OCG has been working with a large apparel retailer on their identity and access strategy for over three years, starting with a MIM implementation. Now, the retailer needed to lay the foundation for a robust identity governance infrastructure to simplify the roles and access of user accounts in their critical business applications.
To remain compliant with SOX and PCI, the retailer must complete access reviews. This was a mostly manual process involving many spreadsheets and emails out to business owners and managers. The process was time consuming and susceptible to errors, which affected user productivity and impeded organizational agility.
The lack of automation around business-critical systems and the lack of integration with authoritative sources of data could result in incorrect or stale information, which in turn could lead to expensive remediation efforts following audit failures.
The retailer decided to implement Saviynt to streamline access reviews and identity governance, bringing OCG on to implement the solution and integrate it with Microsoft Azure Active Directory (Azure AD). Saviynt will be used to provide insight into and govern their entitlements and roles throughout the organization’s application landscape.
OCG implemented Saviynt Enterprise Identity Cloud (EIC) to support the following scenarios:
- Source Of Truth for Users: Employees, Contractors, and Vendors imported from Active Directory into Saviynt EIC.
- Single Sign-On (SSO): Azure AD integrated to provide SSO into Saviynt EIC.
- Accounts & Entitlements: Saviynt EIC imports accounts and entitlement data from key applications, including Active Directory and Azure AD.
- Access Certifications: Saviynt EIC creates access certifications for managers to review existing access within specified applications. Managers will approve or revoke access for their direct reports within each application.
- Campaign Summary: Access Certifications generate campaign summaries. This provides the retailer a list of access permissions requiring removal in referenced applications.
- Analytics: Saviynt EIC comes with pre-canned analytic reports that the retailer may be able to use out-of-the-box. OCG built additional custom analytic reports for the retailer to provide useful and actionable data and demonstrate Saviynt EIC’s utility.
OCG provided robust technical and operations documentation, along with multiple knowledge transfer and training sessions for the retailer’s identity team to enable them to continue to gain business value from their IGA investment.
Benefits and Outcomes
- Increased regulatory compliance with SOX and PCI regulations through analytic reports and the periodic review of access to critical business applications that are regularly audited.
- Streamlined access removal or modification, with changes flowing directly from access reviews completed in Saviynt EIC to the retailer’s application owners and service desk team.
- Lowered administrative costs, by replacing the manual process of doing access reviews involving many spreadsheets and emails out to business owners and managers.
- Improved user experience, by ensuring that certifiers have a consistent experience and the appropriate level of detail to correctly review access across multiple applications.
- Standardized the retailer on a single identity governance and administration platform, by establishing an IGA framework solution that all future and current applications and identity repositories utilize as part of the identity lifecycle.
Now that the retailer has implemented Saviynt EIC for access reviews to meet compliance regulations across seven of their most critical applications, they are looking to onboard additional applications into Saviynt EIC that have similar requirements for access reviews.
In addition, the retailer is looking to replace their on-premises MIM implementation with Saviynt EIC’s Identity Lifecycle Management (ILM) capabilities.