Identity and Access Management: Winning hearts and minds, all while saving money
Posted by: Terry A. Garbo, CISSP
Published 2/14/22, 6:00pm
As a consultant, one of the things I love to do is help a customer improve a process, save money, and enhance their operations. Sometimes, the opportunity comes along to do all three. This is a story of how I was able to do this for a Fortune 500 financial firm in under three months.
The customer in question was concerned about the rising number of calls coming into their Service Desk for password resets, specifically for Active Directory (AD)/Elevated AD and RACF (Mainframe). This customer has several call centers with hundreds of accounts-department employees who take payments from end-users on their store cards. If an accounts employee could not log in because of a forgotten password, it resulted in a call to the Service Desk, where they would wait in the queue until a tech could reset the password(s). This time in the queue could sometimes exceed 10 minutes, during which the agent was not taking customer calls. This resulted in long wait times for customers trying to pay a bill or request a credit increase, mounting abandoned calls, and ultimately the tarnishing of the brand.
A quick calculation (the number of resets done per month × the average hourly rate per employee × the average call-in queue time of 8 minutes) showed that every password reset completed by the Service Desk cost the organization 36 dollars.
This particular organization was using SailPoint’s IdentityNow (SaaS) solution, which offers a considerable amount of flexibility in tackling this issue. I proposed simply leveraging the password reset module in IdN, connecting it not only to AD/elevated AD but also to RACF. It’s nice not having to reinvent a solution, but rather to use an existing product in a different way.
After presenting my plan, getting it blessed by this organization’s leadership (and after the proper communications were sent to all users), and testing the heck out of the process with a set of test users, I brought the standard AD accounts into IdN. This allowed me to send registration requests to over 10k users, which, after the end-users accepted and set a security question, allowed these users to manage their passwords on their own.
Next came password resets for elevated accounts. For these, I worked with this organization’s AD team to leverage an open attribute (attribute 8) and used it to tie each high-value account to that user’s “normal” ID. From there it was a simple matter of creating an identity profile for these types of accounts, aggregating the accounts, and then having IdN send the registrations to each owner of a high-value account.
Speaking of high-value, I leveraged a custom filter to exclude service accounts, training accounts, training room accounts, and bot-accounts from being brought into IdN, preventing these accounts from being negatively impacted.
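The two steps just described (tying each elevated account back to its owner through an open AD attribute, and filtering service, training and bot accounts out of the onboarding scope) are shown below as an added example. This is not SailPoint or GuidePoint code and it does not use the IdentityNow API; the account records are constructed, the attribute name "attribute8" stands in for whichever AD attribute the organization actually used, and the "adm-", "svc-", "trn-" and "bot-" naming prefixes are assumed conventions. It also handles the failure mode the post does not mention: an elevated account whose owner attribute is blank or points at a non-existent user is reported as an orphan rather than registered.

```python
"""Correlate elevated AD accounts to their owning identity and exclude
non-human accounts before sending self-service registrations.

Added example, not the project's own code. Attribute and prefix names
are assumptions; the account list is constructed sample data."""

# Constructed sample of AD account records (not real data).
# "attribute8" stands in for the open AD attribute the post refers to.
ACCOUNTS = [
    {"sAMAccountName": "jdoe",       "attribute8": "",       "description": "Accounts rep"},
    {"sAMAccountName": "adm-jdoe",   "attribute8": "jdoe",   "description": "Elevated account"},
    {"sAMAccountName": "asmith",     "attribute8": "",       "description": "Accounts rep"},
    {"sAMAccountName": "adm-asmith", "attribute8": "asmith", "description": "Elevated account"},
    {"sAMAccountName": "adm-orphan", "attribute8": "bgone",  "description": "Elevated account"},
    {"sAMAccountName": "adm-noown",  "attribute8": "",       "description": "Elevated account"},
    {"sAMAccountName": "svc-backup", "attribute8": "",       "description": "Service account"},
    {"sAMAccountName": "trn-room01", "attribute8": "",       "description": "Training room"},
    {"sAMAccountName": "bot-rpa07",  "attribute8": "",       "description": "RPA bot"},
]

# Assumed naming conventions; a real deployment uses the organization's own.
EXCLUDE_PREFIXES = ("svc-", "trn-", "bot-")   # service, training, bot accounts
ELEVATED_PREFIX = "adm-"                      # high-value / elevated accounts


def is_excluded(account):
    """True for accounts that must never be onboarded into self-service."""
    return account["sAMAccountName"].lower().startswith(EXCLUDE_PREFIXES)


def is_elevated(account):
    """True for elevated accounts that need an owner before registration."""
    return account["sAMAccountName"].lower().startswith(ELEVATED_PREFIX)


def excluded_names(accounts):
    """Sorted names of the accounts the custom filter keeps out of scope."""
    return sorted(a["sAMAccountName"] for a in accounts if is_excluded(a))


def correlate(accounts):
    """Return (registrations, orphans).

    registrations maps each standard user ID to the list of accounts that
    user will manage (their own ID plus any elevated accounts whose owner
    attribute points at them).  orphans lists elevated accounts with a
    blank or unresolvable owner; those must be fixed in AD, not registered.
    """
    in_scope = [a for a in accounts if not is_excluded(a)]
    standard = {a["sAMAccountName"] for a in in_scope if not is_elevated(a)}
    registrations = {}
    orphans = []
    for account in in_scope:
        name = account["sAMAccountName"]
        if not is_elevated(account):
            registrations.setdefault(name, []).append(name)
            continue
        owner = account["attribute8"].strip()
        if owner in standard:
            registrations.setdefault(owner, []).append(name)
        else:
            orphans.append(name)
    return registrations, orphans


if __name__ == "__main__":
    regs, orphans = correlate(ACCOUNTS)
    for owner, names in regs.items():
        print(f"register {owner}: {', '.join(names)}")
    print("excluded:", ", ".join(excluded_names(ACCOUNTS)))
    print("orphaned elevated accounts:", ", ".join(orphans))
```

The orphan list is the part worth keeping in a real rollout: an elevated account nobody can self-service is still an elevated account, and a blank or stale owner attribute is exactly the kind of gap that should go back to the AD team before the registration e-mails go out.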
Then came adding in the RACF accounts. This part required the assistance of SailPoint PS (Professional Services) for the connector and the organization’s MSP (Managed Service Provider), who controlled the mainframe and could modify the necessary PARM libraries. There was no additional cost as the organization had purchased expert services hours, which covered the work completed on the SailPoint side.
A different password policy for RACF was created in IdentityNow, as that platform allowed a fixed number of characters (8) for a password, and some special characters could not be used. After testing the RACF solution with a test group of users, it was released to the organization’s general population. And it worked like a champ. It worked so well, and SailPoint liked the solution so much, that I was asked to present this very use case at their Navigate User Conference in Austin.
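Why the RACF policy had to be separate from the AD one is easy to see with a small check, added here as an example rather than taken from the post or from IdentityNow. The policy values are assumptions: the post only says RACF took a fixed 8 characters and rejected some special characters, so the AD minimum length and the exact set of characters RACF accepts are made up for illustration.

```python
"""Check a candidate password against two target-specific policies.

Added example, not IdentityNow's policy engine.  Policy values below are
assumptions chosen to illustrate the AD vs. RACF mismatch in the post."""
import string

# Assumed AD policy: long passwords, any printable special character.
AD_POLICY = {
    "name": "AD",
    "min_len": 12,
    "max_len": 64,
    "allowed_special": set(string.punctuation),
}

# Assumed RACF policy: exactly 8 characters, only a few special characters.
RACF_POLICY = {
    "name": "RACF",
    "min_len": 8,
    "max_len": 8,
    "allowed_special": set("@#$"),
}


def check_password(password, policy):
    """Return a list of violations; an empty list means the password fits."""
    problems = []
    if len(password) < policy["min_len"]:
        problems.append(f"too short (min {policy['min_len']})")
    if len(password) > policy["max_len"]:
        problems.append(f"too long (max {policy['max_len']})")
    # Letters and digits are always fine; anything else must be on the allow list.
    bad = {c for c in password if not c.isalnum() and c not in policy["allowed_special"]}
    if bad:
        problems.append("disallowed characters: " + "".join(sorted(bad)))
    return problems


def fits_all(password, policies):
    """True only if one password would satisfy every listed target policy."""
    return all(not check_password(password, p) for p in policies)


if __name__ == "__main__":
    for candidate in ("Winter2022!Pay", "P@yr0ll1"):
        for policy in (AD_POLICY, RACF_POLICY):
            result = check_password(candidate, policy) or ["ok"]
            print(f"{candidate!r} vs {policy['name']}: {'; '.join(result)}")
```

With the assumed values no single password satisfies both targets (the AD minimum is longer than the RACF maximum), which is the practical reason the post describes a second, RACF-specific policy in IdentityNow rather than one shared policy.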
The best part? In the first three months, the Service Desk had an 86% decrease in password reset calls, and the organization saved $86,000 in the first year. Process improvement, happy employees, and saving real dollars. That’s a win in my book.
Terry A. Garbo, CISSP
Senior Identity Governance Architect,
GuidePoint Security
Terry Garbo is a Senior Identity Governance Architect at GuidePoint Security. With over 20 years of experience, he has worked with Fortune 500 companies, the banking industry, and the Federal Government. In his current position, he designs and configures identity governance solutions and ensures their successful delivery to his customers.
Terry is certified in SailPoint, Okta, CyberArk, Azure and AWS, and also holds his CISSP and two SANS certifications.
Terry lives with his family and motorcycle in central Pennsylvania.