In the fast lane to a functioning IAM solution - IFB Hamburg

Initial situation

“The reason for considering the acquisition of IAM software was BaFin’s banking supervisory requirements for IT,” explains the responsible subproject manager Volker Loebel, deputy head of the Finance and Accounting department and team leader for balance sheets/reporting at Hamburgische Investitions- und Förderbank (IFB). For this reason, IFB underwent an audit by PWC to find out where it stood in this regard. Authorization management was the largest subproject within these requirements. A well-thought-out structure was already in place.

Until now, the bank had organized the issue via authorization concepts, Excel lists, and manual processes for the IT applications. There were templates for authorization requests that were printed out and signed, and groupings, or roles, had already been set up for Windows authorizations in Active Directory. Similarly, on the SAP side, where certain collective roles existed for departments and teams.

At IFB, there were roles for the various applications, but this did not mean that all employees automatically had the same authorizations. The roles were combined individually. If an employee received a new task, his authorization was person-related rather than role-related. Thus, various individual and group authorizations existed in parallel. BAIT also requires that rights be derived from the tasks of the employees. For this reason, the roles are to come from the departments, which are thus responsible for defining them. At IFB, the authorization concepts were previously primarily driven out of IT.

The Challenge

One requirement of the BAIT is the assignment of authorizations along the lines of business tasks. IFB has taken the MaRisk regulations at their word: Rights may be grouped into roles. However, these must be derived from the tasks and certain limits must not be exceeded when combining rights into roles, such as the separation of functions. Because of this approach, the bank was already able to provide the Beta Systems team with a complete set of rules for the Segregation of Duties.

Implementation

The project team also quickly worked on the special treatment of critical authorizations. MaRisk distinguishes these from normal authorizations; for example, they must be processed separately and are subject to tighter control cycles. In its rules and regulations, IFB defined in advance what critical authorizations are and also specified whether they should be managed at the individual rights level or at the level of the specialist role. The second alternative was chosen. The individual critical authorizations were thus bundled into one, then critical, specialist role.

“In this way, we avoided having to equip the identity management software with additional processes and authorization roles that were not needed later on,” as Jochen Schneider explains. Finally, the implementation of the software was the third strand. The Beta Systems team received 103 ready-made roles, including the specifications as to who is allowed to request and approve authorizations for a new employee – in other words, the entire set of rules. During customizing, this only had to be stored in the GARANCY Identity Manager. Because the processes were deliberately kept simple, they could also be represented with the standard GARANCY transactions.

Another advantage: It was already possible to work and test with the real processes. Consultant Jochen Schneider: “This is exactly what distinguishes this project. Other banks first select the technology before they define their internal processes. Here it was the other way around.”

Solution productive after only five months

IAM Solution IFB Hamburg; Beta Systems carried out the customizing itself and delivered the configured software to the customer a few weeks later. This also kept the project costs within reasonable limits, as hardly any travel costs were incurred and fewer internal resources were tied up at IFB. On June 28, 2019, IFB was able to go live with its new identity management system – with a total project duration of only five months for the IDM implementation, probably an industry-wide record.

As part of the project, IFB also created a new role: The authorization manager is based in the technical operations department and mediates between it and the business departments. He also monitors the release of authorization concepts and is the second pair of eyes in some release processes as far as role assignment or change is concerned.

At the beginning of September 2019, the first recertification campaign started with the “GARANCY Recertification Center“, another component of the Garancy IAM Portal from Beta Systems. It lasted three weeks and was accompanied by several workshops to generate a high response. There, it was explained how to release specialist roles and employees assigned to them, initially in SAP and Windows, and later, in a second round, in the order-to-admin systems.

The IDM future at IFB has only just begun, but after the first few months, an initial summary is already emerging: “The software from Beta Systems is technically mature and runs extremely stably,” says Volker Loebel. “We are also very pleased with the cooperation with the consulting team. In case of queries or problems, they provided information very quickly and competently.” So the next audit can come – in terms of authorization management, IFB is now state of the art.