With a new regulatory requirement for internal controls similar to those required for public companies by the Sarbanes-Oxley
Act (SOX), privately held Western & Southern Financial Group realized it needed to boost its ability to verify user IT access rights.
The Cincinnati-based Fortune 500 company, which provides life insurance, retirement planning and investment products, used the COBIT and COSO frameworks to develop general IT controls to comply with the amended Model Audit Rule from the National Association of Insurance Commissioners (NAIC).
In the process, it found areas it needed to focus on, said Mark Pfefferman, assistant vice president and director of the identity and access management program at Western & Southern Financial Group. One area was making sure employees have appropriate access rights, and monitoring and certifying those access rights, he said.
The company decided to build out its identity management platform by implementing the Novell Access Governance Suite. The product, based on an OEM partnership that Provo, Utah-based Novell has with access governance vendor Aveksa, provides automated access certification. (Novell agreed to be acquired by Attachmate Corp. last week.) Western & Southern is also working with Deloitte & Touche LLP, which provides an enterprise roles management methodology.
The software allows Western & Southern to validate that a user has the correct role and access rights by having the user's manager verify them. The suite, which consists of the Novell Roles Lifecycle Manager and the Novell Compliance Certification Manager, also enables the company to verify access rights for users who don't have roles but do have access to sensitive systems. "Access Governance Suite is flexible enough to allow us to do that," Pfefferman said.
In addition to helping with compliance through access certification, the suite helps with role management. Previously, Pfefferman's engineering team was producing voluminous paper documentation of roles and all the systems the role can access, but now the team puts all those roles and entitlements directly into Access Governance Suite.
"So we skip that big pile of paper up front," Pfefferman said. "It's been a good tool for managing that whole role creation and maintenance process."
Western & Southern uses the suite in combination with Novell Identity Manager, which provides provisioning and de-provisioning functionality. The company uses Identity Manager to automatically synchronize user identity information across multiple systems.
Newly hired associates in the home office are automatically provisioned with the appropriate access rights before they show up for work, for what Pfefferman describes as "day zero productivity." Terminated associates are automatically de-provisioned. He estimates that the software has reduced the time spent on user provisioning by 80%.
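The two mechanisms described above, role-based access certification and automated provisioning/de-provisioning against an HR feed, reduce to one reconciliation: compute what each user's roles should grant, compare with what the target systems actually hold, and route the differences to the right manager. The following is an added illustration of that reconciliation in Python; it is not code from Western & Southern, Novell or Aveksa, and the role definitions, HR records, entitlement strings and system names are all constructed sample data.

```python
"""Role-based access reconciliation and certification worklist.

Added illustration only; not Western & Southern's or Novell's code.
All roles, users, systems and entitlements below are constructed samples.
Entitlements are written as "system:permission".
"""

from collections import defaultdict

# Role -> entitlements the role grants (constructed sample).
ROLES = {
    "claims_adjuster": {"claims_db:read", "claims_db:write", "doc_store:read"},
    "payroll_clerk": {"hr_sys:read", "payroll:read", "payroll:write"},
}

# Systems whose access must be certified by a manager even when no role covers it.
SENSITIVE_SYSTEMS = {"payroll", "hr_sys", "gl_ledger"}

# HR feed: user -> manager, employment status and assigned roles (constructed sample).
HR_FEED = {
    "alice": {"manager": "bob", "status": "active", "roles": ["claims_adjuster"]},
    "carol": {"manager": "bob", "status": "active", "roles": []},
    "frank": {"manager": "bob", "status": "active", "roles": ["claims_adjuster"]},
    "dave": {"manager": "erin", "status": "terminated", "roles": ["payroll_clerk"]},
}

# Entitlements actually present in the target systems (constructed sample).
# "frank" is a new hire with nothing provisioned yet; "dave" still has access.
ACTUAL = {
    "alice": {"claims_db:read", "claims_db:write", "doc_store:read", "gl_ledger:read"},
    "carol": {"payroll:read"},
    "dave": {"hr_sys:read", "payroll:read", "payroll:write"},
}


def entitlement_system(entitlement):
    """'payroll:write' -> 'payroll'."""
    return entitlement.split(":", 1)[0]


def expected_entitlements(roles):
    """Union of entitlements granted by the listed roles; unknown roles raise KeyError."""
    expected = set()
    for role in roles:
        expected |= ROLES[role]
    return expected


def classify(record, actual):
    """Split one user's actual entitlements into revoke / in_role / certify / missing."""
    if record["status"] == "terminated":
        # De-provisioning: anything still present for a leaver is a revocation.
        return {"revoke": set(actual), "in_role": set(), "certify": set(), "missing": set()}
    expected = expected_entitlements(record["roles"])
    return {
        "revoke": set(),
        "in_role": actual & expected,       # covered by a role, no review needed
        "certify": actual - expected,       # out-of-role access: manager must attest
        "missing": expected - actual,       # role grants it but the system lacks it
    }


def build_campaign(hr_feed, actual):
    """Group findings by manager into an ordered certification worklist.

    Each item is (user, entitlement, action) where action is one of
    'revoke', 'certify-sensitive', 'certify' or 'provision'.
    """
    campaign = defaultdict(list)
    for user, record in hr_feed.items():
        findings = classify(record, actual.get(user, set()))
        items = campaign[record["manager"]]
        for ent in sorted(findings["revoke"]):
            items.append((user, ent, "revoke"))
        for ent in sorted(findings["certify"]):
            sensitive = entitlement_system(ent) in SENSITIVE_SYSTEMS
            items.append((user, ent, "certify-sensitive" if sensitive else "certify"))
        for ent in sorted(findings["missing"]):
            items.append((user, ent, "provision"))   # day-zero provisioning gap
    return dict(campaign)


if __name__ == "__main__":
    for manager, items in build_campaign(HR_FEED, ACTUAL).items():
        print(f"Worklist for {manager}:")
        for user, ent, action in items:
            print(f"  {action:18} {user:8} {ent}")
```

The out-of-role bucket is what catches the case the article mentions: a user with no role at all (carol) who nonetheless holds access to a sensitive system lands on her manager's list as a sensitive certification item rather than disappearing because no role references her. The "missing" bucket is the provisioning side of the same comparison; in a real deployment those items would be fed to the provisioning engine rather than to a manager.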
Western & Southern evaluated a couple of other provisioning platforms but chose Novell because its product was the most cost-effective, Pfefferman said. Plus, the company was already a Novell customer. The Novell products integrated well together and also integrated with third-party packages, such as the Serena Software Inc. workflow system Western & Southern uses for the roles-based access process, he added.
Gartner Inc. estimated earlier this year that the worldwide identity and access management software market will grow from $9.2 billion last year to $9.9 billion this year. Compliance, audit and analytics requirements are the main factors driving IAM purchases, along with operational efficiency and improved integration across IAM products, according to Gartner.
Bruce Spooner, product manager of Access Governance Suite at Novell, said vendors like Aveksa developed access certification technology in response to customers needing help with meeting auditors' requirements.
While the suite provides role lifecycle management, enterprises can't think of it as a magic button for role development; companies need to layer over an enterprise role methodology, which professional services firms can help with, Spooner said.
For his part, Pfefferman is pleased that his company didn't have to go through the pain other companies did when SOX first came out.
"When SOX came into existence, the technology wasn't there to help. Companies had to staff up to cover a lot of those reporting requirements," he said. "We feel fortunate that there is technology available, based on lessons learned from Sarbanes-Oxley [compliance]. We haven't had to staff up dramatically to cover these regulatory requirements."