As part of its 2037 Vision plan for the 100th anniversary of its founding, the NX Group moved to a holding system in January 2022, aiming to be “a logistics company with a presence in the global market.” Nippon Express Co., Ltd. (Nippon Express) is its core company. The NX Group is now engaged in logistics-related businesses in land, sea, and air operations through its domestic network, with 196 group companies (as of January 4, 2021), and its overseas network, which covers 730 sites in 310 cities across 49 countries and regions (as of the end of December 2021). With its corporate message, “We Find the Way,” the NX Group engages with an ambitious “How can we make it happen?” attitude and actively promotes digital transformation (DX). The Group has also implemented numerous layers of cybersecurity measures to help ensure the safety of its DX journey. For example, it has taken advantage of Microsoft Entra Identity Governance for entitlement management and automated its IT access lifecycle management. With this thorough identity governance, the NX Group has streamlined the entire process, including requests, approvals, deployment, and use of systems and applications its employees need. And the Group is moving forward to optimize the relevant license costs.
“We’ve used Microsoft Entra Identity Governance to establish the unstaffed access lifecycle management that we have long wanted. We’re now able to control access permissions in a granular and automated manner. It’s also a significant benefit in terms of security, cost, and reduction in effort for the administrators.”
Takaaki Matsunaga, Project Chief, NX Information Systems
The “waste” and “risk” generated by the limitations of manual license management
The NX Group, represented by its core company, Nippon Express, has long paid serious attention to its IT operations and implemented security measures in different layers, such as networks and endpoints. As part of this effort, the Group implemented a request/approval system for line-of-business system access permissions and application usage. It based the system on access request workflows to manage the lifecycle of access to its IT assets and limit use to only those who require access for business operations.
Takaaki Matsunaga, Project Chief at NX Information Systems and in charge of the NX Group’s IT management, recalls that IT access lifecycle management used to be inefficient because it could only be handled manually. “Nippon Express and the NX Group have deployed different systems and applications in their long history, and the products and services of various providers are associated with their respective authentication infrastructure. Because of this, there was no system to comprehensively operate or manage the entire license,” Matsunaga says. “The Group had no choice but to use manual methods, like printed documents and Excel files, which inevitably causes unevenness in our comprehension of license operation. I had long looked for a solution for it.”
Many companies have inventoried their IT assets manually ever since they procured packaged office automation products. And as Matsunaga points out, it’s not unusual for an organization to discover unused licenses that it retains for no purpose.
License contracts with no active users lead to wasted costs. They can also become weak points in an organization’s information security, because retired employees may access the system using these unused licenses. If nobody knows who is using or managing a system, it can give a malicious attacker clues for breaking through the organization’s security defenses.
Looking for a way to address these issues, the NX Group gradually began taking advantage of innovative solutions in its fiscal year 2019 (FY19). This led to the Group using Microsoft Entra Identity Governance (originally Azure Active Directory) for entitlement management, spurred by the deployment of Microsoft 365 E3 in FY19.
License management to support the NX Group’s rapid growth
As a result of its Microsoft 365 deployment in FY19, the NX Group expected to gradually unify the communications environments of approximately 50,000 to 60,000 users in both domestic and overseas group companies within SharePoint Online and Exchange Online. It wanted to operate and manage the authentication process for the NX Group’s user groups on a global scale.
Nobuyuki Otsuka at NX Information Systems notes that it was difficult to operate and manage such a large-scale authentication process. “An authentication process for about 20,000 users is simply a lot of work. In traditional operations, it would take two to three weeks from request and approval to license allocation. It does not provide the speed or other benefits the cloud should offer. If we wanted to scale out to 50,000 to 60,000 global users, we knew we needed a solution that could automate the authentication process. So, we consulted with Microsoft Japan, and they told us about Microsoft Entra Identity Governance.”
Microsoft Entra Identity Governance offers identity governance that supports identity and access lifecycle management at large scale by automating access request workflows, access permission allocation, and review and revocation processes. With this identity governance, HR or General Affairs department staff with no expertise can create access packages according to the target employees’ job titles and departments. To operate and manage appropriate access permissions across the whole Group, they just need to specify items like which access permissions are granted to which roles and for how long.
Matsunaga explains, “I think automating access permission management based on user roles offers significant benefits, both from security and cost control perspectives. For example, suppose an official needs to view files containing classified information. It’s unlikely that you grant such a high privilege to this person for an indefinite period. By using entitlement management, we can grant limited access permissions from the beginning based on the assigned terms for the job, and we can review the renewal status when the applicable expiration date draws near. This is a huge benefit.”
In April 2020, the Group first experienced the positive impacts of Microsoft Entra Identity Governance when the government declared a state of emergency for seven prefectures in Japan due to the COVID-19 outbreak. This caused many companies to shift to remote work.
To facilitate telework for its employees, Nippon Express deployed Microsoft Teams, a collaboration platform that it had originally planned to roll out in 2021, and implemented Microsoft Entra Identity Governance for users who submit their telework applications. Because no human intervention was needed for this authentication process, Nippon Express approved access requests efficiently even when requests flooded in, and it successfully and automatically activated licenses for those employees. Once they received notifications about their activated licenses, employees installed Teams from the Microsoft website and got started working remotely.
Having successfully distributed an essential tool for telework in an emergency, Nippon Express implemented a bring your own device (BYOD) application policy designed for managers. “At first, we ran the conventional authentication process using Excel and mailing lists, anticipating only a few applications for BYOD from managers,” says Otsuka. “Once we started accepting applications, however, the applications flooded in, probably due to the COVID-19 crisis. So, we switched to entitlement management. The shift was quick and successful because we could create access packages so easily.”
Nippon Express has since deployed Microsoft 365 F3, a licensing suite for frontline workers, in conjunction with its BYOD policy for technical professionals. This move, along with the advanced authentication management from Azure Active Directory, helped expand its highly secure and easy-to-use environment.
Get more from Microsoft cloud technologies to drive efficiency
The Microsoft 365 deployment at the NX Group is still underway. While continuing to provide implementation support for each group company, the Group has a vision to gradually expand its entitlement management across the Group and achieve enhanced business efficiency.
“We’re investigating whether we can migrate our existing on-premises Active Directory to Azure AD and also looking to automate device deployment with Windows Autopilot. And although it would take some time, we’re also thinking about automating part of our IT support with AI-based chatbots built using Power Virtual Agents,” concludes Matsunaga.