Silicon Valley Bank Innovates Identity
Silicon Valley Bank opened its first office in 1983, just before Silicon Valley became a household name. As a subsidiary of SVB Financial Group, Silicon Valley Bank focuses on high tech clients and has provided funding to more than 30,000 start-ups since its founding. With more than $51 billion in assets, Silicon Valley Bank is one of the largest banks in the United States.
As you might imagine, like any bank of this size, it faces considerable regulatory demands. “We’re financial services, and in financial services regulatory compliance touches everything we do,” says Shawn Lawson, head of IT at Silicon Valley Bank. “We’re constantly audited for everything. We have Gramm-Leach-Bliley, the Federal Reserve, the Payment Card Industry Data Security Standard, as well as compliance to secure financial messaging system SWIFT. We have just about every compliance mandate that has to be met. This means our identity program is highly driven by identity governance and compliance,” Lawson says.
But it wasn’t just compliance that drove Silicon Valley Bank to improve its identity and access management program, explains Lawson. The most pressing challenge: identity was managed in an ad hoc manner, with each group taking its own approach. “Sometimes, when it came to identity, what needed to get done, got done. However, sometimes it didn’t. We needed somebody who owned the identity program and standardized it across the organization,” he says.
Also, by improving access to resources, Silicon Valley Bank could increase productivity. In addition to the thousands of identities and associated access rights that must be managed to effectively meet regulatory mandates, effective identity and access management also helps to ensure employees and contractors get swift access to the resources they need.
Finally, and critically, there’s the improvement to cybersecurity brought by good identity management. “We have to be compliant to regulations, but we also need to actually mitigate the risk. There’s very real risk out there. We’ve all seen the news, and we needed to reduce those risks and not just check compliance boxes,” Lawson says.
Silicon Valley Bank Improves its Identity Governance Program
Lawson and his team got to work on improving governance over all of their identities and all of their unstructured data. They were able to improve their regulatory compliance and identity lifecycle management, and now have deep transparency into who can access their applications, cloud services, and all of unstructured files. They are now equipped to better manage when staff changes a job role within the bank.
One of the most significant benefits the team reaped with their new identity management initiative proved to be the elimination of time-consuming and frustrating manual certifications. For core applications, Silicon Valley Bank has long certified that users have access to only the proper applications and resources, and that their access entitlements within applications and services are appropriately set. Doing this manually was costly and ineffective.
“We recently launched automated certifications,” says Ryan Waltz, IAM program manager. Currently, the application certification period is about one month and the team is certifying approximately 46,000 entitlements.
Identity Governance Rapid Time to Value
In about a year, the team brought 165 applications into the program. That’s a phenomenal pace. “We put into place better self-service when it came to access requests, and we improved our lifecycle management,” Lawson says.
The improved identity lifecycle management was crucial for Silicon Valley Bank, with its very dynamic business.
“We have many new people coming on-board and existing staff changing jobs within Silicon Valley Bank all of the time,” says Waltz. “There has to be a good way to manage that in place,” he adds. For Silicon Valley Bank, that included an annual manager training program and putting into place a dedicated identity-management team. “We started with five team members, but now we have about twelve who help run the identity and access management program,” Waltz says.
As the system was built, the team found that they were not only able to automate their access certifications and more effectively manage the entire identity lifecycle, they were also able to improve their security posture. “We’ve gained both operational efficiencies and were able to reduce risk,” Lawson says.
That risk reduction included the reduction of orphaned accounts, the elimination of excessive access rights and privileges, reduction in regulatory risk, and more effective provisioning. “Once you start an identity program, you find a lot of messes that need to be cleaned up, like unused accounts, because these are the things attackers are going to look for in an attempt to run rampant in a network,” says Lawson.
Next up for the team, a deeper focus on privileged access management, role-based access control, and increased use of predictive analytics and AI. “I think it’s something that will help us considerably, especially when it comes to role-mining and seeing what access people have, or they should actually have,” says Lawson.
“The fact that we were able to bring 165 applications into our program — and do it in two years and under budget — is quite miraculous for an identity and access management program,” says Lawson.