About four years ago, Chief Information Security Officer Denise DeAmore took a hard look at the number of people accessing State Street Bank's applications and told herself there had to be a better way. Keeping tabs on user access had become unmanageable.
DeAmore began searching for products to ensure that only the right people were viewing the right information. She was looking for identity management before the term was even coined. "The vendors knew what we were talking about, but our ideas were probably ahead of their time," DeAmore says.
Like many other financial services companies, State Street Bank became an early adopter of identity management to protect and control access to financial and personal information. In the case of State Street, which provides investment servicing and management, the bank must grant access to clients such as a mutual fund manager who would need a view into back-end operations to make investment decisions. Meanwhile, the mutual fund's customers require access to monitor their portfolio's value.
"Information security is all about access, who can get in and who can't," DeAmore says. "Protecting that is absolutely fundamental to the way we operate."
Today, State Street has 460,000 identities under management, using tools such as Courion's PasswordCourier to let users reset their own passwords. Citing Gartner estimates that the average password reset call to an organization's help desk costs the company between US$10 and $30, DeAmore says the rollout has helped the company cut costs. "If you can take 25 percent of what's being managed (by people) and automate it, that's huge," she says. State Street's identity management system also includes a provisioning product from IBM Tivoli, a homegrown workflow program developed with Lotus Domino and certificate authority services from Betrusted US.
At investment bank Lehman Brothers Holdings, new employees are assigned what Vice President of Information Security Ramin Safai calls a Day One identity. This provides the worker with about 60 percent of the access required to do the job. The team that implemented identity management factored in from the start that it would not know in advance all the access a new employee requires.
The new employee can request additional access -- referred to as Day Two identity -- by visiting an internal Web site that uses identity management software to automatically route the request to the right manager, who then decides whether access is granted. On an employee's last day, that software also automatically cancels all access to the corporate applications, Safai says.
Identity management products provide reporting capabilities that keep track of which employees have had access to what data, proving particularly useful when these companies are audited for regulatory compliance.
When Lehman Brothers embarked on its identity management implementation about two and a half years ago, intrusion detection was the primary reason, Safai says. But now Sarbanes-Oxley compliance has become one of the project's most important aspects. "You have to show that you have control over the systems, and you have to demonstrate that you know how people got access and why people got access, and show the appropriate workflow," Safai says.
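The joiner/mover/leaver workflow described above (a Day One baseline, Day Two requests routed to the right manager, revocation on the last day, and an audit trail that shows how and why access was granted) as an added, simplified example; this is not code from Lehman Brothers or any vendor, and the roles, applications and approver names are constructed samples.

```python
from dataclasses import dataclass, field
from datetime import date

# Day One baseline entitlements per job role (constructed sample data)
DAY_ONE_ACCESS = {
    "trader": {"email", "intranet", "market-data"},
    "analyst": {"email", "intranet", "research-db"},
}
# Which manager owns (and therefore approves) each application (constructed)
APP_OWNERS = {"settlement-system": "mgr.ops", "risk-model": "mgr.risk"}

@dataclass
class Identity:
    user: str
    role: str
    active: bool = True
    access: set = field(default_factory=set)
    audit: list = field(default_factory=list)   # every grant/deny/revoke, with who and why

def log(ident, event, app, actor, reason):
    ident.audit.append({"date": date.today().isoformat(), "event": event,
                        "app": app, "by": actor, "reason": reason})

def day_one(user, role, actor="hr-feed"):
    """Joiner: create the identity with only the role's baseline access."""
    ident = Identity(user, role, access=set(DAY_ONE_ACCESS[role]))
    for app in sorted(ident.access):
        log(ident, "grant", app, actor, f"day-one baseline for role {role}")
    return ident

def request_access(ident, app, justification):
    """Day Two: record the request and return the approver it is routed to."""
    if not ident.active:
        raise PermissionError("inactive identity cannot request access")
    if app not in APP_OWNERS:
        raise KeyError(f"unknown application {app}")
    log(ident, "request", app, ident.user, justification)
    return APP_OWNERS[app]

def decide(ident, app, approver, approve, reason):
    """Only the application's owner may grant; every decision is logged."""
    if approver != APP_OWNERS.get(app):
        raise PermissionError(f"{approver} does not own {app}")
    if approve:
        ident.access.add(app)
    log(ident, "grant" if approve else "deny", app, approver, reason)
    return approve

def terminate(ident, actor="hr-feed"):
    """Leaver: revoke every entitlement on the last day and deactivate."""
    for app in sorted(ident.access):
        log(ident, "revoke", app, actor, "termination")
    ident.access.clear()
    ident.active = False
    return ident

def access_report(ident):
    """Audit view: each grant with who approved it and why."""
    return [(e["app"], e["by"], e["reason"]) for e in ident.audit if e["event"] == "grant"]
```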
"Identity management means a good bit more to financial services companies because it gives them an insurance policy to ensure they're complying with regulations," says Earl Perkins, a security analyst with Meta Group Inc. "It's a big issue for financial services. If they don't get it right the CEO can go to jail."
While identity management has become a critical technology for financial services companies, these products are often expensive -- Perkins says the average implementation for a Fortune 500 company enters the six-digit range -- and might take years to deploy.
Rolling out new capabilities one at a time was a key aspect to State Street's successful identity management implementation. This made the project a series of small victories in which users saw immediate benefits. "You need to be able to lay out a plan, go at it logically and prove your success along the way," DeAmore says. "People have to see the wins as you're moving along. You can't wait until the very end."
At The Guardian Life Insurance Co. of America, which offers group and individual insurance, group pensions and equities, the move to identity management came as part of a major overhaul of the company's technology architecture about three years ago. Instead of having to retrofit connections, the company ensured its identity management products from IBM Tivoli would work within the overall architecture, says Jaime Sguerra, second vice president and chief architect at Guardian Life in New York.
The insurance company currently manages the identities of its 5,000 employees plus 2,800 agents. This year, the company plans to offer policyholders access to information via the Web, adding another 40,000 identities to be managed, Sguerra says.
The fact that Tivoli Directory Integrator, Tivoli Directory Server, and Tivoli Identity Manager for Applications and Infrastructure come in an integrated suite was not crucial to his decision, Sguerra says, but turned out to be an added benefit. "IBM already had all those products talking to each other, and they showed us a road map of how they will get tighter integration."
A large chunk of the 31.5 percent cost savings Guardian Life has reaped since overhauling its technology infrastructure came from implementing identity management, Sguerra says. Because the two projects happened simultaneously, he can't pinpoint how much money identity management has saved the company, but considering that the company is saving even more than the projected 30 percent, he's not complaining.