Jimmy Morin never expected to create a monster, but after cloning for too long he suddenly had one on his hands.
It was critical to the project manager of Quebec-based Desjardins Insurance Group to slay the beast of his own creation. It might not have been an actual monster – but a metaphor used to describe the haphazard mess of user roles he had created for employees to access sensitive data and business applications.
“It’s important for us to have the right IT controls in place,” Morin says. “We need to be in compliance with various financial standards.”
Morin presented at CA World in Las Vegas on May 18.
The largest cooperative financial group in Canada offers direct property and casualty insurance to the general public. Given the sensitivity of customer’s personal information on file, and Desjardins‘ perception of itself as “a leader in security”, the mess caused by cloning of access rights and excessive user privileges had to end.
Morin tapped software from CA Technologies to help.
CA’s Role & Compliance Manager (RCM) is a security product that’s billed as an identity and access management (IAM) tool. In essence, it allows for the creation of roles in an organization that are given to users in order to control the flow of sensitive data, and access certain applications. It also adds an auditing mechanism.
“We focus on the security of prevention,” explains Gijo Mathew, vice-president of security product marketing at CA. “We don’t secure information, we secure everything around the information.”
Instead of addressing malware and virus threats like security vendors such as Symantec Corp., IAM software limits the exposure of sensitive data only to those who need to access it, when they need to access it.
“It doesn’t matter if you’re an employee, or if you’re a contractor, or a customer,” Mathew adds. “If we know who you are and what your relationship to my organization is, then based on that I can give you appropriate access.”
That’s just the type of leash that Morin was looking for.
“We wanted to minimize the risk and exposure to unauthorized access,” he says. “We needed to provide identities to stakeholders with a lot of different needs.”
Quebec-based IT services firm Xpertics Solutions Inc. helped Desjardins roll out CA RCM. The firm also helped select the software by using existing benchmarks set by analyst firms for evaluation criteria.
That clean-up process found about 25 per cent to 30 per cent of data on Desjardins system wasn’t valid. This is typical for Xpertics’ cleanup methodology, explains CEO Mustapha Benmahbous.
“That doesn’t mean the company is at high risk,” he says. “But it means there are some orphan accounts.”
Before deploying the software, Xpertics went through a rigorous data clean-up process. It defined the data it was working with, prepared what it needed, and cleaned up what it didn’t. Then it tackled an implementation on a strict timeline – eight months with two full-time employees dedicated to the project.
“We tried to adopt an implementation road map that didn’t conflict with other projects for a smooth roll out,” Benmahbous says.
The project took about two years to complete, after starting in January 2008. That included full training of employees on the new system. Training was conducted across multiple Desjardins departments including managers, IT security, help desk, operations, internal auditors, and risk and compliance.
“It’s very important to tell employees about the new project and make them aware,” Morin says.
Xpertics continued to play a support role after finishing the installation of CA RCM, Benmahbous says. It also conducted training of non-IT employees on the new system.
“Before we left the company, we thought about how to keep it up to date, how to add new roles, and how to review any changes to the organization,” he says.
The project cost Desjardins $580,000 for software licences and implementation, Morin says. Employees seem satisfied with the new system and the firm has a new capability to view the historical access records for each user.
Currently Morin is managing 900 different roles with the software, but he plans to trim that down to about 400 roles for his 3,600 users.
“For some departments we can reduce the number of roles because they are similar and we’ll find the right mix of privileges,” he says.
So instead of cloning, Morin is now reducing. It looks like the monster has been tamed.