Okay, good day everyone. My name's Mito mentioned. I have two roles within Philips. I'm domain lead identity and access management, so I'm part of the group security information. And next to that I'm also the business process owner identity and access management, and that's an independent role within the Philips organization, which is really focused on improving that standard process within Philips. So it helps our people to have a good user experience. And if you look at it like that, it should feel like this.
So you're drinking your smoothie and it should be the same experience. It should be perfect for you. So if you look at identity and access management, it's an umbrella term. It's focusing on authentication and authorization. Today I will focus only on the IGA part. Now you all know Philips, of course. Maybe you even have products at home from Philips, like a television or a vacuum cleaner, a radio, or light bulbs, but that's not Philips anymore. So Philips is nowadays really a company which is focusing on health technology only.
So we strive to make the world healthier and more sustainable through innovation. So we want to improve the lives of 2.5 billion people a year by 2030. So bottom line, we need to sell a lot of products, according to our CEO. So how does that look? At the center of our strategy is the health journey. So we have healthy living.
So we are defining our products and innovation for this entire life cycle, which you can see here. That means we need to develop products based on our customer and consumer needs. We want to live healthy, we want to prevent diseases. So that's focusing on personal health. But in case something happens with you as a person, you may need to go to a medical center or hospital, where we have clinicians, and the clinicians of course are using Philips products to see what's happening with your health.
We also have other products which can help you during the treatment, so you get better. Once it's getting better, we also have products in connected care so we can monitor your health. If you're lying in the hospital, they can monitor how your health is going, but that could be from home as well. So once you're fully recovered, again you start at the beginning where you have your healthy living. And if you look at this, there are a lot of identities here, but there's also a huge data flow.
So that means our identity and access management landscape is large and very complex. We have identities, we have information assets, and people want to get access to that. So we need to bridge that gap, and that's through access. If you look at the workforce, that's the people working in Philips: employees, contingent workers, contractors, M&As. They need to get access to our Philips application landscape, and here Philips is in control of who has access to our data.
Then we have partners, B2B: IT partners, business partners, innovation entrepreneurs, dealers, distributors, suppliers. They also need to get access to our application landscape, and also here Philips is in control of who has access to our data. Then we have our customers. Within Philips that's called B2B, but normally it's B2C; it's a Philips definition. So that's our hospitals, medical centers and the health professionals. They need to get access to our products and the marketplace applications which we offer, and there the customer is in control of who gets access to their data. But they also need to get access to Philips data, because maybe they need the latest manual on how to operate a machine, or they need to do certain training. Then we have consumers. Like I mentioned, you have the Philips-branded consumer products for your televisions, but we also still have other products like your toothbrush or a shaver. So today you go, for example, to the shop from Philips and we have consumer applications, and there the consumer is in control of who has access to our data.
And the last one which I have on the slide for today is our patients, from B2B2C. They have a relationship with the hospital or the medical center, and there the medical center is in control of who gets access to that data. You're missing IoT and OT here on the slide, but that's on purpose for today. So if you look from a security perspective, identity security is really key: who has access to what and why? But as I also mentioned, we want to enable our business and we have a process in place. So it's also a foundational element to give our people a great user experience for the B2E and the B2B part, not everything.
So it's around 115,000 identities we need to manage and for which we need to get access. We have more than a thousand applications, but we think it's around 1,000 applications. So if you want to go into the details for Philips applications, we have between five and 10,000 applications, but there are probably a lot of tools. So where we think user management is needed, it's around 1,000 applications. So that means we need to have proper identification in place.
So we need to ensure that only the good people will get access to Philips and we keep the bad people out. Then we also have the authentication part, because people need to get access to our intellectual property and we need to protect that. So we also have keys to manage if they want to get access. What was also mentioned yesterday: you only want to provide people access based on need to know and least privilege.
Less is more. So our business is really in control of who will get access to our data, because in the end they are responsible for that.
We only provide the tools and the process, but the business is managing who will get access to what and why. We need to lower our risk within Philips, so we need to do some investments there as well, in case there is a breach happening, so that the data loss and the impact on the organization will be lower. But it also has financial benefits in everything we do, because we can save cost.
But how do we get in control? Here I focus on three risks: unauthorized application access, access control failure, and excessive access.
We did not have, I have to say, a proper standardized access request process in place. We do not revoke, or do not timely revoke, access if people are changing role within the organization or leaving the organization. So if you're 30 or 40 years within Philips, you probably collected many entitlements during your entire career, and you still have them. Also, we do not review the access rights. So if somebody has the access, we should review these. How do we want to improve this? We want to improve it by implementing an IGA service to get in control.
So also if you make use of that service for your applications, you will comply with our access control policy or standard, which is defined in the security management framework.
But that covers around 80% of the controls. So there are still some controls, of course, which are not covered via the IGA service. Think about needing to have an authorization model template in place and filling it out: who gets access to what, what are the conditions, who needs to approve it. This kind of stuff also needs to be defined, and that you will not cover with your IGA solution, of course.
And then we have our PPF process. That's the Philips Process Framework. Not sure if people are aware of APQC, but that's a standard framework used around the globe to define your business processes. And Philips is about idea to market, market to order, and order to cash, supported by functions. And the identity and access management process is connecting to all these processes, because we want to ensure that the right people get the right access at the right time.
So if you make use of the IGA services, the business is also getting in control of who has access to our data.
So we improve our compliance and security, we also improve the user experience (I will come back to that later), and we also have cost reduction. Now what kind of features do we enable, or have we enabled, to get in control of access to what and why? So we need to onboard applications. I will come back to that later on, but that's very challenging stuff. And as you also know, we need to manage the user lifecycle, and not only the onboarding, but also when the relationship changes: the role within the organization or the relationship with Philips will change. Access requests and approval.
So the business is in control of who can request the access, who approves it, and they also need to check each time what the conditions are if you provide a person access to the organization.
And therefore you need to have, for example, authorization rules in place. We can provide access based on rules.
So birthright provisioning: if you start your relationship, you get the roles based on the rule which you need to have. You can also define other rules, segregation of duties, and ensure that there will be no conflicts. There's also a discussion about SAP GRC. We also onboarded that, but we keep the strength of SAP GRC. Role management: we do not believe in role management, but in some parts of the organization you can apply role-based access control, but that's very minimal. Periodic and event-based certification, and that's of course very fatiguing for every end user.
But it really helps to improve the security posture within Philips. And we do that differently. So if you look at OpenText today at the keynote, we do the same.
So the first time we enforce everyone to review the access. We have two kinds of certification. One is for the entitlement owners to review, and one for the managers. But the managers are only allowed to review the access on application level, because they do not understand anything of entitlements, of course. So we want to keep it simple for them. But after that we do periodic certification, but only on the delta.
So the delta means only what happened, what are the changes? So did this role change? Did you work in a different location?
Or maybe other attributes. If none of these attributes changed, why do we need to review his access rights? Because otherwise it'll become a rubber stamping exercise, and that's what we try to avoid. And we also have event-based certification, and that's also related to native change detection. So if people are executing processes outside the standardized process, we want to detect this. And then we are going to enforce an access review, for example, to show like, okay, are we sure that you want to give this person access?
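The certification logic just described (full review on first run, periodic review only for identities whose tracked attributes changed, immediate review of access granted outside the standard process, and an application-level view for managers), as an added illustration that is not part of the talk or of Philips' tooling. The tracked attribute set, the identity model and the "application:entitlement" naming are assumptions, and the sample snapshots are constructed.

```python
from dataclasses import dataclass

# Attributes whose change since the last certification triggers a delta
# review (assumed set; the talk names role and location as examples).
TRACKED = ("role", "location", "manager")


@dataclass(frozen=True)
class Identity:
    uid: str
    role: str
    location: str
    manager: str
    iga_grants: frozenset  # entitlements granted via the IGA request/approval flow
    observed: frozenset    # entitlements actually present in the target applications


def certification_items(previous, current):
    """Build the review list as (uid, entitlement, reason) tuples.
    previous: {uid: Identity} at the last certification (empty on the first run)
    current:  {uid: Identity} as of now
    """
    items = []
    for uid, ident in current.items():
        old = previous.get(uid)
        if old is None:
            # First certification: every entitlement is reviewed once.
            items += [(uid, e, "initial") for e in sorted(ident.observed)]
            continue
        # Event-based: access that appeared outside the standard process
        # (native change detection) is reviewed immediately.
        for e in sorted(ident.observed - ident.iga_grants):
            items.append((uid, e, "native-change"))
        # Periodic delta: only identities whose tracked attributes changed are
        # reviewed; unchanged identities are skipped to avoid rubber stamping.
        changed = [a for a in TRACKED if getattr(old, a) != getattr(ident, a)]
        if changed:
            reason = "delta:" + ",".join(changed)
            items += [(uid, e, reason) for e in sorted(ident.iga_grants)]
    return items


def manager_view(items):
    """Collapse entitlement-level items to application level for managers.
    Entitlement names are assumed to look like "<application>:<entitlement>"."""
    view = {}
    for uid, ent, reason in items:
        view.setdefault((uid, ent.split(":", 1)[0]), set()).add(reason)
    return view


# Constructed sample snapshots: u1 changed role, u2 gained git:ADMIN outside
# the IGA process, u3 is a new identity.
GRANTS_U1 = frozenset({"sap:FI_VIEW", "crm:READ"})
PREVIOUS = {
    "u1": Identity("u1", "analyst", "NL", "m1", GRANTS_U1, GRANTS_U1),
    "u2": Identity("u2", "engineer", "NL", "m2", frozenset({"git:PUSH"}), frozenset({"git:PUSH"})),
}
CURRENT = {
    "u1": Identity("u1", "manager", "NL", "m1", GRANTS_U1, GRANTS_U1),
    "u2": Identity("u2", "engineer", "NL", "m2", frozenset({"git:PUSH"}), frozenset({"git:PUSH", "git:ADMIN"})),
    "u3": Identity("u3", "nurse", "US", "m3", frozenset({"crm:READ"}), frozenset({"crm:READ"})),
}
```

Running certification_items(PREVIOUS, CURRENT) yields four items: u1's two entitlements for a role change, u2's git:ADMIN as a native change, and u3's initial review; u2's unchanged git:PUSH is not re-certified.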
The green ones are currently implemented, the amber ones are in progress, and the red one I will come back to on the next slide. So how did we pave our path to get in control and also to really enable our business? It started in 2017. We selected a product from one of the vendors here, and then Philips decided to split the organization.
So they wanted to keep the old solution and we wanted to move out, because we were a separate company, so we wanted to move away from health tech. In the end we were overruled and we needed to do a one-on-one replacement. Never do that, I can tell you. But we have integrated our HR system and Active Directory. In 2018 we moved our IGA product to the cloud. It was first in a physical data center. We were the first customer to move our solution into the cloud, because it'll help us with the performance, and that's related to the next one.
In 2019 we could finally start what we wanted to do in 2017: enable centralized access requests, manage the account lifecycle, and start with onboarding applications. We started with five applications, so we picked the easiest ones, also where we had the best relationship. From 2020 till 2022 we onboarded around 250 applications, and those were our most critical applications, based on the CIA rating. But we also had sessions within Philips with our people to understand what your most critical information assets are.
We also onboarded SAP GRC, but we want to use the capabilities of SAP GRC itself, because they're really good in that.
Now in 2023, where are we today? We enabled periodic certification, and later on we are going to enable event-based certification and native change detection. But we will also onboard Azure AD to get the risk score, because in Azure AD there's a risk score and then we can make use of that. And further on we want to streamline our non-employee management, enable predictive access, and also make integrations with Kim and not PAM for requesting access to the PAM solution.
But the capabilities in PAM, because there is another vendor which we have, they have some tools where we can do some integrations. Now what are the results so far? We have more than 250 applications onboarded. We manage 115,000 identities. We came to the conclusion that for 250 applications we have 1.6 million accounts, and we still didn't onboard the other applications.
We reduced from three to five days to one day, or one hour I need to say. So if you request access, you get it in one day. And that's because we only want direct integrations.
And a lot of applications do not have a SCIM connector or whatever available, so these kind of connectors were specifically built for Philips. User experience: so we are productive now in one day, and we have a lot of cost savings. I cannot say the number, but I can tell you we have a lot of cost savings. From a stakeholder perspective, some feedback which we get: from non-proactive to automatic onboarding, they were really happy with that. It improved our quality and also prevents making mistakes.
So in the past they created an account, assigned the accesses, and oh, this was a little bit too much, or not the correct accesses assigned, which was related to risk. Of course it frees up time for our service partners to improve the quality, because now they can focus on other stuff. Now they finally have time to improve the quality of their applications.
There's a huge reduction in service requests for the respective support teams. And they also said, hey, it's a foundational element for driving role-based access.
We don't believe in it from security, but we can help them if they want to drive this, because it's their responsibility. I see I have three minutes left. So what are our critical success factors? Commitment, and not only commitment from the top layer that it'll be pushed down, because that will help you; you need to get it on all layers, get commitment from everyone. Change management: implement change management, because some people will embrace it and will be really happy with it, but there will also be people pushing back. Why do we need to implement this process?
We already have a process in place. We already comply with the controls. The auditors are not complaining about anything. So you get a lot of pushback from people. Embrace organizational changes.
So during that journey of five, six years which we had, Philips split multiple times into different companies. It was not only Signify; the last one was also our Domestic Appliances, which now has a different name, also split. So we need to embrace these. We have our north star, we will go there, but we will never be going in one direction. So embrace it and deal with it. Have the right people in.
So ensure that you have skilled and experienced people. Project management, proper project management, that's a critical one. So also select a good project manager. Define clear roles and responsibilities, not only within the team implementing it, but what are the roles and responsibilities within the business? What will change for them?
Architectural principles are also very important, because we wanted to have direct integrations. Stick to the principles which you have, do not deviate from them, because in the future you will have twice as much work as you want to do.
Create a standardized process in your organization. We are using ARIS, but if you have other tooling where you define your process, make use of it, and communicate this to your stakeholders. Ensure your policies are up to date, because normally they're always defined in the ivory tower from security; communicate them clearly to the stakeholders too. Do not define them, publish them somewhere and say it's here. Really ensure that the stakeholders understand them as well. Start with easy applications. Do not start with SAP GRC, for example.
Just pick the easy application, a small application, not too many users, and get experience in how you want to do it. And of course the last one is follow the IT change management process. Are there any questions?
Thank you very much. First of all, thank you. Yes, finally it worked out. We have a question coming in through the chat. Finally, we've managed to get that, so we picked that up, and it's a good one. You've mentioned that a bit on your slide, but the question is really something that is on my mind as well: when the business is in control, and I really like that idea,
how did you manage to educate the business, and how painful was that?
Yeah, so the good one was we started with ARIS, so that's for the processes. And they also created work instructions and they really communicated to their people what they need to do. So we helped them, but they did the real communication. So each time the applications themselves did the communication to their stakeholders. We only helped them to define these work instructions, for example. Okay. And all the changes...
Is there a question, so...
The applications were driving this.
Okay,
That's great to hear then, because then really the business is driving, because they want to achieve something. Yes.
Right.
Any other questions in the room? Otherwise I'll ask, but your questions are more important. Okay.
Then I... how do you, as you said, the organization is very diverse and split up and tessellated, and how do you measure your improvement? How can you say, okay... do you have KPIs in place so that you really can say, yep, we are getting better?
We have a KPI dashboard, but we are still, yeah, working on getting the data really out of the product itself, because that's challenging. We have a challenge from the vendor, I have to say it like that. But we see that there are improvements, but it's very hard to get the data out of the system itself. Right.
Especially when they're in different ownerships. Yes.
Yeah.
Okay, then thanks again, Mihi, for that great presentation and that insight into a real-life scenario. Thank you.