Life insurer TAL has standardised the way it manages identity and assigns access controls to enterprise applications for its 1800-strong internal workforce.
The company, which is part of Japan’s Dai-Ichi Life, has been on a multi-year digital transformation journey spanning multiple domains, including identity management.
TAL has two branches of identity management requirements: one for its internal workforce, and another for its life insurance customers.
The customer side is managed mostly using technology from vendor Okta.
But the branch of identity management and access controls for the internal workforce is more complex, involving technologies from Workday, Sailpoint and ServiceNow.
General manager of architecture Atul Sood told iTnews that TAL had traditionally treated types of internal workers differently, using separate sets of processes to manage who they were and what they were authorised to access.
“The complexity wasn’t provisioning access to systems, but primarily around following different processes for on-boarding, off-boarding and movements of the different types of workers - employees, contractors, third-parties and vendors,” Sood said.
The first step was to treat all different types of workers as one “internal workforce”.
That meant creating records for many of them in the company’s Workday HR system, which had previously been reserved only for regular employees.
“We architecturally made the call that if we want to solve this problem holistically and in a consistent manner, we need a single source of truth for our internal workforce,” Sood said.
“That means anybody who joins the organisation and anybody who leaves, whether they are temporary or permanent staff, or whether we need to track people moving between departments - all that needs to happen in one place, and that’s Workday.”
With every member of the new “internal workforce” being afforded their own record, the next step was to classify them using “job profiles”.
“Anyone who is in this system we will tag with a profile or set of job profiles which will be associated to this particular identity of the internal user,” Sood said.
TAL determined “a couple of hundred” job profiles for its 1800-plus internal workers, he said. This was low compared to other examples he had seen where the number of potential job profiles was higher than the total number of workers to which they were to be assigned.
“We are taking [the standard job profile definition] quite cautiously because we don’t want to blow it out of proportion,” he said.
However, in addition to the standard profiles, there are “exception profiles” to cater for users that have special system needs.
“We’re able to say, in addition to your normal profile you also have access to or are mapped to this exception profile of this nature, which will have one-off access to this type of system,” he said.
With the job profiles defined, Sood said the next step was mapping system access requirements against each profile.
“We started mapping the actual access to the systems against the job profiles so that we can cut out the complexity of mapping access for every single individual because the job profile helps us to fix that problem,” he said.
“Sailpoint came into play as the source of truth for mapping between the job profiles and the system access that job profile needed to have.”
Sailpoint handles what TAL calls “granular access controls”: it manages whether a particular job profile has access to “systems A, B and C, but not D".
Finer grade access controls are left to each individual system.
“For example, when you go into system A it says for this job profile you’ve got access to read-only information for this customer, but for another job profile you have access to read and write access to the system,” Sood said.
“This finer control is in the actual [enterprise application] itself. That complexity is hidden from Sailpoint.”
Once the mapping work was done, the remaining part of the project was making sure system access was provisioned as required.
For newer systems, such as Active Directory, the provisioning is automated. “There is a direct request that can go from Sailpoint to Active Directory,” Sood said.
However “like any other life insurance company we have a bit of a legacy [software] which does not support the automated provisioning for the job profiles", he noted.
For that, TAL uses ServiceNow to log and manage requests for system access to be manually provisioned.
“In some legacy environments Sailpoint talks to ServiceNow which generates a ticket to be handed manually into the targeted systems,” Sood said.
“That means we’ve got a complete audit track of who is getting provisioned in what system, and once that provisioning has happened we close the ticket formally to make sure we know [the work] has been completed.”
The new identity management and access control system is now in production. The company is already working on an enhancement, using a Sailpoint product feature to periodically review that access controls given to employees are still correct.
Sood said TAL was also keen to measure the “business benefit” of the project but that work to quantify “time and effort reductions” was ongoing.
He was hopeful that if the project reduced the time it took to get a new employee up and running with TAL’s systems, that would reflect in the company’s net promoter score (NPS).
“We are a very NPS-driven organisation so we’re saying if we are able to onboard people quickly that means they’re in front of the customer and productive fairly quickly, hence we are hoping it will contribute to our NPS,” he said.
