learning to dance like an elephant - service management 2019smconference.com.au › 2015 ›...

Post on 08-Jun-2020

Learning to Dance Like an Elephant

A Case Study in Identity and Access Management at Tabcorp

Darren Lang, Service Management Technology Manager

Our Journey as a Case Study

- This is about our overall IDAM journey
- This is not about a single project or activity
- Let’s talk about:
  - Areas of IDAM we implemented
  - Lessons we learned
  - How we broke up the work
  - Mindset to approach IDAM

Who is Tabcorp

- Tabcorp manages leading customer brands in Australia, including TAB, Luxbet, Sky Racing, Sky Sports Radio, Tabcorp Gaming Solutions (TGS), and Keno, serving millions of customers every year
- Wagering and Gaming offerings are subject to laws and regulations within most States, as well as Federal laws
- Tabcorp Technology (IT) is also ISO 9001 & ISO 27000 certified
- Net result can be DEATH BY AUDIT!!!

Old Tabcorp Challenges - Users

- Challenges:
  - Long delays for some staff onboarding tasks
  - Many difficult and confusing request processes
  - Confusion around owners/approvers
  - A terrible overall on-boarding experience
- Causes:
  - Many unrelated processes
  - Lots of owners and stakeholders
  - Archaic and complicated paper forms

Old Tabcorp Challenges - Security

- Challenges:
  - Access management risks, both known and unknown
  - User access was extremely difficult to audit
  - Inconsistent & manual user off-boarding
  - Inappropriate long term hoarding of access
- Causes:
  - Limited visibility of accesses in place
  - Many inconsistent authorization processes
  - Lack of data store for accesses and authorizations
  - Using a ‘same access as’ approach to access requests

What is IDAM?

Access Management – is the process of granting authorized users the right to use a service, while preventing access to non-authorized users.

*ITIL Service Operations 2011 Edition, from Best Management Practice

Identity management is a term that refers broadly to the administration of individual identities within a system, such as a company, a network or even a country. In enterprise IT, identity management is about establishing and managing the roles and access privileges of individual network users.

“One identity per individual”

*Article: The ABC’s of Identity Management, by John K. Water

Why IDAM at Tabcorp?

- User objectives:
  - Automate on-boarding
  - Centralize a place to request access
  - Standardize our approach to access fulfillment
  - Put ‘help’ and ‘knowledge’ of processes and approvers within reach
  - User friendly self-service approach
- Security objectives:
  - Consistent approach to user off-boarding
  - Central repository of known access per IDENTITY
  - Easily auditable data store of requests and approvals for auditing

Dancing Like an Elephant – Inspiration & Insight

- Don’t lose the forest for the trees. Look small but think big.
- Understand the value in the big picture, and rework the small pieces to maximize that value.
- Focus value on the people that matter: your customers.
- Not everyone needs to understand the big picture, provided the people that do set up the small pieces right.

IDAM Areas of Focus

- Areas where we have chosen IDAM to help Tabcorp:
  - Birthright Provisioning (On-Boarding)
  - Identity Administration
  - User Access Requests
  - Access Certification/Audit
  - Termination and De-provisioning (Off-Boarding)

Symbol legend: SailPoint, ServiceNow, Semi-Automated Process

Birthright Provisioning

- Integrate with HR DBoR for staff details & triggers for:
  - New starters
  - People leaving
- Automatically create unique staff Identities
- Automatically provision basic accounts and objects:
  - Active Directory (LAN) account
  - HR Management account
  - Intranet account
  - Exchange email boxes
  - Share drive access

User Access Requests

- Implemented self service requests for specific access areas
  - Using workflows to assign and complete authorization and provisioning steps
  - Providing a central repository for storage of auditable requests and authorizations
- Provided transparent progress through self service tickets or IT Service Desk (ITSD) query
- Created a central point of contact for help and advice (ITSD)

Identity Administration

- Implemented ‘Correlation’ rules to link access to Identities using:
  - Attribute syncing
  - Manual correlation processes
- Directly integrated with systems to record what user access people actually have (based on ‘Correlation’)
- Set up process triggers on changes in Identity or access
- Implemented the ability to synchronize passwords across live systems (i.e. same sign-on)

User Certification/Audit

- Allows the creation of regular, automated certification activities to:
  - Regularly certify the continued authorization for access via line managers
  - Flag unauthorized access
  - Pass de-provisioning activities to appropriate processes for removal of access
- Allows the grouping of certification activities together by system to allow easier scheduling, reporting and management.

Termination & De-provisioning

- Automated removal of unauthorized access:
  - Flagged by Certification/Audit
  - For individuals leaving the company
- Creation of Service Requests for manual removal of unauthorized access:
  - Flagged by Certification/Audit
  - For individuals leaving the company
- Provided a process for Emergency Cessation or Suspension of staff
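An added example (not Tabcorp's, SailPoint's or ServiceNow's code) of how the correlation rules, certification flags and de-provisioning hand-off on the Identity Administration, User Certification/Audit and Termination & De-provisioning slides fit together. The record fields, queue names and all sample data are assumptions constructed for illustration.

```python
"""Attribute-based account correlation with leaver and orphan detection.
All identities, accounts and field names here are constructed for illustration."""

# Constructed HR records: the authoritative source ("one identity per individual").
IDENTITIES = [
    {"id": "E1001", "email": "a.ng@example.com", "status": "active"},
    {"id": "E1002", "email": "b.roy@example.com", "status": "terminated"},
]

# Constructed account extracts from connected systems.
ACCOUNTS = [
    {"system": "AD", "name": "ang", "employee_id": "E1001", "email": ""},
    {"system": "AD", "name": "broy", "employee_id": "E1002", "email": ""},
    {"system": "FTP", "name": "b.roy", "employee_id": "", "email": "B.Roy@Example.com"},
    {"system": "FTP", "name": "svc_batch", "employee_id": "", "email": ""},
]

def correlate(identities, accounts):
    """Return {(system, name): identity id or None}, strongest attribute first."""
    by_id = {i["id"]: i["id"] for i in identities}
    by_email = {i["email"].lower(): i["id"] for i in identities}
    result = {}
    for acct in accounts:
        owner = by_id.get(acct["employee_id"])           # rule 1: employee number
        if owner is None and acct["email"]:
            owner = by_email.get(acct["email"].strip().lower())  # rule 2: email
        result[(acct["system"], acct["name"])] = owner
    return result

def review(identities, accounts):
    """Sort accounts into keep / deprovision / manual-correlation queues."""
    status = {i["id"]: i["status"] for i in identities}
    queues = {"keep": [], "deprovision": [], "manual_correlation": []}
    for key, owner in correlate(identities, accounts).items():
        if owner is None:
            queues["manual_correlation"].append(key)  # orphan: no identity owns it
        elif status[owner] != "active":
            queues["deprovision"].append(key)         # leaver still holds access
        else:
            queues["keep"].append(key)
    return queues

if __name__ == "__main__":
    for queue, items in review(IDENTITIES, ACCOUNTS).items():
        print(queue, items)
```

The uncorrelated `svc_batch` account is the case automation cannot resolve: it goes to the manual correlation queue rather than being silently kept or removed.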

Our Current System Landscape

[Diagram: Oracle HR, ServiceNow, SailPoint, AD (three instances), FTP, Direct Apps & Hosts, Indirect Apps & Hosts]

Our Current Stakeholders

- Service Management Technology
- Security
- IT Service Desk
- HR
- IT Support Groups

Overall achievements - summary

- Known, repeatable processes... that users can rely on!!!
- Recordable and repeatable method for appropriate authorization of access
- Central repository of user access associated to Individuals
- Ability to better quantify and manage risks around access management
- A better overall customer experience, driven by:
  - Better fulfillment times
  - More request transparency
  - Accessible help

How have we delivered this?

- By remembering that IDAM is bigger than just one:
  - Group of people
  - Process
  - Tool or Technology Platform
- By selecting the right method of delivery:
  - Projects
  - Internal initiatives (BAU Minor Enhancement)
  - BAU Requests

How can YOU start with IDAM?

Assuming you don’t have a critical need already:

- Review your User and/or Security drivers
  - User experience issues
  - Productivity loss
  - Audit needs
  - Major security risks
- Pick a focused list of those drivers and assess ROI
- Look at how existing tools and processes can be enhanced to gain measurable wins
- Develop a cadence of visible success
- Consider a project vs. BAU approach

Top Takeaways

- Identity and Access Management is about bringing together lots of pieces. Always keep the big picture in mind.
- Security and risk management are goals, but never forget the customer experience.
- If you make sure all teams are aligned to the same outcomes, getting the big picture in place will be easier.
- Start small if you can. Show some success, then choose to expand carefully.

Questions

Final Thoughts

With planning,
With perseverance,
Always keeping the big picture in mind,
You too can learn to dance like an Elephant!!!
