KMD is one of Denmark’s largest IT and software companies, with some 3,200 employees.
It has developed and operates more than 400 IT systems that support the Danish welfare state. Each year its systems handle billions of kroner, equivalent to more than 20% of Denmark’s GDP. Key social security benefits are paid through systems developed by KMD.
Cyber security is a larger problem than ever, and KMD has a clear mission of being the market leading security software and service advisor, and partner of choice for private and public customers. KMD leads in areas such as proactive security excellence and intelligence with the most advanced Security Analytics Center in the Nordic, providing continuous surveillance with live monitoring, log analysis, threat prevention and action.
As the custodian of personal data for nearly all of Denmark’s 5.5 million citizens, and increasingly stringent EU regulations on data protection, KMD needs to prevent unauthorized access. Its identity management processes were therefore mature, but unfortunately also very manual, and time-intensive. As the organization grew, so did identity management requirements. Users required access to office automation systems, complex mainframe applications, and many SAP modules, operating in a multi-tenant SAP environment.
To provision access to over 200 systems for approximately 4,500 users in a complex infrastructure is hard, as Henrik Mohr, Department Manager IAM, at KMD, explains: “In a manual process, human error is always a possibility which we just cannot risk with the type of data we hold. We wanted to ensure that our business managers had the relevant information to make access decisions by using intuitive tools. Automation would also reduce the time it takes to bring people online with our systems.
In 2013 KMD investigated the market, as Mohr comments: “Micro Focus provided a good technical fit to our complex infrastructure, and a large number of our customers already use Micro Focus solutions.”
The previous provisioning process involved emailing approval forms to the identity management team, who would then have to log onto each individual target system to grant access. It was difficult for users to determine what system access they needed, as the technical descriptions bore no resemblance to the business function of the system.
With the introduction of a self-service portal, using NetIQ Identity Manager, approval flows and provisioning were automated and the technical entitlements were translated into user-friendly terms so that users, and managers, can make an informed access decision. Provisioning is tightly linked to the HR system so that accounts are immediately de-activated once a user leaves the organization.
High level, role-based provisioning was introduced, to ensure that a manager is automatically granted access to different systems from an employee, or an external contractor, making the system more adaptive to constantly changing needs.
It was now time to turn KMD’s attention to access review. Every six months managers would receive a list of their employees’ system access, to confirm or revoke access. This was a manual and tedious process, taking two people in the identity management team a month to complete for each review cycle. The access data would need to be exported from each target system, and summarized in a spreadsheet. It was complex to convert the results back into a structured format, and it was hard for managers to understand their actions, as the language was not user-friendly.
Mohr: “Building reports, getting business participation, and producing audit reports were painful processes which have all been automated using Micro Focus Access Review. A seamless portal provides access to Identity Manager and Access Review. Access Review will extract the entitlement directory from target systems, run the review, and then integrate with Identity Manager to process the results."
The implementation of Identity Manager and Access Review has delivered major cost and productivity savings, as Mohr explains: “Using Identity Manager, time to access a target system has been drastically reduced, from days to just hours. Through effective process automation, we’ve been able to redeploy half of our identity management team and have gained better visibility into system access. Reporting has been simplified and we have seen great efficiency benefits.
The feedback on Access Review has been overwhelmingly positive from our managers. With only a little introduction, they find the tool intuitive and are very clear on what their actions are".
Mohr concludes: “The partnership between KMD and Micro Focus has been great during the project. I feel our secret to success was to start small and slowly expand, a strategy fully supported by Micro Focus".
