Case Study: People's United Bank Saves Time, Costs through Identity and Access Management

The bottom line was getting new employees up to speed. That was the final selling point for People's United Bank to implement an identity access management solution. People's United Bank has implemented an identity access management solution that now automatically provisions 3,000 of its nearly 5,000 employees on the bank's system

Identity access management (IAM) combines business processes, policies and technologies that enable institutions to provide secure access to any resource, efficiently control this access, respond faster to changing relationships, and -- most importantly -- protect confidential information from unauthorized users.

Greg Kyrytschenko, director of Information Security at the bank, explains that at the time work began on the project, People's United Bank was a $12 billion institution looking to grow through expansion. "Consequently, we needed the ability to rapidly provision users," he notes. Today, People's United, headquartered in Bridgeport, CT, has $21 billion in assets, with more than 300 branch locations in the Northeast.

Once People's United selected a solution for identity access management, the real work began. "We determined that first we needed to provision our retail branch staff, which at the time of initial deployment comprised 60 percent of the employee population," Kyrytschenko recalls. People's United partnered with the Courion Corporation (www.courion.com) to get the job done.

Getting Started
Kyrytschenko's team established roles for the bank's entire retail environment. During the onboarding process, a manager approves a new hire's access entitlements. The new employee then receives all of the appropriate access required to perform his/herjob. "One of the project goals was to get the user up and productive on their first day at work," Kyrytschenko notes.

An important part of the role management process is to periodically meet with each line of business to review defined access entitlements Kyrytschenko's team built the logic into the identity access management system, so that once the entitlements were determined, an employee could quickly and easily be provisioned. "We are now able to rapidly provision base level access (network and e-mail) for new employees," he explains. The Human Resource Information System, which determines an employee's employment status, is the authoritative source for the IAM solution.

Business Benefits
Kyrytschenko notes some of the immediate benefits from implementing IAM:

Time savings -- Provisioning a new employee used to take anywhere from 5 to 10 business days for People's United. Once a manager approves the access, "It's now a matter of less than five minutes," he says.
Reduced risk during terminations - With the IAM solution, the team has the ability to manage a normal termination (an employee providing two weeks' notice) or an immediate separation.."We can take immediate action to terminate access via a web browser, even after hours," Kyrytschenko states.
Centralized administration - People's United has centralized all of its security administration operations. Previously the bank had a distributed security administration model, which added time and complexity to the termination process. "Now every user access activity ('create', 'modify', 'deletion') funnels through my team and we can take the appropriate action to stay in compliance with our internal and external auditors," Kyrytschenko adds.
Streamlined processes - With the IAM solution, users are appropriately notified in a timely manner so they may take any additional actions required to provision other resources.

Kyrytschenko says the bank's long-term strategy is to begin to manage all resources in this manner, including Blackberries, phone lines, cellphones, and computer equipment such as laptops and desktops.

The bank's increased focus and defense in depth approach has, with the IAM, "kicked it up a couple of notches," he notes. "Our regulators, Office of Thrift Supervision (OTS) are happy with the progress, but as with any regulator, they always want more." Eventually, Kyrytschenko would want to have the "big picture" of what every individual user has access to in the bank's environment.

Lessons Learned:

Know your business - make sure you establish a business partnership and identify business needs upfront, not simply technology needs. "Speak in business terms, and promote the benefits to the business in ways that can be easily relate to," Kyrytschenko notes.
Sell Value and ROI - IAM is a big ticket item for any organization. "Do the numbers and be ready to show real tangible results for the cost. Originally we had 98 security administrators, now we have reduced that cost. I have four in my group, (two of them are interns) who are doing the administration of security access controls." From a resource/headcount standpoint, there was a significant cost savings for the bank.
Best practices - Be sure to demonstrate an internal success story with one of your business units. This is an excellent way to recruit other lines of business.. "We had a major success story with our retail environment, which we were then able to present to other lines of business," Kyrytschenko states.
Offer Enough Training -- Make sure your end users know how to use the solution. Host training and demonstrations for management and others who will be using the interface and follow up any feedback, questions or potential issues.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.