Julia Bernal, Group Business Security & Data Protection Manager, Friends Life
April 18, 2012 17:30
Yes, we were already talking about fast success, and I would like to introduce Julia Bernal from Friends Life. Julia, are you around? Okay, here you are. Welcome. Thank you. You will talk to us about an access governance case study at Friends Life. I had the opportunity for a very quick chat with you earlier, and you mentioned to me that you were able to get this project to work in a very, very short timeframe, meaning to show business success in a very short time. I'm really curious to hear about that. Okay. Thank you. Can everybody hear me? Okay.
Fantastic. Okay. So thank you very much for that introduction. I'm not sure if anyone's heard of Friends Life previously, but we're a UK-based organization and we are one year old next month. We are the bringing together of three heritage organizations: Friends Provident, AXA Life and Pensions, and Bupa Life and Pensions. We're owned by the Resolution Group, who have a plan to establish themselves firmly within the top five UK life and pensions companies. We also have a presence here in Germany as part of our international business, based in Cologne.
So what I'm going to talk to you about today is the journey that we've been on in relation to user access management over the past 12 months. We've been very privileged to partner with Vexa and use the tool that they offer. Okay. So there were some key drivers for initiating a user access management program within our organization.
I'm sure some of you are very familiar with the bullets that are on the screen at the moment. Over the past five years, or for as long as I can remember, we've had a consistent theme of audit actions from both our internal and external auditors as part of the annual IT general controls review. We've been trying to resolve those issues every year, but very quickly we realized that we couldn't apply a sticking plaster approach. What we were doing previously was just trying to solve the problem for this year, and it would come back and bite us in following years.
It simply wasn't working and it wasn't sustainable. At that time we also had some regulatory guidance from the Financial Services Authority, which, whilst it was very challenging, did help to raise the profile of user access controls at a very senior level. That's something I think was talked about in the previous session. So initially what we looked to do was to initiate a program, and we had to engage the business, our business units and subsidiaries, in that program.
Initially we thought that the improvement activities would be met with some cynicism, "not another IT project", as is quite often seen by our business units. However, once we started to engage with key stakeholders, they started to see the benefits. Things were particularly difficult for them: labor intensive and very, very time consuming, at a busy time for them. And as I mentioned earlier, the sticking plaster approach is not sustainable. It's not resource effective, and we can't guarantee the integrity of the operation of manual processes.
What we also found is that as we bring three organizations together under the one umbrella of Friends Life, subject matter expertise moved around the company, or in fact left entirely. So we needed a sustainable approach, and we needed a very quick return on investment because of the regulatory pressure. So, if I talk a little bit about the process before we partnered with Vexa: three key steps, collection, review and remediation, taking us approximately 15 weeks to complete. That's over three months' worth of effort per application.
What we simply did before was to collect data from various sources, and it was a best endeavors approach. We didn't have any formalized subject matter expertise or roles within our business units or IT. We collected data from those subject matter experts and then sorted it into a single spreadsheet per application. So it was very labor intensive to get that data and put it into a spreadsheet. We manually initiated reviews via email and simply attached the spreadsheet to the email, to application owners that we'd personally identified within IT or the business.
And we diarized chasers manually as well. As I said, application owners were identified via our own internal knowledge. Luckily I had somebody that worked in my team at that time who was particularly interested in this and had some good contacts within IT and within the business. It was a case of "I'll go and see my friend who sits upstairs on desk B, C, D, and I'll go and talk to them and ask them a favor, if they can do this work for us." Once the review was completed, remediation was manually requested via a ticketing system.
So again, we were reliant on a ticket being raised for each revocation, and at that point we lost oversight of the process. We asked the application owner to request the revocation.
And again, we were reliant on them doing that, which wasn't an ideal situation. So the major issue with our manual process was that we couldn't guarantee the integrity of data, because we were reliant on somebody extracting it from an application and sending it to us in a spreadsheet; we would then manipulate it into another spreadsheet and send it via email, where it could be manipulated again. So we couldn't rely on the integrity of the data. We were also reliant on best endeavors, and if somebody decided to take a sabbatical or go on paternity or maternity leave, again we had a problem.
Also, the review that we operated didn't allow a review to take place at a local level. Typically an application owner was somebody that was a subject matter expert in that application; they didn't know the people whose access they were re-certifying, who could be from a different business unit, a different part of the organization.
So it wasn't an intelligent review. It was simply a tick-box exercise: do they still work here or not? What we saw was some application owners would simply look at the list of people that had access to their application and go onto the Outlook staff directory, and if somebody had an Outlook account, well, yeah, they still need their access. So the review wasn't intelligent, and that was something that was picked up by our auditors. As I mentioned previously, we needed to have a more strategic approach.
Our approach was that we took advice and guidance from a third party consultancy and also our internal audit team. We also identified peers within other organizations that were on the same journey, and we did some research and development with them to understand what other people were doing at that time. It was very clear to us that we could again start to improve our manual processes and improve the governance around them, but actually we might solve the problem for a few years, then lose momentum and be straight back to square one again.
So the key for us was to actually purchase a tool that could automate things for us and therefore guarantee, or take that responsibility away from us and provide that assurance over the operation of the process. We initiated a project with support from a third party consultancy company, and that was purely due to the resource and skill constraints within my team. At the time we engaged the internal project life cycle, which was very, very key because it enabled us to not manage the project internally, because there are a number of key work streams relating to it, human resources.
We also engaged our procurement team, who were able to support the vendor selection process, which ran very smoothly. During that time, what we also did was take an extensive review of our manual processes, because I was effectively going to our senior management team asking for some money for a tool they'd never heard of. I was asking them to support me, because what we would need was their support in terms of communication and governance long term. What they needed to see was that we were going to get a very quick return on investment and that we were going to get it right.
We weren't going to be spending money and time and then have the same problem in two years. So what we did was review our manual processes to make sure: could we really do it, or could we not? One of the things that we looked at was to add an additional step within the process, regardless of whether it's manual or automated. I'll go into that second step in a few slides' time, but it was essentially around solving the local problem, so that we had people that knew the people whose access they were reviewing.
And that was a line manager. As the slide suggests, Vexa configured the application from the day the box arrived in our data center; it took 17 days till we hit the go-live button. That was absolutely essential to us. I had some very, very tight deadlines to meet; we had some regulatory pressure. We went live with 10 applications within 17 days of the tool arriving. Vexa helped us by attending our site on several occasions. They held workshops and had one-to-one sessions with our business application owners and IT application owners.
We knew what we wanted from the tool; our business users didn't, but it was important that we brought them along the journey with us. We wanted their buy-in right from the beginning rather than just delivering something to them via a web browser that they had to get on with
and action. So apologies, I've skipped through a few slides there. Okay. As I said, Vexa worked very closely with us, and we had good feedback from our business units, and they were bought in right from the very beginning. So this is what we do now: the same three steps, collection, review and remediation, but we're now down to an eight week cycle. We can dictate the cycle period ourselves; we could go for four weeks, it's entirely up to ourselves, or we could extend it.
But eight weeks felt like a good time period, simply because of the review that we were doing, and also because we didn't lose momentum; we kept the review cycle working quickly. We were able to essentially conduct a review over the eight week period, two months, and then ensure that revocations were done within the following month, which tied things up to a quarterly review cycle.
So what we do now is the Vexa tool collates application, Active Directory and HR data automatically. It reconciles that information and enables the review to be completed via a GUI that's available via a web browser. What we simply do is email line managers and ask them to click on a link. We provide them with a logon ID and password, and they connect to the tool and conduct their review. The way that we've tailored the interface is something that they're very familiar with and that's easy to use.
And of course they've got a user guide and have had some training if they wanted it. So that review firstly goes to line managers
and, as I said earlier, enables the local knowledge to be applied to the review. This is the biggest change that we've introduced, in addition to the automation. All the information is displayed for them. They literally see all of the employees that work for them and what access they have, and they simply click "yes, I want them to keep it" or "no, I don't want them to have that access anymore". It's displayed including segregation of duties roles as well, so they can review access at that level.
Once a line manager review has completed, the next phase is for the business application owner to review that access. They simply sign off the line manager review, and any orphaned accounts are then reviewed or approved. An orphaned account is where we don't have a line manager relationship to an employee, and the application owner then reviews that access. What's really great for my team and for senior management is that at any point in time we can log onto the tool and, via our dashboards, see progress against any review in real time.
What we've also done is work very closely with Vexa to produce some MI and some dashboards, which I can print off and take straight to my director. It's an absolute winner, so she can see the return on investment straight away. We can see the progress that's being made. What we can also do is log on and see who hasn't been progressing their reviews, and simply drop them an email to say, is everything okay, can we help you with anything, or pick up the phone to them. Once the application owner has completed their review, it enables us to revoke the access.
We simply get a list of all of the revocations that need to take place for that particular application. At the moment we don't automate revocation; that's something we are looking to do this year. But what it enables us to do is, rather than raise an individual ticket for each person, we can effectively cut and paste in bulk from Vexa into our ticketing system. That enables us to make a bulk request that then goes to our admin team to revoke access, and we can track the progress of one ticket rather than several hundred. It creates a closed loop in the process, an end-to-end loop.
What then happens is, when the review is initiated again, Vexa reconciles the revocations against the live accounts and will flag to me if our admin team haven't closed an account down properly, or if we need to go back to the application owner and get them to check anything again. So as I said, we've gone from 15 weeks plus down to eight weeks, which is a massive improvement. So, the benefits that we've realized. I won't go through all of the detail on this slide, because I want to have some opportunity for questions at the end.
But as I said, we now have a closed loop process that we can have complete oversight of and can automatically introduce governance over, so we can automatically send reminders. We can set reminders to go on a certain date, and we can see what anyone's doing at any one time. We can also initiate reviews whenever we want to as well. So if we are a bit concerned that there might be an audit report coming up, we could initiate a quick review, or we could select some users to be reviewed by particular segregation of duties
if we feel that there's a concern at any time. We've demonstrated our strategic approach to user access management, and we've had instant recognition from the Financial Services Authority of that. Our auditors have also done what we call a light touch audit this year. This year will be the first round; the auditors come back in September, and they will have seen the tool working for several review cycles on these in-scope applications. Already they've taken massive comfort from the fact that we have an automated solution, simply by purchasing a tool.
We've enabled them to understand all the business processes that sit around that tool, and this year's audit will be much, much less painful than it has been in previous years. We've also had the return on investment seen at a very senior level as well, because the Financial Services Authority and the auditors are not beating up the director, the board of directors. That's a huge buy-in for them, and it's a huge success for my team, as it enables us to demonstrate a business-as-usual process working very, very quickly. Okay. So here are some top tips from me,
who's been through this journey over the past 12 months. It is a painful journey, but it's definitely worth it. I think the key steps are: you need to identify your key stakeholders. You need to get senior management buy-in for this; effectively, you are asking people to do something for free. Those application owners and line managers out there are terribly busy people. They've got better things to do than review access, and it's not the most exciting thing in the world to do either.
So you need to get senior management buy-in right from the beginning and get a really good communications plan written. What we did is we had a communications plan that included webinars and phone conferences. We had weekly articles going on our internet site introducing the project and the program right from the beginning. We needed to seek approval of our priorities as well. It's very easy for the business to say, oh, review our application first, because it's really important to us;
we want to make this a smoother process for ourselves. But actually you need to get your priorities validated by your auditors or your regulators, because, as I said in the beginning, senior management need to see a return on investment, and there's nothing worse than delivering a wonderful program but actually still having all of those horrible audit actions to deal with this year. You also need to have a really robust risk assessment process for each application.
We use the Information Security Forum tools, the IRAM tools, to carry out the business impact assessment and the threat and vulnerability assessment for those applications, and that of course includes data risk as well. You need to implement some really good governance processes internally and externally: externally with your vendors, making sure that they deliver on time, and internally with your IT suppliers as well.
Also, this isn't something that we could have managed internally within our information security team; we initiated a project using our internal project life cycle processes. Typically your team should be made up of, obviously, your security team, human resources, IT and business unit representation as well. You need to define and appoint roles within that project team and make sure that responsibilities are understood right from the beginning. And as I've mentioned throughout this whole presentation, you need to achieve business buy-in.
That was actually quite easy for us. Once we got our foot in the door with those business application owners, we were able to talk them through the tool and show them the tool, and they realized how much easier it was going to make their life at access review time. We also incentivized the business application owner role. We formalized the role, and therefore it became an objective in the performance agreement of everyone who took on that role, and if they did well, which of course they all did, it went towards their bonus. So they were quite happy about that.
Also, I think you need to be really realistic about what you can achieve. We had a really quick turnaround in terms of the time in which the Vexa tool was implemented, but what really took the time and the effort was getting these business processes accurate. What we did was take a phased approach: we took 10 applications and went live with those very, very quickly, but those applications typically had four or five hundred users per application. In our phase two, which launched in March this year, we've got over 6,000 entitlements that are being reviewed.
So go for low density applications first of all. Okay. So, next steps for Friends Life. We're currently writing our strategy for the next 12 months, but what we're looking to do is onboard an additional 20 applications. Onboarding is still being determined by our auditors, because what we're looking to do is bring on the other heritage organizations' in-scope audit applications. Our application landscape is also ever-changing as we bring three organizations together and try and get all three on one system.
We've also signed a large outsourcing agreement with Diligenta, who are part of Tata, to manage all of our operations, so systems will move over to them. Our landscape is ever changing, which kind of reiterates what I say about having a really good risk assessment process in place. In addition, what we're going to do is still work very closely with Vexa to look at what more functionality we can use within the tool. We've simply skimmed the surface, really, and there's a lot more that we could do.
We're going to specifically look at automating the collection of data from the applications and the HR and Active Directory systems. We're also looking to automate the revocation of access, so that we again continue that closed loop process but don't have to manually raise a ticket. And we're also embarking on a huge review of our joiner/leaver processes, which I'm sure everyone's familiar with. What we're trying to do is onboard those processes and integrate them with the user access processes as well.
Again, that's another huge area that our auditors are interested in, so hopefully we'll tick a few more boxes with them over the next 12 months. That brings the presentation to a close. I was just wondering if anyone had any questions at all for me.
Thanks Julia, for this very impressive project description. Before I hand over to the audience, one question from my side. You mentioned, I guess, 17 days after the tool had been delivered you went live. Yeah. Obviously you were under a lot of pressure. If you had, let's say, more time, what would you think would've been a reasonable timeframe to do it?
I think realistically, well, I certainly would've felt comfortable with having a timeframe of up to three months, but actually, because we worked closely with Vexa right from the beginning, they knew what we wanted and they were able to turn around the configuration of the tool very, very quickly. What took the most time was actually getting people in a room and having a workshop with us.
And we changed our approach slightly, where what we looked to do was to have webinars and phone conferences and let people connect directly from their desks rather than getting them in a room. But certainly we could have spent a lot more time with our business partners; actually, it worked out very well.
Thank you for the answer. I was just told that no further questions are allowed, so I would suggest, if you have questions for Julia, you connect after this session. Yeah. But we should have enough time to give Julia a big hand for the presentation. Thank you.