Case Study

Comprehensive Identity Governance at a Top 5 Global Bank

This is how we helped one of the world's leading financial institutions resolve their identity governance challenges

TL;DR

How it started

The client needed to improve its regulatory compliance efforts whilst optimising its operational processes. To do this, an identity governance solution was required to automate access certifications, provide consistent controls across multiple locations and support a complete identity governance lifecycle.

As with any financial services organisation, the Bank is subject to several regulations across its various divisions in multiple countries. To achieve compliance, it needed to provide detailed auditing and oversight into who has access to sensitive applications and data, as well as who granted or approved that access.

In addition, the bank realised that the manual process of access review and certification that it had used for years was grossly inefficient and inadequate to meet its needs. For example, its quarterly reviews for privileged access took the entire quarter to process, so preparation became a year-round task. Other compliance reviews added further to that workload.

The bank needed an efficient – yet cost-effective – way to fully address these rigorous mandates.

The Results

Replacement of legacy systems and automation of manual procedures

The effective implementation of a modern identity governance solution allowed the client to decommission several legacy systems, consolidate technology and implement automated processes to govern the entire identity lifecycle. In addition, service levels improved dramatically, leading to improved user confidence.

Improved visibility of user access based on enhanced access governance

The success of the project enabled the Bank to close some long-standing audit remarks while also improving its overall regulatory compliance posture. By enabling a holistic view of user access and related lifecycle events, related initiatives such as privileged access management (PAM) became more efficient to implement as they were deployed on a foundation of clean access and identity data.

Cost reduction through automation

The bank achieved significant cost reduction through the project in two areas:

  • A dramatic reduction in the number of service desk requests relating to access request and password management
  • Automation of user access provisioning, which not only provided timely changes but also significantly reduced the amount of access being granted

The Full Story

A top 5 global financial institution with a large team of internal resources faced significant challenges with its existing identity management processes. The client’s team leveraged a set of internal tools and manually-generated spreadsheets to conduct various annual and quarterly access reviews.

However, the highly fragmented and inconsistent processes increased maintenance costs year on year. In addition, the user experience was becoming a source of significant frustration for both the client’s user community and internal compliance.

Access requests and reviews were also partially tracked and approved using out-of-date internal tools, resulting in a significant level of “rubber-stamping” of access reviews where reviewers were approving access without understanding the implications. This led to several open audit remarks and a significant amount of unnecessary access being granted.

The client engaged Onaware to implement a new identity governance (IAG) solution and to compile a 5-year identity management roadmap. The client also sought assistance in designing and rolling out new processes and controls that leveraged the new toolset’s abilities to the maximum.

The client had four critical goals in mind:

  • On-demand visibility into “who has access to what”
  • Streamlined identity management processes
  • Reduction in cost while improving compliance
  • Increased security

How we did it

Onaware worked closely with the client to develop a comprehensive project plan that addressed their critical goals. The first step was to implement a large-scale identity governance solution (SailPoint IdentityIQ) that would provide on-demand visibility into user access across applications and systems. To achieve this, Onaware cleansed, normalised, and aggregated user access data, improving its reliability and usefulness. This was done by collecting and analysing user data from different sources such as HR systems, directories, and business applications. The data was then correlated and normalised to create a comprehensive view of user access across the organisation. The solution was designed to support the complex access needs of the financial institution, with a focus on improving user experience and reducing the level of manual intervention required.

The entire suite of existing identity management processes was then automated and enhanced, consolidating highly fragmented and inconsistent processes, and making them consistent across applications, business policies, and compliance procedures. By automating annual and quarterly access reviews and minimising ad hoc data and report requests, costs were contained while reducing the risk of non-compliance. The account revocation and termination process was also automated, with audit trails to verify results, increasing security. The solution was designed to be highly flexible and adaptable, with the ability to accommodate changes in the client’s business processes and regulatory requirements.

The implementation of the new identity governance solution was accompanied by a comprehensive change management program, which ensured that the client’s employees were adequately trained and supported during the transition. This helped to minimise disruption to the client’s business operations and ensure a smooth and successful implementation.

By implementing the identity governance solution and achieving the four critical goals, the client was able to meet its compliance obligations and mature its identity management operations. The technical changes brought about cultural changes within the Bank, shifting the culture towards a more compliance-focused approach. The new processes and controls helped to ensure that all access reviews were conducted thoroughly, reducing the risk of non-compliance, and increasing accountability. The Bank was able to save costs while improving compliance, and the user experience was significantly improved.

As part of the implementation process, Onaware worked closely with the client’s team to ensure the solution met their specific requirements. This involved configuring the system to integrate with the bank’s existing applications, systems, and business processes. Onaware also provided extensive training to the bank’s internal team to ensure they were equipped to manage and maintain the new system once it was up and running.

The implementation of the new identity governance solution resulted in significant improvements for the bank. These outcomes include:

  1. Improved visibility and control over user access: The new system allowed the bank to quickly determine who had access to what resources, enabling it to ensure that only the right people had access to the right resources.
  2. Streamlined identity management processes: The automation and standardisation of identity management processes allowed the bank to manage resources more effectively, reducing the risk of non-compliance and improving overall efficiency.
  3. Cost reduction and improved compliance: By automating end-of-period reports and eliminating ad hoc data and report requests, the bank was able to contain costs while improving compliance.
  4. Increased security: The automation of the account revocation and termination process, along with the implementation of audit trails, improved security and ensured that access was removed when it was no longer required.
  5. A cultural shift towards accountability and responsibility: The new system fostered a culture of awareness, accountability, and responsibility among employees, leading to greater security and compliance.
  6. Valuable insights for better business decisions: The data and insights provided by the new system enabled the bank to make better business decisions, identify areas of potential risk, and take action to mitigate those risks.

Summary

Overall, the implementation of the new identity governance solution was a major success for the bank. By working closely with Onaware, the bank was able to achieve its critical goals, reduce costs, improve compliance and security, and foster a culture of accountability and responsibility. The new system also provided the bank with valuable insights into its identity management practices, enabling it to make better business decisions and manage risk more effectively.