Arla Foods maintains compliance with identity management initiative

Published on 31-Oct-2010

"Before, it could take weeks for a new employee to receive access. Now, once the line of business approves the request, the system grants access immediately.”" - —Torben Dyrholm, Security Manager, Arla Foodsx

Customer:
Arla Foods

Industry:
Consumer Products

Deployment country:
Denmark

IBM Business Partner:
MN Security

Overview

Arla Foods is one of Europe’s largest dairy companies. This cooperative of nearly 8,000 milk farmers and producers sells its products in more than 100 countries and accounts for 80 percent of all milk sold in Sweden and Denmark.

Business need:
SAP Business Suite is at the heart of Arla Foods’ operations—making the security of the system of paramount importance to company executives. The company used BMC security software to manage user identities but found that without automated workflows and self-service capabilities, identity management processes were time-consuming, costly and error-prone.

Solution:
IBM and MN Security worked with Arla to define and document user roles and approval processes. IBM® Tivoli® Identity Manager was then implemented to automate life cycle management of user roles, identities and access rights. As employees are hired, change jobs or leave, access rights are automatically updated. Staff can confirm that access rights are applied globally and separate duties to prevent conflicts of interest.

Benefits:
·Able to quickly connect users to resources and revoke access—reducing the time in some cases from weeks to minutes; Expected 50 percent reduction in number of service desk calls; Improves employee productivity for greater operational efficiency

Case Study

Arla Foods is one of Europe’s largest dairy companies. This cooperative of nearly 8,000 milk farmers and producers sells its products in more than 100 countries and accounts for 80 percent of all milk sold in Sweden and Denmark.

Challenge

SAP Business Suite is at the heart of Arla Foods’ operations—making the security of the system of paramount importance to company executives. “Pretty much everything—manufacturing, purchasing, shipments— is dependent on the SAP system,” says Torben Dyrholm, security manager, Arla Foods. “So we have to know exactly who does what in the system and be able to show that to auditors.”

However, using BMC security software, the company faced numerous challenges in managing user roles, identities and access rights. It could take several weeks for new employees to gain access to the SAP system as line of business managers coordinated requests with human resources, IT and service desk personnel via phone and email. In the meantime, employees often borrowed access credentials from colleagues to do their jobs. Updating or revoking access rights when employees changed jobs or left the company was time-consuming and error-prone. As a result, a significant number of SAP accounts were orphan or invalid accounts.

Solution

In 2006, Arla Foods outsourced its IT infrastructure to IBM, reaping significant cost savings to help it grow and strengthen its leadership in the dairy industry. In conjunction, the company sought IBM’s guidance on improving identity management. “While our steering committee initially focused on auditing concerns, we were able to show them how having roles streamlined could improve employee productivity and this became a significant focus as well,” says Dyrholm.

IBM and IBM Business Partner MN Security helped Arla line of business and security staff define and document user roles and approval processes, and identify areas that required separation of duties. This enabled the company to reduce the number of roles under management by 95 percent and confirm that access rights could be applied globally—for example, that accounts receivable (AR) personnel in the UK would have the same SAP access rights as AR staff in Denmark. It also helped to remove possible conflicts of interest—such as preventing a purchaser from being able to both approve a purchase order and issue payment for that order. IBM® Tivoli® Identity Manager software was then implemented to automate provisioning and de-provisioning processes, including approvals, based on these policies. “Before, it could take weeks for a new employee to receive access,” says Dyrholm. “Now, once the line of business approves the request, the system grants access immediately.”

About 10,000 user accounts are currently being managed with Tivoli Identity Manager software, which is integrated with SAP ERP Human Capital Management software so that as employees are hired, change jobs or leave, access rights are automatically updated. This automation helps to simplify identity management processes and strengthen compliance. Separation of duty features help prevent access conflicts as roles change. Self-service features enable employees to reset their passwords without administrative support—an important step in reducing service desk costs. Auditing and reporting mechanisms enable staff to easily confirm compliance, and Arla’s auditors have taken notice. “KPMG followed the project closely and have been very satisfied with our work maintaining compliance,” says Dyrholm. “With Tivoli Identity Manager, we can focus our time on how we utilize the system instead of trying to understand who has access to what and why.”

With the project’s success, the company has expanded its use of Tivoli Identity Manager software to Microsoft® Active Directory® and plans to expand support to IBM Lotus Notes® and physical assets, such as PCs, mobile phones and corporate credit cards. “Our vision is that whatever you’re given when you’re hired will be managed through Tivoli Identity Manager,” says Dyrholm.

Benefits

• Able to quickly connect users to resources and revoke access—reducing the time in some cases from weeks to minutes
• Expected 50 percent reduction in number of service desk calls
• Improves employee productivity for greater operational efficiency
• Enables staff to easily confirm compliance with regulatory requirements

For more information

To learn more about IBM Tivoli Identity Manager, please contact your IBM sales representative or IBM Business Partner, or visit the following website: ibm.com/tivoli

Products and services used

IBM products and services that were used in this case study.

Software:
Tivoli Identity Manager

Service:
GTS Strategic Outsourcing: IT Outsourcing Services

Legal Information

© Copyright IBM Corporation 2010 IBM Corporation Software Group Route 100 Somers, NY 10589 U.S.A. Produced in the United States of America October 2010 All Rights Reserved IBM, the IBM logo, ibm.com and Tivoli are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml Microsoft and Active Directory are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product and service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. TIC14152-DKEN-00