Event Recording

Stephanie van der Loos: Seamless Employee Access Lifecycle


So thank you for having me again. I would like to take these 15 minutes to take you along on the ABN AMRO journey on seamless employee identity lifecycles. So join me at the onboarding of a new employee or a team member within your team. How do you feel when you're a new employee and you want to work within your new team, in the job that you've been wanting to have for a long period of time? You're anxious to start your first day, right? You want to enter the building and you hope that it's all working. So there you go on your first day, entering the building, and it's going exactly as planned: the lady at the desk actually expects you already and has your pass, with which you can enter the building, and you're ready to go. And you can go in, your computer is there, your applications are there.
The first applications that you need when you open your computer, like the internet and the usage of 365, are all there. Then, because you are a developer, the special rights are needed as well, right? Because you really want to deliver and add value straight away from the first day. And those were there as well. Isn't that a great thing, that on your first day you could access all the applications that you need? That's the "first time right" principle, and it's automated. And you actually exceed all the expectations because you can start working already. That's the happy flow. That's what we at ABN AMRO strive for, of course, because people are our biggest assets. Imagine the other way around: when you want to start working, people don't know you're coming. Your access is not ready. It's difficult to actually find the applications you need to work on.
And the developer rights, well, those take forever. That's actually the road you do not want to go down. This is really exaggerated, of course, but from the negative view to the positive view, that's the journey we've been making at ABN AMRO in the last period of time. But why is a seamless employee lifecycle important? As I already said, the positive user experience, getting everything first time right, is immensely important. People love it when they can actually do what they're paid for, right? And to exceed expectations, to get that seamless employee lifecycle, you need process governance. So who's responsible for what, and in which period of the whole process does a line manager need to do something? For example, control is important, and reviewing the access and the rights that people have is explicitly important as well, to meet audit purposes and audits: to see how people are getting access, and if it's really going as it should be, or if there might be some breaches. If you have a seamless employee lifecycle, efficiencies in time, but as well in costs, are really visible.
And of course we had some challenges. The challenges were numerous. Maybe it looked a bit like the bridge we're trying to cross in the picture on the back, but now I'll take you along. Some of the challenges that we actually had: first, it starts with having an identity lifecycle. Of course, we had a lifecycle already, but it wasn't a hundred percent catering for all the new requirements we have. It needs to be easy to use, because the more difficult it gets, the less controlled it gets. And of course, identity is key. So the quality of the identity data and the setup of the data need to be a hundred percent to ensure automation. And of course it needs to cater for all needs. We have on-premise tooling. We have clouds. We even have legacy tooling still. So with the setup and the lifecycle, you need to cater for all those needs.
So let me take you along in the identity lifecycle of ABN AMRO. On the left, you see setup. That's where you come in, as a person, as a human person, wanting to work within ABN AMRO. You get your HR data filled, you get your contract filled with your contract start date and the position where you're going to work, within the team you are going to work in. That's part of the whole setup, as well as the role. Then we go a bit more to the right, and that's when you actually start working for the organization and you have your access and your applications. And we're still in the outer ring when you just have one position with the bank, which usually isn't the case, because we as ABN AMRO have the job rotation model, where you have different jobs within a period of time, and you can actually learn and improve yourself all the time.
If that's the case, you don't go to the exit in the outer ring, but you go on into the maintaining part. Again, that's when from a joiner you become a mover within the organization. So you move to a different role, but again, the outer ring stays the same. If you step one ring more to the middle, you actually see how it is connected. So you start in the organization, you get a role with access, and you get provisioned the access, so you actually can do something, and it's controlled and reviewed. And one step in even more is identification, authentication and authorization, because when you're in, every day or every half a day, or whatever the application requires, you need to identify, authenticate and authorize your access. So this is the identity lifecycle we've set up and how we control our identities.
And of course, when you leave the organization, you exit, and all the access gets revoked. So it's a really clear model and it's really insightful, and it helped to build the governance and processes around it. So one of those we really needed to overcome was the ease of use. You really want to have clear responsibilities. It starts always, of course, with the policies and the standards. And in those we wrote down, very insightfully if you ask me (I wrote it myself, so that's why I can say so), who is responsible for which step in the process within ABN AMRO. The line manager is responsible for almost everything regarding the access of an identity and the whole lifecycle. So we made an embedded joiner, mover and leaver process. It's all connected and it's all automated. And it's all requested by the line manager to go to the next step within the process: is this person really coming within your organization, and in this role? And then you grant the access, or you revoke the access again. When the authorizations are given, they're not open forever, right?
You need to have a review process around this, and it needs to be repeated. We automated this process, depending on your role. The minimum is twice a year, but those review responsibilities need to be easy. They need to be sent to the manager, and your employee needs to know, so they can help improve this process, so it actually gets reviewed. We're really proud to say that 99.99% reviewed their access, and the access that has not been reviewed has been revoked. So really clear responsibilities and really clear control. That's the bridge to another one, the control. Of course, it starts again with policies and standards and the auditability of the data. You can set up your process really, really well, and it could be easy to use, but what if you can't audit the data, if you don't have the data flow behind it? So all the review data, all the joiner, mover and leaver data is auditable. We have everything, and we can see who granted access. We can see who revoked the access, and it's all really auditable. So that's really nice to have, and a necessity as well. And with this, it doesn't really matter which application it is, or if it's infrastructure or not. We can deliver this data. So the control challenge is covered.
How did we overcome the identity data quality challenge? And that's something we can improve daily, because new requirements are coming every day. But the collaboration with HR is fantastic, and it's required as well. Like I already said, you come in as a natural person, which you obviously always stay, but you need a digital identity to be granted access within ABN AMRO. So an employee is connected to an organizational structure, and that would be, for example, in my case, ABN AMRO, CSO, Identity and Access, and then within the team of governance. The organizational structure again is connected to an Airbook, a functional role. So I work within the ABN AMRO identity and access governance team, and I have a specific role. Why is that important? All the applications connected to this role are there straight away from day one. So I have 10 applications that I need to use because of the standard function I have, and maybe two because I have a really explicit role. And those were already there on the first day I started. So I'm really happy. We could say we centralized the automated provisioning by using the Inna tooling. So the manager granted access on my first day, so I could actually start. When I leave the bank, he will revoke my access, or when I leave to a different role, he will revoke my access straight away. And the data quality improvements and the connection with HR are key to actually make this happen.
So how did we overcome the "cater for all needs" challenge? Maybe the pictures behind it already reflected it, right? Identity just needs to be there, and it needs to be really catering for all needs. But how did we do this? I already mentioned organizational structures, organizational hierarchies. They're set up in different forms to be able to cater for those, because you have the DevOps way of working, which is not a fixed line hierarchy but a more collaborative way of working. So that needs to be possible. And the cloud and on-prem tooling needs to be there. So actually we need to cater, with all those organizational structures, for the DevOps way of working and the Airbook way of working. And then of course there are self-organizing teams. So this keeps on improving. So the organizational structures are fluid in that sense: they need to be strict, but they need to be improved on a regular basis to see if they still cater for the needs.
So how do we grant the access? You're one person, just like in the Eddie movie, I forgot his name in the movie, but he comes in different features. So you're one person with the role, and you get an organizational role, then you're working in a specific function, you get the Airbook with which all the applications are connected. But what if you're in a DevOps team? That's exactly where we all want to go, right? Working DevOps, really automated and really without any restrictions. So what we did is we have the organizational structure connected to the DevOps way of working, with the five different roles within a team. What we did is we have applications connected to all those five different roles. The most important, of course, are the developer and operations roles. And for those specific functions there are applications connected straight away, because we connected the application to the team and the function of the employee.
We could actually grant access straight away on the first day for the specific role. When it's T-shaped, which we really want, the developer and the operations roles are connected. So again, those will be granted on the start date and revoked straight away. And with this, we actually cater for all needs with data and control in a layered role model. But then, will this journey be finished? Well, I would love to say yes, because we've come a long way and we can cater for a lot of needs, but I think environments will always innovate. New requirements will be asked for, such as, for example, self-organizing teams or the DevSecOps way of working. So it's a never-ending journey, but it's safe to say that we've come a long way, and that automation and control are key. And that's how we try to make it safe and easy. So I wonder if you have any questions on our journey. If so, please let me know.
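The talk describes a layered role model (organizational structure, functional role, applications), an embedded joiner/mover/leaver process driven by the line manager, and a periodic access review in which unreviewed access is revoked. The following Python model is an added illustration of those mechanics; it is not the speaker's or ABN AMRO's tooling, and every organizational unit, role, application, person and date in it is constructed sample data. It shows how a mover's old entitlements are revoked and new ones granted in one reconciliation, how every grant and revoke lands in an audit log, and how the "twice a year" review turns unconfirmed, overdue access into a revocation.

```python
"""Toy layered role model with joiner/mover/leaver reconciliation and access review.
Added example; not ABN AMRO's IAM tooling. All data below is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Layer 1: organizational unit -> functional roles that may exist in it (constructed).
ORG_UNIT_ROLES = {
    "CISO/Identity and Access/Governance": {"iam-governance-analyst"},
    "Payments/Team Alpha": {"developer", "operations", "product-owner"},  # a DevOps team
}
# Layer 2: functional role -> applications provisioned for it (constructed).
ROLE_APPS = {
    "iam-governance-analyst": {"iga-console", "hr-feed-viewer"},
    "developer": {"git", "ci-pipeline"},
    "operations": {"monitoring", "cloud-console"},
    "product-owner": {"backlog-tool"},
}
BASELINE_APPS = {"mail", "office365"}   # every identity gets these on day one
REVIEW_INTERVAL = timedelta(days=182)   # "the minimum is twice a year"


@dataclass
class Identity:
    name: str
    org_unit: str
    roles: set
    line_manager: str                       # the accountable approver in the talk's model
    entitlements: set = field(default_factory=set)
    last_reviewed: dict = field(default_factory=dict)   # app -> date of last attestation


def entitlements_for(org_unit, roles):
    """Derive the target access set from the two layers. A role that is not defined
    in the given org unit is a data-quality error and must not silently grant anything."""
    bad = set(roles) - ORG_UNIT_ROLES[org_unit]
    if bad:
        raise ValueError(f"roles {sorted(bad)} are not defined in {org_unit}")
    apps = set(BASELINE_APPS)
    for role in roles:
        apps |= ROLE_APPS[role]
    return apps


def reconcile(identity, today, log):
    """Bring actual entitlements in line with the target set; log every grant and revoke
    with the line manager as actor. Returns (granted, revoked)."""
    target = entitlements_for(identity.org_unit, identity.roles)
    granted, revoked = target - identity.entitlements, identity.entitlements - target
    for app in sorted(granted):
        log.append((today, identity.line_manager, "grant", identity.name, app))
        identity.last_reviewed[app] = today         # a fresh grant counts as attested today
    for app in sorted(revoked):
        log.append((today, identity.line_manager, "revoke", identity.name, app))
        identity.last_reviewed.pop(app, None)
    identity.entitlements = target
    return granted, revoked


def joiner(identity, today, log):
    return reconcile(identity, today, log)


def mover(identity, new_unit, new_roles, today, log):
    identity.org_unit, identity.roles = new_unit, set(new_roles)
    return reconcile(identity, today, log)      # old role's apps go, new role's apps come


def leaver(identity, today, log):
    identity.roles = set()
    revoked = set(identity.entitlements)
    for app in sorted(revoked):
        log.append((today, identity.line_manager, "revoke", identity.name, app))
    identity.entitlements, identity.last_reviewed = set(), {}
    return revoked


def access_review(identity, confirmed, today, log):
    """Periodic certification: confirmed entitlements get a new review date; anything
    overdue that the manager did not confirm is revoked (unreviewed means revoked)."""
    for app in confirmed & identity.entitlements:
        identity.last_reviewed[app] = today
        log.append((today, identity.line_manager, "review-confirm", identity.name, app))
    overdue = {a for a in identity.entitlements
               if today - identity.last_reviewed[a] > REVIEW_INTERVAL}
    for app in sorted(overdue):
        log.append((today, identity.line_manager, "revoke-unreviewed", identity.name, app))
        identity.last_reviewed.pop(app)
    identity.entitlements -= overdue
    return overdue


def demo():
    """Walk one constructed identity through join, T-shaped role, move, review and leave."""
    log, d0 = [], date(2022, 1, 3)
    alice = Identity("alice", "Payments/Team Alpha", {"developer"}, line_manager="bob")
    joined, _ = joiner(alice, d0, log)
    tshape_granted, _ = mover(alice, "Payments/Team Alpha", {"developer", "operations"},
                              d0 + timedelta(days=30), log)
    moved_granted, moved_revoked = mover(alice, "CISO/Identity and Access/Governance",
                                        {"iam-governance-analyst"}, d0 + timedelta(days=90), log)
    review_revoked = access_review(alice, {"mail"}, d0 + timedelta(days=200), log)
    final_access = set(alice.entitlements)
    left_revoked = leaver(alice, d0 + timedelta(days=300), log)
    return {"joined": joined, "tshape_granted": tshape_granted, "moved_granted": moved_granted,
            "moved_revoked": moved_revoked, "review_revoked": review_revoked,
            "final_access": final_access, "left_revoked": left_revoked, "log": log}


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(*entry)
```

The audit log is the piece an auditor asks for: every tuple says who granted or revoked which application for whom and when, so the "who granted access, who revoked it" question from the talk is answered from data rather than memory. The `ValueError` in `entitlements_for` is the data-quality guard: a role that is not defined for the identity's organizational unit is treated as a broken HR record rather than provisioned anyway.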
