Pushed by Sarbox
By Bob Violino | Posted 2006-12-22
Identity management software gives your company more control over who accesses business applications. It also makes it easier to add or cut off access on the fly. But why is that so difficult?
MasterCard International began using CA's eTrust Identity and Access Management Suite in 2005 to simplify the process of managing the identities of its 4,300 employees worldwide.
In 2004, as the company worked on meeting the requirements of the Sarbanes-Oxley Act, including an audit of internal controls over financial reporting and other systems, it found that the task of managing identities manually—required to ensure that only authorized people had access to financial systems—was time consuming. At the time, staffers were keying in data detailing access privileges for each individual and for all types of systems.
Given the multiple identities that needed to be tracked—for example, one ID to access Windows-based systems, another for Unix, yet another for mainframes—MasterCard was dealing with more than 200,000 identities in all, says Malcolm McWhinnie, group head of global information security. "We wanted to simplify the management of all those identities and improve the cycle time" to grant and deny access, he says.
MasterCard looked at ID management products from multiple vendors before selecting eTrust. MasterCard managers believed that CA best understood the business requirements for implementing ID management, McWhinnie says. MasterCard declined to disclose other vendors considered.
MasterCard got its major computing platforms, including Windows and Unix, functioning under the system. The company initially chose 12 applications to put on the system, and has since expanded the effort to all production applications.
With CA's ID management software, "We related people to roles and roles to privileges," he says. "Before that, we were relating people to file names and it was quite complex."
Every employee is defined in the CA software, which is linked to a human-resources database that serves as a "directory of record," McWhinnie says. Now, when someone is hired at MasterCard, the HR department loads information about the newcomer into the database, and basic access rights—such as access to the corporate network—are granted to that employee. Other privileges are granted based on job role. When an employee leaves the company, access to applications is immediately ended.
Help with Sarbanes-Oxley compliance is a key benefit of the software, McWhinnie says. "Getting control over terminations and job-role changes is very important to SarbOx," he explains. "We were compliant long before we had identity management, but the amount of time it [took] to run manual systems begs some sort of automation."
The cycle time to fully grant or take away access is about 10 times faster with the software than with manual systems, he says. The new system sets up access requirements the same day they are requested; the old process took up to two weeks to complete. For removing access rights, "If someone had a complex role with a number of different IDs, the housekeeping might take several days" using the manual process. With the ID management software, it can be done instantly.
McWhinnie says MasterCard has invested "several million" dollars in the ID management project, including software, hardware and labor. He declines to specify how much the company expects to save.
One project challenge involved changing business processes related to ID management, McWhinnie says. For example, department managers had to learn new ways to provide access by defining roles in the organization and the corresponding access rights. Previously, the company gave workers access to all files and directories individually, which could amount to hundreds of access privileges for each person.
Is MasterCard any more secure with ID management? Not necessarily, according to McWhinnie: "But we are definitely more efficient with our ID management and compliance efforts, and our housekeeping is in better shape."