Central bank of major global economy strengthens its end-to-end identity lifecycle

Like many organizations, the bank was challenged when it came to managing access to its hundreds of systems and multitudes of data sources. Delivering accurate information and rock-solid financial services in today’s fast-moving world requires responsive and agile IT systems, yet compliance and security requirements have never been higher, especially for an organization like this that’s charged with setting regulatory standards for other banks.  

The bank needed a way to easily, quickly, and automatically control access to data and IT resources. One that wouldn’t require manual management and could automatically manage compliance requirements.  

“Our identity and access management governance at the bank was previously limited to a small number of systems,” said cyber security design team leader. “Instead, the vast majority of access to system services and data was managed through help desk processes and a broad range of products in a very ad hoc way. It was very inefficient. We had a lot of tools to operate, a lot of things to manage, and we didn’t have a centralized view.”  

The bank needed a way to automate end-to-end audit capabilities, lifecycle management, separation of duties, automated recertification processes, and much more that’s critical to creating a robust and resilient platform for more agile and secure application and data access. But finding an identity security solution wasn’t going to be easy, since it would need to address a complex range of systems—everything from mainframe services to custom applications to standard commercial and third-party products.  

The Yin and Yang of Risk and Access

To top it off, in addition to controlling access to critical payment and accounting systems, this Bank is also responsible for Interest Rate and policy decisions that rely on its extensive data sources, meaning that the bank must enable access to data, rather than restrict it—no simple process when that requires access to hundreds of systems and services via hundreds of different users and contract resources. 

“We have a complete yin and yang,” said cyber security design team leader. “On the payment side of the bank where we’re talking about the government’s balance sheets and payments, it’s vital to be heavily controlled. Yet when it comes to policy decisions, the biggest risk is that people don’t have access to the information they need to make the correct policy or rate-setting decision.” 

In addition, there was an increasing need for compliance and audit capabilities. Since the Bank sets the compliance rules for the banking sector, it knew it had to hold itself to the highest standards of accountability, including for regulations such as GDPR.   

“For the good of the people of the country it all depends on good identity and access management processes,” said cyber security design team leader. “We knew we couldn’t meet the levels of accountability and compliance we needed to if we didn’t have the appropriate tools in place.”  

An Identity Security Challenge and Solution

The bank set itself a challenge to find a centralized identity and access management solution that could integrate well and bring together the access risk view and automation, including provisioning and de-provisioning. 

After an extensive evaluation the Bank selected SailPoint to transform its identity security.  

“SailPoint was clearly the leader with its ability to integrate identity management into a broad range of our products and platforms,” said cyber security design team leader. “The bank runs hundreds of technology stacks and SailPoint definitely had the best solution with regards to integration. Ultimately, the key differentiator for us in choosing SailPoint as our identity management platform over incumbent tools and services we had was its ability to integrate into a large number of systems and services and provide end-to-end automation for our identity management processes.” 

Since initially deploying SailPoint in its top 21 systems, the bank has continued to expand and extend its use across the majority of its systems and data sources, as originally planned, integrating and automating as it goes. Now, more than 350 systems are integrated into the bank’s identity security platform. The bank has also built identity management into its standard delivery processes, so as it brings in new tools, systems, and services they’re integrated right into it. 

Metrics and Benefits 

The bank’s implementation of SailPoint has delivered a range of benefits.  

For example, prior to implementation, less than 50% of access reviews were completed, but with the new solution the bank is obtaining a minimum of 95% on access reviews, and the same for the amount of applications removal tracked.   

Importantly, the organization has also seen real buy-in from its most senior managers. In fact, a range of identity security metrics are provided to the bank’s governors and deputy governors and it’s also a standing agenda item at the bank’s audit and risk committee meetings.  

The identity management solution has become so ingrained into the organization’s processes that now, any time a new employee joins the bank, their account is provisioned and available before they’ve started work, saving significant time.  

Overall, the implementation has gone so well that the Bank has expanded it to include access management to unstructured data in its document management solution, using the same workflow, processes, and interface that are used for access management to its systems.  

Critically, by using the Identity Security platform the team was able to achieve all of these objectives without increasing its staffing resources. “We have a very small team and using SailPoint’s automation has enabled us to deliver a whole host of identity and access management processes and services,” said cyber security design team leader. “With a relatively small team we’ve been able to run a good identity security program.” 

Identity automation is also helping the Bank understand its risks better. “The risk modelling has been really important to us as an organization, and we’re still expanding our portfolio,” said cyber security design team leader. “Now, for the first time, we have a really good understanding of our access risk, and we have end-to-end identity lifecycle management really well nailed down. The experience has been a very positive one.” 

In short, this Bank’s deployment of SailPoint as its identity and access management platform has been a significant success. “We’re in a much better position now, with a single stop for access management and provisioning through a sign pane of glass across unstructured data and system services,” said cyber security design team leader. “We’re in a position where everything that matters is now automated through a single platform.” 

Greater Security Through Identity Management 

In addition to focusing on ways to improve its business processes, the Bank has identified new opportunities for expanding the value of its identity management capabilities. “With identity security, we’re in a much better position to adopt things like digital transformation and cloud services,” said cyber security design team leader.  

Interestingly, the bank will be extending identity management into non-human identities. “One of the key areas where we see a big transformation is in access to systems and entitlements via machine learning and AI,” says cyber security design team leader. “We expect to come up with a strategy for an identity overlay for machine learning AI in the next couple of years.” 

For this organisation, identity security isn’t just another nice-to-have capability—it’s the core to a carefully thought-out cybersecurity strategy that protects the bank and its customers. “Identity is going to be the heart of our cyber security strategy for the next three to five years, including a focus on zero trust principles,” cyber security design team leader concludes.