Case study overview

Project milestones:

  • Design and implement the access management process by formalizing the provisioning algorithms and building the role-based model
  • Integrate with existing systems
  • Implement SoD conflict detection mechanisms
  • Launch the Self-Service Portal for corporate end users

Problem: A conglomerate needed to streamline access management across many IT systems while retaining control over its infrastructure.

Result: The solution, built on One Identity Manager (IDM), lets the Customer automate access management. Additional benefits include granular control over granted privileges and usage analytics.

Plans: Further development focuses on refining the role-based model, integrating new systems, and implementing new business processes on One Identity Manager.

Customer profile:

The Customer is one of the world’s largest steel producers. The Company’s assets form a large steelmaking complex with a full production cycle, from ore pre-processing to iron, steel and rolled metal production. The Customer produces a wide range of steel products, a predominant share of which are premium products.

  • 35 companies
  • Geographic dispersion – EMEA, USA, India
  • 50 thousand employees plus 8 thousand external contractors
  • 70+ target IT systems and resources

Case study overview

Although the Customer had centralized its HR processes, access management still ran on a legacy request-processing system that mixed paper and electronic document management. The infrastructure included over 70 systems, each with its own set of access rules, privilege levels and list of approvers, plus a significant volume of paperwork that had to be maintained and updated constantly.

The access management process relied on several disconnected tools: synchronization software linking Active Directory to the HR systems, in-house software for request processing, an electronic document management system and a Service Desk solution. The approval route for a request often had to be worked out by hand from the regulation of the target system. External contractors’ access requests were handled by yet another separate request-processing system.

Approval and provisioning of access took up to seven working days on average, and longer when the approver was on vacation or sick leave, since only about 5% of managers delegated their approval authority.

From a management point of view, keeping the granted privileges transparent and correct was nearly impossible, for three reasons. First, with this many target systems and no cross-system view of entitlements, segregation-of-duties (SoD) conflicts were unavoidable. Second, when an employee transferred, new access was granted without the old access being withdrawn, so users accumulated excessive rights. Third, the credentials of dismissed employees could remain active for a considerable time before they were deleted. The net effect was a weakened security posture for the Customer.

The growing number of systems and end users significantly increased the labor required for access provisioning, including the support and maintenance of every system involved in the process.

The service desk handles about 18 thousand requests every month, and the number of requests is growing at an estimated 30% year over year.

Each manager spends roughly 300 hours a year reviewing and approving access requests.

Typical access request processing takes 7 days, which leads to a noticeable decrease in user productivity.

As the number of systems grows, adequate access control becomes impossible, deepening the risk posed by users holding excessive or improper privileges.

Every time an employee needs access to a new system, they have to look up the regulation governing that system and fill out the access request form, including the correct access mode codes.

The request must first be authorized by their manager; then the employee has to forward it to the person responsible for access to the target system, whom they also have to look up manually.

Then the waiting begins, which can take up to two weeks.

Access management lies at the very base of security.

Controlling who has access to which system, and whether that access is both legitimate and necessary for the user’s job, requires access provisioning to be transparent and manageable.

Implementation steps

  01. Formalize every access-provisioning process as a strict algorithm: the procedural steps under each condition and the possible system responses.
  02. Develop an RBAC (role-based access control) model to govern the access provisioning process, including approvals.
  03. Design a customized workflow in One Identity Manager for external contractors, including verification and storage of the authorizing documents the contractor provides.
  04. Implement privileged account lifecycle management in One Identity Manager.
  05. Integrate One Identity Manager with the existing IT landscape: the SAP-based HR systems (HCM, SRM, SF), the access management systems (SOAR, AD, Ivanti ISM) and the target IT systems.
  06. Integrate the solution with SAP GRC for SoD conflict detection and resolution.
  07. Integrate the solution with SAP Solution Manager to detect IT and IT security incidents related to access provisioning.
  08. Integrate the solution with SOAR to automate blocking and unblocking of user credentials in case of a security incident.
  09. Deploy a self-service portal with a directory of the Company’s systems, resources and roles, streamlining both the access request process for end users and the approval process for system owners and managers.

Results

  • 81 percent less labor required to support access provisioning
  • 2 hours average time to provision access once it is approved
  • 3 minutes average time for automated provisioning based on the RBAC model

One Identity Manager has become the single point of control for all access management and provisioning processes. Integration with the existing IT systems and resources links HR events to access management events and automates the granting, review and revocation of access rights as well as the blocking and unblocking of credentials. Privileges, including approval authority, can now be delegated promptly and securely, so an approver’s absence no longer stalls the process.

One Identity Manager has also become a versatile source of analytics on employees and their access levels, and can visualize the access matrix for each of the Company’s systems. IDM is an important source of evidence for IT and security incident investigations.

Requesting access has been streamlined for end users: an easy-to-use self-service portal removes the need to search manually for the regulations and approvers of each system.

During the 24 months that One Identity Manager has been in use, the following outcomes were achieved:

  • Over 510 thousand HR events processed.
  • 11,306 domain accounts processed, 81.8% of which were created automatically and the rest semi-automatically.
  • Automatic group assignment for new users: 4 groups common to all employees and 822 custom groups assigned by employer, location, employee category and similar attributes.
  • All access approvals are handled in IDM.
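To make the mechanism behind these figures concrete, the following is an added illustration, not One Identity Manager configuration and not the Customer’s code. It models a hypothetical attribute-driven role model (base groups for everyone, custom groups derived from employer, location and category) with a handful of SoD rules, and replays a constructed hire, transfer and termination stream through it. The point it demonstrates is the one made earlier in this case study: recomputing the full group set on transfer, rather than adding to it, is what prevents both privilege accumulation and the resulting SoD conflicts, while termination disables and empties the account immediately. All group names, attributes and HR records are assumptions.

```python
"""Added illustration of attribute-driven group assignment with SoD checks.
Hypothetical model: not One Identity Manager configuration and not the
Customer's code. All group names, attributes and HR events are constructed."""
from dataclasses import dataclass, field

# Groups every employee receives (the case study reports four such groups).
BASE_GROUPS = frozenset({"all-staff", "mail", "intranet", "vpn"})

# Hypothetical mapping from HR attributes to custom groups.
ATTRIBUTE_GROUPS = {
    "employer": {"SteelCo-EMEA": {"emea-staff"}, "SteelCo-US": {"us-staff"}},
    "location": {"Plant-A": {"plant-a-badge"}, "HQ": {"hq-badge"}},
    "category": {
        "procurement": {"srm-buyer"},
        "finance": {"erp-ap-clerk"},
        "finance-lead": {"erp-ap-approver", "erp-vendor-master"},
    },
}

# Hypothetical SoD rules: group pairs one person must never hold together
# (e.g. raising purchase orders and approving the invoices that pay them).
SOD_RULES = [
    frozenset({"srm-buyer", "erp-ap-approver"}),
    frozenset({"erp-vendor-master", "erp-ap-clerk"}),
]


@dataclass
class Account:
    employee_id: str
    attributes: dict
    enabled: bool = True
    groups: set = field(default_factory=set)


def entitlements_for(attributes: dict) -> set:
    """Derive the complete group set an employee should hold from HR attributes."""
    groups = set(BASE_GROUPS)
    for attr, mapping in ATTRIBUTE_GROUPS.items():
        groups |= mapping.get(attributes.get(attr), set())
    return groups


def sod_conflicts(groups: set) -> list:
    """Return the SoD rules violated by a group set, as sorted pairs."""
    return sorted(sorted(rule) for rule in SOD_RULES if rule <= groups)


def apply_hr_event(accounts: dict, event: dict, accumulate: bool = False) -> Account:
    """Joiner/mover/leaver handling driven by HR events.

    accumulate=False recomputes the target group set on transfer, so groups
    tied to the old position are withdrawn; accumulate=True mimics the legacy
    process in which new access is added and old access is never removed.
    On termination the account is disabled and emptied at once.
    """
    kind, emp = event["type"], event["employee_id"]
    if kind == "hire":
        acct = Account(emp, dict(event["attributes"]))
        acct.groups = entitlements_for(acct.attributes)
        accounts[emp] = acct
    elif kind == "transfer":
        acct = accounts[emp]
        acct.attributes.update(event["attributes"])
        target = entitlements_for(acct.attributes)
        acct.groups = (acct.groups | target) if accumulate else target
    elif kind == "terminate":
        acct = accounts[emp]
        acct.enabled = False
        acct.groups = set()
    else:
        raise ValueError(f"unknown HR event type: {kind}")
    return acct


# Constructed HR event stream: a buyer moves into a finance lead role, then leaves.
SAMPLE_EVENTS = [
    {"type": "hire", "employee_id": "e1001", "attributes": {
        "employer": "SteelCo-EMEA", "location": "Plant-A", "category": "procurement"}},
    {"type": "transfer", "employee_id": "e1001", "attributes": {
        "location": "HQ", "category": "finance-lead"}},
    {"type": "terminate", "employee_id": "e1001", "attributes": {}},
]


def run_sample(accumulate: bool = False) -> list:
    """Replay SAMPLE_EVENTS; return (event, enabled, groups, conflicts) per step."""
    accounts, trail = {}, []
    for ev in SAMPLE_EVENTS:
        acct = apply_hr_event(accounts, ev, accumulate)
        trail.append((ev["type"], acct.enabled, sorted(acct.groups), sod_conflicts(acct.groups)))
    return trail


if __name__ == "__main__":
    for mode in (False, True):
        print("accumulate =", mode)
        for step in run_sample(mode):
            print("  ", step)
```

Run with accumulate=False the transfer step carries no SoD conflict, because srm-buyer is dropped when the group set is recomputed from the new attributes; with accumulate=True the same transfer leaves the employee holding both srm-buyer and erp-ap-approver, which is exactly the kind of conflict SAP GRC integration was meant to catch. In a real deployment the SoD check would run before the approval step rather than after provisioning, and the attribute-to-group mapping would live in the identity manager’s role model, not in a Python dictionary.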

Further plans

Further development of the IDM-based access management process includes fine-tuning the roles in the RBAC model, integrating new IT systems and implementing new business processes with the built-in graphical process editor. The access management system has proved its value and is planned to be scaled to other divisions of the Customer’s conglomerate.
