CIS13: How IAM Improved Sallie Mae's Compliance and Risk Posture
DESCRIPTION
Jennifer Darwin, Senior Manager, Sallie Mae
Jennifer Darwin will discuss how Sallie Mae used identity management to address its compliance and security challenges. This identity governance case study will discuss how Sallie Mae was able to address more than 3,000 security controls (including FISMA and FFIEC regulations), while simultaneously eliminating critical security vulnerabilities associated with user access privileges, including SoD policy violations, entitlement creep and orphan accounts. She will also provide best practices to help companies achieve the same results.
TRANSCRIPT
FINANCIAL SERVICES CASE STUDY: Improving Compliance & Risk Posture With Next-gen IAM
Speaker: Jennifer Darwin, Manager of IAM, Corporate Information Security
CLOUD IDENTITY SUMMIT JULY 2013
ABOUT SALLIE MAE
▶ The nation’s #1 financial services company specializing in education
▶ Over 10 million student and parent customers, more than 9,000 employees and 2,000 contractors
▶ Manages $207 billion in education loans & 529 college-savings plans
▶ The company’s savings programs, planning resources and financing options have helped more than 31 million people make the investment in higher education
KEY BUSINESS DRIVERS
▶ Comply With Major Regulations
  – FISMA, SOX, GLBA, PCI and SAS-70’s (Sallie Mae)
  – FFIEC and State of Utah (Sallie Mae Bank)
  – SEC, FINRA & FTC (Upromise Rewards and Investments)
▶ Enhance Efficiencies Through Automated Provisioning
  – Some relatively high turnover functions create demand for more rapid SLAs
  – Restructuring creates short-term demand
  – New business initiatives require rapid but controlled response
▶ Reduce Operational Risk
  – Eliminate redundant, sub-optimal processes and centralize controls in one place across the enterprise
  – Prevent/detect fraud: manual processes and hand-offs make security policy enforcement challenging
PROJECT STRATEGY
▶ Increase efficiency through automation
▶ Improve effectiveness through process optimization
▶ Improve quality of compliance activities
[Diagram: systems in scope – Ariba, ADP, Workday, Databases, Mainframe, Exchange, AD, App 1, App 2, App 3, Etc.]
PROJECT OVERVIEW
[Diagram, Copyright ©2010 by Deloitte: identity populations (Employee, Customer, Business Partner) come in through HR & Other Authoritative Sources and Business Events; Enterprise Roles break down as Business Role → IT Roles → Entitlements; the surrounding functions are Compliance Management, Access Management and User Provisioning over Apps & Users]
PROJECT OVERVIEW: IMPLEMENT ROLE-BASED ACCESS
[Same diagram as the Project Overview slide, with Enterprise Roles highlighted]
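The role hierarchy on this slide (an HR authoritative source feeding Enterprise Roles, which expand Business Role → IT Roles → Entitlements) is what makes the three access-privilege problems named in the session description mechanical to find: orphan accounts, entitlement creep and SoD policy violations. The Python below is an added example, not Sallie Mae's or Deloitte's code; the business roles, IT roles, entitlement names, SoD rule pairs and user records are all constructed for illustration. It reconciles accounts reported by target systems against what each person's enterprise role says they should hold, and also counts how much of a certification campaign collapses to role-level review once users are in roles, which is the point of the later "streamline access certifications" slide.

```python
from dataclasses import dataclass, field

# Role model as drawn on the slide: Business Role -> IT Roles -> Entitlements.
# Every name here (roles, systems, entitlements, users) is constructed for this example.
IT_ROLES = {
    "loan_servicing_user": {"servicing:view_loan", "servicing:update_address"},
    "loan_servicing_payments": {"servicing:post_payment", "servicing:view_loan"},
    "loan_servicing_refunds": {"servicing:issue_refund"},
    "ad_standard": {"ad:domain_users", "exchange:mailbox"},
    "ad_admin": {"ad:domain_admins"},
}
BUSINESS_ROLES = {
    "Servicing Rep": {"loan_servicing_user", "ad_standard"},
    "Payments Analyst": {"loan_servicing_payments", "ad_standard"},
    "Refund Specialist": {"loan_servicing_refunds", "ad_standard"},
    "Domain Administrator": {"ad_admin", "ad_standard"},
}
# Segregation-of-duty rules: entitlement pairs one person must never hold together.
SOD_RULES = [
    ("servicing:post_payment", "servicing:issue_refund"),
    ("servicing:update_address", "servicing:issue_refund"),
]


@dataclass
class HRRecord:
    """One row from the authoritative source (the HR feed)."""
    user_id: str
    business_role: str
    active: bool


@dataclass
class Account:
    """Entitlements a target system actually reports for a user after reconciliation."""
    user_id: str
    entitlements: set = field(default_factory=set)


def expected_entitlements(business_role):
    """Expand Business Role -> IT Roles -> Entitlements; unknown roles expand to nothing."""
    ents = set()
    for it_role in BUSINESS_ROLES.get(business_role, ()):
        ents |= IT_ROLES[it_role]
    return ents


def sod_violations(entitlements):
    """Return the SoD rule pairs that are both present in one user's entitlements."""
    return sorted((a, b) for a, b in SOD_RULES if a in entitlements and b in entitlements)


def review_access(hr_records, accounts):
    """Compare reconciled accounts with the HR source and role model.

    Findings are (kind, user_id, detail) tuples:
      orphan_account   - account with no active HR record behind it
      entitlement_creep - entitlements held beyond what the enterprise role grants
      sod_violation    - a toxic combination of entitlements on one account
    """
    hr = {r.user_id: r for r in hr_records}
    findings = []
    for acct in accounts:
        rec = hr.get(acct.user_id)
        if rec is None or not rec.active:
            findings.append(("orphan_account", acct.user_id, sorted(acct.entitlements)))
            continue
        creep = acct.entitlements - expected_entitlements(rec.business_role)
        if creep:
            findings.append(("entitlement_creep", acct.user_id, sorted(creep)))
        for pair in sod_violations(acct.entitlements):
            findings.append(("sod_violation", acct.user_id, list(pair)))
    return findings


def certification_workload(hr_records, accounts):
    """(total entitlements, entitlements needing item-by-item review).

    Entitlements covered by an active user's enterprise role can be certified once
    at the role level; only the exceptions land in front of a manager one by one.
    """
    hr = {r.user_id: r for r in hr_records}
    total = exceptions = 0
    for acct in accounts:
        total += len(acct.entitlements)
        rec = hr.get(acct.user_id)
        covered = expected_entitlements(rec.business_role) if rec and rec.active else set()
        exceptions += len(acct.entitlements - covered)
    return total, exceptions


# Constructed sample data: one clean user, one with creep and an SoD conflict,
# one terminated user whose account survived, one admin, one account with no HR record.
SAMPLE_HR = [
    HRRecord("u100", "Servicing Rep", True),
    HRRecord("u200", "Payments Analyst", True),
    HRRecord("u300", "Refund Specialist", False),
    HRRecord("u400", "Domain Administrator", True),
]
SAMPLE_ACCOUNTS = [
    Account("u100", {"servicing:view_loan", "servicing:update_address", "ad:domain_users", "exchange:mailbox"}),
    Account("u200", {"servicing:post_payment", "servicing:view_loan", "ad:domain_users",
                     "exchange:mailbox", "servicing:issue_refund"}),
    Account("u300", {"servicing:issue_refund", "ad:domain_users", "exchange:mailbox"}),
    Account("u400", {"ad:domain_admins", "ad:domain_users", "exchange:mailbox"}),
    Account("u999", {"ad:domain_users"}),
]

if __name__ == "__main__":
    for kind, user, detail in review_access(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(f"{kind:18} {user:6} {detail}")
    print("certification workload (total, exceptions):", certification_workload(SAMPLE_HR, SAMPLE_ACCOUNTS))
```

The orphan check keys on the HR record, not on the target system, which is why the authoritative source matters so much in this architecture: an account with no active HR row behind it is an orphan regardless of how it looks to the application owner. SoD is evaluated on the reconciled entitlements rather than on the assigned role, so a conflict introduced by ad-hoc access is caught even when each role on its own is clean.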
PROJECT OVERVIEW: STREAMLINE ACCESS CERTIFICATIONS
[Same diagram as the Project Overview slide, with Automated Access Certification highlighted]
PROJECT OVERVIEW: FOCUS ON ACCESS REQUEST FORMS
[Same diagram as the Project Overview slide, with Application Access Request Form highlighted]
RESULTS: CLEARLY DEFINED USER ROLES
[Chart: # of Users with Enterprise Roles by phase – Phase 1: 250, Phase 2: 2500, Phase 3: 5000, Phase 4: 6000, Phase 5: 6500]
RESULTS: ENHANCED PROVISIONING
[Chart: request-to-provision duration for Original State, Current State and Future State – Provisioning Efficiencies: 33% Reduction, 60% Reduction (est.)]
RESULTS: STREAMLINED ACCESS CERTIFICATION PROCESS
RESULTS: 64% IMPROVEMENT ACHIEVED, EXCEEDING EXPECTATIONS!
Before: separate, manual spreadsheets
• Over 1100 Controls
• Different frameworks; different risk areas
• Inconsistent traceability to mandates
• Incomplete coverage of mandates
[Chart: controls per framework – PCI 240, FISMA 200, ICE (for IT) 400, GLBA / FFIEC 250, FACTA 14]
After: single repository, solution enabled
• 64% overlap removed
• 400 Integrated Requirements
• Common Framework using 16 Functional Risk Areas
• Full traceability to 160+ mandates
• Includes FISMA, ICE, PCI DSS, GLBA, etc.
[Chart: INTEGRATED 400]
WHERE WE ARE NOW
▶ More than 700 applications on-boarded
▶ Over 6,500 users in a job role (approximately 75% of the company)
▶ Seven segregation of duty or monitoring processes implemented
▶ Access certification improvements institutionalized
  – This consists of over 20,000 user entitlements to be reviewed this year
WHERE WE WANT TO BE BY Q4 2013
▶ Continue to expand current project scope
  – Goal is to have 90% of the company in enterprise roles
  – Goal is to have 24 certifications scheduled
▶ Continue expanding project scope to include even more SaaS and hosted apps
  – ADP, Ariba, Workday
  – Looking at externally hosted apps too (FIS, FNI, FDR)
▶ Moving to make Workday our authoritative source
  – Corporate HR system moving to Workday – tentatively scheduled for Q4 2014
LESSONS LEARNED/BEST PRACTICES
▶ Do Enterprise Roles First
  – Simplifies the implementation of all IAM components and reduces future rework
  – Team MUST include someone who has successfully deployed Enterprise Roles
▶ Well Defined Roadmap
  – Requires shared vision from business and executives
  – Part of broader program
▶ Achieve Quick Wins
  – Showing results is critical to keep momentum of multi-year program
[Diagram: Enterprise Roles can be leveraged across User Provisioning, Access Requests and Access Certification]