In today's unpredictable business environment, where change is the norm, it has become critical to have a manageable and scalable Identity & Access Management program in place. In this Best Practice Presentation, Leonardo Morales will talk about the challenges and his learnings from implementing state-of-the-art IAM at Siemens AG, and what the next steps will be.
I can hear you very well.
Hi, it's Paul Fisher here. I'm an analyst with co. Welcome to EIC. I understand you're gonna be talking about real-world enterprise identity and access management at scale. So the floor is yours, and off you go.
Yep. Thank you very much. Yeah, Siemens real-world enterprise IAM at scale. My name is Leonardo Morales, Siemens architect, and I would like to share, and I'm happy to, my experience on how Siemens started with this journey. I will move to the next slide. Because of multiple reasons like security, transparency, missing data quality, like enough one-day readiness, among others, multiple reasons, Siemens had the urgency and necessity to accelerate, automate, and take control of their identities and their service provisioning. Initially, we had a lot of concerns, especially regarding business impact, because we wanted to enforce rules in the provisioning. Everything that is not compliant, any uncompliant and not well managed identity, will be affected, which could lead to disabling of user accounts, deprovisioning of identities, and in the end removal of accesses and permissions. That was the main concern we had.
Let's have a look at the content I prepared in this slide and go quickly through the most important aspects I wanted to highlight in this presentation. It is about the key message, about the motivation, how Siemens did it, the data (in fact, that was important for us when we talk about "at scale"), how Siemens prepared for identity access governance, and, I think the most important thing for all of you in the audience, the big challenges that we had and the learnings from that during this journey. A key message that Siemens believes is: identity is stressful. Only it has a life cycle, and this is all around our journey. We need to take control, to know the linked human body to the identity, the provisioning, access, and permissions of data accounts, and how to deal with that. How to deal with the person who is leaving, which could be a potential impact on the company, and the motivation as well. We need to accelerate the utilization. We need to do business, becoming a better market competitor, bringing everything into the internet and bringing new solutions, Internet of Things. This is the motivation and the main driver at Siemens to start with this journey.
Yeah. Talking about identity governance at Siemens: you all know the life cycle management. That means the commonly popular joiner, mover, leaver processes for employees starting, moving and leaving a company. We need to keep the transparency of who is joining, who is moving, who is leaving, and need to design the principles. What is important for Siemens to take into consideration is how to deal with this situation, keeping up business. That was the key: readjust services, access terminations, according to businesses, countries and security, depending on the access type. First, it was necessary to discover everything and collect everything from all the multiple systems and applications, creating joining rules and linking those rules, those artifacts, to a well managed AD identity. That was the main idea and the goal for Siemens, which sounds quite easy, but it wasn't. The reason is, at Siemens at scale, we had, and still have, non-homogeneous data sources and data quality, especially offering multiple types of accounts, around 15 account types for different purposes: for main user login, interactive login, secondary accounts, functional service accounts, admin accounts, provider accounts, with all the different characteristics and managed by different policies and rules.
This was the biggest effort we spent: to design how a life cycle could look like having these artifacts at Siemens linked to an identity. Moving to the next slide: what are the biggest reasons why we thought and said "at scale"? It is about the identities at Siemens, where we have approximately half a million identities active, all active working across the multiple hybrid environments, more than 1 million active accounts and more than one and a half million groups, all active, interacting with each other for service provision and accesses in applications. With this system established, managing all the identities, knowing who belongs to which organization and the business they do, we designed functionalities like password change to cover necessities and simplify the very hard, the difficult, password change at Siemens; a password reset, a bit different, just moving forward, just setting a new password to accelerate the joiners in the new normal, people who usually don't come to the company.
They stay at home and need to get access over the internet. That was the most important part: enabling and accelerating joining processes for Siemens to make faster and better business. And the Microsoft 365 license management, fully automated, done by the system, recognizing the joiners in the respective countries according to the regulations of the businesses, who is allowed to get which license, compliant to the countries. And with more than 120 countries where Siemens employees are located, there is not one single rule that fits everything, and the life cycle, that's why the life cycle is so important, because we also see in the monthly snapshots how many joiners we have, how many leavers and how many movers, around 300 movers a month, people that we know need to continue doing business, and we try to readjust the services according to the divisions and countries, saying accesses and license provisioning.
That is what we designed now and have under control. Also, we see some types of accounts that we provision and offer to employees, and we manage them in the same manner. What is related to a person, to a human body, is the focus, what Siemens sees the necessity to deprovision immediately. And the non-provisioning is what we reassign to others to keep our business continuity. This is the most important component of the leaver process. We implemented the same for the groups, assuming anybody has responsibilities in services, provisioning, managing and dealing with multiple groups as owner. And we need to keep up the business, but all linked to a real managed identity. If someone is leaving, all the artifacts and groups will be reassigned. If access control is still assigned to the person, we would retrieve those immediately, because it comes regularly to rejoins, and we need to make sure that they start not from the very beginning, but they have to re-review the accesses they had in the past, and probably are joining as a different employee type. We need to consider that; that is the most important piece of identity management. You see a lot of 84 and accounts and groups. That's everything we need to manage in a better way.
How we did that, and when we did it. It all started with an RSP looking for an appropriate vendor who put the focus on the management and service provision of Active Directory and cloud services. That was our main focus: not only identity creation, more the provisioning of the accounts in services. And we ramped that up in 2019. We started with the solution design, how this can look like, ramping up, connecting everything we want to get discovered and inventoried in our system, collecting all the identities in Siemens. That means the Siemens internal identities managed for internal purpose, and external employees, part of Siemens as well. Looking ahead, what kind of additional identities are we consuming, and we provision accesses to resources. Having those artifacts all connected, we defined rules and processes to bring everything in a relationship to an individual identity. That was the most difficult part, but we did it. It was the key, essential part of how we can rely on a solid identity management to count on the confidentiality and the transparency of what is around an identity.
And last year, in 2021, we saw the necessity to do some readjustment in the logic and the joining rules and the provisioning of services, because with time we are increasing data quality to extend data, service provisioning and coverage, to cover 90% of all the identities with their accounts, with their permissions, in the system. Because of the complexity of the multiple systems, HR systems, AD systems, applications, not showing the same rules, the same principles of Siemens, that was quite hard. And now we are looking at 2022, where everything and everyone is putting more attention on the identity: how trustful the identity is, how we can protect the identity, the authentication method. That is now the focus of this year. We would like to increase the trust of that identity and be confident that the identity used is linked to a real human person who is claiming that. That is now our next step.
Let's move to the most exciting slide, I see, from this presentation: the five biggest challenges that Siemens had. Starting clockwise with the direction, AD data quality: it consumed a lot of effort and time trying to enforce rules that anyone also sticks to and shares with others, having more than 200 AD object providers not sharing the same processes, some of them doing things manually at their convenience. That is the painful exercise. We did try to get them, bring them the understanding: we need to share the same rules, stick to the naming conventions, the attribute provisioning and attribute maintenance according to the life cycle, to have all the accounts linked to one single identity and have control of that.
The second one was identity management and provisioning, with a lot of countries, and where we have more than 150 identity suppliers with different processes. For some of them, some leavers represented a real leaver, not understanding that the person is moving to another country where another HR system will take over. There are no processes like this, transferring identities from one HR system to another. This is the biggest challenge in that particular one: try to understand, detect, discover that it is about a mover and not a leaver, not deprovision that person, keep business up and try to readjust the services according to the divisions and country regulations. The next challenge: too many AD object providers, more than 200 providers doing what they consider convenient, but not for Siemens.
This also caused a lot of impact, and we had to put it to all of them, making it clear: we need those rules. We need to stick to the same rules to be able to share identities from one provider to another, to provide a mover in any kind of aspect of the person, whether this is in hybrid or on-premise, and readjust services depending on the businesses. The account purposes is another challenge, with those already mentioned 15 different types, with different characteristics and maintenance ways and association to the person, thinking of: they are used for different purposes, but we need to identify what is personal and what is not. This was also a challenge, defining characteristics to identify those and link those to the identity, to readjust the life cycle process for any kind of AD account in the identity. Trust is also a challenge. It was a challenge for us to understand all the identities we consume, we produce, we manage; the access methods they use, the account type of the person getting access, is what we try to put focus on. How much is the trust level on identities managed by Siemens, which obviously is different than consuming a business partner identity managed by others, who has access to which application levels, security-wise.
This is a part of the identity identification and access we want to provide to any identity type, according to the degree of trustful and trustworthy processes, what we see, where there is a process we can trust more than others. Now I'm coming to the end of my presentation. Let's move one slide forward. If there's any question from the audience, curiosity, particular things you would like to know, please.
Thank you. Thank you, Leonardo. Thank you for that presentation.