24 May 2011

Putting users and trust at the centre

Beta Systems | www.betasystems.com


‘An Identity and Access Management model is like the urban blueprint of a big city’ – this was the statement of a senior security manager in a large and rapidly expanding bank, based in Southern Europe. He went on to say that ‘It gives us an overall vision of security and so enables us to control all the security-related activities and to drive their on-going development.’

Banking on Success in Europe

The Bank’s current strong presence across both Western and Eastern Europe had its origins in 1998, when two largely domestic banks integrated their activities. This was rapidly followed by a merger with a third bank in 1999, which established it as the largest banking group in its domestic market and greatly strengthened its position as a major pan-European financial institution. As a result of continuing acquisitions, the international reach of the Group now extends well beyond the boundaries of Europe.

The bank has a business-oriented organisational structure, based on six clear areas of responsibility: a Central Structure (incorporating head office departments and infrastructure), four Business Divisions and the many individual Product Companies. One part of the Central Structure is the 1,100 person-strong IT systems and services organisation, whose key mission is to help improve the Group’s ability to compete in the rapidly evolving global Financial Services sector. It aims to do this by integration and innovation of services, processes and technology, by leveraging economies of scale and by focusing on core competencies. Within this organisational unit sits the Information Security Department, which is responsible for guaranteeing information security in the Group.

With Growth Comes Challenges

As the bank pursued its acquisition course, several challenges presented themselves. User identities had to be made consistent across all of the security systems installed. Extension of the central identity management competency area and internal authorisation controls was necessary. The current IT architecture needed to be changed and extended to support the evolution towards the web-based applications platform. The bank also needed to complement existing user and access rights administration with new web authorisation management, strong authentication and single-sign-on. And all of this for an organisation that had grown to over 82,000 user accounts in an IT environment consisting of 15 RACF systems, 73 Windows domains with 44,000 clients, numerous LDAP directories and several hundred Unix servers.

The obvious conclusion reached by the Security Department was that it needed to define an identity management model and implement a system that was solid, yet flexible enough to meet both strategic and operational demands. The model devised by the bank had at its core a single security provisioning solution, performing the daily policy-controlled updating of user profiles using information received from the HR system, with centralised security administrators handling any residual ad-hoc changes. Targeted benefits were reduced administrative time and costs, increased user productivity and improved security.

Moving Forward

The complexity of the IT environment, the large number of users to be managed and an obvious preference for a solution from a vendor with other comparable successful installations, led to the selection of Beta’s SAM Jupiter. Additionally, the Group planned to leverage SAM’s flexibility to simplify system integration and empower their current architecture to support the evolution towards the web-based applications platform.

The overriding principle for the implementation of SAM Jupiter was that management of the user’s access to information systems must respect the ‘Need to Know’ rule. That is, the user must be able to access only those information resources necessary for the execution of their approved daily operations.

The main targets for the implementation were the Windows domains, the RACF systems and several LDAP directories. User profile administration was automated to a significant degree by providing SAM with a daily feed of information from the HR system, containing details of new members of staff, leavers and changes to existing staff’s attributes. SAM translates this information, using business rules, into user assignments to pre-defined roles, from which the user automatically receives the appropriate access rights on each of the connected platforms.

Some security functions are the responsibility of decentralised departments – for example some tasks are carried out on a regional level by HR personnel. SAM Jupiter’s ability to precisely scope administrative rights was ideal to support these delegated administration procedures.

The Role Concept

SAM Jupiter’s support for roles was used to enable maximum automation, to make manual administration more efficient and auditing easier. An existing resource profiling system was used for the creation of roles. This profiling applies the ‘Need to Know’ rule by classifying resources according to an incremental logic based on the validation of five parameters - organizational unit of the user, professional role, grade, attributes and function. During profiling, resource building blocks are created which are used to define roles and authorisations in SAM.
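The HR-driven, role-based provisioning described above, sketched as an added example; it is not Beta Systems' code and does not use SAM Jupiter's interfaces. HR records are matched against business rules over the five profiling parameters, and the resulting rights are diffed against current state so that movers and leavers lose what they no longer need. All field names, roles, group names and user ids are constructed for illustration.

```python
# Added illustration: field names, roles and entitlements are constructed.
PARAMS = ("org_unit", "professional_role", "grade", "attributes", "function")

# Business rules: a role applies when every listed parameter matches.
RULES = [
    ({"org_unit": "retail", "function": "teller"}, "ROLE_TELLER"),
    ({"org_unit": "retail", "function": "teller", "grade": "senior"},
     "ROLE_TELLER_SUPERVISOR"),
    ({"professional_role": "auditor"}, "ROLE_AUDIT_READ"),
]

# Role -> access rights as (platform, group) pairs on the connected systems.
TELLER = {("RACF", "GRP.TELLER"), ("Windows", "DOM1\\Tellers")}
AUDIT = {("RACF", "GRP.AUDITRO"), ("LDAP", "cn=audit-readers")}
ROLE_RIGHTS = {"ROLE_TELLER": TELLER, "ROLE_AUDIT_READ": AUDIT,
               "ROLE_TELLER_SUPERVISOR": {("RACF", "GRP.TELLSUP")}}

def roles_for(record):
    """Return the roles whose rule conditions all match the HR record."""
    unknown = set(record) - set(PARAMS) - {"user_id", "status"}
    if unknown:  # reject malformed feed rows instead of guessing
        raise ValueError(f"unexpected HR fields: {sorted(unknown)}")
    if record.get("status") == "leaver":
        return set()  # leavers keep no roles
    return {role for cond, role in RULES
            if all(record.get(k) == v for k, v in cond.items())}

def rights_for(roles):
    """Union of the access rights granted by each role."""
    return set().union(*(ROLE_RIGHTS[r] for r in roles))

def plan(current, feed):
    """Diff desired rights against current state: per-user grant/revoke."""
    changes = {}
    for rec in feed:
        desired = rights_for(roles_for(rec))
        have = current.get(rec["user_id"], set())
        grant, revoke = desired - have, have - desired
        if grant or revoke:
            changes[rec["user_id"]] = {"grant": grant, "revoke": revoke}
    return changes

# Constructed sample: a mover (teller -> auditor), a leaver and a joiner.
CURRENT = {"u100": set(TELLER), "u200": set(AUDIT)}
FEED = [
    {"user_id": "u100", "status": "active", "org_unit": "audit",
     "professional_role": "auditor"},
    {"user_id": "u200", "status": "leaver", "professional_role": "auditor"},
    {"user_id": "u300", "status": "active", "org_unit": "retail",
     "function": "teller", "grade": "junior"},
]
```

Calling `plan(CURRENT, FEED)` yields one grant/revoke set per affected user; the revoke side is what enforces ‘Need to Know’ when someone changes job or leaves.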

Complete Integration

SAM has become a seamlessly integrated core component of the extended identity management model which now also includes a web access control system and a meta directory. Synchronisation between SAM and the meta directory ensures timely updates of security definitions in the connected security systems.

Job Done!

In automating the process of updating and maintaining user profiles, the bank was able to significantly reduce the amount of time and number of administrators needed to perform user life-cycle management. Automating a high percentage of routine updates to user profile data has also reduced the potential for security breaches caused by human error. Employee productivity has greatly increased, because with centralised and automatic account provisioning, new users are quickly added to the relevant systems and applications.

Today, the bank has an efficient identity management architecture with seamlessly integrated products for administration, synchronisation, authentication, and authorisation of users in which SAM Jupiter is key to ensuring that users have access to only the data relevant to their work. This architecture serves as a solid foundation for potential future developments such as the integration of additional security systems and the support of provisioning for federated network identities with SAM Jupiter.

