Case Studies


Centerpoint Energy

Automating IT Security with SailPoint’s IdentityIQ™
Using IdentityIQ™ technology to automate compliance, provisioning, and policy monitoring results in significant cost savings
One of our Fortune 500 customers, a 200-year-old utilities/energy company, has existing investments in identity and access governance technology. As with many large corporations, managing the movement of people across the company presents serious challenges to their business units and IT staff in safeguarding their IT assets. Thus far, they have been successful in implementing best practices in business processes and technology to implement IT security controls across their organization. However, before deploying IdentityIQ™, manual efforts were still largely in place, which had created excessive costs of ownership for many of their security services.

Challenges
The enhancements in security automation are very effective in ensuring that HR events such as hiring and termination result in automatic creation or disabling of accounts as necessary. Typical of many similar efforts, however, some operational costs remain, and some new costs are even created. Examples of these costs include:

  • Ongoing access requests
  • Entitlement changes due to transfers
  • Detecting policy violations in entitlement combinations
  • Certifying and attesting to granted entitlements

Ongoing Access Requests
Advancement in career, capabilities, or experience typically leads to more responsibility for many people in the workforce. In addition, people sometimes transfer around an organization in and out of different departments. As the responsibilities increase/change, additional entitlements are often required to access business applications or systems for their job function.

When a job function depends on access to a system, but that access is not immediately granted, a loss of productivity usually results. Our analysis concluded that our customer was experiencing rampant losses in productivity across their 15,000 person organization at a cost of roughly $500/person affected by lack of timely granting of access.

Entitlement Changes Due To Transfers
Not surprisingly, department transfers are less common than advancement in career, but in the case of our customer, an estimated 10-15% transfer in and out of departments each year. Additionally, many more with specific skills are assigned to cross-functional teams for temporary project purposes.

In many cases, additional entitlements are granted to these individuals using an access request form, or in our customer’s case, a custom application developed for routing requests to system administrators. In almost every company we’ve worked with, including this customer, people are granted the temporary access but it is never revoked. This results in people having much more access than they need.

This condition poses real threats to the security of intellectual property as well as data integrity.

Detecting Policy Violations In Entitlement Combinations
To prevent corporate fraud and comply with certain governmental regulations, companies establish lists of forbidden combinations of access that might allow an attacker or rogue user to thwart proper business procedures for personal gain or malicious intent.

This process of defining Separation of Duties (SoD) policies results in a list of policies that are difficult to enforce through manual efforts. As an example, one of our customers in the insurance industry was spending over 400 hours each year on manually validating compliance with their SoD policies. The customer discussed above was facing similar challenges.

Certifying And Attesting To Granted Entitlements
Self-assessments are a key aspect of regulatory compliance. Ultimately, every publicly traded company must be able to swear to their shareholders and regulatory commissions that they have made reasonable and proper attempts to ensure they have safeguarded their assets such as personally identifiable information (PII), intellectual property (IP), and other physical assets that may either be critical to financial well-being or even a risk to national security.

A critical component to assessing a corporation’s progress towards safeguarding systems lies in the regular self-assessment of access that has been granted to users across the board. In a mature organization such as our customer’s organization, no one entity or department can validate that all access is true and correct. So managers of small groups of people are relied upon to perform these assessments on an annual or semi-annual basis.

Our customer, like many others today, performed these assessments manually. These manual processes are very costly to an organization. In each cycle, they cause IT administrators to pull current access data for all users from each of their critical systems (these can number in the hundreds or even over one thousand). All of the data must be manually correlated together to build a snapshot of access for a single employee or contractor. Then managers (sometimes, hundreds of them) are required to spend a great deal of time devoted to reviewing access for each user. This process leads to several major concerns:

  • It can take weeks or even months to get all of the data needed across the required systems into a consolidated list
  • Managers have to sift through mountains of entitlement data that they don’t understand and must forego productive work time to analyze data to attest to its accuracy
  • Often, the manual process is so counter-productive that many simply don’t bother to analyze the data carefully and blindly “rubber-stamp” the data to get it off of their list of things to accomplish

Solution

With our assistance, our customer was able to address each of these areas in the following ways:

  • Integrated critical, at-risk, or financially significant applications into IIQ for centralized monitoring and management
  • Automated certification activities to significantly reduce IT involvement and provide easy tracking of progress at all levels of management
  • Fully automated the remediation of access errors or violations identified across systems
  • Eliminated audit exceptions or risks due to human errors in gathering and organizing data
  • Configured policy monitoring and real-time reporting to enable prompt security procedures as high-risk conditions occur
  • Established critical business and IT roles to greatly simplify access certification, policy monitoring, and user provisioning
  • Put into operation a fine-tuned methodology for efficiently managing the lifecycle of business and IT roles
  • Developed self-service-based access request processes that leverage the automation and policy violation functionality of IIQ to minimize granting of unneeded access


Implementation of the IdentityIQ™ solution has enabled our customer to truly reengineer their IT security processes and streamline them to better leverage their investments in automation technology. PCSG was able to apply our 5DMethodology™ for implementation to enable them to achieve high-value quick-wins.

About Us Partners delivers this level of value with all of our clients using our experience and knowledge of the domain as well as our proven 5DMethodology™ for ensuring success. We are recognized leaders in the Identity and Access Governance space with service offerings that range from defining a corporate vision to full implementation to supporting an operational program.
