The Sarbanes-Oxley Act of 2002 requires any business listed in the US to have clear visibility into which employees are allowed to access which IT systems, and to ensure that the access rights of employees are regularly updated, or "recertified".
The purpose of these rules is to make sure the internal controls that prevent rogue staff from approving illegal or risky transactions are kept up to date. It applies to IT workers and the infrastructure systems they can access, as well as banking staff and the applications they are allowed to use.
Rabobank International, the global division of the Dutch financial services giant, is not listed in the US, but it has voluntarily adopted the access management best practices mandated by Sarbanes-Oxley, and the company is regularly audited for ‘SOx’ compliance.
To meet its compliance requirements, Rabobank International introduced a process that requires managers to check the current access rights associated with a given system, and confirm that employees have an appropriate level of access based on their job role.
This process had a significant admin overhead. One division of the company had to employ two full-time staff just to manage the recertification process.
Not all the systems allow access rights information to be extracted easily. Sometimes it requires software developers to extract it by hand, explains Jethro Cornelissen, global head of security operations at the company. "Sometimes we have to take a screenshot of the application."
Furthermore, the information that is sent to the managers for recertification is often highly technical, and it is not always certain that managers have understood what they have approved. "When you send a list of 100 roles and permissions to be recertified, and they send a response back in a short amount of time, you have to challenge whether they’ve seen the complete picture," says Cornelissen.
Two things happened that prompted Rabobank International to improve the situation. First, the scope of the process was to increase from 90 systems in the Netherlands-based division by at least 130 more. With the existing process, this would make the administrative burden unbearable.
Secondly, an auditor suggested that Rabobank could further enhance the operational processes by recertifying approvers of roles.
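The recertification process described above can be modelled in a few dozen lines. The following is an added example, not Rabobank's or SailPoint's code: it bundles each system's entitlements into one review package per manager, attaches a plain-language description to every technical role name, flags access that falls outside the employee's job role or forms a forbidden combination (the internal control the article mentions), and, following the auditor's point, checks the approvers themselves. All employee ids, role names, entitlements and the job-role catalogue are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed catalogue: the technical entitlements each job role is expected to hold.
JOB_ROLE_CATALOGUE = {
    "payments-clerk": {"PAY_APP:ENTER_TXN"},
    "payments-supervisor": {"PAY_APP:APPROVE_TXN"},
    "unix-admin": {"CORE_HOST:root"},
}

# Constructed plain-language descriptions, so a manager sees more than a technical role name.
ENTITLEMENT_DESCRIPTIONS = {
    "PAY_APP:ENTER_TXN": "Enter payment transactions",
    "PAY_APP:APPROVE_TXN": "Approve payment transactions (second signature)",
    "CORE_HOST:root": "Administrative shell on the core banking host",
}

# Constructed: entitlement pairs one person must never hold together.
TOXIC_COMBINATIONS = [("PAY_APP:ENTER_TXN", "PAY_APP:APPROVE_TXN")]


@dataclass(frozen=True)
class Employee:
    uid: str
    job_role: str
    manager: str
    active: bool
    entitlements: frozenset


@dataclass(frozen=True)
class ReviewItem:
    uid: str
    entitlement: str
    description: str
    in_role: bool   # False: access outside the catalogue entry for this job role
    toxic: bool     # True: part of a forbidden combination this user holds


def toxic_entitlements(entitlements):
    """Return the entitlements that take part in a forbidden combination."""
    hits = set()
    for a, b in TOXIC_COMBINATIONS:
        if a in entitlements and b in entitlements:
            hits.update((a, b))
    return hits


def build_campaign(employees):
    """Bundle one review list per manager; every item carries a description and flags."""
    per_manager = defaultdict(list)
    for emp in employees:
        if not emp.active:
            continue  # leavers are handled by deprovisioning, not by recertification
        expected = JOB_ROLE_CATALOGUE.get(emp.job_role, set())
        toxic = toxic_entitlements(emp.entitlements)
        for ent in sorted(emp.entitlements):
            per_manager[emp.manager].append(ReviewItem(
                uid=emp.uid,
                entitlement=ent,
                description=ENTITLEMENT_DESCRIPTIONS.get(ent, "(undocumented - escalate)"),
                in_role=ent in expected,
                toxic=ent in toxic,
            ))
    return dict(per_manager)


def flagged_items(campaign):
    """Items a reviewer should not be able to bulk-approve without looking at them."""
    return [item for items in campaign.values() for item in items
            if not item.in_role or item.toxic]


def recertify_approvers(role_owners, employees):
    """Check the approvers themselves: each role owner must be an active employee
    and may not own the role that covers their own access."""
    by_uid = {e.uid: e for e in employees}
    problems = {}
    for role, owner in role_owners.items():
        emp = by_uid.get(owner)
        if emp is None or not emp.active:
            problems[role] = "owner is not an active employee"
        elif emp.job_role == role:
            problems[role] = "owner would certify their own access"
    return problems


# Constructed sample population for one system.
EMPLOYEES = [
    Employee("u1001", "payments-clerk", "m.jansen", True, frozenset({"PAY_APP:ENTER_TXN"})),
    Employee("u1002", "payments-clerk", "m.jansen", True,
             frozenset({"PAY_APP:ENTER_TXN", "PAY_APP:APPROVE_TXN"})),   # toxic pair
    Employee("u1003", "unix-admin", "k.devries", True,
             frozenset({"CORE_HOST:root", "PAY_APP:APPROVE_TXN"})),      # out of role
    Employee("u1004", "payments-supervisor", "m.jansen", False, frozenset({"PAY_APP:APPROVE_TXN"})),
    Employee("m.jansen", "payments-supervisor", "director", True, frozenset({"PAY_APP:APPROVE_TXN"})),
]
ROLE_OWNERS = {"payments-clerk": "m.jansen", "payments-supervisor": "m.jansen", "unix-admin": "u1004"}

if __name__ == "__main__":
    campaign = build_campaign(EMPLOYEES)
    for manager, items in campaign.items():
        print(f"Review package for {manager}: {len(items)} items")
        for it in items:
            flag = "  <-- REVIEW" if (not it.in_role or it.toxic) else ""
            print(f"  {it.uid:10} {it.entitlement:22} {it.description}{flag}")
    print("Approver problems:", recertify_approvers(ROLE_OWNERS, EMPLOYEES))
```

The two flags are what turns a list of 100 role names into something a manager can act on: in-role access with no toxic pairing can be approved quickly, while the flagged lines are the ones the reviewer must look at individually. The approver check answers the auditor's point directly, since an owner who has left or who would certify their own access shows up before the campaign is sent out.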
Cornelissen was obliged to resolve this "audit point". At the time, the process of recertification was not his responsibility, but he felt that the best way to resolve the issue was to bring it under his wing.
"By taking full ownership of this process, I could resolve my audit point by adding the things I needed to add," he said. "Plus, having heard people complain about the process for years and having used it myself, I knew we could do it better."
Access governance
Cornelissen’s first thought was to develop a new system internally, but a developer told him that there were commercial providers already offering the functionality that the company required.
Gartner defines this market as identity and access governance (IAG). "IAG tools seek to deliver identity and access management directly to the business or end user, rather than the operational IT administrator," the analyst company says.
Rabobank International chose IAG provider SailPoint. One reason was that the bank uses Controls SA, an identity and access management tool that was formerly sold by BMC but which SailPoint took over in 2011. This means integrating the two systems can be automated, says Cornelissen.
SailPoint’s tool allows managers to see information about access rights, Cornelissen says. "There is one dashboard where they can see in one view what access people have, and a description of every job role."
To justify the investment, Cornelissen ran a proof-of-concept that looked at the amount of time that was spent simply managing the process. He did not include any benefits to the business, as they would have taken months to calculate. Cornelissen found that using the tool would save the company the equivalent of four full-time employees, just by making the recertification process easier to manage.
Rabobank is currently in the process of rolling SailPoint out in Europe. The primary drivers are cost reduction and simplifying compliance, says Cornelissen, but by making identity and access data more comprehensible, it will also make the recertification process more meaningful.
"Nobody will admit to this, but I think at the moment when certain people approve access, they do not know completely what they are approving as the roles are described in a too technical manner."