Fail-safe compliance for an energy ISO
Closing the loop on access, risk, and strategy
This customer is one of nine energy sector Independent System Operators (ISO) in North America, responsible for the transmission, distribution, and monitoring of the electrical power grid and energy producers in its region. Although it has fewer than 1,000 employees, including contractors, it operates very much like a typical Fortune 500 enterprise. Because it falls under the jurisdiction of the Federal Energy Regulatory Commission (FERC) and is classified as a public utility, it must adhere to stringent government compliance requirements.
Reliability and affordability were this customer’s primary concerns. Technology solutions cannot fail or disrupt the business, and the organization must maintain compliance with NERC CIP (critical infrastructure protection) requirements or risk fines of up to $1M per day. It was also imperative that any new technology project stay within the budget approved by its executive steering committee.
The customer was having trouble identifying an identity governance platform that was both affordable and met its needs for providing the right access, to the right people, at the right time. Compliance concerns had driven this customer to rely on in-house solutions for access governance and administration, rather than off-the-shelf tools. Its aging, highly customized system made onboarding and integrating new technology challenging. In fact, access to the few commercial SaaS tools its Finance and HR departments were using was not tracked, because of organizational resistance to adopting the legacy tool. To complicate matters, the tool was written in an archaic language that had become painfully convoluted. As a result, the organization was missing out on many of the business benefits newer IAM technology solutions can provide.
Recognizing its aging product set and relative IAM immaturity, the organization brought in Integral Partners advisory experts to help map a way forward. Experts reviewed the IAM program governance, architecture, applications, policies, workflows, and business processes in privileged access management (PAM), access enforcement, and identity governance and administration (IGA); then helped the organization develop and prioritize a three-year maturity roadmap.
In high-compliance environments, we often counsel customers to lead with PAM: it addresses the core vulnerabilities to high-risk, high-value assets, and provides quick business value. Customers with strict compliance needs have reporting requirements, and most commercial IAM tools offer advanced IAM reporting. More important is identifying a tool that meets a customer’s specific business use cases with flexibility and reliability.
Compliance and auditing activities typically require auditors to request access to rights and access data, then check for proof that the rights match the level of approved access. In this situation an IGA tool can provide closed-loop monitoring: it integrates with a target system—such a server, database, or network device—allowing users to connect and read rights on that system back into the tool, then provision based on approved access. But this customer had a one-way system rather than a closed loop, so every time it had an audit, systems administrators manually wrote scripts to verify access. IP advisors recommended a commercial IGA tool to not only automate this audit process, but also close the gaps in risk that accompany manual processes and matched the customer’s 99.9 percent accuracy record.
Another challenge the advisors helped resolve was to automate the lifecycle management of the customer’s many service accounts. The organization was managing three types of generic accounts: default (jboss account on Linux, Win Guest account); shared (two or more people sharing the account); and service (machine-based bots, as for DevOps). It used to manage these generic accounts on paper in a laborious, manual process. Integral Partners advisors developed a unique SailPoint customization allowing the customer to easily request accounts, re-assign ownership of them, and retire them as needed.
As part of their work the advisors also identified critical communication barriers: for example, the customer’s project team avoided agile and relied on a strictly waterfall methodology. In addition, it had developed an internal IAM vocabulary that differed from common IAM vocabulary used industry-wide. Fortunately, Integral Partners advisors have worked with a variety of people across different roles, cultures, and aptitudes. This deep industry experience gives us the ability to adapt and work well with a range of clients—in this case, accommodating the customer’s internal values, project methodology, language, and the extensive testing timeline required by its waterfall processes.
- Full feature replacement and upgrade of legacy IGA tool
- Privileged account management (PAM) tooling
- Vaulting and password rotation for privileged accounts in the CIP program
- Access enforcement tooling
- AD-based SSO for SaaS applications
- No more manual script-writing for access audits
- “Generic account management” customization
- Customized configuration management database (CMDB) integration with automatic connection to inventory of all IT assets
Industry:Energy / Utilities
Services/Solutions:Strategy & Roadmap