GaVI is a leading IT service provider for the German public insurance industry. The company has its head office in Mannheim, and operates from 12 sites across the country. It employs 500 people and generated revenues of €180 million in 2009.
GaVI works with large insurance companies, and needs to be able to provide more than 22,500 users with reliable, secure access to business-critical systems. Some of its clients have more than 200 different applications, and managing and securing user identities and access rights was a complex task.
"We were relying on manual, paper-based processes for user administration, and it just wasn't scalable," said Christine Deger, Head of Engineering Networks at GaVI. "As the number of users, systems and companies grew, we were spending too much time on basic things like the creation of new user accounts and resetting forgotten passwords."
The company also faced a regulatory challenge: in 2009, the German government released MaRisk VA, a new directive on risk management in the insurance industry, which increased the need for a more auditable approach to IT security and access management.
GaVI decided to create a centralized identity and security management solution that would automate most user management processes and provide greater insight into which users were accessing which systems.
A key requirement was that the solution should be capable of integrating with different applications to meet the requirements of GaVI's different clients. For example, some clients were using SAP Human Capital Management as their main HR system, while others were using PeopleSoft HRMS. It was important to find a solution that would be flexible enough to work with either of these applications, giving GaVI a single method of managing user identities regardless of its clients' specific infrastructure.
"We knew Novell's (now a part of Micro Focus) reputation as a leading provider of identity management and security solutions," said Albert Harz, Head of Networks and Telephony at GaVI. "We evaluated Identity Manager and Sentinel, and saw that they were the right products to meet our needs."
The GaVI team worked with us to implement Identity Manager and integrate it with hundreds of systems for its various clients—including SAP HCM and ESS, PeopleSoft HRMS and CRM, IBM Lotus Notes, IBM DB2, Oracle, NetIQ eDirectory™, OpenLDAP, and many custom-developed applications. When a new employee is created in a client's HR system, the solution automatically creates the appropriate user accounts in other systems, based on the employee's role.
GaVI then worked with DIDAS, a Partner, to integrate the solution with Sentinel, which consolidates access logs from all the different systems for real-time analysis and reporting. This provides a full audit trail and helps to reduce the risk of unauthorized or malicious users accessing systems: if unusual activity is detected, Sentinel can alert administrators and enable them to revoke access privileges in Identity Manager.
By automating the creation and deletion of user accounts, and by providing a self-service portal that allows users to reset their own forgotten passwords, our solution has reduced the amount of time GaVI needs to spend on basic user management work.
"Identity Manager has eliminated the manual, paper-based processes for setting up new users, which gives us a more cost-effective and scalable way of working," said Harz. "It also eliminates delays, helping us provide better service to our clients. When a new employee joins one of our clients, we can provide access to systems within minutes, instead of days. Equally, if we need to block a user, we can do it in seconds—in one case, a user's laptop was stolen, and we were able to temporarily deactivate their account with a single click."
The combination of Identity Manager and Sentinel™ makes it easier for GaVI to demonstrate compliance with IT security and risk management legislation, and also provides greater visibility of user activity.
"As well as enhancing security, the reports that Sentinel generates can be useful in many other ways," said Deger. "For example, one client discovered that 17 percent of their user accounts were actually inactive. Deleting these accounts enabled them to reduce software licensing costs for several applications."
GaVI is highly satisfied with the solution, and confident that it is the right platform to support its clients for the future.
"Novell and DIDAS have both been excellent partners in this project, and we look forward to working with them to extend the solution further," said Harz. "We now plan to implement Access Governance Suite to control access requests, and Privileged User Manager for policy-based control of UNIX and Linux systems."