Automated User Provisioning

NOMINATING CATEGORY: ENTERPRISE IT MANAGEMENT INITIATIVES
NOMINATOR: TONY ENCINIAS, CHIEF TECHNOLOGY OFFICER
COMMONWEALTH OF PENNSYLVANIA
1 TECHNOLOGY PARK
HARRISBURG, PA 17110
717-772-8013
TENCINIAS@PA.GOV
JUNE 2010 - JUNE 2011
EXECUTIVE SUMMARY:

The Commonwealth of Pennsylvania is entrusted with a wide variety of citizen, business and government data, some of which is highly sensitive and/or confidential, including Social Security numbers as well as education, employment, health, tax and criminal records, to name a few. Ensuring that both internal workforce information and external stakeholder information are secure is critical to maintaining trust in government. Disparate, manual processes for managing access privileges for employees and contractors resulted in significant costs and inefficiencies, including help desk calls to reset lost or forgotten passwords, lost productivity as new employees waited for their accounts to be set up, and potential security issues as users transferred to different positions or received new responsibilities but retained old access privileges.

The Commonwealth of Pennsylvania and its Office of Enterprise Technology Services recognized the need to have well-defined digital identity provisioning processes for its 85,000+ employees and contractors, many of whom have access to sensitive information, and undertook an initiative to implement an automated identity provisioning system to improve worker productivity, reduce costs, and improve the information security posture. After a review of available technology, the commonwealth selected IBM's Tivoli Identity Manager as the enterprise user provisioning solution. The solution kicked off in June 2010 with an implementation for two agencies: OA/OIT and the Department of Public Welfare. The initial implementation was completed in October 2010 and provided important considerations to help define the deployment approach for future deployments to the remaining 40-plus agencies. The approach was then exercised with a successful deployment to the Pennsylvania State Police, completing the project in June 2011. A subsequent project to deploy the solution to the enterprise was kicked off in October 2011.

As of May 2012, the solution is deployed to a total of ten agencies accounting for about 57,000 users, approximately two-thirds of the total employee and contractor population. Deployment to the rest of the agencies is expected to be complete by June 2013. The solution has generated many positive results, including a 30-40% decrease in help desk calls, setting up accounts for new users in hours instead of days, eliminating time and errors associated with manual data entry, and enhancing security through automatic and timely updates to user roles.
BUSINESS PROBLEM:

Across commonwealth agencies, the user identity life cycle management processes varied by agency, resulting in complexity in aligning user access privileges with job and functional responsibilities, as well as lost productivity for employees, increased help desk costs for agencies and slow response times. Complaints such as "It takes too long for a new user to get all their accounts set up," "It takes more than 4-5 days to get our employees and contractors productive!" and "More than 50%-60% of my help desk costs are related to resetting forgotten passwords!" were consistently brought forward.

Key challenges in different phases of the user account life cycle include:

Other related issues included orphaned accounts and generally ensuring that the IT systems were compliant with auditing requirements.

SOLUTION APPROACH:

The Office of Administration, Office for Information Technology (OA/OIT) oversees investments in and performance of all IT systems across the commonwealth. The Office of Enterprise Technology Services (ETS) within OA/OIT supports enterprise-wide initiatives such as IT consolidation, shared services and IT support. The ETS Enterprise Information Security Office (EISO) manages all aspects of cyber-security, including identity and access management.

The automated provisioning initiative is a large undertaking with many agencies and diverse stakeholders. The ETS approached the solution in a holistic manner, defining a foundational Identity and Access Management (IAM) architecture and establishing a cross-functional IAM governance team under the commonwealth's Chief Information Security Officer (CISO) that included representatives from various state agencies. The IAM governance team is responsible for gathering requirements, identifying gaps, documenting processes and policies, architecting solutions, setting project deadlines, and determining success metrics and milestones.

The ETS was also uniquely positioned to integrate its statewide enterprise resource planning (ERP) system for human resources (HR) functions with the provisioning system to automate user provisioning and de-provisioning processes, realizing cost savings, improved productivity and better security. The automated provisioning system is integrated with the enterprise ERP system as the authoritative data source. Changes to user records in the ERP system are automatically fed into the provisioning system, triggering further processing, e.g. granting or revoking accounts and access to the downstream systems or IT resources. A new employee record created in the ERP system automatically generates a user account provisioning event, thereby greatly reducing the time it takes to get users productive. Similarly, changes in ERP status (e.g. separations, terminations, transfers, reassignments, promotions, etc.) may trigger changes to access privileges, or the secure revocation of accounts when a user's relationship with the commonwealth ends. Data quality is improved by eliminating the need for manual data entry into numerous systems.

The ETS also considered the long-term scalability of the solution in order to allow agencies to extend the enterprise provisioning solution to implement agency-specific identity provisioning requirements. In this model, an agency-specific provisioning system integrates with the enterprise OA/OIT provisioning system to allow end-to-end automated provisioning and de-provisioning of an agency's employees and contractors to downstream applications and systems.

The implementation of the new provisioning system has offered improved efficiencies by automating processes that were previously completed manually. The user onboarding process has been reduced to hours instead of days. In addition, the paper-based process was eliminated, resulting in cost savings and improved accuracy and efficiency.
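As an added illustration (not code from the commonwealth or from Tivoli Identity Manager), the following Python reduces the ERP-as-authoritative-source model described above to a single reconciliation step: the HR feed decides what each user should hold, the current account state is diffed against it, and a new hire, a transfer, a separation and an orphaned account each produce the expected grant, revoke or flag. Role names, entitlement names and the sample records are constructed assumptions.

```python
# Added illustration, not the commonwealth's or IBM's code: the ERP-as-authoritative-source
# model reduced to one reconciliation step. Roles, entitlements and records are constructed.
from dataclasses import dataclass

# Hypothetical mapping from an HR job role to entitlements in downstream systems.
ROLE_ENTITLEMENTS = {
    "DPW-Caseworker": {"ad:DPW-Users", "mail:dpw", "app:CaseMgmt"},
    "PSP-Trooper": {"ad:PSP-Users", "mail:psp", "app:IncidentDB"},
}

@dataclass(frozen=True)
class HRRecord:
    emp_id: str
    role: str
    status: str  # "active" or "separated", as carried by the ERP feed

def desired(rec: HRRecord) -> set:
    """Entitlements a record should hold: none once the ERP marks it separated."""
    return set(ROLE_ENTITLEMENTS[rec.role]) if rec.status == "active" else set()

def reconcile(hr_feed: dict, accounts: dict):
    """Diff the authoritative feed against current account state.
    Returns (grants, revokes, orphans); orphans are accounts with no ERP record."""
    grants, revokes = {}, {}
    for emp_id, rec in hr_feed.items():
        have, want = accounts.get(emp_id, set()), desired(rec)
        if want - have:
            grants[emp_id] = want - have
        if have - want:  # transfer or separation: stale access is revoked, not kept
            revokes[emp_id] = have - want
    orphans = set(accounts) - set(hr_feed)
    return grants, revokes, orphans

# Constructed sample: a new hire, a transfer, a separation and an orphaned account.
SAMPLE_FEED = {
    "E1": HRRecord("E1", "DPW-Caseworker", "active"),   # new hire, no accounts yet
    "E2": HRRecord("E2", "PSP-Trooper", "active"),      # transferred from DPW to PSP
    "E3": HRRecord("E3", "DPW-Caseworker", "separated"),
}
SAMPLE_ACCOUNTS = {
    "E2": {"ad:DPW-Users", "mail:dpw", "app:CaseMgmt"},
    "E3": {"ad:DPW-Users", "mail:dpw", "app:CaseMgmt"},
    "E9": {"ad:DPW-Users"},  # no HR record at all: an orphaned account
}

def run_sample():
    return reconcile(SAMPLE_FEED, SAMPLE_ACCOUNTS)

if __name__ == "__main__":
    for label, result in zip(("GRANT", "REVOKE", "ORPHANS"), run_sample()):
        print(label, result)
```

The transfer case (E2) is the one the text singles out: the old agency's entitlements are revoked in the same pass that grants the new ones, rather than accumulating.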
[Figure: architecture diagram. The Commonwealth HR System (Office of Administration HR personnel processing state employee hiring, termination and updates) sends an automated HR feed to the OA Automated User Provisioning System, which provisions the Commonwealth Active Directory and the Commonwealth Email Server. End users (employees and contractors) use Password Self Service; Account Admins and Agency Admins handle contractor and business partner hiring, additional access, and delegated administration for agencies.]

SIGNIFICANCE:

The adoption of a centralized automated provisioning solution to automate user provisioning across commonwealth agencies is part of a logical solution to realize improvements in government operations. It maps to the strategic objectives for OA/OIT and those for the ETS:

OA/OIT: Improve the delivery of services to our customers through increased and improved online functionality while reducing cost of delivery.
ETS: Improve customer experience when delivering IT solutions.
The solution provides for end user password self-service, improved efficiencies through automation, and greater accuracy by directly accessing the HR data.

ETS: Achieve compliance in accordance with industry best practices.
The solution standardizes consistent provisioning activities across all agencies and allows for enterprise-wide enforcement of policies and the auditing of them. It also provides for more reliable and timely removal of user accounts when they are no longer required.

OA/OIT: Reduce agency costs related to enterprise software by implementing core offerings as shared services.
ETS: Identify true costs of enterprise services.
The costing model for the solution clearly identified deployment costs, licensing and infrastructure costs, and development and other support costs. In addition, a model was implemented to provide agencies the opportunity to share in these costs through the shared-services model.

ETS: Provide quality, cost-effective services to our customers to meet their business needs.
By leveraging virtualization technology and a shared services model, the solution delivers a quality, best-of-breed service to satisfy the account provisioning needs of state agencies.
BENEFITS:

The primary financial benefits of automated user provisioning across the commonwealth agencies are derived from the reduction in help desk calls. The solution has reduced the number of help desk calls related to password resets by 30-40% for one agency and has significantly reduced lost productivity from waiting for accounts to be created or for passwords to be reset. Key outcomes of the implementation include:

Efficient User Setup and Faster Processing of Requests. Significant reductions, from several days to a few hours, in the time required to set up new users or to change user access levels, leading to increased user satisfaction and productivity.

Lower Help Desk Call Volumes. With self-service password functions, the overall help desk call volume is reduced by 30-40% as users are able to reset their password using the secured challenge-response process.

Improved User Profile Data Quality Management. Through the integration of the commonwealth's ERP system with the automated user provisioning system, user profile data stored in centralized LDAP and email systems is in sync with the authoritative source (i.e. the ERP system).

Improved Security Posture. The automated provisioning system assigns or revokes user roles based on their status in the ERP system, reducing the risk of unauthorized access to applications and systems. In addition, users are removed in a timely fashion from all integrated systems when their employment or contract ends.

Improved Regulatory Compliance. The implementation of standardized provisioning processes ensures compliance with established account and password related policies and provides records for possible audits. The automated provisioning system provides for an approval workflow for all changes, enforces appropriate checks and balances before granting entitlements, and creates a corresponding audit trail.

Improved Cost Saving. With the current economic situation, funding for any new resources is scarce. The centralized service facilitation model governed by the ETS alleviates the need to manage provisioning resources as fixed costs and helps to iron out some of the demand fluctuation as projects go through the life cycle for each agency.

Reduced Infrastructure. The consolidation of the automated user provisioning system into a single virtualized enterprise infrastructure resulted in reduced costs of new server purchases, cost of energy, and costs of other required infrastructure. With the centralized services model, agencies were able to realize reduced costs, better utilization and performance, and much easier maintenance.
Summary of projected cost savings and other benefits for the commonwealth starting in July 2013 (columns: Before Automation / After Automation / Benefits):

Row 1
Before Automation: Manual paper-/email-based process could take several days from the processing of an HR action in the ERP system to completion of the corresponding action for the user's accounts.
After Automation: With the automated processes triggered by a feed from the ERP, account activities typically take a few hours or less.
Benefits: New users waste less time waiting on account creation; IT account admins spend less time manually entering data in response to HR requests; more timely account modifications and removals; greater accuracy; audit tracking.

Row 2
Before Automation: ~120,000 help desk calls related to password reset issues, at a cost of about $1.2M* (*annually, extrapolated from Department of Public Welfare numbers of 2,500 calls monthly for a total of ~22,000 users, and assuming a cost of $10 per instance for such calls).
After Automation: ~72,000 help desk calls related to password reset issues, at a cost of about $720k* (use of self-service password reset) (*annually, extrapolated from Department of Public Welfare numbers of 1,500 calls monthly for a total of ~22,000 users, and assuming a cost of $10 per instance for such calls).
Benefits: Improved convenience and response time for end users; reduction in help desk calls by about 40%; annual savings of ~$500k.

Row 3
Before Automation: Provisioning processes varied from one agency to the next; agencies needed to support their own systems to provision their internal applications.
After Automation: Standardized processes for enterprise applications; agencies can leverage local instances of the user provisioning system to manage access to their internal applications.
Benefits: Standardized enforcement of security policies; shared service model resulting in lower cost to agencies for support and maintenance.

SUMMARY:

The Commonwealth of Pennsylvania addressed a real problem of user management through an innovative, enterprise-wide automated provisioning system driven by the Commonwealth's Office of Enterprise Technology Services and its Enterprise Information Security Office, supported by the CTO Project Management Office and the Identity and Access Management Team. The innovative model of agency deployment in implementation phases, and of agency funding of their respective implementation costs, promotes the collaborative approach necessary for the successful conclusion of the project. The execution of the project by using a centralized services facilitation model to drive ongoing enterprise-wide transformation across over 40 agencies has allowed those agencies to benefit from OA/OIT's experience. By enhancing user provisioning and reaping the attendant benefits from it, the commonwealth can ultimately better and more securely serve its citizens and safeguard their data.