To some people, the challenges placed on corporate IT by access management resemble an iceberg. “At first, you can only see a small fraction of the actual size, because most of it is below the waterline,” says Carsten Heitmann, an expert at Avanade, which is a joint venture between Accenture and Microsoft. “When you start working on the details,” he adds, “that’s when you become aware of the real scope of an issue.”
Access control is hugely important
The comparison comes up short in one respect, however. With the iceberg, 10 percent of the whole is visible; in access management, on the other hand, it's even less – as exemplified by DekaBank, the investment firm of the German Savings Banks Finance Group (Sparkassen-Finanzgruppe). In setting up its identity management system, it sought assistance from Avanade to meet the Federal Ministry of Finance's minimum requirements for risk management (MaRisk) as well as its own controlling and compliance specifications. According to these, access to internal IT systems is to be governed, documented and audited in a transparent and traceable manner. DekaBank has 4,180 employees, but manages several hundred thousand authorizations. And then, there are also the external employees and their IT access.
In 2010, DekaBank decided to overhaul its user and access management system. Its programs, which had been developed in-house, could no longer properly meet the requirements, such as automatic user and authorization lifecycles, a complete overview of authorizations and clearances, and clear verification procedures. Changes to user authorizations and access rights had to be implemented and documented manually. For those individuals who were issued new PCs or transferred to other departments, associated adjustments to access rights had to be entered manually – a time-consuming and error-prone procedure. For larger-scale changes, the individuals in question had to wait longer until access rights were stored in the systems and they could take over their new roles. A complete assessment, including a review of all authorizations, must be performed at least once annually according to MaRisk guidelines, and even on a semiannual basis for key IT systems.
Central program for system control
For that reason, DekaBank opted for an identity management system (IDM) based on the Omada Identity Suite and the Microsoft Forefront Identity Manager (FIM). Advantages include compliance reporting, data auditing, ease of use, strict and role-based access verification with an approval workflow, as well as comprehensive management of the entire lifecycle of user identities and associated authorizations. “The objective was to make IDM processes more transparent,” emphasizes Stefan Böhm, DekaBank’s project manager. “We wanted to be able to approve or delete authorizations with the push of a button. We also wanted to control lifecycles, safeguard approvals, monitor all processes and