Subject to strict regulatory compliance, Medica conducts regular access reviews across its application landscape, to ensure that its 2,000 users have the correct access rights. This was done annually, but when a decision was made to move to quarterly reviews, in line with industry best practices, this posed a challenge for the IT Security team, as Brad Abbott, Senior Manager, IT Risk, Identity and Access Management for Medica, explains: “The access review process was manual, time-consuming, and labor-intensive. We would pull user access reports from our 30+ applications into a spreadsheet, identify each user’s manager, send them an email with the spreadsheet to verify access rights, correlate the response, chase any nonresponses, and then finalize a list of access removals and changes. It would take 6-8 weeks to complete the process. With this time-lag there was always the risk of errors.”
Clearly this was not sustainable on a quarterly basis. Medica also wanted to expand the number of applications included in the access audit which was not possible with the manual process. In consultation with its technology partner PDS, Abbott investigated Micro Focus Identity Governance.
Medica uses Micro Focus Identity Manager and Access Manager to manage the user base, as Abbott explains: “Identity Manager is used as our single source of truth. Fully integrated with our Human Resources (HR) systems, it automatically generates network IDs and email accounts for any new-hires. This streamlines the on boarding process and boosts new-hire productivity. Access Manager provides single sign-on capabilities for 30 Medica applications to all users, including any remote workers, such as clinical nurses working on location with our members. Access Manager also provides seamless access to our online portal applications for over 200,000 of our members.”
PDS supported the Identity Governance implementation and co-ordinated a pilot to ensure it offered Medica the functionality and integration required for streamlined access review. Following the successful pilot, PDS managed a handover to the Medica engineering team. Medica has now completed its first Identity Governance-driven access audit. This covered 200 managers, which represents close to 100 percent coverage. The number of audited applications increases with every audit round. Abbott comments: “The whole access audit process took just 13 business days, a phenomenal time saving for us. Of course, now the parameters are defined within Identity Governance, next quarter’s audit will require hardly any intervention from us, and will run mostly automatically.”
Medica identified 268 access removals which is higher than the average it previously captured. Identity Governance simplifies decisionmaking by providing business critical context to Medica business users conducting access certifications. The simple user-interface encourages participation. Abbott received great feedback from his business users: “We ensured this new process received executive buy-in, and the response from our business users has been overwhelmingly positive. The process was easy for them, and they much preferred it over having to provide their input via email and spreadsheets.”
For this audit cycle, Identity Governance tracks removals through manual fulfillment via ServiceNow, Medica’s service desk. In the near future, the team will introduce seamless closed-loop revocations, integrated with Identity Manager.
Having a unified identity and access management strategy has paid dividends for Medica. The integration between Identity Manager and HR has improved security and user productivity. Access Manager’s SSO capabilities have made life easier and more efficient for Medica staff, as well as members. Abbott has some future enhancements on his roadmap too: “We’re investigating role-based provisioning and have started a pilot within our call center, the department with traditionally the highest turnover. We have worked with the call center managers to define the roles and will now integrate this into our on boarding process to streamline the hiring of new call center staff.”
Medica is a fast-growing organization with ambitious plans for the IT team to support. Freeing up IT Security staff from spending 6-8 weeks on the access auditing process means Medica can provide value-add activities to its internal stakeholders, and expand its security program.
Abbott concludes: “Introducing Identity Governance ensures our continued compliance and automates a time-consuming and tedious process for us. We enjoy working with PDS and Micro Focus. PDS has extensive IAM experience within our industry and is a knowledgeable resource for our implementation and integration work. The partnership between the three of us works extremely well.”