When it comes to identity access management, large companies should begin by delineating each of the roles an employee plays, rather than relying on a job title.
Just ask Craig Shumard, chief information security officer at Cigna Corp. He's at the forefront of a more granular approach to roles-based access that ensures Cigna employees can use the many systems they need -- and the company is in compliance with its many regulatory obligations.
The Philadelphia-based health insurer covers 47 million people worldwide; works with some 500,000 physicians, 85,000 dentists, 57,000 drugstore pharmacies and 55,000 behavioral health providers; and does business with 90 of the Fortune 100. It has a lot of data to protect and is heavily regulated, both on the health and financial fronts.
Cigna employees must have access to the data they need to do their jobs -- but only what they need, Shumard said. This policy is known as "minimum necessary" and is a cornerstone of the Health Insurance Portability and Accountability Act. "So how do you get to an environment where you have minimum necessary?" he said.
Cigna took an important step in that direction by moving to roles-based access control, Shumard said. The company had been using a "model-me-after" approach to identity access management, the practice of provisioning a new employee's access to systems by modeling it after an employee who does roughly the same job. But because old employees often bring their past access rights to systems along with them to each new position, the model-me-after approach for new employees is a security and compliance landmine waiting to be tripped.
"What it does is explode the amount of inappropriate access that somebody could have to systems," Shumard said.
Identity access management compliance starts with the business, not IT, defining work roles and the access needed to perform that work. Employees are identified by the roles they perform to ensure that they get access to all the systems and applications they need to do their jobs, and only the ones they need. And, yes, in Cigna's case we're talking a cast of thousands -- 27,000 employees, more than 300 applications and millions of access entitlements. Today, with the input of business managers, the Cigna workforce comprises 1,800 roles, some 2,400 "sub-roles," and a category called "out of role" requests for those employees engaged in special projects for a specified time.
"When you take all those roles and the number of employees we have and the hundreds of systems we have in our environment, you can quickly see that when this scales up you're dealing with millions and millions of entitlements," Shumard said.
Cigna developed a homegrown workflow tool that initiates the provisioning of the systems as people come on board or change job roles. What it lacked was a way to audit the access rights of employees over time. The company needed to make sure that what it thought was provisioned was actually provisioned.
"We also wanted to make sure that we kept the roles as current and fresh as possible, because the maintenance of those roles improves the integrity of the overall access process," he said.
The company recently chose technology from Aveksa Inc., an enterprise access governance provider, to automate and audit the access process. Founded in 2004, Waltham, Mass.-based Aveksa specializes in technology that manages the security, compliance and regulatory risks associated with managing inappropriate access to information.
Cigna is using Aveksa technology to create a fully automated workflow for identity-driven business processes spanning IT departments, business line managers and compliance managers. The Aveksa tools help with Cigna's regulatory initiatives, including identity audit compliance, access certification and reporting, as well as role analysis, design and maintenance.
Brian Cleary, vice president of products and marketing at Aveksa, said the company was launched to fill a gap in the market. Identity and access management technologies did a fine job of enforcing access to information, he said, but they weren't designed for governance, and specifically to work with the business to instantiate a set of business policies and processes for governing users' access to information resources. Their yes-or-no authorization policies -- does this person have an account within the mainframe application or for Exchange or for the ERP application -- provide access that is too broad to meet today's requirements, he said.
"What you need now, in the regulatory climate businesses operate in now, are much finer-grained policies that can make determinations, for example, within the ERP application," Cleary said. To wit: An employee who has access privileges to post an invoice should not have access privileges to pay the invoice.
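The two checks described above, confirming that what was provisioned matches what the roles say and catching the post-invoice/pay-invoice conflict, can be sketched as follows. This is an added example, not Cigna's or Aveksa's code; every role name, user, permission and data value in it is hypothetical and constructed for illustration.

```python
# Added example with constructed data; all names are hypothetical.

# Business-defined roles mapped to (application, permission) entitlements.
ROLES = {
    "ap_clerk":      {("erp", "post_invoice"), ("mail", "mailbox")},
    "ap_payments":   {("erp", "pay_invoice"), ("mail", "mailbox")},
    "claims_intake": {("claims", "read_claim"), ("mail", "mailbox")},
}

# Entitlement pairs no single person may hold (segregation of duties).
SOD_RULES = [(("erp", "post_invoice"), ("erp", "pay_invoice"))]

# Role assignments plus approved, time-boxed "out of role" grants.
ASSIGNMENTS = {
    "alice": {"roles": ["ap_clerk"], "out_of_role": set()},
    "bob":   {"roles": ["ap_payments"], "out_of_role": {("claims", "read_claim")}},
    "carol": {"roles": ["claims_intake"], "out_of_role": set()},
}

# What the target systems actually report (constructed sample).
ACTUAL = {
    "alice": {("erp", "post_invoice"), ("erp", "pay_invoice"), ("mail", "mailbox")},
    "bob":   {("erp", "pay_invoice"), ("mail", "mailbox"), ("claims", "read_claim")},
    "carol": {("claims", "read_claim")},
    "dave":  {("erp", "post_invoice")},  # account with no role assignment
}

def expected_entitlements(user):
    """Union of the user's role entitlements and approved out-of-role grants."""
    assignment = ASSIGNMENTS[user]
    wanted = set(assignment["out_of_role"])
    for role in assignment["roles"]:
        wanted |= ROLES[role]
    return wanted

def audit(actual=ACTUAL):
    """Compare actual access with role-derived access and flag SoD conflicts."""
    report = {}
    for user in sorted(set(ASSIGNMENTS) | set(actual)):
        have = actual.get(user, set())
        want = expected_entitlements(user) if user in ASSIGNMENTS else set()
        report[user] = {
            "excess": sorted(have - want),    # carried-over or unapproved access
            "missing": sorted(want - have),   # provisioning that never happened
            "sod": [pair for pair in SOD_RULES if set(pair) <= have],
        }
    return report

if __name__ == "__main__":
    for user, findings in audit().items():
        print(user, findings)
```

The conflict check runs against actual access rather than assigned roles, so it catches a toxic combination even when neither role grants it on paper.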
Putting the business in charge of identity management
The automation at Cigna reflects a more fundamental shift in identity management, from IT to the business, Shumard said.
"Too often over the last 15 years or so, a lot of business people have delegated the authority of access to IT people. That is not the proper place for it to be. It really needs to be back with the business," Shumard said.
"When we took our roles-based approach, that is exactly what we did. We got the business re-engaged with owning access to their systems, because they are the authorities in that area," he said.
Business people have probably always wanted that control of identity access provisioning, but the technology has made that difficult, because the names and naming conventions are "system-ese," Shumard said. "It becomes almost hieroglyphics for the business folks."
Shumard needed a tool that would make it easy for "role owners" to take responsibility for keeping the role definitions current and for managers to certify those roles on a regular basis. "That's what the Aveksa tool really helped us do from a compliance management standpoint," he said.
"What we have been able to do with some of our homegrown things, which have now been replaced by the Aveksa tool, is provide the managers with the tools to manage access provisioning, in terms, in words, in processes that are efficient for them, and easily understood by them -- and that is a huge step," he said.
Kevin Kampman, a senior analyst in Midvale, Utah-based Burton Group's identity and privacy strategy service, said roles-based identity management cannot succeed unless it is a shared effort between business and technology. Indeed, roles management has historically gotten a bad rap because it lacked that joint ownership, he said.
"IT is very good at making the technology available and administering that, but they can't do it without business guidance," Kampman said.
Companies then need tools that help the business decide what those responsibilities are and how to map them to system access.
"Administrative people don't have to make decisions about who gets what toolbox. Managers determine that," Kampman said. That, in turn, supports compliance efforts. "As long as nothing changes, the compliance folks are much happier, because they understand, in working with the business, what has been given to people and who has said that the access is appropriate," Kampman said.
Shumard said automating roles-based management is good for IT. "It makes their jobs a lot easier, too, because now you've got clear rules and delineation and auditability standards. You've cleaned up a lot of holes in the system. There's a lot more definition for everybody."
Let us know what you think about the story; email Linda Tucci, Senior News Writer.