Why One of the UK’s Largest Banks Chose Saviynt To Modernize and Scale its IAM Controls
For many organizations, digital transformation begins with a simple question: “What can we do better?” But as anyone in financial services knows, that answer can be pretty complicated.
With over 26 million customers, 120,000 permanent and contract employees, and 4,000 applications under its purview, Lloyds Banking Group (LBG) is one of the biggest High Street banks in the UK. In early 2020, it faced the equally sizable task of modernizing its cloud Identity and Access Management (IAM) controls. Which vendor would it trust with this massive cloud transformation journey?
Last month at Whitehall Media’s annual Identity Management conference, I got the chance to sit down with David Queen, Head of Cloud Identity at LBG. I was excited to learn more about his team’s implementation journey, the challenges and discoveries they encountered, and why a two-year search led them to Saviynt.
Taking The First Steps
In early 2020, David’s cloud identity team began re-engineering their identity and access controls in support of the bank’s cloud-first strategy. Thousands of applications will be migrated to Google Cloud Platform (GCP), and access for tens of thousands of engineers — and eventually an exponential number of users — will need to be seamlessly enabled.
To do this, they needed a cloud IAM strategy that would align closely with their existing IAM controls — but without the on-prem constraints on scale and agility. This required a cloud Privileged Access Management (PAM) solution that could keep their data fully secure on a public cloud platform while delivering an ideal user experience for everyone.
Shrinking The Attack Surface
LBG was originally working on-prem with a lot of shared accounts — “and a lot of privileged access,” David says. “We’d noticed that most of the security attacks in our industry stemmed from compromised user accounts where privileged access moved laterally through the organization, creating a huge blast radius. We knew we didn’t want to continue managing that on our own.”
Eliminating standing access was the first step. They decided early that they needed zero standing privilege with just enough access, scaling, and the ability to put privileged access behind the just-in-time (JIT) process — and to provision and remove the credentials on a timebound basis.
A Fresh Start in The Cloud
When his role began, David had an array of tools that didn’t easily lend themselves to managing privileged identities within cloud environments.
“The processes we had in place weren’t tied back to our master set of controls,” he says. “They were highly manual, and not very well integrated into our enterprise toolset. Our existing enterprise tools didn’t easily connect with our public cloud platforms and wouldn’t be able to scale to our ambitions.”
Rather than build, David went to the market for help with the challenge. During the 2-year process of evaluating vendors, he learned to keep an open mind.
“The requirements that we set out in our original RFI changed significantly because our understanding of cloud and cloud use cases evolved, expanded, and became a lot more nuanced. It’s not just the problems you’re trying to solve today — it’s how you might need to adapt in the future.”
They discovered that effective transformation wasn’t just about selecting the right platform or the right vendor — it was about selecting the right partner. In a dynamic industry where clouds are changing all the time, you need new APIs, new capabilities, and a guide to help you through the maze.
The Right Vendor For The Job
David’s team chose Saviynt’s Enterprise Identity Cloud (EIC) as an all-in-one converged solution. Saviynt’s Identity Governance provided the lifecycle management, controls, and certifications they required; Cloud Privileged Access Management (CPAM) delivered just-in-time, just-enough access capabilities. With the rise of third-party threats, the Third Party Access Governance (TPAG) module was an added bonus.
“Saviynt has been incredibly easy to implement,” David says. “Very user-friendly and intuitive. We’ve been able to get it spun up fairly quickly and massively improve the process that we used to run.”
One of the additional benefits of choosing Saviynt is access to industry insight. “Saviynt has visibility into what other organizations are doing, how the industry is moving, emerging security threats, and new strategies to adapt to them.”
Lloyds spent the last six months working with Saviynt and its developer community around privileged access and broke ground on the actual engineering around February 2022. As part of this large-scale data migration, they expect to migrate a few thousand users to this suite of data tools in Q1 of 2023.
For David’s team, one of the main criteria demonstrating success is SOX compliance. As anyone in financial services knows, it’s easy to have audit finding after audit finding because organizations simply lack real-time visibility into their actual compliance posture.
Saviynt has over 1500 different controls for different cloud platforms aligned to regulations like CIS CSA, SOC, and FedRAMP — and mapped to multiple compliance standards. This feature allows them to bring out-of-the-box control frameworks together into a single dashboard.
“It’s configuration, not code,” David says. “That’s what makes implementation of Saviynt straightforward.”
Using Saviynt’s data, reports, and analysis prior to audit has been a huge benefit, allowing them to pre-mitigate missing controls, walk away with fewer audit findings, and lower compliance costs.
“Rather than crossing our fingers and hoping for the best,” David says, “we can look at the dashboard and say, ‘Ok this is where we’ve got an issue, and this is how we need to fix it.’”
Now, when their internal auditors request formal access control lists and spreadsheets, David points them to Saviynt’s cloud console and upskills them on the workflows his team has in place that now replace the detailed documents.
Frictionless User XP
Another key concern David had during this process was user experience: would his developers resist the transition away from standing entitlements and a “put all privileged things in a vault” mentality? Many had expressed concerns that repeatedly having to raise JIT requests would constrain progress and create an overall drag on productivity and effectiveness. But that wasn’t the case. Saviynt eliminated the need to check out credentials, log into a series of applications, check them back in, rotate, rinse and repeat.
“Users who were skeptical about having to provision and de-provision privileged accounts on the fly have been proven wrong,” says David. “Saviynt’s JIT features didn’t hamper users’ abilities to develop and use tools or applications, and the feedback was excellent.”
To make sure LBG is capturing all the data that Saviynt is supplying, the bank is now looking to integrate Saviynt more heavily into its existing infrastructure, including ServiceNow — an integral component of their Security Operations Centre.
“Our goal is to create a single privilege access management journey across all clouds,” says David. “Looking forward, this journey is about creating a single process, a single set of controls, and hopefully, a single customer journey.”
With Saviynt’s help, they’re on track for success.
For more information, stream David’s talk from the Whitehall Media IDM UK event on demand.