Summary
The problem
As the number of relevant regulations increases and as a direct conclusion of the .... the banks in the Czech Republic are required to restrict access to information to authorized users only. In addition, the banks are using more and more applications, which directly affects both the time it takes to process a request to change access privileges and the number of employees who perform this activity. Both factors force the banks to actively address the management of access privileges.
The solution
ČSOB has decided to solve this problem efficiently and has implemented a product that automates the processes relating to the management of access privileges. Trask solutions was chosen to be the implementer due to its long-term cooperation with ČSOB. IBM Tivoli Identity Management (hereinafter referred to as ITIM) was chosen to be the platform for the process automation as it has proved to be fit both functionality-wise and efficiency-wise.
Key benefits
The project has enabled the customer to map the access privileges to all the ČSOB information systems and to set the necessary control mechanisms. Responsibilities were assigned to all users, supervisors and administrators of the access privileges. Thanks to the high level of automation, including the connection of ITIM to the bank's HR system, the helpdesk workload was reduced (the number of phone calls dropped). The processing of access-privilege requests also takes much less time now (hours vs. days as it used to be in the past). Jiří Pospíchal, ČSOB executive manager, adds: "The primary advantage of this solution is the fact that even when the number of applications grows, the costs of access privileges management do not and even with the current number of employees we manage to improve the quality of this service."
ITIM implementation
Initial situation
ČSOB, as the largest retail bank in the Czech Republic, had over 9,000 users both in the Czech and the Slovak Republic, approximately 280 branch offices and about 100 centralized applications and systems. The most significant applications of the time were the banking systems - Profile/ IBS, IBIS and SAP. ČSOB, as the leader in the field of banking services, was of course planning to introduce other critical applications as well. A specialized department took care of the management of the access privileges. At the time, this department was overloaded with "paper agenda" and a growing number of applications that had to be managed. As a result, the time necessary to process some of the non-critical access privilege requests was gradually increasing. It was apparent that the situation was not sustainable unless more employees were hired to the access privileges management team. At the same time, however, the other goal was to reduce the costs of IT operations, i.e. to reduce the number of IT employees.
The scope of the solution
To resolve these conflicting tendencies, ČSOB decided, as the first of the major financial institutions in the Czech Republic, to implement an Identity Management solution. Business-critical applications were selected for the project implementation. The basic characteristics of these applications can be found below.
Selecting the implementation partner
"The implementation of the ITIM system required the system to be integrated with the bank's fundamental banking systems. Selecting the right partner was therefore a key decision," says Petr Český, ČSOB project manager. Trask solutions won the tender and became the implementer of this project. ČSOB was well aware of the quality and proficiency of the services provided by Trask solutions thanks to their long-term cooperation on other projects. It was also convenient that the partner had detailed knowledge of the specific environment of ČSOB.
Advantages of the ITIM system
Improved efficiency and easier maintenance
As the ITIM system is connected to the HR system, it enables the automation of such processes as creating (or revoking) accounts or access privileges when an employee joins (or leaves) ČSOB. The end users therefore only have to place requests and approve such changes. The key to success with this process is a perfect link to the HR system, which provides information on the employees and the organizational structure. This is what makes the direct supervisor responsible for the access privileges granted, with the possibility of delegating the responsibility to a selected deputy.
No more paperwork
The applications listed in the table above are directly controlled by the ITIM system, i.e. the management of accounts on a target system is fully automatic, without the need for any administrator interaction. However, during the project all applications used by ČSOB were registered in the system - ITIM works as a central registry of all access privileges to all applications within ČSOB. Roles were defined for these "registered" (i.e. not directly controlled) systems as well, so the resulting environment can be audited clearly.
Less bureaucracy and delegation of responsibility
The key point of the implementation was when the solution was introduced to the end users - the managers. They were given a new application to control the access privileges. It enables them to place new requests and monitor their status themselves. All the processes for the management of access privileges have been modeled using ITIM-workflow. As a result, the number of phone calls received by the helpdesk was reduced and the whole process was sped up. "It was apparent that simplification and clarification of the current processes relating to access rights privileges would be the critical point of the project. The joint project team (ČSOB and Trask) have promptly analyzed the situation and created a series of web-based applications (wizards) in the requested graphical format. Some of the processes were re-designed and simplified during this stage - including their technological implementation (for example the approval request - the manager receives it in his mailbox and can either approve or decline it with just two clicks). All these precautions have proven to be very helpful and have met with acclaim. Nowadays, the employees are using the ITIM application with all its extensions and other critical systems in ČSOB are being connected to the solution.
Improvement to security, savings on monitoring
The solution has a significant impact on the auditing area as well. Miroslav Neřold, an internal auditor with ČSOB, says: "The auditor has gained a powerful tool for monitoring the access privileges into the IT systems. In the past it took much effort to list all the given user's privileges and cooperation with various system administrators was necessary. And even then the auditor could not have been sure whether the list he got was complete. Now it is possible to get these kinds of information from the ITIM solution in just a few moments." The solution takes the auditing possibilities to a whole new level - ITIM can not only manage the access privileges but also compare its own privilege database with the real database within an application. It can therefore find any discrepancy that might have been created manually.
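The comparison described above, sketched as an added example (not ITIM code and not part of the original case study). It also folds in the HR link described earlier, so accounts of departed employees are flagged; all account names, roles, employee IDs and finding labels are constructed for illustration.

```python
from typing import NamedTuple

class Finding(NamedTuple):
    kind: str
    account: str
    detail: str

# Constructed sample data (assumed shapes, not an ITIM export format).
HR_ACTIVE = {"e1001", "e1002", "e1003"}           # active employees per HR
REGISTRY = {                                      # approved: account -> (owner, roles)
    "jnovak":   ("e1001", {"teller"}),
    "psvoboda": ("e1002", {"teller", "approver"}),
    "kcerna":   ("e1003", {"auditor"}),
    "mdvorak":  ("e1004", {"teller"}),            # owner no longer in HR
}
TARGET = {                                        # accounts found in the application
    "jnovak":   {"teller", "admin"},              # role granted manually
    "psvoboda": {"teller"},
    "mdvorak":  {"teller"},
    "tmpadmin": {"admin"},                        # unknown to the registry
}

def reconcile(hr_active, registry, target):
    """Compare the central registry with a target system and list discrepancies."""
    findings = []
    for account, roles in target.items():
        if account not in registry:
            findings.append(Finding("orphan_account", account, ",".join(sorted(roles))))
            continue
        owner, approved = registry[account]
        if owner not in hr_active:
            findings.append(Finding("leaver_account", account, owner))
        for role in sorted(roles - approved):
            findings.append(Finding("unapproved_role", account, role))
        for role in sorted(approved - roles):
            findings.append(Finding("missing_role", account, role))
    for account, (owner, _roles) in registry.items():
        if account not in target and owner in hr_active:
            findings.append(Finding("missing_account", account, owner))
    return sorted(findings)

if __name__ == "__main__":
    for f in reconcile(HR_ACTIVE, REGISTRY, TARGET):
        print(f"{f.kind:16} {f.account:10} {f.detail}")
```
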
Other possibilities to boost security and productivity
With the implementation of this project, ČSOB created an environment suitable for introducing a central authorization database, which would mean another step ahead in the quality of the centralized management of users and applications. Using Tivoli Access Manager, ČSOB can standardize user authentication and authorization in critical environments and take another step toward implementing modern SOA principles in its environment.