Identity Governance Administration Modernization for Financial Services
Highlights from Simeio’s August 5th “Ask Me Anything Coffee Talk Series”
Last Wednesday’s Coffee Talk was another timely and informative session. The topic was “Modernizing IGA for Financial Services.” The session hosts were Dave Culbertson, Sr. Solutions Strategist at Saviynt, and Andrew Ehrlich, Sr. VP – IAM at Jefferies. Here are some of the session highlights.
What does IGA modernization mean to you?
IGA is not a new domain. It’s really decades old. Modern IGA still manages legacy technologies, even though it’s not a completely effective solution. As enterprises move through their digital transformation journey, and to the cloud, the same level of governance and security needs to be in place, as in on-premises environments.
Taking traditional IAM, and moving it from a purely governance perspective, to a service platform with automated processes and self-service capabilities, enables better business operations with faster turnaround times.
Modern IGA is about moving legacy IAM and security to the cloud as a service. This approach is relatively new, having emerged within the past 3-5 years. Turning over the “keys to the kingdom” to a third party was once a big concern but has now become mainstream and easily adopted.
How is Saviynt enabling organizations toward modernized IGA?
Our clients either already have automated solutions through a third-party or homegrown solution, or they are accomplishing it manually. Smaller financial institutions still have a lot of manual processes, as do some larger institutions. However, larger organizations typically have one or more legacy tools with automated processes.
What Saviynt brings to the table is the “as a service” approach. We enable the ability to turn on a service and immediately have all the IGA processes they’ve been doing, but without the maintenance, upkeep, and responsibility for middleware and infrastructure technologies that can break down while IGA programs are running.
Installing a modern IGA solution isn’t going to magically solve all of your problems. It’s a perpetual program that needs to be funded and staffed properly. You don’t want all funding and staffing to go toward maintaining hardware infrastructure, databases, and application servers, which larger companies typically manage with different teams. The coordination effort and time lost is hugely detractive of the full value proposition that IGA promises, like managing access review certifications, and automating life-cycle HR events for employees and contractors.
We enable that value by taking all of the heavy lifting of the infrastructure off the customer’s plate. Our service now gives them all the capabilities they need by just “wiring” them into their environment. They don’t need to worry about maintenance or upgrades.
From a customer standpoint with a modernized IGA, what are some KPIs that you use to measure success?
Much of what we do at Jefferies is automation. KPIs come down to automation information, like the number of connected endpoints. The managed systems, processes, and onboarded applications, whether they connect to our PAM, SSO, or self-service portals, all have a common solution for oversight management. Every endpoint that we connect through automation represents an additional risk that we mitigate. When we measure KPIs, we’re looking at our number of connected systems. Automation reduces risks, eliminates mistakes, and provides us with better insights into what is being completed.
Certification attestation is a good use case example. If you have a request platform that automates user provisioning, the chance of the attestation being out of sync with what you requested is slim, especially if you have a robust policy management process.
We also consider solicited feedback we collect from other departments, including ITSC, CMDB, and application teams. We measure against the number of our applications at Jefferies. We evaluate how many, and what percentage of those applications are actually connected to our systems, from an oversight and management perspective. We know if an endpoint checks off certain boxes that have been automated, provisioned, and integrated into our reporting systems, we can see access and activity. We know that the risk is mitigated, and all the other functions will meet our review process.
All the critical KPIs that an organization tracks stem from automation. It’s important to have a strong CMDB that maintains company profiles, applications, what they do, what regulatory requirements are against them, if they handle trade data, or hold PII and financial data. Understanding this is key to helping us to target the applications.
From a vendor perspective, can you build on that?
Saviynt looks at it as a measurement of risk. You can’t eliminate 100 percent of risk. The reality is, you want to manage risk so you can discern what is acceptable, versus what needs to be mitigated, with automation, monitoring, and review controls in place. We can classify risk and manage and monitor it from an automation standpoint. KPIs measure risk levels and how well the systems handle them.
How do you build a business case to justify this process?
An IGA modernization program is not a one-time solution. It’s a continuous automation process. No organization can transform IAM into one program, with a single budget and board presentation. Understanding where your risks are, self-review, where your organization excels, and where it’s weak is the first step.
You have to sell the business benefits, like faster turnaround to market. Let’s say you have a new trainer that comes in, and they need quick access to the training platform. By implementing a modern IAM platform, you can now turn around that provisioning time in a fraction of what it was before.
A modern IGA provides the COO and business teams with better insights into how people are using their systems. Everything has a cost, whether it’s for a license or infrastructure. Greater visibility into business systems not only helps offset costs, it provides information back to the business teams, to help them improve processes. Visibility is completely underrated until you actually have a report or show the COO the money that can be saved on an application. Building a case for IAM is not a one-size-fits-all proposal. You need to know your audience and tailor your message. It’s important to remember, IAM as a service is not a cliché. It’s actually the way you need to sell a modern IGA solution.
What should companies expect from vendors to help them make their business cases?
There are three things I look at when selling an IAM solution to leadership: economics, efficiency, and security as a by-product of the solution. Vendors should help their customers with an ROI analysis that spans all three. Regarding a legacy IAM system and technology already in place, to refresh a homegrown system that costs hundreds of thousands or millions of dollars to maintain every year, you are already in the ballpark of having a license and services from Saviynt delivered with new technology. If you are looking at a legacy vendor, to stay current with the latest features and capabilities, those fees can be quite sizable, just to support legacy technology and infrastructure.
The main theme that needs to be brought out is security or continuous compliance as a by-product of IGA modernization. It is critical to have the ability to manage high-risk assets continuously, inspect for segregation of duty, and look for sensitive information, like PII, PCI, and PHI, and have controls integrated into the processes. With this in place, you only need to conduct a periodic review on an annual basis for less sensitive assets and elevate the review process for higher risk assets.
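The three controls touched on in the answers above (an attestation check that compares what was requested against what is actually provisioned, a segregation-of-duty inspection, and a review cadence that tightens for higher-risk assets, plus the "percentage of applications connected" KPI) can be sketched in a few dozen lines. The following is an added illustration written for this summary; it is not code from Saviynt, Jefferies or Simeio. The application profiles, entitlement feeds, SoD rule and cadence values are all constructed sample data, and the 90/180/365-day tiers are an assumption rather than anything the speakers stated.

```python
"""Added example: attestation drift, SoD check and risk-tiered review cadence.

All data below is constructed for illustration; none of it comes from a real
IGA tenant. Entitlements are written as "application:role".
"""
from datetime import date, timedelta

# Hypothetical CMDB-style profiles: risk tier and data classes handled.
APPLICATIONS = {
    "trade-blotter": {"risk": "high", "handles": {"trade-data"}},
    "hr-portal": {"risk": "high", "handles": {"pii"}},
    "training-lms": {"risk": "low", "handles": set()},
}

# Toxic combinations a single identity must not hold (constructed SoD rule).
SOD_RULES = [
    ("trade-blotter:trader", "trade-blotter:settlement-approver"),
]

# Assumed review cadence per tier: annual for low-risk assets, as the passage
# describes, and progressively shorter for higher-risk ones.
REVIEW_CADENCE_DAYS = {"high": 90, "medium": 180, "low": 365}
TIER_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed feeds: what the request platform approved vs. what the
# connected endpoints actually report as provisioned.
REQUESTED = {
    "alice": {"trade-blotter:trader", "training-lms:learner"},
    "bob": {"hr-portal:analyst"},
    "carol": {"training-lms:learner"},
}
ACTUAL = {
    "alice": {"trade-blotter:trader", "trade-blotter:settlement-approver",
              "training-lms:learner"},
    "bob": {"hr-portal:analyst"},
    "dave": {"hr-portal:admin"},  # account with no approved request behind it
}


def reconcile(requested, actual):
    """Per-user attestation drift: approved-but-absent and present-but-unapproved."""
    drift = {}
    for user in sorted(set(requested) | set(actual)):
        req, act = set(requested.get(user, ())), set(actual.get(user, ()))
        missing, unrequested = req - act, act - req
        if missing or unrequested:
            drift[user] = {"missing": missing, "unrequested": unrequested}
    return drift


def sod_violations(actual):
    """Identities holding both halves of any SoD rule."""
    hits = []
    for user in sorted(actual):
        held = set(actual[user])
        for a, b in SOD_RULES:
            if a in held and b in held:
                hits.append((user, a, b))
    return hits


def app_of(entitlement):
    return entitlement.split(":", 1)[0]


def review_queue(drift):
    """Unrequested access ordered by application risk tier, highest first,
    so reviewers see the elevated-risk findings before the routine ones."""
    items = []
    for user, d in drift.items():
        for ent in d["unrequested"]:
            tier = APPLICATIONS.get(app_of(ent), {"risk": "medium"})["risk"]
            items.append((user, ent, tier))
    return sorted(items, key=lambda x: (TIER_ORDER[x[2]], x[0], x[1]))


def next_review(app, last_reviewed_iso):
    """ISO date of the next certification, driven by the app's risk tier."""
    tier = APPLICATIONS[app]["risk"]
    nxt = date.fromisoformat(last_reviewed_iso) + timedelta(days=REVIEW_CADENCE_DAYS[tier])
    return nxt.isoformat()


def coverage_pct(connected):
    """The 'applications connected to oversight' KPI, as a percentage."""
    n = sum(1 for app in APPLICATIONS if app in connected)
    return round(100.0 * n / len(APPLICATIONS), 1)


if __name__ == "__main__":
    print("drift:", reconcile(REQUESTED, ACTUAL))
    print("sod:", sod_violations(ACTUAL))
    print("queue:", review_queue(reconcile(REQUESTED, ACTUAL)))
    print("next review of trade-blotter:", next_review("trade-blotter", "2020-08-05"))
    print("coverage:", coverage_pct({"trade-blotter", "hr-portal"}), "%")
```

The drift check is the mechanical version of the "attestation out of sync with what you requested" point: with the request platform as the source of truth, anything the endpoint reports that has no approval behind it is either a manual change or a failed deprovisioning, and the queue orders those findings by the CMDB risk tier rather than by discovery order.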
Because of COVID-19, where do you see IGA modernization going in the future?
COVID-19 has greatly accelerated digital transformation for all digitally capable companies. Most employees, no longer working in the business office, are operating remotely. The oversight of remote workers doing mundane and redundant tasks is difficult to manage. Things like password authentication, automated credential distribution, and user verification have been taken off the back burner and are now being reviewed.
There are still many systems that aren’t integrated and need to be in order to be in compliance. Organizations need to consume them within a single platform, and data collected to collate back for making more informed decisions, continuous compliance, and the elimination of the rubber-stamped approach. It boils down to managing acceptable risk. That will require insights from data analytics, for decision-makers to make well-informed decisions.
We’ve just touched upon some of the conversation. If you want to learn more, you can watch this and other on-demand Coffee Talk sessions at https://www.brighttalk.com/channel/17142.
We hope you can join our next Coffee Talk, where you can chat with IAM experts, ask questions and gain insights into how you can lower operational costs and achieve greater security and privacy using IAM. Click here to sign up.