Identity Data Hygiene Initiative Reduces Costs

Challenge

A federal financial organization wanted to improve its identity governance and administration (IGA) system’s data hygiene. Prior to Guidehouse’s involvement, the organization had procured and implemented an IGA tool to provision and deprovision access for employees and contractors (e.g., onboarding, changing job function(s), offboarding). This tool also enabled access certification reviews, which are fundamental to identity governance and identity lifecycle management (ILM) capabilities. While these operational capabilities assisted with minimizing privilege creep and enforcing separation of duties, the absence of well-defined organizational data retention policies led to the unnecessary storage of large amounts of unstructured data. Objectives for this project were to better manage aging data through automated workflows and processes, make data management more cost-effective, and improve operational performance. In addition, the organization needed to comply with Executive Order (EO) 14028 "Improving the Nation’s Cybersecurity.”¹ To achieve these goals, the organization sought to improve data quality for identity and access management decisions — which required an organized approach to assessing and discarding old data, reducing the size of the database, and moving the IGA solution from on-prem to the cloud.

Solution

Guidehouse developed and implemented an identity hygiene strategy for the organization that included: identifying aging data, developing meaningful and actionable policies, creating rules based on organizational policies, and automating policy enforcement. This strategy included the following steps to rectify the organization’s identity data quality and data retention challenges:

• Reviewed and recommended updates to the organization’s data retention policy, developing parameters for the data housed in the IGA tool.
• Identified relevant data that fell outside the defined data retention policy.
• Evaluated existing identity and access data based on completeness, uniqueness, and maturity.
• Assessed risks and issues with retained data, including inaccuracy, duplicates, incorrect formats, incomplete events, and corrupt data or events.
• Architected a cloud-based solution and roadmap to move the tool to the cloud, using clean, relevant data that complied with the enacted data retention policy.
• Defined data maturity, creating a process for automating data clean-up, and incorporated the process into ongoing data analysis activities.

Guidehouse continues to support this organization, providing enhancement services, as well as operations and maintenance support (e.g., patching, updates) to manage and mitigate security risks.

Impact

The improved data environment enhanced the security posture of the organization with strong identity management, reducing risks associated with aging data and reducing the potential for credential theft and/or abuse. The new data retention policy enforces the automatic removal of old data from the IGA tool, that can slow data processing and increase licensing costs.  Once the data hygiene strategy implementation is complete, expected impacts include cutting the size of the database nearly in half and improved performance for workforce users. Additionally, the organization is saving money by reducing database storage and their software license tier therefore lowering the cost of using the identity provider solution.

The organization is now more resilient from a cybersecurity posture, has more confidence in the quality of its identity data, and maintains strong IGA and ILM capabilities which comply with EO 14028.

^1. Executive Order on Improving the Nation’s Cybersecurity, May 12, 2021, Executive Order on Improving the Nation's Cybersecurity | The White House.