At Raymond James Financial Inc., about 27,000 users access its numerous software applications at any given tim...
These users include a mix of employees, contractors, executives and advisers who have different user-experience expectations and, of course, different access rights, said Jeff Brouette, manager of identity and access management engineering at Raymond James, based in St. Petersburg, Fla.
"We're not a gigantic company, but what makes it complex is the number of entitlements and applications we have," Brouette said.
The size and diversity of the firm's workforce created a challenge for Brouette and his team, as they sought to balance security and compliance requirements against business needs as part of their identity and access management (IAM) strategy.
As a financial services company, Raymond James operates under multiple regulatory compliance rules and related audit requirements that create layers of complexities that other companies might not experience, he said. For example, the company had to prohibit workers from accessing what he called "toxic combinations" of systems, such as the same individual having the ability to both authorize a trade and execute it.
Lacking IAM processes
The company's ongoing use of legacy systems created another layer of challenges to an efficient IAM strategy.
"We didn't have a single or consistent way of entitling applications," Brouette said, explaining that some apps used Microsoft Active Directory, while others used legacy systems or Windows-based entitlement systems.
Brouette acknowledged the company's past IAM processes had not effectively and efficiently managed those challenges. He pointed to the fact that, several years ago, onboarding new workers and getting them the access they needed took weeks, even up to a month.
Given such scenarios, Brouette said Raymond James has been committed to evolving its IAM governance program in recent years, using a variety of technologies to reduce the amount of manual work required, to create efficiencies and to best ensure adherence to security and regulatory requirements.
That's a smart move, because companies are well-served by a strong IAM strategy now more than ever, according to Merritt Maxim, a principal analyst at Forrester Research Inc.
"Companies are using more and more systems than they ever have before. They're collecting more data, [and] the employees' job roles are changing faster," he said, adding that identity access management sits at the nexus of all those dynamics.
Consider how an employee may require access to specific data or certain applications to work on a project, but will not need that access on an ongoing basis, he said. IT should be capable of changing access rights of not just that employee, but dozens, hundreds or even thousands of employees, as needed.
However, not all organizations are maturing their IAM practices, Maxim said.
"There are still a lot of companies that are doing very little with IAM -- they're working on spreadsheets, or they've reached a limit to what they could do with their homegrown systems," he said. However, he noted that many of them are "actively looking to find ways to streamline what they're doing."
Additionally, he said, the lack of a good IAM governance program supported by technology "leads to the risk of users having excess privileges that they abuse or that inadvertently increase the risk of a data breach."
Modernizing IAM policies
Collecting and organizing user entitlements was one of the earliest steps that Raymond James took as it modernized its IAM policies.
Brouette said he and the IAM team saw a need for "a tool that would help us organize the number of entitlements and applications we have and separate duties, because doing that manually was extremely complicated."
To handle that aspect of their IAM needs, they implemented SailPoint's IdentityIQ in 2012, replacing processes that, in some cases, had been done via spreadsheets. The IAM team started to implement SailPoint's SecurityIQ platform in late 2017 to further support its IAM governance work and provisioning.
Brouette said these technologies gave the company a platform that was more robust and offered more functions as the governance program matured.
"It is a constant evolution," he added.
Today, Raymond James has all its users' roles defined in IdentityIQ, and Brouette said the move to the SailPoint technologies has delivered some key returns.
Because they are commercial services, the SailPoint platforms have enabled easier integration with other systems than the company's prior, custom-built access management application, saving the company time and money, Brouette said.
More IAM processes, such as checks on potential entitlement conflicts, are also automated now that the entitlement data is contained in one system. Similarly, the time needed to onboard new users has been cut from several weeks to less than a day.
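As an added example (not code from the article, from SailPoint or from Raymond James), this is how an automated check for the "toxic combination" described earlier, the same person being able to both authorize and execute a trade, can be expressed: each user's roles are flattened into the entitlements they actually hold, and that set is compared against conflict rules, so a conflict that only appears when two roles are combined is still caught. All role names, entitlement names, users and the rule itself are constructed for the example.

```python
# Added example: a minimal separation-of-duties (SoD) check over role-based
# entitlements. The role catalogue, entitlement names, users and the
# toxic-combination rule below are constructed; they are not SailPoint's
# API or Raymond James' configuration.

# Constructed role catalogue: role name -> entitlements the role grants.
ROLES = {
    "trading_desk": {"trade:execute", "market_data:read"},
    "desk_supervisor": {"trade:authorize", "reports:read"},
    "ops_analyst": {"reports:read", "settlement:read"},
}

# Constructed toxic-combination rules: a user holding every entitlement in
# the set is in violation, regardless of which roles supplied them.
TOXIC_COMBINATIONS = [
    ("trade_authorize_and_execute", {"trade:authorize", "trade:execute"}),
]


def effective_entitlements(user_roles, roles=ROLES):
    """Flatten a user's roles into the set of entitlements they really hold."""
    effective = set()
    for role in user_roles:
        if role not in roles:
            # Access that is not modelled in the catalogue should fail loudly
            # rather than be silently skipped by the check.
            raise KeyError(f"unknown role: {role}")
        effective |= roles[role]
    return effective


def find_sod_violations(users, roles=ROLES, rules=TOXIC_COMBINATIONS):
    """Return [(user, rule_name)] for each user whose combined entitlements
    contain a full toxic combination. Checking effective entitlements rather
    than role names catches conflicts that arise only when roles are combined."""
    violations = []
    for user, user_roles in users.items():
        held = effective_entitlements(user_roles, roles)
        for rule_name, conflict_set in rules:
            if conflict_set <= held:
                violations.append((user, rule_name))
    return violations


# Constructed sample population: no single role is toxic on its own, but
# "bob" accumulates both halves of the conflict through two roles.
USERS = {
    "alice": ["trading_desk"],
    "bob": ["trading_desk", "desk_supervisor"],
    "carol": ["ops_analyst", "desk_supervisor"],
}

if __name__ == "__main__":
    for user, rule in find_sod_violations(USERS):
        print(f"SoD violation: {user} violates {rule}")
```

In a real deployment the same comparison runs on every access request and on a recurring certification cycle, so that a conflict introduced by a later role grant is flagged rather than discovered at audit time.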
These benefits have allowed the technical staff who work in identity management -- a group that includes an engineering team, the ops team, and governance and administration workers -- to focus on more advanced tasks that add even more business value to Raymond James.
"Now that we have these things in place and these core fundamental capabilities are being handled, we can take a step back and ask what other ways we can mitigate risk," Brouette said. "Five or six years ago, we couldn't even do that, because we were trying to get everything organized and trying to stop doing everything manually. This has allowed us to think about how to wire things together, increase automation and reduce risk."