Transcript
Page 1: CIS13: How IAM Improved Sallie Mae's Compliance and Risk Posture

FINANCIAL SERVICES CASE STUDY: Improving Compliance & Risk Posture With Next-gen IAM

Speaker: Jennifer Darwin, Manager of IAM, Corporate Information Security

CLOUD IDENTITY SUMMIT JULY 2013

Page 2

ABOUT SALLIE MAE

▶  The nation’s #1 financial services company specializing in education

▶  Over 10 million student and parent customers, more than 9,000 employees and 2,000 contractors

▶  Manages $207 billion in education loans & 529 college-savings plans

▶  The company’s saving programs, planning resources and financing options have helped more than 31 million people make the investment in higher education

Page 3

KEY BUSINESS DRIVERS

▶  Comply With Major Regulations
  –  FISMA, SOX, GLBA, PCI and SAS-70’s (Sallie Mae)
  –  FFIEC and State of Utah (Sallie Mae Bank)
  –  SEC, FINRA & FTC (Upromise Rewards and Investments)

▶  Enhance Efficiencies Through Automated Provisioning
  –  Some relatively high turnover functions create demand for more rapid SLAs
  –  Restructuring creates short-term demand
  –  New business initiatives require rapid but controlled response

▶  Reduce Operational Risk
  –  Eliminate redundant, sub-optimal processes and centralize controls in one place across the enterprise
  –  Prevent/detect fraud: manual processes and hand-offs make security policy enforcement challenging

Page 4

PROJECT STRATEGY

▶  Increase efficiency through Automation

▶  Improve effectiveness through process Optimization

▶  Improve Quality of compliance activities

Figure: target systems connected to the IAM platform: Ariba, ADP, Workday, Databases, Mainframe, Exchange, AD, App 1, App 2, App 3, etc.

Page 5

PROJECT OVERVIEW

Figure (Copyright ©2010 by Deloitte) with the following components: Compliance Management; identity populations Employee, Customer and Business Partner; HR & Other Authoritative Sources; Business Events; Enterprise Roles (Business Role → IT Roles → Entitlements); Access Management; User Provisioning; Apps & Users.

Page 6

PROJECT OVERVIEW: IMPLEMENT ROLE-BASED ACCESS

Figure: the same Deloitte architecture diagram as on Page 5, highlighting Enterprise Roles (Business Role → IT Roles → Entitlements).
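As an added illustration (not code from the talk, Sallie Mae or Deloitte) of the Business Role → IT Roles → Entitlements model in the figure, the following Python resolves an HR business event to a target entitlement set, diffs it against what the user currently holds to get grant/revoke actions, and checks the target state against a segregation-of-duties rule; all role names, entitlement strings and the SoD rule are constructed sample data.

```python
# Added example, not Sallie Mae's or Deloitte's code. Role names, entitlement
# strings and the SoD rule below are constructed sample data.

# Business Role -> IT Roles -> Entitlements, as in the Enterprise Roles box.
BUSINESS_ROLES = {
    "loan_servicer": ["servicing_app_user", "mainframe_inquiry"],
    "payments_clerk": ["payments_app_user"],
}
IT_ROLES = {
    "servicing_app_user": {"SERVICING:read", "SERVICING:update"},
    "mainframe_inquiry": {"MAINFRAME:CICS_INQ"},
    "payments_app_user": {"PAYMENTS:post"},
}
# Segregation-of-duties rule: nobody may both update accounts and post payments.
SOD_CONFLICTS = [({"SERVICING:update"}, {"PAYMENTS:post"})]


def entitlements_for(business_roles):
    """Flatten business roles through IT roles into one entitlement set."""
    wanted = set()
    for br in business_roles:
        for it_role in BUSINESS_ROLES[br]:
            wanted |= IT_ROLES[it_role]
    return wanted


def sod_violations(entitlements):
    """Return the SoD rules that this entitlement set would violate."""
    return [(a, b) for a, b in SOD_CONFLICTS if a <= entitlements and b <= entitlements]


def reconcile(event, business_roles, current):
    """Turn an HR business event into provisioning actions.

    event is 'hire', 'transfer' or 'terminate'; business_roles is the target
    state from the authoritative source; current is what the user holds now.
    Returns (grants, revokes, violations). If the target state breaks an SoD
    rule, no actions are issued and the violations are returned for review.
    """
    wanted = set() if event == "terminate" else entitlements_for(business_roles)
    violations = sod_violations(wanted)
    if violations:
        return set(), set(), violations
    return wanted - current, current - wanted, []


if __name__ == "__main__":
    # Transfer out of loan servicing into payments: stale access is revoked.
    held = {"SERVICING:read", "SERVICING:update", "MAINFRAME:CICS_INQ"}
    print(reconcile("transfer", ["payments_clerk"], held))
```

The transfer case is the one manual hand-offs most often get wrong: the new access is granted but the old servicing entitlements linger, which is exactly what the revoke set and the periodic certification are there to catch.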

Page 7

PROJECT OVERVIEW: STREAMLINE ACCESS CERTIFICATIONS

Figure: the same Deloitte architecture diagram as on Page 5, highlighting Automated Access Certification.

Page 8

PROJECT OVERVIEW: FOCUS ON ACCESS REQUEST FORMS

Figure: the same Deloitte architecture diagram as on Page 5, highlighting the Application Access Request Form.

Page 9

RESULTS: CLEARLY DEFINED USER ROLES

Chart: # of Users with Enterprise Roles by phase

Phase     # of Users
Phase 1   250
Phase 2   2,500
Phase 3   5,000
Phase 4   6,000
Phase 5   6,500

Page 10

RESULTS: ENHANCED PROVISIONING

Figure: request-to-provision Duration compared across the Original State, Current State and Future State. Provisioning Efficiencies: 33% Reduction; 60% Reduction (est.).

Page 11

RESULTS: STREAMLINED ACCESS CERTIFICATION PROCESS

Page 12

RESULTS: 64% IMPROVEMENT ACHIEVED, EXCEEDING EXPECTATIONS!

Before (separate, manual spreadsheets):
•  Over 1100 Controls
•  Different frameworks; different risk areas
•  Inconsistent traceability to mandates
•  Incomplete coverage of mandates
Chart values: PCI 240, FISMA 200, ICE (for IT) 400, GLBA / FFIEC 250, FACTA 14.

After (single repository, solution enabled):
•  64% overlap removed
•  400 Integrated Requirements
•  Common Framework using 16 Functional Risk Areas
•  Full traceability to 160+ mandates
•  Includes FISMA, ICE, PCI DSS, GLBA, etc.
Chart value: INTEGRATED 400.

Page 13

WHERE WE ARE NOW

▶  More than 700 applications on-boarded

▶  Over 6,500 users in a job role (approximately 75% of the company)

▶  Seven segregation of duty or monitoring processes implemented

▶  Access certification improvements institutionalized: this consists of over 20,000 user entitlements to be reviewed this year

Page 14

WHERE WE WANT TO BE BY Q4 2013

▶  Continue to expand current project scope
  –  Goal is to have 90% of the company in enterprise roles
  –  Goal is to have 24 certifications scheduled

▶  Continue expanding project scope to include even more SaaS and hosted apps
  –  ADP, Ariba, Workday
  –  Looking at externally hosted apps too (FIS, FNI, FDR)

▶  Moving to make Workday our authoritative source
  –  Corporate HR system moving to Workday, tentatively scheduled for Q4 2014

Page 15

LESSONS LEARNED/BEST PRACTICES

▶  Do Enterprise Roles First
  –  Simplifies the implementation of all IAM components and reduces future rework
  –  Team MUST include someone who has successfully deployed Enterprise Roles

▶  Well Defined Roadmap
  –  Requires shared vision from business and executives
  –  Part of broader program

▶  Achieve Quick Wins
  –  Showing results is critical to keep momentum of multi-year program

Figure: "Can be leveraged across…" User Provisioning, Enterprise Roles, Access Requests, Access Certification.

Page 16

Jennifer Darwin 317.598.4104

[email protected]

THANK YOU AND QUESTIONS
