Jennifer Darwin, Senior Manager, Sallie Mae
Jennifer Darwin will discuss how Sallie Mae used identity management to address its compliance and security challenges. This identity governance case study will discuss how Sallie Mae was able to address more than 3,000 security controls (including FISMA and FFIEC regulations), while simultaneously eliminating critical security vulnerabilities associated with user access privileges, including SoD policy violations, entitlement creep and orphan accounts. She will also provide best practices to help companies achieve the same results.
CIS13: How IAM Improved Sallie Mae's Compliance and Risk Posture
1. FINANCIAL SERVICES CASE STUDY: Improving Compliance & Risk Posture With Next-gen IAM
Speaker: Jennifer Darwin, Manager of IAM, Corporate Information Security
Cloud Identity Summit, July 2013
2. ABOUT SALLIE MAE
▶ The nation’s #1 financial services company specializing in education
▶ Over 10 million student and parent customers, more than 9,000 employees and 2,000 contractors
▶ Manages $207 billion in education loans & 529 college-savings plans
▶ The company’s saving programs, planning resources and financing options have helped more than 31 million people make the investment in higher education
3. KEY BUSINESS DRIVERS
▶ Comply With Major Regulations
– FISMA, SOX, GLBA, PCI and SAS-70’s (Sallie Mae)
– FFIEC and State of Utah (Sallie Mae Bank)
– SEC, FINRA & FTC (Upromise Rewards and Investments)
▶ Enhance Efficiencies Through Automated Provisioning
– Some relatively high turnover functions create demand for more rapid SLAs
– Restructuring creates short-term demand
– New business initiatives require rapid but controlled response
▶ Reduce Operational Risk
– Eliminate redundant, sub-optimal processes and centralize controls in one place across the enterprise
– Prevent/detect fraud: manual processes and hand-offs make security policy enforcement challenging
4. PROJECT STRATEGY
▶ Increase efficiency through automation
▶ Improve effectiveness through process optimization
▶ Improve quality of compliance activities
[Diagram: systems connected to the IAM platform: Ariba, ADP, Workday, Databases, Mainframe, Exchange, AD, App 1, App 2, App 3, etc.]
9. RESULTS: CLEARLY DEFINED USER ROLES
[Chart: number of users with enterprise roles, by phase. Values shown for Phase 1 through Phase 5: 250, 2,500, 5,000, 6,000 and 6,500 users.]
10. RESULTS: ENHANCED PROVISIONING
[Diagram: request-to-provision duration for the Original State, Current State and Future State. Provisioning efficiencies: 33% reduction (current state), 60% reduction (future state, est.).]
12. RESULTS: 64% IMPROVEMENT ACHIEVED, EXCEEDING EXPECTATIONS!
Before: separate, manual spreadsheets
• Over 1100 controls, split by framework: PCI 240, FISMA 200, ICE (for IT) 400, GLBA/FFIEC 250, FACTA 14
• Different frameworks; different risk areas
• Inconsistent traceability to mandates
• Incomplete coverage of mandates
After: single repository, solution enabled
• 64% overlap removed
• 400 Integrated Requirements
• Common Framework using 16 Functional Risk Areas
• Full traceability to 160+ mandates
• Includes FISMA, ICE, PCI DSS, GLBA, etc.
13. WHERE WE ARE NOW
▶ More than 700 applications on-boarded
▶ Over 6,500 users in a job role (approximately 75% of the company)
▶ Seven segregation of duty or monitoring processes implemented
▶ Access certification improvements institutionalized
– This consists of over 20,000 user entitlements to be reviewed this year
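The access-risk findings named in the session abstract (SoD policy violations, entitlement creep, orphan accounts) and the access certification work described on this slide reduce to a few set comparisons between an authoritative HR source, the enterprise role baselines, and what the applications actually hold. The following is an added Python example, not Sallie Mae's or any vendor's code: the HR feed, role baselines, SoD rules and account exports are constructed sample data, and the reconciliation logic is an assumption about how such checks are commonly implemented rather than a description of the program's tooling.

```python
"""Identity governance checks: orphan accounts, SoD violations, entitlement
creep, and the certification queue they feed. Added example with constructed
data; role baselines, toxic pairs and account records are assumptions."""

# Constructed HR feed standing in for the authoritative source.
HR_FEED = {
    "u100": {"name": "Ada", "status": "active", "role": "LoanOfficer"},
    "u101": {"name": "Bo", "status": "active", "role": "LoanOfficer"},
    "u102": {"name": "Cy", "status": "terminated", "role": "Accountant"},
    "u103": {"name": "Di", "status": "active", "role": "Accountant"},
}

# Enterprise role baselines: the entitlements a job role is meant to carry.
ROLE_BASELINE = {
    "LoanOfficer": {"loans:create", "loans:view"},
    "Accountant": {"ledger:view", "payments:approve"},
}

# Segregation-of-duty rules: no single user may hold both entitlements of a pair.
SOD_RULES = [
    ("loans:create", "loans:approve"),
    ("payments:create", "payments:approve"),
]

# Constructed application exports: (system, account id, HR user id or None, entitlement).
ACCOUNTS = [
    ("loan-app", "ada.l", "u100", "loans:create"),
    ("loan-app", "ada.l", "u100", "loans:view"),
    ("loan-app", "bo.l", "u101", "loans:create"),
    ("loan-app", "bo.l", "u101", "loans:approve"),   # toxic pair -> SoD finding
    ("ledger", "cy.acct", "u102", "ledger:view"),    # owner terminated -> orphan
    ("ledger", "di.acct", "u103", "ledger:view"),
    ("ledger", "di.acct", "u103", "payments:approve"),
    ("ledger", "di.acct", "u103", "loans:view"),     # outside role baseline -> creep
    ("mainframe", "svc_batch", None, "batch:run"),   # no owner at all -> orphan
]


def entitlements_by_user(accounts):
    """Collapse account rows into {user id: set of entitlements}, ignoring unowned rows."""
    held = {}
    for _system, _acct, uid, ent in accounts:
        if uid is not None:
            held.setdefault(uid, set()).add(ent)
    return held


def orphan_accounts(accounts, hr):
    """Accounts whose owner is missing from HR or is not an active employee."""
    return sorted({
        (system, acct) for system, acct, uid, _ent in accounts
        if uid is None or hr.get(uid, {}).get("status") != "active"
    })


def sod_violations(accounts, rules):
    """Users holding both halves of a toxic combination, as (user, ent_a, ent_b)."""
    held = entitlements_by_user(accounts)
    return sorted(
        (uid, a, b) for uid, ents in held.items()
        for a, b in rules if a in ents and b in ents
    )


def entitlement_creep(accounts, hr, baseline):
    """Active users holding entitlements outside their enterprise role baseline."""
    held = entitlements_by_user(accounts)
    creep = {}
    for uid, ents in held.items():
        record = hr.get(uid)
        if record is None or record["status"] != "active":
            continue  # reported by orphan_accounts instead
        extra = ents - baseline.get(record["role"], set())
        if extra:
            creep[uid] = sorted(extra)
    return creep


def certification_queue(accounts, hr, baseline, rules):
    """Items a reviewer must attest to or revoke: one per finding above."""
    items = []
    for system, acct in orphan_accounts(accounts, hr):
        items.append({"kind": "orphan", "subject": f"{system}/{acct}",
                      "action": "disable or assign an active owner"})
    for uid, a, b in sod_violations(accounts, rules):
        items.append({"kind": "sod", "subject": uid, "action": f"remove {a} or {b}"})
    for uid, extra in entitlement_creep(accounts, hr, baseline).items():
        for ent in extra:
            items.append({"kind": "creep", "subject": uid, "action": f"attest or revoke {ent}"})
    return items


if __name__ == "__main__":
    for item in certification_queue(ACCOUNTS, HR_FEED, ROLE_BASELINE, SOD_RULES):
        print(f"{item['kind']:6} {item['subject']:20} {item['action']}")
```

Two design points matter here. A terminated owner and a missing owner are both treated as orphans, because the question a certifier asks is "who is accountable for this account today", not "was it ever assigned". And users already out of HR are skipped by the creep check so that each account surfaces under exactly one finding, which keeps the review queue (the 20,000-entitlement scale this slide mentions) free of duplicates.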
14. WHERE WE WANT TO BE BY Q4 2013
▶ Continue to expand current project scope
– Goal is to have 90% of the company in enterprise roles
– Goal is to have 24 certifications scheduled
▶ Continue expanding project scope to include even more SaaS and hosted apps
– ADP, Ariba, Workday
– Looking at externally hosted apps too (FIS, FNI, FDR)
▶ Moving to make Workday our authoritative source
– Corporate HR system moving to Workday, tentatively scheduled for Q4 2014
15. LESSONS LEARNED/BEST PRACTICES
▶ Do Enterprise Roles First
– Simplifies the implementation of all IAM components and reduces future rework
– Team MUST include someone who has successfully deployed Enterprise Roles
▶ Well Defined Roadmap
– Requires shared vision from business and executives
– Part of broader program
▶ Achieve Quick Wins
– Showing results is critical to keep momentum of multi-year program
[Diagram: User Provisioning, Enterprise Roles, Access Requests, Access Certification; caption: "Can be leveraged across…"]