22
1 Learning to Dance Like an Elephant A Case Study in Identity and Access Management at Tabcorp Darren Lang Service Management Technology Manager
1
Learning to Dance Like an Elephant
A Case Study in Identity and Access Management at Tabcorp
Darren Lang Service Management Technology Manager
2
Our Journey as a Case Study
Ø This is about our overall IDAM journey
Ø This is not about a single project or activity
Ø Let’s talk about: § Area’s of IDAM we implemented § Lesson’s we learned § How we broke up the work § Mindset to approach IDAM
3
Who is Tabcorp
Ø Tabcorp manages leading customer brands in Australia, including TAB, Luxbet, Sky Racing, Sky Sports Radio, Tabcorp Gaming Solutions (TGS), and Keno, serving millions of customers every year
Ø Wagering and Gaming offerings are subject to laws and regulations within most States, as well as Federal laws
Ø Tabcorp Technology (IT) is also ISO9001 & ISO 27000 certified
Ø Net result can be DEATH BY AUDIT!!!
4
Old Tabcorp Challenges - Users
Ø Challenges: § Long delays for some staff onboarding tasks § Many difficult and confusing request processes § Confusion around owners/approvers § A terrible overall on-boarding experience
Ø Causes: § Many unrelated processes § Lots of owners and stakeholders § Archaic and complicated paper forms
5
Old Tabcorp Challenges - Security
Ø Challenges: § Access management risks, both known and unknown § User access was extremely difficult to audit § Inconsistent & manual user off-boarding § Inappropriate long term hoarding of access
Ø Causes: § Limited visibility of accesses in place § Many inconsistent authorization processes § Lack of data store for accesses and authorizations § Using a ‘same access as’ approach to access requests
6
What is IDAM?
Access Management – is the process of granting authorized users the right to use a service, while preventing access to non-authorized users.
*ITIL Service Operations 2011 Edition, from Best Management Practice
Identity management is a term that refers broadly to the administration of individual identities within a system, such as a company, a network or even a country. In enterprise IT, identity management is about establishing and managing the roles and access privileges of individual network users.
“One identity per individual”
*Article: The ABC’s of Identity Management, by John K. Water
7
Why IDAM at Tabcorp?
Ø Users objectives: § Automate on-boarding § Centralize a place to request access § Standardize our approach to access fulfillment § Put ‘help’ and ‘knowledge’ of processes and approvers
within reach § User friendly self-service approach
Ø Security objectives: § Consistent approach to user off-boarding § Central repository of known access per IDENTITY § Easily auditable data store of requests and approvals
for auditing
8
Dancing Like an Elephant – Inspiration & Insight
Ø Don’t lose the forest for the trees. Look small but think big.
Ø Understand the value in the big picture, and rework the small pieces to maximize that value.
Ø Focus value on the people that matter; your customers.
Ø Not everyone needs to understand the big picture, provided people that do, set up the small pieces right.
9
IDAM Areas of Focus
Ø Areas we have chosen IDAM to help Tabcorp § Birthright Provisioning (On-Boarding) § Identity Administration § User Access Requests § Access Certification/Audit § Termination and De-provisioning (Off-Boarding) Symbol Legend: SailPoint ServiceNow Semi-Automated Process
10
Birthright Provisioning
Ø Integrate with HR DBoR for staff details & triggers for: § New starters § People leaving
Ø Automatically create unique staff Identities Ø Automatically provision basic accounts and objects
§ Active Directory (LAN) account, § HR Management account § Intranet Account § Exchange email-boxes § Share drive access
11
User Access Requests
Ø Implemented self service requests for specific access areas § Using workflows to assign and complete authorization
and provisioning steps § Providing a central repository for storage of auditable
requests and authorizations Ø Provided transparent progress through self service
tickets or IT Service Desk (ITSD) query Ø Created a central point of contact for help and advice
(ITSD)
12
Identity Administration
Ø Implemented ‘Correlation’ rules to link access to Identities using: § Attribute synching § Manual correlation processes
Ø Directly integrated with systems to record what user access people actually have (based on ‘Correlation’)
Ø Set up process triggers on changes in Identity or access
Ø Implemented the ability to synchronize passwords across live systems. (i.e. same sign-on)
13
Ø Allow the creation of regular, automated certification activities to: § Regularly certify the continued authorization for
access via line managers § Flag unauthorized access § Pass de-provisioning activities to appropriate
processes for removal of access
Ø Allows the grouping of certification activities together by system to allow easier scheduling, reporting and management.
User Certification/Audit
14
Ø Automated removal of unauthorized access: § Flagged by Certification/Audit § For individuals leaving the company
Ø Creation of Service Requests for manual removal of unauthorized access: § Flagged by Certification/Audit § For individuals leaving the company
Ø Provided a process for Emergency Cessation or Suspension of staff
Termination & De-provisioning
15
Our Current System Landscape
Oracle HR
ServiceNow
AD AD AD
FTP
Indirect Apps & Hosts
Direct Apps & Hosts
SailPoint
16
Our Current Stakeholders
Service Management Technology
Security
IT Service Desk
HR
IT Support Groups
17
Overall achievements - summary
Ø Known, repeatable processes……that users can rely on!!! Ø Recordable and repeatable method for appropriate
authorization of access Ø Central repository of user access associated to Individuals Ø Ability to better quantify and manage risks around access
management Ø A better overall customer experience, driven by:
§ Better fulfillment times § More request transparency § Accessible help
18
How have we delivered this?
Ø By remembering that IDAM is bigger than just one: § Group of people § Process § Tool or Technology Platform
Ø By selecting the right method of delivery § Projects § Internal initiatives (BAU Minor Enhancement) § BAU Requests
19
How can YOU start with IDAM?
Assuming you don’t have a critical need already Ø Review your User and/or Security drivers
§ User experience issues § Productivity loss § Audit needs § Major security risks
Ø Pick a focused list of those drivers and assess ROI Ø Look at how existing tools and processes can be
enhanced to gain measurable wins Ø Develop a cadence of visible success Ø Consider a project vs. BAU approach
20
Top Takeaways
Ø Identity and Access Management is about bringing together lots of pieces. Always keep the big picture in mind.
Ø Security and risk management are goals, but never forget the customer experience.
Ø If you make sure all teams are aligned to the same outcomes getting the big picture in place will be easier.
Ø Start small if you can. Show some success, then choose to expand carefully.
21
Questions
22
Final Thoughts
With planning, With perseverance,
Always keeping the big picture in mind, You too can learn to dance like an Elephant!!!
