Garancy® IdM Solution for Kombank: Abolish IT Access chaos with Well-Structured Profiles

First, the European Bank for Reconstruction & Development became a shareholder of Kombank, and together with this new partner came a whole new IT strategy. “We had already started to focus more strongly on security and compliance a few years earlier, for example by introducing the first authorization policies,” explains Vesna Martinović, Head of IT Process Management at Kombank who managed the IdM project. “This included a new user request management scheme for requesting new rights from the administrators of the individual target systems.

In each case the superior had to sign off the assignment, so this represented the precursor of how we now handle the process using Garancy® .” IT assessments by the European Bank for Reconstruction & Development and internal requirements prompted the new IdM strategy.Previously, the bank had handled authorization via authorization concepts, Excel lists and manual processes for IT applications. Authorization requests were processed using templates that were printed out and signed; Windows authorizations were dealt with in Active Directory, where groups, or “pseudo-roles,” had already been configured. Things looked similar in SAP, where certain collective roles existed for departments and teams.

And while IFB had defined roles for the various applications, this did not mean that all employees automatically had the same permissions. The actual roles were put together individually. Whenever an employee received a new assignment, his or her authorization was essentially based on the individual rather than on their role. This also meant that various individual and group authorizations existed side by side. However, BAIT defines that rights must arise from employee duties. Therefore, the roles should be defined and assigned in the departments themselves. At IFB, authorization concepts had previously been the domain of the IT department for the most part.

A highly heterogeneous IT landscape including proprietary user administration solutions had led to an uncontrolled growth of authorizations and looming security risks at Kombank.

“With the realignment of our IT strategy also came a whole new approach to identity management,” explains Vojislav Stojić, IT Security Manager at Kombank. “The new shareholder, European Bank for Reconstruction & Development, introduced highly constructive demands and innovations to the bank.”

Following an extensive IT assessment, the IT strategy was completely realigned, from changing the core banking system to restructuring the telecommunications, disaster recovery and reporting areas through to implementing identity management. The latter item also served to answer the growing internal need for further consolidating user rights and creating uniform profiles.

Several IdM systems were scrutinized in detail before the decision was made to use Garancy®. The IT experts of Kombank were particularly impressed with the Garancy® reference installation at the Slovakian VUB bank based in Bratislava.

The recommendation of Accenture business consultancy, who had found the Beta Systems solution to best match the requirements, also played an important role. This recommendation was founded on the flexible connection capabilities, mixed Windows and mainframe systems as well as the solution’s ability to quickly achieve the IT administration security goals. The opinion and experience of the Prague Komercni Banka, who has been using Beta Systems products for many years, was also considered by Ivan Vasić and his team during the decision-making stage.

Kombank ended up purchasing a total of roughly 3,200 Garancy® licenses plus 300 licenses for technical accounts and external users. The implementation was preceded by a detailed, three-month planning phase. The good cooperation between both companies certainly also had a bearing on selecting this product and manufacturer. “The Beta Systems experts have been supporting our zSeries landscape for many years in a highly reliable manner, and they are also very experienced in the area of RACF,” explains Ivan Vasić.

During this time, Vasić and his colleagues have grown to appreciate the flexibility and reliability of the Beta 88 zSecurity RACF mainframe administration tool and Beta 92 Process History Manager, the job and process log management system that serves as their audit repository.

User and user ID consolidation with Garancy® has greatly improved the transparency of IT system administration at Kombank. Previously, basically every employee had their own profile, and many even had multiple ones. Garancy® has helped to streamline rights allocation, reducing the number to about ten typical user profiles for each logical job per business line – in addition to superordinate group profiles.

As a result, the wild growth of 3,500 “profiles” has been cut down to less than 300 proper roles. When a new employee joins the company or changes to a different department, the IT administration is now able to provide him or her with access to all applications needed to perform their new duties in just a few seconds by assigning the appropriate role and then letting Garancy®, which automatically connects with the HR application, do the rest.

Previously, assignment took place in a time-consuming manual process that involved several administrators. “Garancy® does away with the previous problem that employees changing their job roles accumulated access rights for many applications in an uncontrolled manner,” says Vojislav Stojić. Now the bank has largely eliminated this access security risk. The solution also generates detailed reports providing information on when a given administrator assigned what rights to whom. This means that the activities of the security administrators are permanently logged in an audit-compliant manner.

This has made Kombank’s IT department more efficient, has introduced transparent audit compliance and, on top of that, has helped to save costs. Ever since the complicated, separate user administration for the individual applications was replaced with Garancy®, the whole process has become much simpler, faster and can be handled by less tech-savvy staff. As a result, the IT department now fulfills all security- and compliance-relevant requirements of the bank.