As the CISO at investment firm Lehman Brothers, Tom King had a wide range of goals to achieve when choosing a provisioning system for the 21,000 staff and half a million unique user accounts he oversees.
Not only did he need to make those accounts as secure as possible, but also ensure that users – situated around the globe – got access to some 650 critical applications and a variety of platforms to do their jobs. This meant, of course, that access had to be denied to any users attempting to see information for which they had no approval.
The solution, known as the Total Access Control provisioning system (TAC), was implemented using homegrown code built around an identity management solution from Thor Technologies. King says this was because Lehman needed consistency across applications and across platforms.
Standardizing and automating TAC proved no easy task, but by November 2004 King and his security team had declared phase two of the project complete, automating access for all the critical applications, including email, online applications and more.
Obtaining company-wide support
"Designing and implementing the technology was the easy part," says King. "We had to change the culture of quite a few of our departments, and change significant, long-standing processes to enable us to implement TAC and achieve the goals of having an accurate accounting of who has what, and improving user access security."
Processes by which people were transferred, fired or hired, including notifications and other steps, had to be completely revamped, and required commitment from business units to be diligent about data and its ownership. This meant getting support from units and managers from the outset.
King says he did this by showing staff the bright light at the end of the tunnel. If they bought into TAC and committed to owning the data, keeping it clean, providing it to IT in timely fashion, and making sure it was accurate and correct, he would provide a streamlined and centrally-managed process that would let employees get to data more quickly.
Other benefits were just as easy to explain. For instance, TAC would enable an account to be set up in 20 minutes, rather than five days. Likewise, managers would be able to shut down a person's entire access in 60 seconds, as opposed to one week.
They would also be able to get reports on a person's access to applications across the company instantly, rather than waiting five days to query people for reports. That need is now all the more palpable as regulatory requirements such as the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act (SOX) make firms provide detailed audits of how data is accessed and by whom. After seeing the benefits, business units became willing partners, says King.
Help with regulatory pressures
TAC will not only help with requirements set forth in GLBA or SOX, says King. Privacy mandates noted in the Basel II Accord and the E.U.'s Data Protection Directive will be more easily met. Calls from the FCC to segregate some parts of the business will also be easily achieved using TAC, since it lets the firm look at every attribute of a user and of the applications.
Because it has become the enterprise method by which Lehman provisions and deprovisions staff, every application built going forward has to be compliant with TAC. That, he adds, is a firm mandate.
"We are, far and away, the biggest provisioning deployment in the world. I don't think anyone comes close to this," says King. "Some people have a couple of platforms – you know, Windows and Solaris – and we've got everything from SecurID tokens all the way out to... accounts on our conference-calling system.
"What's innovative about TAC is that it's very flexible and it's very open. We sort of extracted a level above the Thor application so that we can talk to just about any application we need to."
A changing landscape
TAC has already had an impact on all application development going forward, he continues.
TAC will also benefit compliance efforts going forward, because the company now has a well-audited approval process. This will be continually improved by going back and revamping the system to capture additional data that might be required for regulatory inspection.
John Aisien, Thor Technologies' vice-president of marketing and business development, says that, compared with one or two years ago, real and effective identity management deployments are happening today.
"What IT has done very well for quite a while is help other functions automate their own business processes," he says. "What IT has never really done is deploy something like an ERP for IT itself, so a lot of IT processes are amazingly manual and security administration/identity management is a classic example of that."
He asked that his horror story, among the countless that have been shared with the media, be added to the mix: "Before I joined Thor, I used to be with a large global consulting firm whose name I shall not use. Two years after I left, I still had accounts and access rights in its infrastructure. That is a tremendous disservice that IT is providing in this case."
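The two controls this article keeps returning to, an "accurate accounting of who has what" with revoke-everywhere deprovisioning, and the orphaned accounts Aisien describes, can be shown in a small reconciliation model. This is an added illustration, not Lehman's TAC or Thor's product; the HR roster, application inventories, employee ids and function names are all constructed for the example.

```python
"""Orphan-account reconciliation and cross-application access report.

Added illustration only: a minimal model of what a central provisioning
system reconciles. All data below is constructed sample data.
"""

# Constructed HR roster: employee id -> (name, status). A "terminated"
# status means access should already have been revoked everywhere.
HR_ROSTER = {
    "e1001": ("A. Analyst", "active"),
    "e1002": ("B. Trader", "active"),
    "e1003": ("C. Former", "terminated"),
}

# Constructed per-application inventories: app -> {employee id: enabled}.
# e9999 has an account but no HR record at all (an unknown owner).
APP_ACCOUNTS = {
    "email":      {"e1001": True, "e1002": True, "e1003": True},
    "trading_ui": {"e1002": True, "e1003": False},
    "conf_calls": {"e1001": True, "e1003": True, "e9999": True},
}


def find_orphans(roster, app_accounts):
    """Return enabled accounts whose owner is terminated or unknown to HR,
    as sorted (app, employee_id, reason) tuples."""
    orphans = []
    for app, accounts in app_accounts.items():
        for emp_id, enabled in accounts.items():
            if not enabled:
                continue  # a disabled account is not a live exposure
            if emp_id not in roster:
                orphans.append((app, emp_id, "no HR record"))
            elif roster[emp_id][1] == "terminated":
                orphans.append((app, emp_id, "terminated employee"))
    return sorted(orphans)


def access_report(emp_id, app_accounts):
    """The 'who has what' view: apps where emp_id has an enabled account."""
    return sorted(app for app, acc in app_accounts.items() if acc.get(emp_id))


def deprovision(emp_id, app_accounts):
    """Disable every account for emp_id across all apps (in place) and
    return the apps touched, mirroring a single central revoke action."""
    touched = []
    for app, accounts in app_accounts.items():
        if accounts.get(emp_id):
            accounts[emp_id] = False
            touched.append(app)
    return sorted(touched)
```

Running `find_orphans` against the sample data flags the terminated employee's live email and conference-call accounts plus the account with no HR record; `deprovision` then clears the first two in one pass, leaving only the unknown owner for a human to chase.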
It is no wonder that implementations such as Lehman's have enhanced the profile of the CSO, he adds.
"I think all of a sudden the CSO or the CISO has a direct line to the CFO's function that is typically responsible for compliance efforts... There are not many hardcore IT infrastructure projects that are so visible to [managers and] the end-users."