CBA insources identity controls from EDS

The Commonwealth Bank (CBA) is rolling out new identity and access management controls for staff after it insourced some technology operations from outsourcer EDS. The bank is provisioning user access to dozens of systems via IBM's Tivoli identity and access management software.

EDS has been responsible for the CBA's identity management under its long-standing outsourcing arrangement. However, the 10-year contract between the two expires in October next year, and recently the bank has been insourcing some operations.

Asked why the bank decided to reclaim the function, Commonwealth Bank executive manager, enterprise IT, Jon Davies said: "It's really key information and key data, so we brought it back in-house. How EDS managed it, I'm not totally aware. But it's been critical for us to bring that information in and leverage it."

Operational risk and security concerns were drivers in the decision, according to Davies. The bank could not respond to ZDNet Australia requests for more information by publication time.

Although the bank has brought the identity management project back in-house, an EDS spokesperson claimed the company still supported the new IBM infrastructure. The new identity set-up had so far been integrated with over 70 of the bank's more than 2000 systems.

The identity manager system connects to a PeopleSoft human resources system, "the source of truth" for identity at the bank, according to Davies.

"We then link [staff] identity to a role. Then [we link] from their role to their system access, what they can access, what they can see. A lot of it is done by [Microsoft] Active Directory," he said.

The project discovered some inefficiencies in CBA workflow.

"One of the challenges we had that we didn't realise when we first did the design for the system, was that actually an employee ID in HR is not created until HR receives back the offer letter," said Davies. "When we got the system up and going we sort of had a percentage of maybe 25-30 percent of people having access on day one. And that's terrible.

"We never really knew how bad it was until we put in a system like this. And a lot of that had to do with that people would turn up on their first day with their offer letter going 'yeah I've signed the offer letter', and the manager would go 'oh cool, thanks, I'll send that back to HR'. So it went in the post ... two weeks later they got their PeopleSoft ID."

The bank had since created the identification at the same time the letter of offer was sent, according to Davies.

The new system has a role management framework of 500 employee roles. However, this was not many in a company of around 35,000, according to Davies. The bank needs to keep the number of roles down to ensure the system is easy to maintain.