From Local to Global: ABB's New Platform-First IGA Program

Well, good. After noon, I hope you could enjoy your cake and, and a coffee or water, whatever. So I would like to tell you a little bit about our journey introducing ServiceNow as a platform for an IGA solution. I'll have 20 minutes. We did it in three years, so it's pretty hard to compensate that. But I hope I can tell you a little bit and give you a feeling about what the journey was.

Actually, a little bit about abb, maybe not everybody of you knows what ABB is. We are, we are, well, one of the biggest companies in the, in the world building robots, electronic things, even for the, for the housekeeping part, et cetera. Big machines.

And so we, we are operating in more than a hundred countries across the globe. And then you can imagine if you translate that into identity management challenges, while it's about different cultures, it's about different languages, it's about different whatever, whatever, whatever you can think about.

Yeah, we are even not organically grown over a hundred years, no. We are grown by acquisitions and divests, et cetera as a lot of the other big companies are doing typically. And with that you, you get a lot of technology into your business and you always have to integrate it and you have to separate these things. That makes it quite quite challenging.

I want to give you a little bit insight on how we try to maximize our technical investment into ServiceNow and how we could start reducing siloed tools in that and well at least even deliver something which is easy to use from several angles looked at. So from user's perspective but also from IT perspective. So little bit about our, our landscape. We just heard in the, in the former presentation, something about identities, et cetera. So we are still dealing today with 170 different HR clients in the company.

They all somehow consolidated in one central, let's, let me call it database with a limited set of common attributes. But there's still different processes on how to manage people, internals, externals. But there are also requests, Hey, I have a machine here. We just heard something about robots, et cetera, things like that. And that is really challenging for us on the one side. On the other side we have around six and a half thousand applications we need to deal with for sure.

We have cluster categorize them in critical, less critical central tools, core common, distinct, everything you can think about how you can cluster tools and applications and you will see that there are certain things quite important for you that you need to get under control. The way we get that under control need to get it under control is that 500,000, approximately 500,000 people have access to these applications.

And while we are having around 190,000 internals, externals, including some divested partners that still have access to our systems, but there are also customers accessing more and more and the more we move into the cloud of our infrastructure environment, there's a potential risk that people can access this data even that they are customer. And we heard about things like privileged access management, et cetera. So who ensures that we do not grant the wrong person access to an application. So that is a very critical thing for us as well. For sure.

We classify these users in different categories. We have these normal users, privileged users and all that stuff. But you first need to get it in hand. And as I said at the beginning, we are still a little bit federated. We have a lot of entities that are operating their own environments inside the companies and we need to get that somehow under control and we need to get it under, yeah, first of all, transparent and then under control for sure.

So where we are coming from is on the bottom side here, we still have a lot of M tools because with every application that you invent, you think about how you grant access to this application. And if an application was invented 20 years ago, there's still a process to grant access to this application. And it was also invented 20 years ago when we did that.

So, and you can imagine there are lot of these tools across any company in an enterprise company and each one is better than the other. Yeah. So it's not about technology. We are talking about here, it's more about governance. This organization changes you need to cont to drive to make these changes happen. On the right hand side of this picture, we see that we are having a lot of interfaces. How do we consume in identity data from this global source, from local sources.

One of these hundred 70, maybe there are a few other people in this 170 HR systems that are not replicated into this global store, et cetera. You can imagine there's a lot of things you need to look at at the end. And I also also in one of the speeches before, there is a lack of central identity management that you have. Nobody can tell you which access right do I have in this company in this moment because there might be tools or whatever we do not have under control. So we try to get that under control and I think we built the technical basis for that.

And you, I will show you on the next slide that it's still a journey we are doing to integrate all of that into this one common approach. Oh yeah, sorry.

As I said, it's a journey. Journey is similar like a road and we started somewhere at in in 2020 when everybody knows 2020. That was a year when this stupid pandemic started. And that also hit a little bit our project approach because we started exactly when this thing came up and we had to think about do we still wanna run the project? Do we want to invest? I think all of you and the, the companies had similar discussions about what is it that we really want to do? Yeah. Will we do this project or not? Et cetera.

At the end, we convinced our stakeholders up to the EC as as lease that we wanna do that and that we want spend the money for doing such a project. We also thought about what do we need to do? So we made a pre-study and I will show you on the next slide then the result of this pre-study where we build a capability model and based on this capability model, we thought about what approach do we want to go? And the idea was to reuse what we have already in place at this time it was like, can we do something with ServiceNow?

So we had a lot of discussions with ServiceNow as a company itself, thinking, well what of this model can you support? And I will show you, as I said on the next slide, what exactly that meant. After a year approximately when we really implemented certain things, we realized that we did a lot of customization in this tool.

It worked, but it was heavily customized. And then we thought, okay, is that really the right approach? And it was a time when even ServiceNow came up in S Hey, please take a look at at an I G A solution on our platform, clear Sky.

And we, we did that and we made at least in, it was in, in July 21 when we did another proof of concept and implemented within approximately two months what we have done a year before on the ServiceNow platform, just to show that the whole thing is up and running. And the result was that well we could go live with the first applications after two months in time, even having a much bigger functionality in available than we had with our customization approach on the platform.

And that was a little bit the start of this, this success story when we started to onboard a few additional additional other services at the same time, we also had a project to look at. Our GSE was just mentioned as well before. So risk and compliance topics. We are SOX regulated company, so we had to implement certain things and we got a huge, huge amount of requirements into the project to show that certain controls can be executed of that.

We, we had this discussion about, yeah, about the different types of controls that we need to, to execute and we, we, we started to implement and it was quite successful. So all of these requirements could be easily, well easily it could, they could be implemented at least with some configuration effort, but, but it is working and today we are full compliant with the platform. Even for other applications we are onboarding. We can ensure that these are SOX compliantly operated on the platform.

Another thing that at the same time was started was a privileged access management tool based on the beyond trust platform. And we integrated both the application, the IGA solution with Clear Sky to manage the access coming with knowing the identities managed from an HR perspective and having the full life cycle of these insights, the IGA tool to ensure that people get access revoked when they leave the company and all that stuff. So that's happening. So that is fully integrated and we are productive with that from the beginning of the last year.

Besides that, we started some additional other onboardings of applications, also mainly applications that are connected to active directory. We, we have not that many of them, so we like to develop applications by ourself.

Yeah, this is much more fancy than taking something out of the box here. So a lot of applications are really self-made and there are no connectors or whatever available. So you really need to ensure that this is somehow developed web services and all that is is possible.

Right now we are implementing additional other use cases on the service now on the, from the active directory scope, even here we have an active directory, 20 years old designed and you can with a good structure, but with each good structure you also have a lot of exceptions and these exceptions need to be somehow implemented into this platform. And there's no platform on the world that can, where you can press a button and say, Hey, it's there.

No, no platform does, knows your, your environment. So we need to really ensure that we get it and then we're doing that step by step now and it's pretty well working. On the other side, our HR decided to run a project to implement one HR system looking at Workday and, and that's something where we are also involved, which on the one height side makes our life a little bit easier from the data that we can get on the other side. It's also that we need to take over certain aspects of the identity management part inside the application. I just mentioned this capability model.

That was something we have developed at the very early beginning and we thought about what is it when talking about IM that we need to really consider. As I said in the past, we had some teams that looked at doing user access management as I saw, okay, well I wanna grant access. So it's catalog where you can offer access for one application doing approval and request it and forget about it. That's how we did it in the past typically. But now we thought, okay, what is everything that we need to think about? And that was our answer on that. It's not maybe complete and it's not made in stones.

Maybe we need to change that from time to time. Yeah. But it at least it gives us a guidance on what we are looking at when implementing this journey, doing that, everything which is now blue colored here is actually what we have implemented with Clear Sky on the ServiceNow platform. Other things, we have decided to use other tools and there are a few gray boxes which we haven't touched yet. So it doesn't mean that it's not possible, but we are, we have not yet fully integrated these things in the moment. On the right hand side, you also see the role lifecycle management.

I will come to that in a little bit later. Zap gsc. We've also made a decision that everything we are doing with sap, we will still do in the moment on on Zap GSC basis. So we have around 2000 employees, IT employees internally in abb and it's approximately half of them are doing e p. So you can imagine if you tell them I wanna replace something there from the first minute, then you have less chance to come through the door with such approaches Implementing such a tool.

It's not installing a tool, it's a, it's a, as I said, it's a journey and the introduction was, I'm coming from local or regional to global role. And that's something I realized. It's more about governance, it's a change project if you want to do that, you know, you need to really ensure it's, you can install every tool, but introducing that into a landscape that has grown over this many years is a pretty difficult thing. So you really need to ensure that you get it fully connected and the, the more you act on this global level, the more you need to connect to different other things.

And we started with that one here and doing that really on this, well, installing it, but then we realized it needs common process it, it needs an organization, it needs connections to other data. We have table of authorities telling us who is the CEO of that country to get an, to approve a certain request or to revalidate accesses, et cetera, et cetera. That's something we were looking at to implement in these three years. So it's not just a tool installed and running, it's a whole landscape that you need to integrate when doing something like that.

We also had a, just mentioned that before we had a discussion about role-based access and just a short one here. So in the moment we are still really looking to do the first steps, two steps out of this slide here, building transparency and getting control over it. I mentioned the six and a half thousand applications. We are not intending to onboard six and a half thousand applications in the next two years or something. But you cannot talk about role-based access if you don't know what you are operating. And that is exactly what we are doing at the moment.

We are building this transparency and this is working quite well. We have very easy way to integrate applications to onboard these applications and to operate them with that. We get the transparency to do some next step alignment, finding the same similarities in these tools and in the, let's say, well really next step with our HR project to integrate for example, Workday to really think about common roles in the company that ensure getting birthright rates for example, for excess in, in the system. But in the moment we are focusing on these first two things.

So user experience for employees and and IT people. So we have a very simple process with user access management, honestly. Well typically you have a, an identity that is somehow managed either in HR or we are doing that in the IGA solution for the robots, for service provisioners, for even customers. What we are now working at in the moment, and these are triggered by a lifecycle. So we have joined a move lever process's implemented for these ones and they react on a lifecycle.

If someone is moving from one department to the other, we just in ensure that we revalidate that with the new line manager. Hey, is it still okay having these excess rights or not? It's all reactive, but it's better than having nothing in the moment. Yeah.

So it's, it's, I think really the, the transparency that we need to build all the requests are coming from a central catalog. It's not free text anymore. What we are sending, so it's a structured catalog. We store this whole thing in a repository, which we then rely on and at the end we are also controlling that thing from a, this u m dashboard, how we call it centrally inside the tool. We know what's happening. Something we didn't have before centrally here. So now we have this, this view at least everything is, is, is documented with a ticket.

If it is the manual or automatic transaction provisioning, it's all in this case reportable so that we can see that we can check what's happening inside the application. We're doing reconciliation, having 10 people in the database, 12 people access, oh there's something wrong so we can correct it through the engine and doing a reg regular validation every three months or whatever is requested for this different applications to just say what it is, what we have at least.

And that is the, the key benefit that we have on the ServiceNow platform, which is clear Sky tool from a consumer's perspective is fully transparent. Consumers already know we, ServiceNow is a huge installation we have for eight years, eight or nine years already. We're using that also for hr, for finance, et cetera. So it's widely used in the company. People know how to use that. It's easy for them really to use and request access things inside this tool.

And from an IT perspective as well, I mentioned 2000 internal abb, IT people across the whole ABB world, but there are 5,000 others externally. So all them are working for years in service now and this was pretty easy to, for them to use that tool as well for using well ticket provisioning, re-validation task, et cetera. All that is quite simple to integrate. Last slide summary from my side, thinking about the maximization of the technical investment, well as I said, we could install it within two months and make it productive at least with a few simple tools. But it was, it was possible.

So we had the platform already there and it could be used eliminate multiple use X tools. We have started, I mentioned these 40 tools, we still have, none of them is really shut down, but we are working on it, you know, because they're typically not supporting only one tool and delivering easy familiar user experience for employees. Well less mini, less effort for training that we needed to spend in such a huge company made it quite, quite easy for us to implement it in business and is and that's it in 20 minutes. Thank you Stephen.

I think for some people three years may sound like a long time, but I think given the complexity of what you just described, I think it's actually impressive. Yeah, yeah. That you did it in three years. Yeah. Oh thanks. Yes. I've got in, I have actually a couple of questions. The first one is, how did you organize the change program? I e connect to all these stakeholders. Obviously you must have talked to a lot of people during that process.

Well yeah, right. Business as well as it and so on. When we started, we realized that our steering committee for the project was bigger than the people working inside the project. Yeah.

So, and it was not that bad because we, we could really involve them all and get help from their site into all directions. Yeah, Yeah, yeah. Okay. Yeah. To what degree do you enforce the MFA access?

Well, MFA is nothing that we have in the moment on, in our scope directly. So it's, no, it's, I would say no, it's, it's not in the moment in scope of what, what we are doing. We are really thinking about the data behind in the moment that we need to manage. Yeah. How did you, how did you succeed to teach and establish IGA at abb?

Well, this is difficult question. It's, as I said, it's a little bit a journey. You need to talk and talk and talk.

So as I, as I mentioned, doing something on this local level, typically when I started this 20 years ago, took us three days. Doing that on a regional level, took us three months. Doing that on a global level takes three years.

You now, we are in three years. So you always need to talk, talk, talk to people, and if you think you have spoken to everyone, you realize that there are others you'd still need to talk to.

That's a, that's a challenge. Yeah. Okay. Thank you very much. There are so as well, what questions? So perhaps if you can connect afterwards, I, I'm pretty happy to do that. You can also meet the people from Clear Sky downstairs in the four.

Alright, Thanks very. Thank you. It was very good. Thanks. Thank You. Thank you.