Taking a long-term view

Liberty Life is changing its security architecture, implementing open standards-based technology and, ultimately, decommissioning its mainframe.
By Samantha Perry, co-founder of WomeninTechZA
Johannesburg, 30 Apr 2007

Financial services group Liberty Life offers a range of long-term insurance products and services to the individual and corporate markets, and distributes risk, investment, retirement and health products through a network of licensed financial advisers.

The company's systems are accessed by some internal employees as well as its broker workforce, further adding to the complexity of an already complicated environment.

The company has introduced the 2010 Project that will see it decommission its mainframe entirely by 2010. As part of this initiative, Liberty Life is refocusing its security architecture, including identity management (IDM).

Says Liberty Life head of information security Trevor Williams: "IDM is a big word. There are few local success stories. To couple that with decommissioning the Liberty mainframe is a big thing, but we couldn't ignore the opportunity presented to us in terms of redefining our entire security architecture.

"We believe that if we put a fancy IDM process in place and do not deal with the issues regarding ownership of data, or have well defined processes, we'll just be adding another problem to the environment. We've spent the last few years tidying up our processes, and while these are very manual at the moment, we have ownership sorted out and procedures have been improved."

Pain points

That done, Liberty Life's IT department took a closer look at its security architecture and decided to tackle "the areas causing us the most pain from a user management point of view", says Williams. This it did with a firm eye on its strategic decision to standardise on Microsoft products, part of the bigger 2010 Project.

"Our business model is really in distributed technologies," explains Williams. "In terms of getting to market quickly, we need to have open systems, so we are doing away with legacy applications and Web-enabling other applications.

"A key driver is the 2010 Project. We've had to look at taking all the security controls on the mainframe and moving them across to our core business applications. If they cannot be catered for there, they will be moved onto other platforms with either improved security or access control and provisioning.

"Liberty Life has a single platform strategy: Compass [a Sungard solution that manages pension and savings, life, disability, dental, vision and group health], which runs on an Oracle platform," he says. "Those systems that cannot be accommodated on Compass will either be decommissioned or rewritten to new platforms. This has forced us to look at our key architecture and strategy leading up to 2010 and beyond."

Drop the pilot

Liberty Life uses Microsoft Active Directory as its primary directory for access control, and its SAP directory as the primary directory for personal customer information.

"We're also trying to reduce the number of user repositories," says Williams, who adds this was a further key driver.

"Eventually," he says, "the approach was to consider a directory integration solution that met our need of cost-effectiveness and interoperability. All major vendors were considered. The mandate in terms of the 2010 Project is to try not to run up a bill of millions and millions of rand, but rather move everything off the mainframe at the least cost."

It was the cost consideration that drove Liberty Life to decide to decommission the mainframe in the first place, as Williams states: "We don't believe Liberty Life is a big enough organisation to warrant us paying huge sums of money in order to keep the mainframe going.

"Essentially we're looking at reducing the number of user repositories and synchronising data within those repositories, while at the same time improving provisioning, as well as synchronising with our strategic business systems," he states.

Proof and support

Liberty Life has selected two products for directory integration and is now in a proof-of-concept phase. In the meantime, the company has built a schema and is moving all user information into it. Thereafter, it will set up rules, then look at its processes and map the tool to those processes.

"We have a couple of environments that we protect with second-level authentication: our SAP financial system, the Compass environment, the mainframe (which will fall away) and our dial-up infrastructure. Our model is for people to come through an ISP and then into us through our secure VPN infrastructure. RSA security tokens are maintained in those environments as a stronger level of authentication.

"The nice thing," he adds, "is that these fit in well with all major IDM vendors who cater for RSA technology. We still see it as key to our operations to protect people with a high level of access with a second level of authentication."

Rolling on out

Williams says Liberty Life is soon going to make a decision concerning its preferred choice of an IDM integration tool, and then start rolling out the solution on the architecture that has already been signed off.

"We're not waiting for 2010," he says.

Liberty Life has milestones that it must achieve over the next few months and years leading up to 2010, which is when Williams hopes to be off the mainframe with a far better way of managing its users' lifecycles.