Provisioning new employees with IT access, making a fast, clean digital break with departing employees and keeping up with changing access rights is important, especially for organizations like Brookdale Senior Living Inc., which are subject to SOX and Health Insurance Portability and Accountability Act compliance. But is identity and access management (IAM) a job for seven full-time security professionals?
"In the senior living industry, at certain levels, there is quite a bit of turnover. In some jobs we have more than 100% turnover in a year," said Scott Ranson, CIO for the fast-growing Brookdale Senior Living, which employs about 32,000 people in 560 locations and manages them with an IT team of 95.
But keeping track of employees was not just an IT problem, as Ranson discovered when he convened the company's business process owners to talk about using technology to automate some of these transactions.
"Because of our turnover, there were people in the business who were spending a great deal of time approving new provisioning. By us investing the time in creating the recipe book, they were able to free up time to move forward in other areas," Ranson said. His "recipe book" is the outcome of a laborious effort to define job roles and map them to applications and systems.
Ranson is not alone in his push to find a way to automate the provisioning and management of user accounts. According to Forrester Research Inc. analyst Robert Whiteley, user demand for the identity and access management tools to do that is hot, sparking a "flurry" of new products that are competitively priced.
An uncertain economy will only fuel that demand, claims Forrester analyst Andras Cser, an expert on IAM and user account provisioning for the Cambridge, Mass.-based consultancy. Nervous employees are tempted to mine, steal or destroy critical information, writes Cser in a recent report.
Plus, as layoffs spread, more companies are turning to temporary employees and Software as a Service (SaaS) providers for application maintenance and support. Both tactics can save money but bring increased risks. Temp workers are less likely to notice and report inappropriate use of data. In addition, the "provisioning, modification and deletion of users in SaaS applications is often manual, delayed and error-prone," increasing the risk for data breaches, Cser warns.
In fact, the potential damage in reputation and money exacted by a data breach has helped protect security budgets in the recession. Forrester recently reported that security grabbed a bigger percentage of IT spend in 2008 and is expected to do so again in 2009. In addition, Forrester said many large IT security shops now report, either by dotted line or directly, to departments outside IT, further elevating security on the business agenda.
For Brookdale's Ranson, the primary goals for implementing identity and access management were to improve customer service while decreasing the amount of time IT spent ensuring employees had the access to the applications they needed to do their work -- and only those applications.
Managing accounts at a growing company
The need to automate identity management was driven not only by high turnover, but also by Brookdale's rapid growth. Among the nation's largest providers of senior housing, the publicly traded company grew from about $300 million to just under $2 billion in revenue since 2005 through three large acquisitions. Its IT budget is a modest 1.1% of sales.
IT can get 50 IAM-related transactions a day, each request requiring attention to multiple applications and systems. Those 50 transactions could each take days to complete when the tasks were handled manually.
"Having a new hire wait three or four and, in some cases, up to five days to log into the system and start doing work was not very good customer service," Ranson said.
The implementation required a group effort, with the security team, business process owners and the Courion consultant sitting down together to map all the roles and permissions for some 700 job titles.
The quest for better identity and access management led Ranson to a software solution from Courion Corp. in January 2008. Brookdale is an Oracle shop. "At the time, Courion did a better job than Oracle of controlling Oracle's PeopleSoft," he said. He estimates the total cost at about $400,000.
Since implementing the technology, the turnaround time on IAM requests is down to less than 24 hours for critical applications, Ranson said. He also was able to cut loose three full-time employees from the job, "simply because the product does it automatically." The product is notified nightly of new hires and does the provisioning then. Terminations happen immediately; changes are "a little more ad hoc."
A bonus? The product helps with several aspects of Sarbanes-Oxley (SOX) Act compliance, starting with the automation of individual employee permissions that business process owners previously had to handle.
"We have now rewritten our SOX controls so that business process owners do not have to approve every transaction but can approve the recipe book. And as long as there is a computer that's doing the provisioning, the likelihood of a misprovisioning error is much lower," Ranson explained. (When there is a change to the recipe book or application, the application must be tested and the business process owner has to sign off on it before it moves to production.)
In addition, the product can track employee roles and permissions across disparate applications, including Brookdale's custom-built billing system, meaning IT can now automatically produce the reports needed to comply with SOX segregation-of-duty requirements, Ranson said.
Getting the business people on board with IAM
The reality check to all these benefits? That "recipe book" that comes in so handy required a lot of hard work.
"There is a huge amount of work up front to get the rules right to actually start the programming," Ranson said.
Indeed, when asked how hard it was to get the Courion product up and running, Ranson likened it to a universal remote control. "If you know what you're doing, it is not hard. If you don't know what you're doing, it is almost impossible," he said.
A critical ingredient is getting the business on board, Ranson stressed. The implementation required a group effort, with the security team, business process owners and the Courion consultant sitting down together to map all the roles and permissions for the some 700 job titles at Brookdale. It took them six months.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.
This was first published in March 2009