Identity Built to Scale
“SailPoint is very reliable. It’s also easy to scale so we can easily manage more users if we complete an acquisition or if we need to do something from a business perspective that would require more resources.”
— Diego Galletti, Identity & Access Management Architect at Quad Graphics
Quad Graphics is a leading global provider of print and media that partners with its clients to provide fully integrated marketing solutions. The company has over 40 printing and service facilities around the globe.
Fresh off an acquisition, the company needed an identity solution that would enable it to scale the growing business and manage all of its accounts in one place.
- Built a centralized view of accounts across the business
- Streamlined joiner-mover-leaver processes
- Improved operational efficiency through automating access requests
- Reduced risk by managing user access privileges
Quad Graphics now has a centralized identity program that will scale with the business. The entire user lifecycle is automated, which has saved time and mitigated risk for the organization.
A Conversation with Quad and SailPoint
Diego Galletti: I started working at Quad about 15 years ago when I moved to the United States for a few years. Initially I joined the IT security team, where I was able to basically expand my experience with cybersecurity and risk in general. But at the same time I also worked with the Windows network services team, which is responsible for managing Active Directory and the technology related to Microsoft. So between these two teams I was also involved in various IT assessments of the acquisition that Quad was doing at the time all around the world. And because of that I was also involved in architectural redesign and everything related to the IT aspect. At that point, I think much from 2016, I started focusing only on identity and access governance, where I am now driving the implementation of an identity and access management solution in the company.
Describe your identity journey at Quad
I think we started in 2016, pretty much at the same time when there were increasing auditing and compliance requirements. Also because we were maintaining a lot of domains because of the acquisition we were doing. So at the time we were looking for a solution to manage all these accounts in one place, streamline the access request process, and in a way that could be basically audited and automated easily. We spent some time in 2016 working on the RFP process. At that time many people best from different teams in Quad worked on the process together with me. And we tried to identify a vendor and a solution that would meet the criteria we wanted.
In 2017, after evaluating a lot of different solutions, we decided to go with SailPoint IdentityIQ, especially because IdentityIQ was the perfect solution for the amount of applications that we have on prem versus cloud. So we split that implementation basically into multiple phases and we worked closely with Optiv, which is a SailPoint implementation partner. The first phase was to implement user lifecycle. So everything from the birthright to the termination of the user. And together with that we were able to introduce a password management service.
The second phase was basically moving more into access requests and access review and the automation of this process, obviously. And then the third phase was more on the Quad side, to continue onboarding applications and expanding features of the product in the company. When I look at that, it’s three years and we were able to onboard, I think, around 100 applications right now. Few of these are also third party ones so it’s quite a lot of work to do these ones. We have a lot of cloud applications: Salesforce, Office 365, Box. We are also managing, I think, 10 to 12 Active Directory domains and over 150 database servers where we maintain obviously the identities for password management or met entities locally on the service side. The other thing that is interesting is that we automated over 50 quarterly access reviews that we were doing manually before. And that’s all now automated in SailPoint.
What is the overall impact you have seen so far in your identity program?
Access request originally was all done manually. Somebody was placing a request. And then there was a team obviously taking care of this request manually, seeking approval and granting access. This was taking quite a lot of time; sometimes we were going from days to weeks. So there was a lot of delay obviously waiting for application access.
The other thing that was also different was access review, which was done manually. So the removal of the access was actually done from another team applied after working access. Both of these were basically changed into an automated process right now with SailPoint.
How has your team reduced risk for your organization?
Now the access requests and reviews are all automated. It’s not taking a lot of time, but it’s also making sure that we’re not taking the risk anymore to grant access without seeking the correct approval from everybody. And we are also basically able to manage a lot of other automation like multifactor authentication right now; it’s a process that we can enable right away at birthright, that we know when the new accounts are created. We have a lot of other processes that we actually automated with SailPoint; for example, another one is disabling accounts for inactivity. All those processes were not basically in place before with Quad. And now we are able to basically just disable accounts they don’t use anymore.
Another one that is really interesting is also that we are now automating the access to be for managers when their users are moving. So it will automatically trigger access review for managers and they can actually look at the access that they have and what they need to maintain when they’re moving to another unit.
What’s on the horizon for identity at Quad?
One that is really interesting is obviously AI, artificial intelligence. We want to seek and continue looking at that to see if we can actually improve the access request, helping users deciding what other people already have and what the pattern should be to request access. Although it’s in the access review they would probably help much more the users understanding if it’s appropriate or not but socially either sides of the same team. We’re working on orphan accounts, automated access review for database and other systems to make sure the accounts are not sitting there with nobody as an owner.
There are a lot of improvements on the catalog of SailPoint that we’re trying to do so that we can actually show the access you should be requesting instead of showing a much bigger catalog but with access you don’t need to request. And then single sign-on, on that we’re working already this quarter. And then a lot of other automated roles and business roles to basically decrease the amount of access reviews that people should do in the quarterly access review.
What about SailPoint stood out for you?
From a technical standpoint it is very reliable. It’s also easy to scale, so we can easily go to manage a lot more users if we need to do an acquisition, if we need to do something from a business perspective that would require more resources. And I think the other thing we like is the community, where we can find a lot of information but at the same time we can engage with other users and other companies and maybe either work on similar issues or work together on how other people are implementing features. So that helps exchanging, obviously, experience.