St. James’s Place Improves Security Through Identity Governance
St. James’s Place (SJP) is a UK-based wealth management company listed on the London Stock Exchange (STJ). SJP specialises in delivering face-to-face, personalised wealth management advice through their expert advisory arm, the Partnership.
This 28-year-old financial services company is no stranger to the regulatory pressure that the industry faces. After manually managing identities for this growing public company, the IT organization saw the need for an automated identity program. “Regulatory compliance pressure fueled our search for a better way to manage identities in the organisation, but we also knew the cost savings and employee experience upside possible from a governance-based identity approach,” said Tari Dogra, Head of Division – IT Service Management, St James’s Place. SJP is also a cloud-first company, so being able to deploy in the cloud was important.
Demonstrating a Compliant Business
Tari and his team partnered with SailPoint in late 2016, choosing to deploy their program in Amazon Web Services (AWS) to gain all of the advantages of a cloud-first environment. Automating their certification program was their number one priority. “Our Partnership community is responsible for generating business for SJP and includes our highest-risk access owners accessing financial services and client data. SJP is regulated under the Financial Conduct Authority (FCA) which asked us to have sufficient controls in place to manage access by third parties which our Partnership division falls under,” Tari shared. Previously this group of users was managed directly by the Partnership Support Staff team, and IT had zero oversight into a user’s access at any stage of their employment. When it came to certification campaigns, verifying access was a constant chase with partners, and they never achieved 100% completion on their campaigns.
By automating this process with SailPoint, SJP now has a scalable, repeatable model for each certification campaign and is meeting requirements set by the FCA. “Our automated certification campaigns now take one month to complete – a process that previously took one year,” Tari reflected. “After our last certification campaign, 640 accounts were deleted, and 380 accounts had access revoked. This is exactly the kind of visibility we were hoping for. Not only is it reducing risk, but also driving down costs associated with maintaining access no longer needed.”
This improved certification process has been expanded to employees with access to various critical applications and data areas on their systems, as well as to contractors. Access to data areas is reviewed monthly by the data owner to ensure the access is still appropriate.
What You Need, When You Need It
Tari and the team then turned their focus to building an automated joiner, mover, leaver process for the entire company with SailPoint. “Our goal was to speed the access process up by automating it and minimizing the manual account creation, processing and granting additional access for accounts, while implementing a least privileged access policy company-wide,” Tari shared.
They worked with HR to evaluate the data in their HR system, ensuring it was maintained and cleaned before feeding the data into SailPoint. A major player in the program, HR has ownership of the data and is responsible for ensuring it is kept up to date.
They started with the leaver process, terminating employees’ access promptly when they departed SJP. When the HR system notifies SailPoint that a user is leaving, the leaver is processed by removing entitlements and distribution-list memberships and disabling the account on the date of termination. Thirty days later, the account is deleted.
“Now that this process is automated, we are no longer dependent on the human factor and the risk of lingering access is mitigated. Prior to SailPoint, some accounts were still active well after 30 days following termination. Automation has also kept license costs under control,” Tari reflected.
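As an added illustration (not SailPoint’s code or SJP’s configuration), the leaver workflow described above and the lingering-access check it is meant to make unnecessary, modelled in Python over constructed sample accounts. The 30-day deletion window is the one the page states; the class and function names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

DELETE_AFTER_DAYS = 30  # page: the account is deleted 30 days after the termination date


@dataclass
class Account:
    user: str
    enabled: bool = True
    entitlements: set = field(default_factory=set)
    distribution_lists: set = field(default_factory=set)
    termination_date: Optional[date] = None  # set by the HR leaver event
    deleted: bool = False


def on_hr_leaver_event(acct: Account, termination_date: date) -> None:
    """The HR system notifies the identity platform that a user is leaving."""
    acct.termination_date = termination_date


def run_daily(accounts: List[Account], today: date) -> List[str]:
    """Idempotent daily pass enforcing the leaver workflow; returns audit-log lines."""
    log = []
    for a in accounts:
        t = a.termination_date
        if t is None or a.deleted:
            continue
        if today >= t and a.enabled:
            # Termination date reached: strip entitlements and distribution lists, disable.
            a.entitlements.clear()
            a.distribution_lists.clear()
            a.enabled = False
            log.append(f"{today}: {a.user} disabled; entitlements and distribution lists removed")
        if today >= t + timedelta(days=DELETE_AFTER_DAYS):
            a.deleted = True
            log.append(f"{today}: {a.user} deleted")
    return log


def lingering_access(accounts: List[Account], today: date) -> List[str]:
    """Detection check: leavers still enabled after their termination date (the manual-era failure)."""
    return [a.user for a in accounts
            if a.termination_date is not None and a.enabled and not a.deleted
            and today > a.termination_date]


def demo() -> dict:
    """Constructed scenario: one leaver walked through the timeline, one stale account caught."""
    alice = Account("alice", entitlements={"crm_read"}, distribution_lists={"all-staff"})
    on_hr_leaver_event(alice, date(2024, 3, 1))
    log = []
    for day in (date(2024, 2, 28), date(2024, 3, 1), date(2024, 3, 15), date(2024, 3, 31)):
        log += run_daily([alice], day)
    bob = Account("bob")  # constructed: HR flagged the leaver but no workflow ever ran
    on_hr_leaver_event(bob, date(2024, 1, 1))
    return {"log": log, "alice_deleted": alice.deleted, "alice_entitlements": alice.entitlements,
            "stale": lingering_access([alice, bob], date(2024, 2, 15))}
```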
The joiner process has also been established, contributing to SJP’s mission to enable a more efficient workforce. Employees are now able to access the systems deemed necessary for their job role on day one of employment. This will then be extended to employees who move job roles in the organisation, removing access that is no longer needed and granting application access for the new role. “We are thrilled with the success we have had thus far from our partnership with SailPoint. We look forward to continuing to innovate our identity program,” Tari concluded.