Identity access management you can bank on

ING DIRECT is one of the country’s largest banks, with over 1.4 million customers. To ensure its operational environments are secure and robust and that it manages its IT risks effectively to achieve compliance, the bank partnered with First Point Global to deploy SailPoint’s next-generation identity governance solution, IdentityIQ.

“The main triggers for the project were satisfying our regulatory requirements and our own internal standards for access control, as well as improving the efficiency of managing appropriate access to our assets,” said Ann-Marie Bosco, manager, IT Risk Governance at ING DIRECT.

Historically, the bank assigned access rights to its applications and systems using a group and profile-based approach. However, a formal framework for the definition and maintenance of roles, groups and profiles had not been defined and documented. This affected the bank’s ability to readily assess the appropriateness of access rights to applications and systems based on users’ job functions and responsibilities.

Previously, the bank addressed risk management and compliance around user access and certification through a manual access review process. This was extremely labour-intensive with each new application under review requiring additional effort to prepare and undertake. It was cumbersome for business users to work with, where managers were emailed a spreadsheet per application under review and where the data from each system might be presented differently and with varying degrees of granularity.

In the first phase of the implementation, First Point Global installed IdentityIQ in one development environment and performed the necessary configurations to demonstrate functionality for a single, highly sensitive, custom application. Following the success of this proof of concept, IdentityIQ was expanded to 30 applications.

Critical to the success of the project was the mapping of users to positions and identifying appropriate profiles and permissions for each. During implementation, it became apparent that the detailed technical roles and policies previously defined by the bank were too restrictive and needed to be amended. As testimony to IdentityIQ’s flexibility and ease of use, the bank was able to revise them, with little external assistance, in under four weeks.

Once the bank had cleansed its data and automated key processes, it was able to further streamline the access certification process by enabling business managers to more efficiently perform user access reviews, enabling them to view the access people have and address remediation of access if need be with ease and consistency.

End users responsible for performing user access reviews have provided feedback that IdentityIQ is simple to use and that reviews can be undertaken quickly. In some cases, the information presented to the asset owner also helped to identify segregation of duty rules and subsequent application profile changes to clear the conflicts.

Within 90 days, ING DIRECT had set up core infrastructure and launched a fully automated user access certification process for 30 critical applications and 1200 active users. After completing the final phase of its project, the bank reported decreased risk, improved turnaround times and focus of responsibilities for IAM and IdentityIQ system operation to one internal role.

“In partnership with First Point Global and the introduction of Sailpoint IdentityIQ, we managed to get a large body of work done in record time, meeting the goals of our project,” said Bosco.

“We continue to have strong support for appropriate access control from our users, who now enjoy an improved end-user experience,” added Bosco. “We also continue to enjoy a strong working relationship with First Point Global, who not only offer support and advice when asked, but also keep us updated on relevant identity and access management developments across the industry.”