Nedbank: From legacy identity tools to cutting-edge identity governance

Nedbank is a risk-averse South African-based bank that employs over 33 000 people. The company focuses on helping clients achieve their business vision and expand on opportunities through tailored solutions.

In 2018, we awarded Nedbank with the SailPoint Customer Impact Award, which honours customers for their focused identity strategy that has made a direct impact to the organisation and delivered measurable results. We are quite proud of the tireless work Nedbank has put in to get where they are today, and we congratulate them on their success. This blog explores the identity journey they are on and the path they have taken to generate impactful results leveraging an identity platform.

Legacy environments burden IT staff and users

Financial institutions often have legacy and mainframe solutions for their backend systems. Over the years, technology piles on top of these legacy systems, becoming increasingly difficult to maintain and manage. As additional functionality is added, maintenance costs increase and the complexities of the environment create inefficiencies. To build a secure and efficient identity program at Nedbank, foundational changes needed to be made.

Nedbank was experiencing several issues managing identity within the organisation. Identity roles and permissions were being added based on individual project needs. This caused the number of roles to proliferate at an increasing rate – often referred to as “role explosion”. The lack of a clear view of access across teams and specific job roles because of their disparate systems, and the dependency on outdated legacy tools, became a top concern for the bank. In addition, the level of technical complexity required to grant and certify access prevented business owners from taking on accountability for the access that their teams had. Nedbank needed a clearer understanding of access defined for each role and what was actually being assigned.

On top of this, the demand on two IT staff members who understood the layers of systems and how they interacted was also becoming unmanageable. The years of knowledge these two people had acquired being involved in many projects and the various application security layers was difficult to transfer to new staff.

“A few years ago, a team was adding functionality to a client servicing platform, which added access to 35 roles. They inadvertently attempted to assign credit override capabilities to the call centre agents. This was a wake-up call for us,” said Louise van Schalkwyk, Head: Centre for Access Governance at Nedbank.

This complex IT environment, as well as the immense regulatory pressure to secure valuable client information in the financial services industry, drove Van Schalkwyk to elevate the situation to the Nedbank executive team. They agreed that disparate systems left them without a protection layer and standardising on a consistent and modern identity governance platform was a necessary investment in the company’s security program.

Investing in the future

SailPoint became the foundation of their identity governance program that would soon alleviate the pains of issuing access, provide a clear path and history of access approvals, as well as give the company a solution to construct and evolve their digital footprint. From this program, the Centre for Access Governance (CAG) at Nedbank was also born, a department Van Schalkwyk leads. The CAG is the bridge between the business and technical configuration for the identity program.

Van Schalkwyk set out to integrate SAP with their HR system, to help drive all downstream activities and implement provisioning and decommissioning capabilities, to serve as the foundation of the identity governance strategy that would grow with them. Prior to SailPoint, Nedbank was running manual certification campaigns on their legacy environment, which has now been replaced with automated quarterly access reviews in SailPoint. Since implementation, they have achieved a 92% completion rate for entitlements pushed out for review to be approved or revoked. “The access reviewers have shared how quick and easy certifications are with SailPoint,” Van Schalkwyk shared. About 200 users per month are experiencing a change in access – usually access to certain applications and data being decommissioned.

“By provisioning access through SailPoint, we’ve seen the set-up time for the initial employee access to systems and data dramatically improve. It used to take six weeks to get staff members up and running and now we see that in a day. This provides huge business value.” As the number of applications onboarded onto SailPoint increases, capacity is created for the reallocation of headcount and capacity to other security functions. Nedbank now has a clearer vision for the access their workforce has and continues to increase the precision of what is necessary for each job function, ensuring a least-privileged system.

Another result from the program is an improvement in user experience. “SailPoint’s user interface is simple, clean and easy to use. We knew it would instantly improve the employees' and managers' experience, especially where direct provisioning happens,” Van Schalkwyk shared.

From a security perspective, the Nedbank termination process has significantly improved towards full automation. Since the implementation of SailPoint, manual scripts are constantly replacing the need to build a report and then manually removing the access of terminated employees.

The CAG continues to evolve and improve the end-to-end processes under Van Schalkwyk’s leadership. “My team has spent quite a bit of time on change management and developing training materials to help the staff and managers understand the importance of the identity program and aid them though adopting the tool. In the bigger organisation, the CAG helps to keep the focus on risk and risk mitigation, especially where it relates to unauthorised access.”

Protecting data within the enterprise

Data management and security has recently become a large focus at Nedbank. “We need to protect unstructured data lying around on file shares and other sites across the organisation. We extended our identity governance program to help data owners to manage secure access to their data. I see tremendous value in governing access to data as part of our single, integrated identity platform.” SailPoint allows Nedbank to actively manage access to shares and files and not let that access go stale.