Charlie’s presentation began with the intriguing comment “Roles are like communism. They sound pretty good on paper, but the real challenge is trying to implement them in the real world.” From this introduction, Charlie went on to describe how the bank embarked on the process of aggregating and correlating entitlements across 24 compliance-relevant applications and building roles to improve oversight during quarterly access certifications.

He shared several of the challenges that the bank had to overcome to better address its compliance and security requirements. Prior to implementing SailPoint IdentityIQ, the institution performed access certifications using “Excel over Outlook.” There was a lot of frustration in the various departments because managers were being hit constantly by differing organizations asking them to review and approve access privileges. Charlie also talked about the difficulty of certifying user access because reviewers could not understand cryptic entitlement descriptions. Two of the bigger takeaways from his presentation were the need (and challenge) of getting businesspeople to participate in role definition and maintenance and the importance of cleansing data before mining for roles.

Charlie summed up the results of the bank’s role management project as “making compliance simpler, reducing corporate risk from proliferation of access privileges, and improving control of the entire account lifecycle.” After completing his presentation, he took quite a few questions from the audience and shared some valuable insights. Here are a few of the questions – along with Charlie’s answers.

Question: Did you use role mining to create roles?

Answer: We created our initial set of roles using an interactive process between IT and business groups, in parallel with doing entitlement aggregation and cleanup. SailPoint IdentityIQ supports role mining, but in my opinion mining is not effective until after you’ve gone through and cleaned up your identity data. Dirty data yields dirty results, so it’s important to go through a certification and cleanup cycle before you do role mining.

Question: How many roles did you create?

Answer: I’m not sure of the total number. It really depends on what parts of the organization you’re talking about. For example, in our branches, we need only a limited number of roles, like 5. It’s completely different in our back-office environment, where we have many more systems and functional groups and the number and complexity of roles is a lot greater.

Question: How do you get business users to maintain roles over time?

Answer: We are using the access certification process to ensure regular oversight of roles. SailPoint IdentityIQ automates the certification of both role contents (entitlements that make up a role) and role membership.

Question: How long did this project take?

Answer: It took us about 6 months from the initial design through the final user acceptance testing.

As you can see, Charlie presented a pragmatic example of implementing role management in the financial services world. And as Charlie pointed out, success comes by defining a working process between business and IT and deploying the right tools for people to accomplish defined objectives.

I’ll end with another quote about communism (this time from Will Rogers): “Communism to me is one-third practice and two-thirds explanation.” Continuing with the analogy to roles, I say let’s cut down on the explaining and focus on the practice!

What do you think?

One of the most interesting questions was posed by a gentleman from Alcatel-Lucent. He wanted to know whether there was an ROI associated with role management, or whether it was more the case that roles simply transferred the cost burden from IT to the business. This generated a very lively debate amongst the panelists. Some good points were raised, including the opinion that role management is not simply about cost efficiency but about improving the effectiveness of preventive and detective controls and providing greater transparency to identity data.

I think Darran was on the right track when he pointed out that roles are a vehicle for better understanding and improving how people and assets work to together. (Burton Group calls this “Return on Organization.”). As Darran pointed out, a role management solution should allow organizations to better understand how people and responsibilities are structured and to promote improvements in that structure, for the benefit of increased security and better all around identity controls. In difficult times, understanding the relationship between people, functional duties and the resources needed to carry out those duties is a critical business management process.

In addition to Darran’s sessions, we had lots of customer and partner demos in our booth, where we showcased our integration to Tivoli Identity Manager, Tivoli Access Manager, and Tivoli Compliance Manager (TIM, TAM, and TCIM). Quite a few IBMers stopped by to see firsthand how IdentityIQ integrates with the Tivoli identity suite. We had lots of great feedback on how well our role engineering and lifecycle management complements the TIM static and dynamic role model.

So the team had a busy second day at the event. The show has been great, and we have blisters on our feet to prove it!