Vodafone Turkey builds strong identity security program

Vodafone is no stranger to the growing number of compliance and regulatory audits required to assess things like information technology security vulnerabilities, software development practices, management system processes, safety and environmental practices, as well as a multitude of industry-specific scenarios.

In fact, Vodafone is required to meet a plethora of highly restrictive regulations from governmental organizations, independent organizations and internal dictates. Failure to comply not only results in massive fines, but also degrades customer confidence and corporate expectations.

Out of compliance and regulatory audit requirements for Vodafone Turkey, the result was the creation of an identity management journey to provide the company with a robust identity management system that not only addresses today’s compliance requirements, but those expected in the future.

“So we started researching the leading companies in access governance by looking at what Gartner and other companies were saying to determine the leaders and visionaries in the market, and we talked to other companies in Europe and Turkey that shared their experiences with us,” explained Serdar Calin, Access Governance and Identity Management Architect, Vodafone Turkey.

Calin’s team then developed a shortlist of companies that included SailPoint, and they were each asked to complete a proof of concept (POC) that contained more than 200 questions covering a number of complex access request workflows and customized certification scenarios, as well as things like customized birthright rules.

SailPoint experts then established a new, temporary POC environment for Vodafone Turkey to illustrate its proposed solutions.

“SailPoint experts answered these questions quickly, and they gave us some alternative ways to solve different scenarios and problems,” Calin said. “The result was that SailPoint received the highest scores from start to end of the POC process, meeting all of our necessary requirements for access governance across all of our business scenarios.”

A working relationship

The results of the POC led Vodafone Turkey to choose SailPoint for its identity and access management (IAM) needs.

“We use all of the functionalities of SailPoint – and we definitely push it to the limits,” Calin said. “SailPoint actually meets about 95 percent of our needs, but there have been a few occasions where we needed an enhancement. For example, we needed attachment functionality on the Access Request Forms, so we created a customized solution. By the next version of IdentityIQ, that feature was actually embedded in the SailPoint base.”

Calin described his experience as SailPoint architect and administrator for Vodafone Turkey as “awesome,” explaining that in the six years since initially choosing SailPoint, Vodafone Turkey has not experienced any unplanned service interruptions.

“Before we started this transformation with SailPoint, we used a customized access request record ticketing system,” he explains. “But it wasn’t a true access governance product, so the main focus was recording access requests on a platform. However, these access request counts were reduced by more than 1,000 when using the correct birthright roles on SailPoint. That was an extremely large, positive result for us.”

Likewise, Calin says SailPoint had a major impact on the company’s entrance provisioning and onboarding times.

“SailPoint reduced provisioning and onboarding time from as much as six hours to less than 10 minutes. That was a huge enhancement for our team. We also replaced our system of running manual audit reports with the auto-generated reports from SailPoint.”

“Before this transformation, we were running manual mover processes,” he explained, “but SailPoint enabled us to customize certification-based mover processes using automated provisioning. We now give all permissions to movers automatically, and we have more than 230,000 identities including full-time employees, contractors, third-party call center agents, Vodafone dealers and their employees, investors and service accounts. We also use the SAP HR product as the authoritative source for our SailPoint environment. When a user leaves the company, we can remove the old privileges almost instantly after the person leaves.”

But Calin says the greatest impact for all stakeholders has been the reduction of time spent in the onboarding process. “SailPoint has had a huge impact on our operations administrators because it enables automatic provisioning and de-provisioning without any intervention needed on their part.”

In the near future, Vodafone Turkey plans to integrate SailPoint’s Privileged Access Management (PAM) module with its CyberArk environment. Likewise, Calin says the company will extend its use of birthright roles based on human resources organization data and dormancy control on all applications that are integrated with SailPoint.
Calin also has advice for other companies that are considering solutions for access governance and identity management.

“These should be handled as a program, as opposed to a project,” he says, adding that patience is needed in the process, which can take years to finalize. “The program is not just about IT department or the privacy department or the information security department – it’s about the entire company. As such, it should incorporate all employees, and it should have the support of C-level leaders throughout the organization to show support for the program and ensure success.”