All of us deal with risk every day; we just don’t necessarily quantify or categorize it when making our decisions. Do we jaywalk against the red light on the corner because there isn’t any oncoming traffic? Do we forgo coffee because we are running late for work? Do we stay silent when one of our coworkers is engaging in particularly bad behavior? And so on.
When you are in the IAM space, though, you can’t be so cavalier: risk quantification is the name of the game. At the SailPoint Navigate conference we heard from Graeme Payne, who runs the access management team at Equifax. He spoke about deliberately reducing his risk portfolio when he had the opportunity to move from Sun’s Identity Manager to SailPoint’s IdentityIQ. Sun’s IdM was acquired by Oracle and, like many other Sun products, is set to expire next year. Equifax is just one of numerous users of the software that are looking to replace it.
Payne wanted not just to replace the Sun software but to replace it intelligently, using the changeover to re-examine all of his identity governance policies and procedures as well. His plan had several points, which he outlined for the conference attendees:
- Look at the certification process. With Sun, he had 28 IT staffers acting as custodians for the entire employee certification program. Given that Equifax has 10,000 people working for them, that was quite a burden for those custodians. Instead, he wanted to move that responsibility down to 900 managers, because “these managers have much better insight into what their employees have access to anyway.”
- Rank their apps. Equifax ranked their apps according to risk and picked the high-risk ones running on their mainframes, along with Oracle Financials. They engaged their system integrator partner to help build the right connectors to these apps, and delayed their cutover from Sun until later this year to stage their implementations.
- Role development. Equifax wanted to understand where their most critical data access points were and where the biggest gains would come from changing them. They set up a role framework to structure things going forward, and they plan to start deploying roles in areas of high gain, such as their call centers.
- Event-driven triggers. Roles can’t handle everything, though, such as when someone moves from one department to another or gets a promotion and changes their role. Equifax wrote special rules to handle these events; the rules require a manager to re-certify a staffer’s access every six months if their role changes. One thing that made this easier is that they have a single HR system that can easily keep track of this sort of thing, and it even includes contractors (who also get re-certified every six months).
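As an added illustration of the event-driven rule described in the last bullet (example code written for this post, not Equifax’s or SailPoint’s own rules): HR feed events that change a worker’s role schedule a line-manager certification immediately and every six months thereafter, employees and contractors alike, while other HR events trigger nothing. The event type names, the 182-day approximation of “six months”, the sample feed, and the choice that a newer role change restarts the clock are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# "Every six months" from the article, approximated here as 182 days (assumption).
RECERT_INTERVAL = timedelta(days=182)
# HR event types treated as role changes; the names are assumptions for this example.
ROLE_CHANGE_EVENTS = {"department_change", "promotion"}

@dataclass(frozen=True)
class HREvent:
    worker_id: str
    manager_id: str    # the reviewer: certification is pushed down to line managers
    worker_type: str   # "employee" or "contractor" -- same rule applies to both
    event_type: str
    effective: date

@dataclass(frozen=True)
class CertificationTask:
    worker_id: str
    reviewer_id: str
    trigger: str
    due: date

def latest_role_change(events):
    """Keep the most recent role-changing event per worker (assumption: a newer
    role change restarts the six-month clock instead of stacking a second schedule)."""
    latest = {}
    for ev in events:
        if ev.event_type not in ROLE_CHANGE_EVENTS:
            continue  # e.g. an address change is not a role change and triggers nothing
        cur = latest.get(ev.worker_id)
        if cur is None or ev.effective > cur.effective:
            latest[ev.worker_id] = ev
    return latest

def schedule_recertifications(events, horizon_end):
    """One manager review at the role change, then one every six months up to horizon_end."""
    tasks = []
    for ev in latest_role_change(events).values():
        due = ev.effective
        while due <= horizon_end:
            tasks.append(CertificationTask(ev.worker_id, ev.manager_id, ev.event_type, due))
            due += RECERT_INTERVAL
    return sorted(tasks, key=lambda t: (t.due, t.worker_id))

# Constructed sample HR feed for the demo; not real data.
SAMPLE_EVENTS = [
    HREvent("w100", "m1", "employee",   "department_change", date(2011, 1, 10)),
    HREvent("w100", "m2", "employee",   "promotion",         date(2011, 3, 1)),   # supersedes the transfer
    HREvent("c200", "m1", "contractor", "department_change", date(2011, 2, 15)),
    HREvent("w300", "m3", "employee",   "address_change",    date(2011, 2, 20)),  # not a role change
]

def sample_schedule():
    """Schedule for the constructed feed through the end of 2011."""
    return schedule_recertifications(SAMPLE_EVENTS, date(2011, 12, 31))

if __name__ == "__main__":
    for task in sample_schedule():
        print(task)
```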
All of this had a big benefit: they have seen major improvements and major risk reductions as a result. Take a look at the flow chart below, which illustrates the process that both Sun and SailPoint go through to certify access. You can see numerous boxes: each box is a step, and the steps that SailPoint’s IdentityIQ omits are crossed out. Those extra steps represent a big savings in time and money for Equifax.
UPDATE (SailPoint Editor’s Note): Since deploying SailPoint IdentityIQ, Equifax has been able to achieve a smooth transition from Sun IdM, their legacy provisioning solution provider, reduce the time spent on access certifications by more than 75%, and minimize audit errors by using closed-loop validations of revocations. Learn more about these achievements in a more detailed case study here.