Identity & Access Management Case Study & Lessons Learned. Prepared by Tariq Jan

Transcription

1 Identity & Access Management Case Study & Lessons Learned Prepared by Tariq Jan

2 Investment Bank Case Study Top 5 leading global financial services firm $116 billion in revenue $2 trillion in assets 220k + employees operating in 60 countries

3 Client Profile: Top 5 leading global financial services firm $116 billion in revenue $2 trillion in assets 220k + employees operating in 60 countries Case Study Problem Statement/Key Pain Points: Failed provisioning, leavers & transfers process and tools Ongoing exposure to audit deficiencies Heavy reliance on Inconsistent, ad-hoc & manual processes and multiple homegrown tools Cost of maintaining a compliant environment; Lines of business within the firm proceeding down different paths and making respective investments in certification tools, processes and support teams Inability to enforce preventive controls No control / visibility on privileged users; orphan or rogue accounts Huge gaps between business and IT groups leading to inconsistent and disjointed business user experience

4 Case Study Approach: Engagement of key stakeholders within the firm Requirements agreed for a 3 year strategy and roadmap 9 month firm-wide proof of concept to evaluate internal and external tools Buy vs. build analysis to select strategic tool Off shore team established to support product implementation and operate tasks Implementation / Achievements Loaded user data for 220k+ users (employees and contractors) Aggregated user entitlements by building feeds to 60% of application estate 400 application instances (1,200 data sources) with corresponding infrastructure (DB, Platform) certified Over 104k deletes raised for inappropriate access within 9 months 40% reduction in user support calls due to friendly user interface and ease of certification 60% reduction in operational cost and increase of number of applications certified by 150% Internal and external audit approval on process and implementation RBAC rollout of M&A applications Automating and consolidating compliance controls including: access recertification and SoD Policy enforcement and risk management by using policy violations and rules

5 Lessons Learned - What went well Project Sponsorship Engagement of a steering committee and working group consisting of LOB, Audit and other key stakeholders across the firm. Proof of Concept and Tool Selection Requirements evaluated against a 3 year road map & strategy. Governance Internal Audit team engaged during POC and governance audit on program delivery. Sign-off from audit prior to go-live and at the end of each recertification cycle. Weekly status reports to AD teams for on-boarding status of applications. Real-time dashboards / reports to LOB / Audit on certification status. 100% close out on each certification cycle. Program team / Vendor relationship 1 team, 1 goal mentality from internal and external resources. Vendors helpful and flexible in accommodating last minute changes, customization requests and providing support for infrastructure set up. Pilots 5 pilots to ensure all process related, customization, reporting and dashboard bugs and issues captured and resolved prior to Go-Live.

6 Lessons Learned - What went well Clean-Up Substantial number of deletes identified as part of recertification cycle. Application change management Create a tracker on status of all incoming feeds and identify / communicate breaks to appropriate parties. Process / Cert experience Well defined, robust and scalable process for on boarding, testing and roll-out to production. Data presented at entitlement level with clear English descriptions. S.O.D /policy violations identified upfront as part of cert cycle. Knowledge Gain Knowledge transfer during program roll out allowed internal team to take on responsibility of all activities from a build, test and operate perspective. Schedule & Delivery Exceeded expectations of LOB by delivering 20% applications above forecast and delivered within timelines and allocated budget. Reduction in calls to support team during cert cycles.

7 Lessons Learned - What didn t go well External factors Reduction in project funding due to financial crisis led to freeze on headcount hire. Internal resources utilized did not have appropriate skill set. Due to merger priorities for AD and other teams changed leading to a delay in turning around program requests. Application & Environment complexities Underestimated complexities of applications, internal infrastructure support processes and AD build team effort. Addition of db and os layers within the cert added additional dependencies and complexities to the overall program. Infrastructure set up Time taken to install and set-up infrastructure to meet program and tool requirements. Removal of inappropriate access Huge dependency on provisioning teams to remove inappropriate access within the required window of time and accuracy. Required program team to very closely manage and track status of deletes through the end to end process. Scope Management Applications prioritized for on-boarding constantly changing due to AD teams not being able to supply information on time; applications on-boarded decommissioned without notice; new merger applications added with RBAC complexities, LOB driven last minute inclusions.

8 Lessons Learned - What I would do differently Project Resourcing Ensure resources with appropriate skill set and experience are assigned to deliver program. Infrastructure Sizing Ensure infrastructure is sized to accommodate minimum of 12 months requirements upfront and performance tested with all reports / dashboards / cert loads prior to Go-Live. Identify all external factors and internal dependencies. Outsourced IT, hardware delivery or internal processes that may delay roll-out. Work more actively with Infra support teams to ensure timely availability of infra requirements and support Scope / Escalation Keep it contained and push back if required to ensure success of program. Ensure you have a contingency of applications in pipeline. Reduce number of reports / custom requests for initial stages of program. Reach out to senior management sooner regarding concerns with non-timely or lack of response from stakeholders.

9 Lessons Learned - What I would do differently AD Commitment & Engagement Considering the complexity and dependencies involved in this space, full engagement of AD teams with a committed completion date would be a great benefit. Maintain a better application inventory by ensuring AD teams provide accurate and accountable status of applications to be on-boarded. Funding Continuous program of work and funding. This is not a one off program with a start stop date. This will require funding and commitment from senior stakeholders and we need to ensure our steering committee members have the support to maintain the momentum of the program throughout the delivery of the defined program against the roadmap / strategy. Other Centralise the security admin team and ensure increase in accountability and reporting to key stakeholders. Ensure provisioning and movers & leavers program of works are governed by 1 program office. Look to move towards user centric view from app centric view as part of roadmap. Allow more time in schedule to test patches / bug fixes.