KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Thank you very much. Right?
So, as I indicated, I'm going to run through a number of slides. Oops, it doesn't look like it's changing, but there we go. Right. I'm just quickly going to cover our identity access governance journey, focusing specifically later on the staff identity and access that we've implemented. And then, once again, just highlight some lessons learned. We've included in the slides some practical examples of the reports that we're busy generating at the moment, which we share with our business and with our risk community. There won't be time to work through those.
So you're welcome to have a look at them after the presentation. So our journey started back in 2014.
We created what is known as a security foundation program. NetBank at the time was looking to refresh technology, and instead of doing a big bang approach, we agreed to follow what is known as a managed evolution approach to introducing some of the new technologies. One of those was the security foundation program.
And as you can see at the top there, we focused really on creating a new zone, some certificate management that we had to address, specifically looking at that particular point in time at our service-oriented architecture security. Then a very big component of what the team does is NetBank ID from a client perspective, and then also access governance, which is more focused on the staff side of things.
There was also quite a big piece of privileged access management that we were busy with at that point in time. When we started in 2014, I think, as many organizations, we were following mostly a waterfall project management approach and implementation strategy, and we have since migrated that into a more agile approach. And as you can see at the bottom here, we have now today what is known as a security tribe. The security tribe consists of a number of squads that look after, for example, the NetBank ID. So the NID really is our client identity provider.
So all our clients would use that with their username and password, and what we've introduced with that as well are a number of other authentication factors, including digital signatures. We are busy integrating facial biometrics and fingerprint biometrics into that solution as well, to really make sure that we can enable our clients from a digital perspective all the way from the onboarding process through to servicing and transacting. We then have what we call the IAM integration team, our identity and access management integration team.
That's a team that looks after a lot of the backend components from an IDP perspective. So mostly a lot of our IBM technologies, as well as some of our mainframe technologies on which something like NetBank ID is built, and which also integrates into our access governance solution. We then have the CAG team, or the Centre for Access Governance. This team looks after the access governance and data access governance side, and the PAM solution, the privileged access management solution, although that is not directly maintained by them.
They integrate into that to obviously assist with the access governance solution, or the access reviews, on that side. We then have something which we call the event logging pipeline. The event logging pipeline is really a central logging solution for the bank. In the past, all the different applications logged to different databases. It was an absolute nightmare to correlate all this data. So we've created an event logging pipeline where all the audit logs and also instrumentation logs are logged.
We've seen massive benefit from this, as it's now in one area and we can do the correlation. And, as I mentioned, massive benefits. The last squad that I want to quickly mention is just the authorizations platform. The authorizations platform is really looking to externalize authorizations from applications, and also, given the new API application architecture that's being adopted by the bank, externalizing that and then considering attribute-based access control instead of just role-based access control. Right?
Then moving on to staff identity and access specifically. From a bank perspective, we've considered this across a number of architectural layers. So starting at the bottom, physical access: that really just controls who's got access to our buildings, and also to some sensitive equipment throughout the building. So we have a specific physical access management system that looks after that. But what we've done there is we've integrated that into our access governance solution as well.
Some learnings from that, or what we've learned once we'd integrated it into the access governance solution, was that the physical access management solution was, not unmaintained exactly, but the access within it wasn't reviewed and was therefore also out of date. So the first access review from that perspective really highlighted a number of people who had incorrect access, followed by quite a nice cleanup. So from their perspective, a massive benefit to the bank to try and clean that up. It also taught us some lessons.
We realized that we had many different security zones. These security zones obviously create lots of administration for the physical access management team. So the question at the time was, do we really need all these physical access management zones? And I think we went through a cleanup process there as well, and really challenged the bank and the risk community to say, are we doing this correctly? The next typical layers that we then considered are really the network, operating system and database layers.
And this is where privileged access management plays a role. From a NetBank perspective, we've been through quite an extensive RFP process, and we ended up selecting the BeyondTrust privileged access management solution. This is quite important from an identity and access management perspective, as at these layers you typically bypass the application controls that are implemented with either role-based access control or attribute-based access control.
So the integration here, or the controls here, are key, as access to these sensitive systems obviously bypasses all the other controls. Once again, what we've done here is we've integrated this into our access governance solution, and we now enable people to review access on a regular basis through our access governance solution. So the integration between the privileged access management solution and the access governance solution is key. The next layer up from that then really speaks to the application layer.
Now, here there are a number of ways to integrate into these applications. You can just sort of export the access control or the access rights into an Excel file, upload that into the solution, and you can then at least understand who's got access to that.
However, from a NetBank perspective, we've decided to take the longer route, or the more difficult route: we've decided to, as far as possible, integrate into these applications directly. Why is this important? This is important because once you start with access reviews, you typically need to go and revoke access. Once people indicate that a staff member no longer needs access to the application, by integrating directly into the solution, we enable the provisioning of access rights into these applications.
So therefore, as people join the bank or leave the bank, we can automatically go and revoke that access, or, based on access reviews where people would then revoke access, we could also go and do that automatically. And more importantly, from an access request perspective, we've seen that there was massive benefit in automating some of these access request processes. So once again, through the access governance solution, the staff member would request access, that would go through the approval process, and once that was done, we would then provision that automatically into the application.
Once again, massive benefit to our business. Many of the applications that we've onboarded over the last couple of years followed fairly manual processes where pieces of paper had to be completed, then sent around, then signed off by the right people. Then it had to go to an administrator, and that administrator may have made some mistakes. So the benefit to the NetBank business as a result of our identity and access management solution is evident to all. Then at the very top layer, sort of the last piece that we've considered, is the unstructured data.
This is typically files or documents created on file shares and SharePoint. And what we've done here is we've adopted, well, we've selected the SailPoint File Access Manager solution. This solution really allows us to connect to all these file shares and SharePoint folders, crawl these, classify the data, and also determine who's got access to those files and folders.
This is quite important from a privacy perspective. As you can understand, staff sometimes need to extract data from databases, or run reports via the applications, and these typically end up on file shares or SharePoint. So once the data is classified and we know who's got access to the data, we then go back to our business counterparts and we spend quite a bit of time with them to work through the different folders, and also understanding, excuse me, why some of the access is there, or why some of the documents are there.
So there are a couple of ways you can address the unstructured data, but we work with the businesses to do that. Once again, with the File Access Manager solution, this is integrated into our access governance solution, and this enables us then to also perform access reviews, as well as access requests, for that data via that solution.
So the initial cleanup process takes a bit of time, but once it's up and running and onto the solution, it really helps us to keep the access current by having it reviewed and, obviously, by following a proper access request process. So that sort of covers the left-hand side of the slide. Then just talking around some of the specific controls. So starting at the top, from a lifecycle management perspective, we've integrated into our HR solution, and our initial integration...
Let's put it this way. We obviously had a number of challenges to get it working at first. But once we had it working, we then enabled what is known as the joiner, mover and leaver processes. We have also recently simplified those processes. So, unfortunately, because you rely on a different HR system, you need to also rely on their data and the controls that they have on that side. So we've simplified that process.
And over the last couple of years, or over the last two years, we've actually had some 11,000 people, or employees, who we've enabled through this process. This process is also key when it comes to access requests, right? Because we went back to our risk community and to our internal auditors at the time when we started with these processes; at that time, monthly reviews were followed.
And by explaining to them that if you follow a strong joiner, mover and leaver process, you could actually reduce the number of reviews we had to perform on an annual basis, we are now down to sort of three major reviews a year, with a target of trying to get to every application at least once per year. So that is quite key, and, once again, it saved our business line managers lots of time in having to spend time on access reviews. The next important point really is around the segregation of duties policies.
Those are all configured inside the IdentityIQ solution, the SailPoint IdentityIQ solution. So once again, as people request access, or as access reviews are performed, we can highlight to line managers, and show where segregation of duties conflicts are being created and policies are being violated, and the line manager can then act accordingly on that basis. I've spoken quite a bit around the access request side of things.
So we've processed a large number of access requests over the last couple of years as well, and very successfully; the business is really, really pleased with what we've managed to achieve there. This also allows us to keep a full audit trail of how somebody got to this particular piece of access. Access reviews: once again, as I've mentioned, that's done three times a year now instead of a monthly review. And then when it comes to the analytics and the role engineering, there's more that we would like to do in that particular space.
And we are looking at how to do that. However, at this particular point in time, some of the reports further down, in terms of the practical examples, will highlight some of the reporting that we do back to our board of directors and also to the risk communities and internal auditors. Our internal audit teams also now have access to the solutions, so they also make use of this to understand how to audit some of the access across all the different applications.
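The joiner/mover/leaver lifecycle and the segregation of duties check on access requests described above, as an added example in Python. This is not the speaker's bank's code and not the SailPoint IdentityIQ API: the departments, the birthright entitlements, the entitlement names and the SoD policy pairs are all constructed for illustration, and the HR feed is a handful of constructed records.

```python
"""Toy model of HR-driven joiner/mover/leaver (JML) provisioning plus a
segregation-of-duties (SoD) check applied to access requests.

Constructed example: not the speaker's bank's code and not IdentityIQ's API.
Department names, entitlement names and SoD policies are made up.
"""
from dataclasses import dataclass, field


@dataclass
class HrRecord:
    """One row of a constructed HR feed."""
    employee_id: str
    status: str          # "active" or "terminated"
    department: str


@dataclass
class Identity:
    """What the governance solution knows about one staff member."""
    employee_id: str
    department: str
    entitlements: set = field(default_factory=set)


# Entitlements granted automatically by department (constructed "birthright" access).
BIRTHRIGHT = {
    "finance": {"erp:read"},
    "it": {"git:merge_main"},
}

# SoD policies: a person must never hold every entitlement in one of these sets.
SOD_POLICIES = {
    "create-vendor-and-pay": frozenset({"ap:create_vendor", "ap:approve_payment"}),
    "dev-and-prod-deploy": frozenset({"git:merge_main", "prod:deploy"}),
}


def sod_violations(entitlements):
    """Names of SoD policies whose whole conflicting set is held, sorted for stable output."""
    held = set(entitlements)
    return sorted(name for name, pair in SOD_POLICIES.items() if pair <= held)


def evaluate_request(identity, requested):
    """Decide an access request before it reaches the approver.

    A request that would create a new SoD conflict is flagged to the line
    manager rather than silently routed; everything else goes to approval.
    """
    before = set(sod_violations(identity.entitlements))
    after = sod_violations(identity.entitlements | {requested})
    new_conflicts = [name for name in after if name not in before]
    if new_conflicts:
        return {"decision": "flag", "policies": new_conflicts}
    return {"decision": "route_to_approver", "policies": []}


def reconcile(identities, hr_feed):
    """Apply a JML feed to the identity store and return the actions taken.

    joiner: create the identity with its department's birthright access
    mover : swap old-department birthright for new-department birthright
    leaver: revoke everything (the automatic revocation the speaker describes)
    """
    actions = []
    for rec in hr_feed:
        ident = identities.get(rec.employee_id)
        if rec.status == "terminated":
            if ident is not None and ident.entitlements:
                actions.append(("leaver", rec.employee_id, sorted(ident.entitlements)))
                ident.entitlements.clear()
            continue
        if ident is None:
            ident = Identity(rec.employee_id, rec.department,
                             set(BIRTHRIGHT.get(rec.department, set())))
            identities[rec.employee_id] = ident
            actions.append(("joiner", rec.employee_id, sorted(ident.entitlements)))
        elif ident.department != rec.department:
            ident.entitlements -= BIRTHRIGHT.get(ident.department, set())
            ident.entitlements |= BIRTHRIGHT.get(rec.department, set())
            ident.department = rec.department
            actions.append(("mover", rec.employee_id, sorted(ident.entitlements)))
    return actions


if __name__ == "__main__":
    store = {}
    feed = [HrRecord("e1", "active", "finance"), HrRecord("e2", "active", "it")]
    print(reconcile(store, feed))
    store["e1"].entitlements.add("ap:create_vendor")
    print(evaluate_request(store["e1"], "ap:approve_payment"))
    print(reconcile(store, [HrRecord("e1", "terminated", "finance")]))
```

Movers keep any individually requested access here and only have birthright access swapped; a real deployment would also open a review of the retained access, which is exactly the point the speaker makes about reviews being cheaper once JML is reliable.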
They can also go back to line managers where appropriate and follow up with them on why particular access was assigned. Right? So then just moving on to some lessons learned in the journey. As I've mentioned, one of our big learnings was: rather go a little bit slower to go faster later. So we spent more time on making sure that we integrate into the applications, and that we can then, as part of that process, automate the access requests, as well as all the, let's call it, provisioning, which is then a requirement from an access request perspective,
and also from an access review perspective. The next important point is ownership. It is critically important that the business keeps, or sort of understands, that they are the ultimate owners of this access. The tools provided by our team really just enable the processes. The ultimate ownership still remains with the business. They need to decide who's got access to what, and also, when it comes to review time, they need to make sure that it's correct and that the access is revoked accordingly. The other important point was to challenge the norm.
I think I've mentioned a couple of examples where, from a physical access perspective or from an internal audit perspective, they insisted that we do certain things. So the monthly reviews, for example: we challenged them quite hard on that to say, if all of these processes are in place and these risks are being managed, we believe that the risk is appropriately mitigated. The other important point is to just keep it simple; really try and keep it simple for the business line managers.
At the end of the day, they've got to perform these reviews and they need to make sure that they do this correctly. And then just influence and empower as far as possible; make sure that you enable the business to do the access management, or access governance, themselves. Once again, we provide the tools, and together with the bigger organization and the policies that we have in place, we can now effectively report on the status of our applications. We have onboarded more than 80 applications at this particular point in time.
There is still a long list of them that we're trying to get to. And once again, we've got some examples in the slide deck of the roadmap that we've used.