Published on 14-Mar-2013
"With Tivoli Identity Manager, we have an absolute fail safe that as associates leave, their access is removed. The process is instantaneous." - Kyle F. Kennedy, Director of Global Directory and Identity Services, ADP
Computer Services, Professional Services
IBM Business Partner: Pontis Research
For many companies, it can take days or weeks when an employee departs to revoke his or her access to buildings and IT systems. At ADP, the process is instantaneous thanks to its work with IBM and IBM Business Partner Pontis Research.
Manual identity management processes made it time-consuming and costly to track when and if access rights are revoked.
With a view to becoming “identity aware,” ADP worked with IBM Business Partner Pontis Research and IBM to automate processes for user account provisioning, de-provisioning and access management in its Active Directory, remote access and facility management systems.
Automatic Data Processing (ADP) is one of the world's largest providers of business outsourcing solutions—including HR, payroll, tax and benefits administration solutions—with nearly USD10 billion in revenues and about 600,000 clients.
At many companies, it can take days or weeks when an employee departs to revoke his or her access to buildings and IT systems. And ADP was no exception. When ADP associates left, revoking their access rights was predominantly a manual process that depended on each system administrator’s schedule and availability. What’s more, without a centralized, consolidated approach to identity management it was time-consuming and challenging for staff to confirm compliance for regulatory requirements, such as the Sarbanes-Oxley Act, SAS 70 and ISO 27001.
“We had a lot of manual processes that created significant overhead and took staff away from other critical projects and support work,” says Kyle F. Kennedy, director, Global Directory and Identity Services, ADP.
With a view to becoming “identity aware,” ADP worked with IBM Business Partner Pontis Research to design an identity management solution using IBM® Tivoli® Identity Manager software. The solution automates processes for user account provisioning, de-provisioning and access management in its Microsoft Active Directory, remote access and facility management systems.
ADP was already familiar with IBM identity and access management (IAM) solutions, having successfully implemented IBM Tivoli Access Manager for Enterprise Single Sign-On software six years earlier. Following its deployment of Tivoli Identity Manager software, ADP implemented IBM Tivoli Federated Identity Manager software to provide federated access for SaaS solutions.
Efficiently managing user roles and access rights
The solution embedded IBM Tivoli Identity Manager software within the ADP employee portal to automate and standardize the process for granting and revoking access rights to ADP associates and consultants. Through the portal ADP managers can now view all the associates and contractors they’re responsible for, confirm that they have the appropriate access, and request changes.
Behind the scenes, Tivoli Identity Manager software automates approval and notification workflows along with provisioning and de-provisioning processes to reduce the time, cost and potential for human error. As a result, as HR staff input personnel changes into the HR system, the company can efficiently manage user roles and access rights in tandem.
This has helped ADP confirm that access to vital systems and buildings is revoked immediately upon an associate’s departure and that new associates are only granted access to the buildings and systems they need, once they’ve completed the necessary background checks.
Quickly confirming who has access to what
The enterprise-wide implementation of the IBM identity and access management solution also helped staff members identify orphan accounts not associated with valid users—many of which were test accounts within the perimeter systems that had been set up as part of the initial enterprise integration of the IAM solution.
Additionally, security administrators can more quickly produce reports on who has access to what and confirm access changes and authorizations for regulatory requirements.
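As an added illustration, not ADP's or IBM's code and not how Tivoli Identity Manager works internally, the reconciliation the two sections above describe in prose: an HR roster is compared against a snapshot of accounts in the perimeter systems to flag enabled accounts whose owners HR already lists as terminated, and orphan accounts with no valid owner. The HR records, accounts, system names and the reporting date are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                          # "active" or "terminated"
    termination_date: Optional[date] = None

@dataclass(frozen=True)
class Account:
    system: str                          # "ad", "exchange", "vpn" or "badge"
    username: str
    owner_id: Optional[str]              # employee_id the account is linked to, None if unlinked
    enabled: bool

# Constructed sample data (not ADP data): a small HR roster and an account snapshot
HR_ROSTER: Dict[str, HrRecord] = {
    "E100": HrRecord("E100", "active"),
    "E200": HrRecord("E200", "terminated", date(2013, 2, 1)),
    "E300": HrRecord("E300", "terminated", date(2013, 2, 25)),
}
ACCOUNTS: List[Account] = [
    Account("ad", "jdoe", "E100", True),
    Account("ad", "asmith", "E200", True),      # leaver still enabled in AD
    Account("badge", "asmith", "E200", False),  # badge access already revoked
    Account("vpn", "bjones", "E300", True),     # leaver still enabled on the VPN
    Account("ad", "svc_test01", None, True),    # unlinked test account
    Account("ad", "oldadmin", "E999", True),    # owner no longer exists in HR
]
AS_OF = date(2013, 3, 1)                         # constructed reporting date

def overdue_leavers(roster, accounts, as_of):
    """Enabled accounts whose owner HR lists as terminated, with days since termination."""
    findings = []
    for acct in accounts:
        rec = roster.get(acct.owner_id) if acct.owner_id else None
        if acct.enabled and rec and rec.status == "terminated":
            findings.append((acct.system, acct.username, (as_of - rec.termination_date).days))
    return sorted(findings, key=lambda f: f[2], reverse=True)   # longest-lived gap first

def orphan_accounts(roster, accounts):
    """Accounts with no HR owner at all, or an owner ID that HR does not know."""
    return sorted((a.system, a.username) for a in accounts
                  if a.owner_id is None or a.owner_id not in roster)

if __name__ == "__main__":
    for f in overdue_leavers(HR_ROSTER, ACCOUNTS, AS_OF):
        print("leaver still enabled: %s/%s, %d days after termination" % f)
    for o in orphan_accounts(HR_ROSTER, ACCOUNTS):
        print("orphan account: %s/%s" % o)
```

Run against a real HR feed and directory export, the "days after termination" column is the de-provisioning lag the case study says dropped from weeks to seconds.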
“Pontis provided the expertise to help us design, implement and support a Tivoli Identity Manager solution within our environment,” says Kennedy. “Before this, nobody knew when or if departing associates were de-provisioned from our systems. With Tivoli Identity Manager, we have an absolute fail safe that as associates leave, their access is removed. The process is instantaneous.”
Targeting key systems
During the first phase of the project, Pontis helped ADP automate identity management processes for 27,000 U.S.-based employees (each has two or more accounts) in four key areas: Microsoft Active Directory, Microsoft Exchange, the company’s virtual private network, and facility badge access systems.
With its open framework, Tivoli Identity Manager software can control access to several different badge systems, some of which have published interfaces and some of which don’t.
“These four target areas are critical in securing the perimeter of our organization,” says Kennedy. “Once access is revoked in these areas, an associate can’t get into an ADP facility, they can’t access the network, either on-site or remotely, and they can’t forward any emails.”
Enabling zero-day-based provisioning
Kennedy adds: “Furthermore, as part of the initial provisioning process and integrating additional layers of the IBM IAM solution, ADP now has the ability to implement zero-day-based provisioning for key applications and enable federated access to SaaS vendors that enrich the associate’s day-one experience at ADP.”
He explains: “Zero-based provisioning is the ability to provide access to applications and systems without the associate and/or consultant knowing what their credential information is for those respective systems and applications. With zero-based provisioning implemented, privileged system and application access is significantly secured from internal and external attacks during and after the associate’s or consultant’s engagement with ADP.”
As part of its evaluation of identity management solutions, ADP invited IBM and several large IAM vendors to participate in an on-site Proof of Concept demonstration. “IBM separated itself from the crowd,” says Kennedy. “Tivoli Identity Manager was up and running within two days even though we gave each vendor a week to complete the Proof of Concept.”
● Vastly increases security by reducing time to revoke access from weeks to seconds
● Reduces administration and help-desk costs while enhancing visibility of user access
● Provides zero-day and zero-based provisioning and federated access to resources
● Enables identity awareness
● IBM® Tivoli® Identity Manager
● IBM Tivoli Access Manager for Enterprise Single Sign-On
● IBM Tivoli Federated Identity Manager
IBM Business Partner
● Pontis Research
For more information
To increase the business value of your IBM security solutions, participate in an online community. Join the IBM security community at: http://instituteforadvancedsecurity.com
For more information about Pontis Research, visit: www.pontisresearch.com
For more information about ADP, visit: www.adp.com
© Copyright IBM Corporation 2013. IBM Corporation, Software Group, Route 100, Somers, NY 10589. Produced in the United States of America, February 2013. WGC12351-USEN-00