Success Story

In the Fast Lane to Introducing a Proper IAM Solution at IFB Hamburg

Thanks to Garancy® Identity Manager, IFB is now able to make its cross-application specialist roles available centrally. The solution also automates and accelerates the assignment of authorizations when staff join or leave, or when individual employees' tasks change.

The Beta Systems software is technically mature and runs extremely reliably. We are also highly pleased with the excellent cooperation with the consulting team. Whenever we had any questions or problems, competent information was provided promptly.

Volker Loebel
Deputy Head of the Finance and Accounting Department & Team Leader for Balance Sheets/Reporting, IFB

Initial Situation

“BaFin’s banking supervisory requirements for IT provided the impetus for looking into the acquisition of an IAM solution,” explains the responsible sub-project manager Volker Loebel, Deputy Head of the Finance and Accounting Department and Team Leader for Balance Sheets/Reporting at Hamburgische Investitions- und Förderbank (IFB). That’s why IFB commissioned PwC with an audit to find out how well it was meeting these provisions. Authorization management emerged as the largest subitem on the to-do list for achieving compliance. A well-defined structure was already in place.

Previously, the bank had handled authorization via authorization concepts, Excel lists and manual processes for IT applications. Authorization requests were processed using templates that were printed out and signed; Windows authorizations were dealt with in Active Directory, where groups, or “pseudo-roles,” had already been configured. Things looked similar in SAP, where certain collective roles existed for departments and teams.

And while IFB had defined roles for the various applications, this did not mean that all employees in a role automatically had the same permissions. The actual roles were put together individually. Whenever an employee received a new assignment, his or her authorization was essentially based on the individual rather than on the role. This also meant that various individual and group authorizations existed side by side. However, BAIT stipulates that rights must arise from employee duties. The roles should therefore be defined and assigned in the departments themselves. At IFB, authorization concepts had previously been the domain of the IT department for the most part.

Challenge

One requirement of BAIT is the assignment of authorizations based on specialist tasks. IFB had followed to the letter the MaRisk regulation, which allows rights to be combined into roles. However, the roles must be derived from the tasks, and certain constraints on how rights may be combined into roles – such as the separation of functions – must be observed. Owing to this approach, the bank was able to provide the Beta Systems team with a complete rule set for the segregation of duties.

Implementation

The project team was also very fast when it came to implementing special workflows for critical authorizations. Under MaRisk, different rules apply to these as opposed to normal authorizations; for example, they must be processed separately and are subject to tighter control cycles. In its set of rules, IFB defined critical authorizations in advance and also specified whether they should be managed at the individual rights level or the specialist role level. The financial service provider finally opted for the latter. Consequently, the individual critical authorizations were bundled into a single critical specialist role.

“Taking this approach allowed us to avoid having to add additional processes and authorization roles to the identity management software that might not be needed after all,” explains Jochen Schneider. The introduction of the software was the third and final leg of the journey. The Beta Systems team was given 103 ready-made specialist roles, including the specifications as to who may request and approve authorizations for a new employee – essentially the entire rule set. The only task that remained was to store this information in the Garancy® Identity Manager. Because of the deliberate decision to keep the processes simple, they could be mapped using Garancy®’s standard transactions.

As an additional benefit, this enabled the team to work with and test the real processes right away. Consultant Jochen Schneider: “That’s precisely what makes this project stand out. Most other banks first pick a technology before getting their internal processes in order. In this case it was the other way around.”

Outcome

The solution went live after only 5 months: Beta Systems did the customizing itself and delivered the configured software to the customer a few weeks later. This also kept the project costs within reasonable limits, because hardly any travel costs were incurred and very few internal resources were tied up at IFB. On 28 June 2019, IFB was able to take its new identity management system live. The total duration of the IDM implementation project was only five months – this may be a record in the industry.

Over the course of the project, IFB also defined a new function: the authorization manager, who is a member of the technical operations department and acts as a go-between for that department and the specialist departments. He also oversees the release of authorization concepts and serves as a secondary reviewer in some release processes for role assignments or changes.

In early September 2019, the first recertification campaign was launched with the Garancy® Recertification Center, another component of the Garancy® IAM Portal from Beta Systems. During the three weeks of the campaign, several workshops were held to generate a lot of attention. The workshops explained how to release specialist roles and employees assigned to them in SAP and Windows, and, in a second follow-up round, also in the order-to-admin systems.

So the new era of IDM has only just begun at IFB, but an initial opinion has already been forming after the first few months: “The Beta Systems software is technically mature and runs extremely reliably,” says Volker Loebel. “We are also highly pleased with the excellent cooperation with the consulting team. Whenever we had any questions or problems, competent information was provided promptly.” So the bank is more than ready for the next audit: when it comes to authorization management, IFB is now a step ahead.

Customer

Year of foundation: 2013
Number of employees: 260
Head office: Hamburg
Sector: Financial service provider

Hamburgische Investitions- und Förderbank IFB
Besenbinderhof 31
20097 Hamburg
Germany
