Dirk Venzke - Identity & Access Process Automation: Improving Business Alignment & Reducing Digital Risk

The next presentation is now going to be from someone who is within an organization who is heavily under attack. Not because it's a special company having, being under attack, but because the, the industry that company is situated in is one of the areas. One of the, the business areas where hackers have concentrated most in the earlier days, not a little bit changing, but still there's a, there's, there's an ongoing battle in that field. And that industry has built up much stronger and better information security practices than most others. So it's still very important for us to learn from them. Please welcome, dear transcript. So you're with command span, right? Yes, that's right. So, and your responsibility at command span is
Divisional head for governance and authorization management.
Okay.
So with having global functional lead in this topic.
Okay. So how important is this in the context of the risk management from the board in view of cybersecurity?
Yes, very important. And I think you will see in a few minutes we found a channel based on risk to our board members to report regularly to this or on this topics.
Okay. Very interesting. So please go ahead.
Thanks. So thank you. Good morning, everybody. What I would like to share with you this morning is what is our approach in identity and access management and what is our optimization in the processes we have made over the last years within this. But first the short look, what is the situation of our company, as you might probably know, we are leading international bank located in over 50 locations worldwide with approximately 50,000 employees. All over basic business is based on these five columns or pillars, as you can see from private customers over corporates and markets down to non-car assets and achieving a leading position in private and corporate customers.
But in this quite complex and international environment, what is the contribution of identity and access management? Let's start with a short look. What is our fundamental understanding of this? As you can see here quite easy to write down. So yes, to provide every of our employees with the necessary access rights he needs to fulfill his job properly, not more, not less. And yes, we did this by risk based approach. We will see a bit more later on how this works by different instruments. We combined together join a mover, lever processes, weer, recertifications, sod checks, and so on, and an operat termination strategy, which is continuously ongoing and improved. And as you can see here on the right side, yes, quite well, governed by regular reportings, up to a board as well.
What is the strategy we have decided to embed all our activities in these classic three lines of defense model, you might all know. So it starts on the left side. In the first line with our joiner mover, lever controls goes on with regular and continuous re-certification processes. Then second line and continuous segregation of duty check, which we performed by automatically basis and processes, additional quality checks made by my new department. And last, not least of course, all the things and tasks around logging, monitoring, cm infrastructure, and in the last line audit. And as you can see in the bottom, by doing these combined activities, we do a risk mitigation, but to be fair, and you can see, this is not going down to zero, cause this is I think a good link to this session. I attended yesterday evening here when the colleagues were talking about yes, is risk a bad word or not. And I think, yes, it's not, but you have to be aware of the risk. And there will always be a remaining risk in your business. Otherwise you don't make any business, but you have to be aware of it and have to make a assessment for yourself. Is this risk okay to be taken? Or is it not okay?
We embedded these activities. And over the last years, we started with an global strategic program on this topic. We shifted this program now into a regular line organization. You can see here in a chart of my division and you see my division, we combined different governance activities in there. So not being only responsible for I am topics as well as for governance framework, quality control checks, and even up to safety and eco management. And what you can see here as well is not only being responsible for the line organizational part, but as well for the remaining project part. And if these projects are coming to an end and running out and achieve their goal, we will shift this again into my line organization. So this governance and organization or authorization division is building the, the link about these two topics, original line management with four departments and remaining project streams.
But now a bit more in detail to the different activities of the three lines of defense model, we embedded join a move lever processes. What have we done here? We made an assessment for all our applications and decided by them and evaluated them by criteria. Are these so-called sensible applications or are they less important? And if they are less important, do they contain even less risk? And for all our sensitive applications, we decided on board level that it is mandatory, that they have a connection to one of our IDM systems. Cause this has the great benefit IDM systems provide the necessary access rights and roles automatically based on job profiles. And if there is a joiner mover or lever taking place, the necessary adjustments are done automatically recertification
In this activity. We've chosen the risk based approach. Again, as you can see here, we decided for, so so-called very critical it applications. We do a re-certification twice a year for all our sensitive ones yearly the important ones. And here you can see a bit downsizing of it only in remarks in the three years shuffle principle and then the remaining rest by random, over the years. Cause they contain lower risk and not so risky. As you can see under one, the critical ones, which we do BI by annual, and you can see here as well. We already achieved here in a process and come up to a regular operation.
We started to be honest, quite pragmatic in this doing the first recertification task. I think one or two, roughly three years ago by yes, Excel spreadsheets and SharePoint support. And then after having clear the processes, what or how is information and data running and who is responsible and set up all these responsibilities in the organization and embedded this into the business, we decided for tool support. And now we can proudly say this year, we are going to re-certify over 1,200 applications by this schedule. And not only doing this on application sites for so-called it manage applications and business manage application, same approach for our infrastructure components and same methodology here again. So critical. It authorizations such one, like let's say domain admins or something around that twice a year, privileged it authorizations database admins, for example, yearly. Then we are doing complete platform. Re-certifications including all the applications running on these platforms again in the three year shuffle principle. And yes, last not least you can see a blank line here in the bottom. So-called standard. It authorizations. We don't do any re-certification either. Cause to be honest, the risk level is very low. What is the risk of having an office right. Of using a Excel or something like that?
Second line we established a very tight and strict process for cleaning up, probably occurring. Em discrepancies. As you can see here, what is the automation behind this? Every employee in our company is located in one organizational unit and this organizational unit belongs to a yes, specific to civics part of our organization, let's say finance marked trade settlement and so on. And by belonging to one of these organizational part, we give a so-called yes, let's say earmarked to each of our employees. So with certain flag, if he is trade, he gots and tea. If he is settlement, he gots an S finance for F and so on and on the other side reflect our authorizations and the documentation in the same way. So we can easily compare. Do the access rights of these employee fit to his organizational position? Yes or no. Or do we have found a combination where perhaps the trade and settlement is coming together, which is of course an discrepancy and having detected such one, we clear it up quite closely. Within two days
Short profile of my new group, our new department governance, quality controls. This is giving a helping hand to the business. Cause as we heard already yesterday, you have to embed and embrace the business within this topics and not to leave it alone here. So this department is going to the business like in a kind of an audit function. But before audit comes in place asking questions to the business and helping the business to improve their IM processes, to describe in the business languages, what are the authorizations good for? And not remaining on such area script titles for authorizations. Cause if I ask you, what is your authorization group perhaps called R two D two good for no one can answer, but if you have a proper description in business language with this authorization group, you can change customer or credit limits or whatever. Then you can assess if one of your employees needs this or needs this, not for doing his job properly
Risk based channel to the board. We just heard, this is our approach we found. So yes, sport is interested in risk is interested in how is, or how do we spend our capital in what topics? And what we set up is you can see here briefly on the chart, some key key risk indicators, measuring risk, and you can see our set is consisting of some risk indicators for it, changes and incidents for it, security and in the bottom of identity and access management. And by these indicators being in red, yellow, or green traffic light, these are affecting our so-called operas capital less or more. And this is a good channel to report to our board members.
So coming to the end, in, in a nutshell, what is my journey and my lessons learned in this topic. So if you want to set up something like this and have to do this, choose a sustainable approach, cause this lasts a bit longer, choose it risk based. You can't do, or you can't solve any problem at the same time. As you could see and be aware, there is still a remaining risk in your business. You can't size it down to zero. This is hardly not true. Go into dialogue with business, make them partners, embrace them, try to win them to do this with you together and give them a benefit for business like talking in business languages to him or to them as I just described for the documentation of authorization rights and business language. So it makes it better understandable for them. And then they can do the re-certification in a proper way.
Then in the process, my lessons learned is, is good to start with, with focus on policies, processes, and people. Cause as you haven't set your processes, your responsibilities within the business in place. Well, and you don't know and not be aware how these things and information is running any tool won't help you in this. But if you have in place, a tool support is quite good and can automate your process and make it more efficient. And last, not least we saw it on the last slides. Some yes controls and key indicators are quite good to steer. Yes. These topics all over, even up to board level so far in short and nutshell from my side. Thank you.
Thank you very much, dear. Maybe I've missed it, but do you, do you run cloud services?
No, not really.
Okay. So everything is in-house so it is running in is, is outsource or do you have an service provider helping?
We have service providers, but mainly in-house yes.
Okay. So this is all working for your internal operations. Yes. Do you have external people as well? So like, like customers, are you covering customers in this as well? So all your customers are covered with the IM solution. Yes. So there's a real outreach, even if you're not using cloud, you're all also covering all the external access.
That's true. The great benefit is what we have that all our yes, internal staff and even external staff has a so-called specific ID within our HR system. And the HR system is delivering data into our IM system. So we can cover the whole from internal to external.
So you have one source? Yes, this is excellent. I mean, many customers, probably many organizations would benefit a lot of that from that. So we're having one source is probably key for the success as well. Yeah. That's true. Thank you again.
Thanks. Alright.