In order to protect and manage access to its data, Banque de Luxembourg wanted an identity and access management solution that would eliminate manual user provisioning processes and the inherent risks that threaten successful banking operations. By using Microsoft Forefront Identity Manager 2010 with Active Directory Domain Services, the bank increased productivity, simplified IT management, and improved compliance.
Banque de Luxembourg is a private bank that offers its clients wealth management services. In the bank’s core business, technology plays a primary role. The IT department maintains an IT infrastructure that provides tools to facilitate key banking tasks, including processing thousands of transactions on a daily basis. With this comes the task of managing the identities of 780 employees and the access they are granted to more than 50 line-of-business applications and to several heterogeneous databases. “Identity and access management is particularly important to our organization in order to control who has access to our data, including customer information and account data,” says René Chevremont, Head of Access Management at Banque de Luxembourg.
For each of its applications, the IT security department (Access Management) at Banque de Luxembourg relied on time-consuming, manual processes for managing employees’ identities and access. Using multiple spreadsheets—one for each of its Windows Server 2008 R2 Active Directory Domain Services directories—the Access Management department maintained access-rights information. Spreadsheets were passed to as many as 30 people via e-mail each time the bank hired a new employee, each time employee access rights changed, or each time an employee terminated employment. Not only did this method create lengthy delays and potential for inaccuracies, but it also increased the complexity of guaranteeing the security that the bank needed to protect access to critical data and applications.
Banque de Luxembourg sought a centralized solution for identity and access management: one that would work with its heterogeneous systems. It wanted to eliminate manual processes for provisioning user accounts in an effort to improve IT efficiency and internal compliance. Even more importantly, the bank wanted a solution that would give the Access Management department granular control over employees’ identity and access, enabling them to protect sensitive and confidential information that, if breached, could put operations at risk.
“With Forefront Identity Manager and Active Directory, we have the comprehensive identity and access management solution that we need to support our banking operations.”
Head of Access Management, Banque de Luxembourg
Banque de Luxembourg decided to implement Microsoft Forefront Identity Manager 2010, which delivers policy-based identity and credential management across heterogeneous environments. The bank teamed with Microsoft Gold Certified Partner Telindus and deployed Forefront Identity Manager to the entire organization, representing 780 users, in February 2010.
The Access Management department identified more than 300 roles (covering the 20 most-used banking applications, as well as employee job roles) at the organization and defined policies for each of the roles, which determine each employee’s level of access and which applications and data they can access. Access Management personnel use a Microsoft Office SharePoint Server–based console in Forefront Identity Manager to easily create the rules that govern users and groups. Then, using Forefront Identity Manager, the bank takes employee information from its human resources database, PeopleSoft, automatically applies its defined policies, and then synchronizes the information with multiple Active Directory directories. It plans to synchronize data with its Avaloq banking solution based on Oracle and with its SunSystems phone system.
The bank also created policies to provision and de-provision user accounts. By using Forefront Identity Manager to apply policies, the bank can provide appropriate access to systems and data when new employees join the company. At the same time, when employees leave the company, the IT department can centrally and automatically de-provision user accounts to ensure that they no longer have access to sensitive banking and customer data, helping to ensure compliance with internal security policies.
In the future, the company plans to implement group management features in Forefront Identity Manager, which will enable employees to self-serve group membership requests, including distribution list management. In addition, Banque de Luxembourg is evaluating Microsoft Forefront Client Security. The unified virus and spyware protection will complement the bank’s identity and access management solution, helping to provide comprehensive coverage for security risks that could threaten operations.
Benefits
As a result of implementing Forefront Identity Manager 2010, the bank increased employee productivity, simplified IT access management, and improved internal compliance. “With Forefront Identity Manager and Active Directory, we have the comprehensive identity and access management solution that we need to support our banking operations,” says René Chevremont.
Increased Employee Productivity
Now, the Access Management department can automatically provision and de-provision user accounts from a central location. Instead of waiting several days for access to various systems, the IT department can grant appropriate access to new employees in a matter of hours. “We’ve empowered employees by giving them the ability to start work on their first day and immediately be productive,” explains René Chevremont.
Simplified IT Management
With Forefront Identity Manager, the Access Management department at Banque de Luxembourg has eliminated time-consuming, often manual methods for tracking users and access. Instead of passing a spreadsheet between departments—a process that required one full-time IT staff member—the provisioning and de-provisioning process is automated with information in a central location. “By freeing one employee from managing the tedious spreadsheet process, that employee can now focus on more strategic IT-security tasks that support critical bank operations,” says René Chevremont.
By automatically de-provisioning user accounts when an employee leaves the company, the bank improves its internal compliance and simplifies the auditing process. The IT department has granular control over identities and access across the bank’s directories and applications, making it simple to revoke access rights. Also, data is synchronized across multiple directories, helping to ensure data consistency and accuracy. At the same time, because activities and historical states are logged, the bank can increase visibility into the compliance and security state of its system.