Omada Identity Governance Solution as the Foundation for Digital Transformation
Digitization is a focal point in the finance industry. New technologies and services are continuously introduced via internet platforms, and digital business models are consistently challenging the status quo.
The Deutsche Leasing Group facilitates asset investments for small and medium-sized enterprises in Germany. As the asset finance partner for SMEs and the asset finance competence center for the Sparkassen-Finanzgruppe, its focus is on forward-looking measures and new approaches to stay ahead of competitors by being ever more diversified, more digital, and more efficient.
Digitalization is changing not only the market but internal processes as well. Keeping up with technology innovations in a fast-paced and competitive market presents new challenges for organizations in the finance industry, which need to:
- Reduce the risk of security breaches and cybercrime while opening the doors for mobile and digital customer experiences
- Maintain compliance with regulatory requirements
- Leverage and introduce new technologies to achieve a competitive advantage
- Develop the infrastructure in line with business requirements to improve efficiency
Deutsche Leasing has seen this as a great opportunity to scrutinize internal processes, policies, and structures, to become more efficient, to understand customers’ needs better, and to develop appropriate offers for all target groups. To make this structural change and seize the opportunities it brings, Deutsche Leasing has ramped up its investments in information technology and data management. The accessibility of business applications relies on consistent, automated identity governance processes that ensure correct and compliant access for employees, customers, and business partners.
Optimized role and access rights management to meet compliance requirements
Deutsche Leasing operates an IT security management system in accordance with the ‘Secure IT Operations’ Framework (SITB), which is based on the internationally acknowledged standard ISO 27001 as well as the German ‘IT Baseline Protection’ standard set by the German Federal Office for Information Security (BSI). Other regulatory requirements and industry standards have been incorporated into the framework, such as the German ‘Supervisory Requirements for IT in Financial Institutions’ (Bankaufsichtliche Anforderungen an die IT – BAIT). This ensures that technical and organizational security measures for specific aspects of information security are in line with the latest state of technology.
A key driver for Deutsche Leasing was the goal of implementing a comprehensive Identity and Access Management (IAM) solution that would encompass the BAIT-related requirements for auditing and user access management and optimize the role and access rights management relating to the underlying identity management workflows.
The IAM project was set up with Omada to advise on all functional processes, technical specifications, and the migration plan from the existing legacy workflow system to the Omada Identity solution. To scale in the best way and bring in the best resources, Omada involved resources from its strong partners IAM Consultant and Alegri. A successful IAM project requires good data quality, so besides core services such as implementation of the IAM system, Omada also supported the analysis of prerequisites for data quality and infrastructure.
From interim to automated solution
To enable review and validation of access rights, roles, and policies, a first major milestone in the project was to automate the processes for scheduled recertification of all assignments for the most critical resources and systems. In total, more than 400 target systems were included, most of them via generic DB, Active Directory, and LDAP using the standard built-in connectors in Omada Identity. Current recertification surveys included more than 10,000 questions for 85,000 assignments.
“The recertification processes enable our managers and system owners to take responsibility and attest whether access rights for identities, roles, or contexts are still valid or whether action should be taken to remove the access. It is a great benefit that we can perform recertification more efficiently now and that we have optimized the workload from interim processes in Excel, as we did previously. Throughout the project Omada’s consultants gave us expert guidance on the best practices for determining what kind of certification campaigns were needed, and the frequency we should run them at to ensure good governance. They clearly demonstrated their specialist knowledge about the regulative requirements such as BAIT, that we operate under.” – Marco Pluta, Project Manager of Deutsche Leasing.
Compliance reporting and auditing
As technology evolves, compliance has become a more complex topic. As such, another key requirement from Deutsche Leasing was that all system and user activities, approval and implementation workflows, and all administrator actions should be monitored, logged, and stored in tamper-proof form.
Omada Identity ensures that all identity- and access-related changes are now recorded in the identity database and can be evaluated by authorized persons directly in the dashboards. Advanced reports are available for in-depth analysis in several formats and can be archived in audit-proof form for on-demand audits.
Omada Identity's automated auditing processes include:
- Detailed audit-ready reports
- Complete audit log and history
- Recording of changes to permissions, approvals, and recertifications
- Fine-grained reporting to facilitate auditors' and managers' assessment of the compliance status
The Deutsche Leasing audit processes cover:
- About 3,700 active identities
- 11,000 technical accounts
- More than 400 applications and services included in the compliance and audit processes
Advanced auditing capabilities support the business policies and ensure data integrity by detecting and remediating exceptions, so that the desired policy results are accomplished. In-depth reporting, analysis, and evaluation of policies for identities, accounts, entitlements, segregation of duties, and privileged accounts provide effective auditing.
Automated audit processes provide the ability to compare the actual state of identities and access rights with the desired state, the capability to alert policy owners of violations and exceptions, and a workflow that facilitates timely and orderly remediation.
Effective role management ensures compliance with regulations
The IT requirements for financial institutions concerning user access management are defined in detail by the German financial supervisory authorities in BAIT. To comply with the BAIT regulation, financial organizations must have measures in place to manage the identity lifecycle and ensure that user access rights are assigned according to the need-to-know principle, that the segregation of duties is observed, and that conflicts of interest are avoided.
For Deutsche Leasing, it was essential to optimize access rights management and reduce the complexity of onboarding and managing employee access rights based on roles with predefined policies. Access rights are now ordered via the Omada portal, which also makes it possible to reconcile the actual and the desired state. The defined roles, policies, and contexts are designed to reflect the business structure in the IAM solution. In the last annual audit in September 2019, no findings related to Identity and Access Management were filed, proving that the IAM system is state of the art and provides the ability to manage governance topics on roles and rights.
Future-proof IAM solution
In a highly competitive market, Deutsche Leasing has strengthened its robust position by further diversifying its range of services. The company has focused on increasing the efficiency of internal processes and on fast, efficient customer solutions. It has taken a major step forward in the field of digitization, in terms of increasing speed and efficiency and optimizing processes. Implementing essential IAM processes that include identity governance capabilities supports organizational efficiency, maintains compliance, and facilitates the introduction of new technologies.
“The many built-in standard processes and comprehensive identity governance functionalities in Omada Identity are easily configurable and make it easy for us to continuously adapt our IAM solution to our evolving business needs. This means that we have a future-proof solution that supports us on our digital journey.” – Marco Pluta, Project Manager of Deutsche Leasing.
About Deutsche Leasing
The Deutsche Leasing Group is the leading solutions-oriented asset finance partner for German medium-sized companies and offers a wide range of investment-related finance solutions (asset finance) and other complementary services (asset services). Within Sparkassen-Finanzgruppe, Deutsche Leasing is the competence center for leasing and factoring as well as other asset finance solutions and complementary services aimed at medium-sized companies both in Germany and abroad.
Founded in 1962, the Deutsche Leasing Group today employs more than 2,500 people from its nationwide network of branches. During the 2017/18 financial year (reporting date 30.09.2018), the Deutsche Leasing Group secured further growth in its new business in the amount of some 9.2 billion euros.
The Deutsche Leasing Group’s services range from finance solutions for machinery, vehicles, IT and property through to international investments and custom solutions (including transport and logistics, energy and healthcare) as well as factoring and receivables management. Its offering is complemented by ancillary services such as insurance and fleet management. In its international business, Deutsche Leasing supports its customers from Germany in 22 countries, including the most important export markets in Europe, China, Russia and the USA, as well as Canada and Brazil.