product types and versions. And, at the time, SailPoint IdentityIQ did not have a connector for Spirit’s provisioning vendor. However, SailPoint agreed to do whatever it took to create that connector and get the project up and running for Spirit within their time constraints.

SailPoint Takes over Both the Front End and Back End

Up until this point, SailPoint hadn’t yet played a big role in the deployment. “They wrote a custom connector for us and met their target date, which was good, but I didn’t have an established relationship with them, yet,” Shuck said.

Shuck didn’t have many options at this point, so he contacted SailPoint directly to see if they could do more to help out our identity management program.

“To be honest, I really didn’t know what I was going to do. I didn’t even know if SailPoint could handle the whole project,” Shuck said. “I reached out to them, told them the whole long story about what we wanted. SailPoint immediately engaged with the project and started to turn it around.”

Initially, Spirit AeroSystems was going to try to fix everything that was broken. SailPoint investigated the scope of the project and advised them to start over. Architecturally, the back end was beyond repair, especially since the critical components that were causing problems could not be re-architected.

“Key SailPoint team members told me that the company could handle provisioning, and if they did, those integration issues would disappear,” Shuck said.

Better yet, once SailPoint ran the numbers on what it would cost to start over, Shuck learned that he could implement SailPoint provisioning for roughly the cost of a one-year maintenance license with the previous supplier.

“We will achieve significant ROI in a year and a half. After that, we’ll save $180,000 each and every year since SailPoint’s licensing and maintenance contracts are so much more affordable,” Shuck said.

Customer Service as a Core Value

Spirit AeroSystems still encountered a couple of speed bumps along the way as most companies do with any large-scale enterprise deployment, but SailPoint worked diligently to overcome them all.

“The best way to judge a company is by how well they perform when things don’t go well,” Shuck said. “SailPoint stepped up. They worked long hours, and helped me stay within my budget. In fact, they worked so hard to make everything work that I told them that if they needed more budget, I’d figure out a way to scrounge it up, but they never took me up on that.”

For instance, Spirit AeroSystems uses a very old version of SAP, one that is no longer supported. SailPoint built a custom integration for it. This sort of service is considered standard by the SailPoint team.

Benefits Include Faster Onboarding and More Efficient Workflows

With SailPoint IdentityIQ in place, Spirit AeroSystems’ whole user provisioning and onboarding process is now much easier, faster and more efficient.

Previously, IT had to handle a request for each person. This was manual and labor-intensive. Now, much of this is handled through end-user self-service, but when IT has to sign off on something, that process is also streamlined. IT managers have shopping cart-style interface, through which they can just click on various privileges to set the user up.

“The biggest accomplishment for my team is that now, finally, we can begin working on the access certification process that prompted this change in the first place. We also keep adding new applications and systems, and we can do so with no vendor involvement and no professional services,” Shuck said.

Security workflows are more efficient, faster and more streamlined. And as business requirements change, Shuck and his team can add more application targets and more role-based controls with ease.