Automating identity and access management across almost 220,000 employees at J.P. Morgan Chase & Co. should reap a return on investment of USD$3.5 million in the first year alone, company executives said.
The global financial firm began implementing the security management solution from CA Inc. in 2006, with the goal of eliminating the need for administrative staff to manually manage employee access across an array of IT systems in the organization.
“We wanted to change the way access administration was done at our firm, and change the way people thought about it,” said Betsy Willie, vice-president of security management at J.P. Morgan Chase.
Willie shared successes and challenges of the company’s ongoing global implementation at CA World 2007 in Las Vegas last month.
“For so long, the process was that an employee placed a request [for user access], someone approved it, and then someone granted it. It was a very manual, time-consuming process,” said Willie.
J.P. Morgan’s idea of eliminating that tedious human component meant not just automating the paper trail. It meant revamping the underlying business processes. And although the new setup is centrally managed, the company’s individual business lines still hold some degree of autonomy, the vice-president said.
“We needed some level of central management,” said Willie, “but wanted to be able to give the lines of business their control of roles, rules and users.”
The total budget for the project is US$7 million, and is a “truly global deployment,” according to Willie, because J.P. Morgan opted against implementing first in the U.S. then extending the system to other countries, as can often be the case. Although the term identity management has only begun to gain traction in the last five years, it’s a concept that holds immense value to the business, said Gerry Gebel, during another session at CA World 2007. Gebel is vice-president at Burton Group Inc., a research and advisor services firm based in Midvale, Utah. Automating administrative activities, such as J.P. Morgan’s very manual user access system, makes for more efficient IT, especially given businesses are typically driven to accomplish more with less, said Gebel.
In addition, identity management enhances user productivity because it minimizes time spent waiting for access to be granted via a slow people process. For instance, new hires receive their system access immediately; and contract workers hired for a limited time period can start working right away.
Improved security is another business benefit because the technology provides more granular control over what users are allowed to do in an IT system. For instance, identity management provides valuable statistics such as the number of transactions and other activities performed by a user in a particular role.
Gebel also suggested cleaning up user data in the system because automating the access process requires information to be accurate.
A centralized process, said Gebel, not only means audit trails can be produced, but also the business value of the technology can be measured. If such a project can prove itself a worthwhile investment of IT dollars, then that may make for easier project funding in the future, he added.