ING Direct is not a typical bank in that it has no branches, but it still has over 1200 employees — enough to make access control an issue, if it is not managed correctly.
Speaking at the Gartner Security and Risk Management Summit in Sydney this week, ING Direct head of IT performance Anthony Sestanovic outlined the bank's process in establishing its first access control framework.
Following an internal assessment by ING Direct's IT security and information risk management teams, the bank identified that certain members of staff had access to systems that they didn't need and, because it had no access control framework, the business had close to zero visibility over who had access to what.
"For a company of about 1000 people, we had about 300 business roles and 900 [Active Directory] permissions. For 1000 people, [it's] absolutely crazy. How do you manage that?" Sestanovic said.
The findings were then included in the report of an external auditor, which led to the risk being sent further up the chain to the regulator.
If the Australian Prudential Regulation Authority found ING Direct to be lacking the correct user access controls, it could be prevented from operating as a bank in Australia. To make sure that the bank met its compliance requirements, Sestanovic could have implemented a bare-bones access control framework, under which it would have continued to use Excel spreadsheets to keep track of access control. Instead, Sestanovic decided to use the need for compliance to push through a bells-and-whistles access framework and tool that would notify the bank of access issues.
"We actually played the audit-compliance blackjack card, in terms of putting up the actual business case," he said.
"I was upfront in saying that we need to do this piece of work, because it's a compliance and risk element. Within our organisation, that tends to make people pay attention, it gets them on side."
The project itself was split into three phases: designing the framework, gathering information from the business on what roles were required and the actual implementation.
The first phase lasted five months. Sestanovic brought in an external expert to engage stakeholders and help design the framework, creating a governance model in parallel that laid out who would be managing the framework.
The second phase of the project, which lasted three months, saw the bank set up a working group and engage external expertise again, to determine which business units really needed access to what systems.
Looking back on the project, Sestanovic said that it would have been easier if, at this point, a tool had been used to map out which access permissions should be given to which roles, because doing the mapping by hand became very complicated across the numerous roles.
The third phase of the project, implementation, saw the bank put together a project team, including the experts that it had engaged earlier, and go to tender for a product to implement its framework.
"We had the framework, we had the governance model, we knew what we wanted it to do, we had the control objectives identified and documented; we had the full list of requirements for our tooling solution. The beauty of this approach is that there's no more guess work. We knew exactly what we wanted the tool to do. We knew exactly what we wanted to actually see as an outcome. Now all we had to do was actually find it."
The bank also set out to look for an integrator to link the product it chose into its systems.
"Who can you work with effectively to implement the tool, to meet what your expectations are? To actually choose the right integrator is just as important, if not more important, than choosing the right tool for the job. Those two things have to go hand in hand."
After having a "bake-off" between two access management products, the bank decided on SailPoint's IdentityIQ product, and engaged First Point Global as a systems integrator.
Over a three-month period, the bank rolled out the tool on a few of its key systems, including 30 of the applications residing on those systems.
"For the first time, for these key systems, people can see the access that their teams have got. They understand if there's segregation of duty issues between those roles, and they didn't have to fend through spreadsheets and work out what's what."
The tool also let the business users check the framework they had helped create in phases one and two, showing them what the employees were actually using their access permissions for. This led to the business heads tweaking which access permissions they thought were necessary for certain roles.
"The business thought they understood what access they actually needed, but when they saw what access their staff had, it actually changed things around for them."
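The three checks the article attributes to the tool (who holds which access through which role, which role combinations create segregation-of-duty conflicts, and which granted permissions are never actually exercised) are the core of any entitlement review. The example below is added here to show the logic on a small constructed dataset; it is not ING Direct's code, nor SailPoint IdentityIQ's, and every role, permission, user and log entry in it is made up for illustration.

```python
"""Role-to-permission mapping, segregation-of-duties (SoD) detection and
usage-based entitlement review over a constructed sample dataset.

Added example, not code from the original article; all identifiers below
are hypothetical.
"""
from collections import defaultdict

# Constructed sample: each business role grants a set of application permissions.
ROLE_PERMISSIONS = {
    "payments_clerk": {"PAY_CREATE", "PAY_VIEW"},
    "payments_approver": {"PAY_APPROVE", "PAY_VIEW"},
    "helpdesk": {"CUST_VIEW", "AD_RESET_PASSWORD"},
    "ad_admin": {"AD_RESET_PASSWORD", "AD_GROUP_MANAGE"},
}

# Constructed sample: which roles each staff member has been assigned.
USER_ROLES = {
    "alice": {"payments_clerk"},
    "bob": {"payments_clerk", "payments_approver"},  # toxic combination
    "carol": {"helpdesk", "ad_admin"},
}

# Constructed SoD rules: permission pairs one person must never hold together.
SOD_RULES = [
    ("PAY_CREATE", "PAY_APPROVE"),
]

# Constructed access-usage log: (user, permission actually exercised).
USAGE_LOG = [
    ("alice", "PAY_CREATE"),
    ("alice", "PAY_VIEW"),
    ("bob", "PAY_APPROVE"),
    ("carol", "CUST_VIEW"),
    ("carol", "AD_RESET_PASSWORD"),
]


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_permissions.get(role, set())
    return perms


def role_overlaps(role_permissions=ROLE_PERMISSIONS):
    """Permissions granted by more than one role: candidates for consolidation
    when a role catalogue has grown faster than the headcount it serves."""
    holders = defaultdict(set)
    for role, perms in role_permissions.items():
        for perm in perms:
            holders[perm].add(role)
    return {perm: sorted(roles) for perm, roles in holders.items() if len(roles) > 1}


def sod_conflicts(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Return {user: [(perm_a, perm_b), ...]} for every SoD rule a user violates.
    The check is on effective permissions, so a conflict is caught even when
    the two permissions arrive via two otherwise harmless roles."""
    conflicts = {}
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_permissions)
        hits = [(a, b) for a, b in rules if a in perms and b in perms]
        if hits:
            conflicts[user] = hits
    return conflicts


def unused_entitlements(usage_log=USAGE_LOG, user_roles=USER_ROLES,
                        role_permissions=ROLE_PERMISSIONS):
    """Permissions each user holds but never exercised in the log; the input
    business owners need in order to right-size the roles they defined."""
    used = defaultdict(set)
    for user, perm in usage_log:
        used[user].add(perm)
    return {
        user: sorted(effective_permissions(user, user_roles, role_permissions) - used[user])
        for user in user_roles
    }


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts())
    print("Unused entitlements:", unused_entitlements())
    print("Permissions granted by several roles:", role_overlaps())
```

Run against the constructed data, the SoD check flags only bob (he can both create and approve a payment), the usage review shows that bob never exercises his clerk permissions and carol never uses AD_GROUP_MANAGE, and the overlap report points at two permissions that four roles grant between them. In a real deployment the three inputs come from the directory, the application entitlement stores and access logs, and the rule list comes from the control objectives the framework phase documented.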
Sestanovic was mindful that not all organisations are as highly regulated as the finance industry. He said, however, that the benefits of the access project would still be enough to justify a three-year business case without an audit and compliance stick.