Managers at Pacific Gas and Electric Company (PG&E) were struggling with the quarterly process of certifying around 70,000 roles and entitlements for the company’s 24,000 employees. As a highly regulated utility, PG&E needed to stay on top of employee network and application access privileges. However, their existing identity management solution was not enabling an efficient process. “Certification fatigue” was setting in, a problem that could affect the company’s compliance and security.
The Challenge: An Excess of Manual Certifications
Every quarter, managers at PG&E must complete a certification of system access roles and entitlements for the employees who report to them. The certifications are required by regulations such as the Sarbanes-Oxley Act (SOX), which deals with IT controls related to financial reporting, and the North American Electric Reliability Corporation (NERC), which sets out security requirements for utilities. In the case of SOX, managers must provide an “access attestation” that shows, in auditable form, which employees have access rights to specific information systems.
PG&E relied on employee roles and entitlements established in Oracle Identity Manager (OIM) for certification. The difficulty was that OIM made certification almost an entirely manual process. For each employee, his or her manager would have to check off, by hand, whether the employee should have entitlements to any one of over 100 applications in use at the company. With some managers handling certifications for dozens of employees, the reality was that a manager might have to track a thousand line items—and make a thousand judgement calls about entitlements—every quarter.
In practical terms, this situation led to the risk of “rubber stamping” roles and entitlements. PG&E senior leadership became concerned that managers might experience certification fatigue and simply do a blanket “approve all” without taking the time to investigate whether each grant of access entitlement was appropriate. One risk in this approach is the potential for employees to retain unneeded legacy access to PG&E systems. For instance, an employee who changed from the accounting department to operations might still be able to log into accounting systems after leaving the role. This would violate SOX controls, at a minimum, while exposing the company to the risk of fraud.
The Solution: AI-Driven Identity Security
PG&E wanted to reduce certification fatigue. The company also had the goal of cutting the amount of time managers were spending on certifications, while improving compliance and security at the same time. To achieve these goals, they came to the conclusion that they would have to replace OIM with a solution that went beyond human-based identity security.
Working with Integral Partners, PG&E began to migrate off OIM and adopt SailPoint IdentityAI, which leverages Artificial Intelligence (AI) and related technologies to automate most of the entitlement judgement calls required for certification. Simply put, SailPoint IdentityAI can do a lot of the “thinking” and cross-checking of roles and entitlements that previously went into certification. The solution assesses an employee’s entitlements in the context of other employees with similar roles, previous entitlements, login histories and so forth. Its recommendations engine provides advice to certifiers on access decisions.
Integral collaborated with stakeholders at PG&E to devise a custom task framework aimed at reducing certifier workloads. The framework automatically approves low-risk items that have no legal or regulatory certification requirement. It can also automatically revoke high-risk items in specific cases. The framework makes these recommendations based on an analysis of usage data and of metadata that helps determine regulatory needs. The solution can also identify higher-risk roles, such as those in scope for SOX.
Integral then went further, configuring IdentityAI to perform role management for PG&E. This meant setting up a role management practice. The role management practice can use IdentityAI to analyze user entitlement patterns and discern roles that should be created for certain groups of employees.
Getting the role management practice up and running involves training key personnel with role management workshops and conducting discovery sessions. The role management practice can then recommend setting up a role which grants or revokes entitlements for an entire group of employees. The process reduces the individual entitlement certifications into one role certification.
For instance, IdentityAI might determine that some employees in multiple departments have access to a similar group of apps because their work requires it. There is an implicit role, even if the org chart or HR department has not specified it. Entitlement access is built into these inferred roles. Making this work means establishing a product-agnostic business process for role lifecycle management. Departments at PG&E can then set up “birthright access” by role, which reduces onboarding delays.
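To make the two mechanisms described above concrete, the certification triage framework (auto-approve low-risk unregulated items, auto-revoke stale high-risk items, leave the rest to the manager) and the peer-group role inference, here is an added illustration in Python. It is not SailPoint or Integral Partners code; the entitlement catalogue, the employees, the 50% peer threshold and the 90-day staleness window are all constructed assumptions, including the employee who moved from accounting to operations and kept her old entitlements.

```python
from collections import defaultdict

# Constructed catalogue (not PG&E's): risk tier and whether a regulation such as
# SOX or NERC requires a human certification of the entitlement.
CATALOG = {
    "email":      {"risk": "low",  "regulated": False},
    "intranet":   {"risk": "low",  "regulated": False},
    "gl_post":    {"risk": "high", "regulated": True},   # financial reporting control (SOX)
    "ap_approve": {"risk": "high", "regulated": True},
    "scada_view": {"risk": "high", "regulated": True},   # grid control system (NERC)
    "outage_app": {"risk": "low",  "regulated": False},
}

# Constructed employees: department and {entitlement: days since last use}.
EMPLOYEES = {
    "alice": ("accounting", {"email": 1, "intranet": 3, "gl_post": 2, "ap_approve": 5}),
    "bob":   ("accounting", {"email": 1, "intranet": 2, "gl_post": 1, "ap_approve": 4}),
    "carol": ("operations", {"email": 1, "intranet": 9, "outage_app": 1, "scada_view": 2}),
    "dave":  ("operations", {"email": 2, "intranet": 4, "outage_app": 3, "scada_view": 1}),
    # erin transferred from accounting to operations but kept her legacy access
    "erin":  ("operations", {"email": 1, "outage_app": 2, "scada_view": 3,
                             "gl_post": 120, "ap_approve": 150}),
}

def peer_set(dept, employees, threshold=0.5):
    """Entitlements held by at least `threshold` of a department's members: the
    implicit role the text describes, inferred from entitlement patterns alone."""
    members = [e for e, (d, _) in employees.items() if d == dept]
    counts = defaultdict(int)
    for e in members:
        for ent in employees[e][1]:
            counts[ent] += 1
    return {ent for ent, n in counts.items() if n / len(members) >= threshold}

def triage(emp, ent, days_unused, employees, stale_days=90):
    """Decide one certification line item: auto-approve, auto-revoke, or review."""
    meta = CATALOG[ent]
    in_peer_role = ent in peer_set(employees[emp][0], employees)
    if meta["risk"] == "low" and not meta["regulated"]:
        return "auto-approve"   # nothing requires a human to certify this item
    if meta["risk"] == "high" and not in_peer_role and days_unused >= stale_days:
        return "auto-revoke"    # high-risk, unused, and peers in the role lack it
    return "review"             # the judgement call stays with the manager

def certify(employees):
    """Build the quarterly worklist; only 'review' items reach a manager."""
    return {(emp, ent): triage(emp, ent, days, employees)
            for emp, (_, ents) in employees.items() for ent, days in ents.items()}
```

With this data the 21 line items shrink to 7 manager reviews, and both of erin's stale accounting entitlements are flagged for revocation.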
PG&E is seeing improvements in its certification process with the new IdentityAI-based solution. They are experiencing less “certification fatigue.” Compliance audits promise to cause less strain on everyone in the coming year. Integral Partners continues to work with the PG&E team on additional integrations between IdentityAI and a variety of applications. There is also a continuous process of refining the AI-driven frameworks for recommending entitlements and roles.