Rethinking Your IGA Strategy: How to Adapt and Succeed in the Modern Identity Era

MJ Kaufmann

Security Specialist

MassMutual was founded on May 15, 1851, and from the beginning the company has championed the goal of helping people secure their future and protect their loved ones. More than 160 years later, that commitment remains a guiding principle: securing the future for its customers is the driving force behind MassMutual. It stands to reason, then, that a company so intently focused on the financial security of the people it serves would take an equally proactive approach to the security of its identity governance and administration (IGA) by partnering with Saviynt.

Attendees at CONVERGE 20 enjoyed an in-depth breakout session in which Jackie Grochowalski, Head of Identity and Access Management at MassMutual, discussed important lessons learned during MassMutual’s identity journey. Jackie’s team adapted its previous identity strategy and recently implemented peer group analytics, automation, and risk-based decision-making. During the session, she shared actionable insights on rethinking your current identity and access strategy and simplifying complexity in 2021 and beyond.

In her talk, Jackie addressed many obstacles and challenges that enterprises face from a security and identity governance perspective when transitioning to a cloud identity platform like Saviynt, including:

  • Accelerating automation
  • Building intelligent rulesets for provisioning
  • Managing non-human accounts
  • Ensuring Zero Trust

If you missed the session, you can watch it on-demand to get a better understanding of MassMutual’s IGA implementation journey, including a discussion of the need for dynamic access, provisioning, and control. Filled with clear takeaways and actionable advice, Jackie covers everything from how a cohesive vision helps maintain the right path to the usefulness of User Behavior Analytics (UBA). For your convenience, the transcript is included below the video.

Read the Transcript

Ellen Hamlin:

Hello everyone, and welcome to Rethinking Your IGA Strategy. Today, I’ll be your host for the session. My name is Ellen Hamlin. I am the senior director of customer operations, customer office operations, and I’ll be having a conversation with Jackie Grochowalski from Mass Mutual. And our intent is to talk to you about how we have adapted our strategy and methodology to succeed in the modern identity era.

Today, we hope to share some adaptations that Mass Mutual has made to implement peer group analytics, automation, and risk-based decisions to help enhance their original legacy identity management system. Our hope is that you will walk away from today’s session with some key insights that will help you rethink your identity management strategy and be able to incorporate them into your own organizations.

So before we begin, I have a few housekeeping items to address. If I can get my screen to progress. There we go. First of all, we are live. So as you can see, there are real-time situations that can happen. If you hear dogs barking, or potentially ninjas attacking, beware. Hopefully, it will be short-lived. We will have the recording available on-demand for you, so please feel free to peruse them later. And lastly, please submit questions at any time. We want to be able to make sure you’re getting the most out of this session. So please add any questions that you might have.

So I guess with that, I’d like to start by introducing Jackie Grochowalski. Jackie and I have worked together for about three years. And in that time, I’ve seen Mass Mutual really blossom from an organization that only had straight certification for their home office to an organization that has deployed enterprise-wide and has done deep birthright provisioning as well as added a deep integration with ServiceNow. Mass Mutual is one of the customers that have really pushed the boundaries of Saviynt. They have helped Saviynt adopt new and exciting features, specifically, as I mentioned, some user behavior integrations that we’ve done with Mass Mutual.

The person who’s been driving this effort is with us here today. Jackie is a leader that is a great visionary as far as identity management is concerned. You can see some of Jackie’s background on the screen. She has 15 years of experience in IT. She’s responsible for strategy and implementation. She holds a BS in communication, an MS in communications, and information management. She’s pursuing an MBA and is the mother of two happy children. So it is my pleasure to introduce my friend and partner, a great golfer, and an IM visionary with uncommon bravery, Jackie Grochowalski.

Jackie Grochowalski:

Hi Ellen. How are you? Thank you for that introduction. That was amazing. Thank you. And I am not a great golfer, but I do have very happy children. So that sounds good.

Ellen Hamlin:

Oh, I’ve golfed with you. I know you’ve got a lot of skill. Jackie, I’m so glad you could join us today here. I know that the journey with Mass Mutual has been a multi-year journey, and you haven’t accomplished any accomplishments in a single step. Can you share with us your journey and how it has evolved over the last few years?

Jackie Grochowalski:

Absolutely. And it’s been a long journey. You’re saying that you’ve been with us for about three years. That’s about how long I’ve been with Mass Mutual, a little over three years. And we started this journey before COVID, before we were all stuck in our homes with our ninja children. You might see him running back and forth at some point. Being able to take on this program was one of the highlights of my career at Mass Mutual. When I first started, the program was going, and it was in motion. Really what we were trying to do, the problems that we were trying to solve, were something that every single company sees, whether you’re a company with a lot of technical debt, you’ve been around for a while, or even companies that are just starting up and they want to make sure that their processes are streamlined.

But the Mass Mutual problem was not going to be uncommon to everyone here. It was a bunch of disconnected systems: identity feeds from several different places, certifications that had bad descriptions, maybe entitlements that people didn’t know what they were, and people that were over-provisioned in access. So we looked at that as a whole. And as I mentioned, the program was already starting to go before I took it over to join the team, a great team at Mass Mutual, by the way. We were looking to fix all those problems. And we have about 10,000 home office employees at Mass Mutual, a field population of about 35,000. Then obviously, all those nonhuman accounts are sitting out in our Active Directory and on our network. So our goal and our vision was to get everybody into the same platform.

“We had several different feeds from areas, from the field, from the home office, from our contractor population, from our subsidiary populations. And we wanted to get them all into that one hub where we could onboard them and take a lot of manual processes and make them automated.”

As I mentioned, we had several different feeds from areas, from the field, from the home office, from our contractor population, from our subsidiary populations. And we wanted to get them all into that one hub where we could onboard them and take a lot of manual processes and make them automated. And then, through their life cycle at Mass Mutual, provision their access, take away the manual efforts, and then de-provision them and terminate them appropriately so that we don’t have those people that come back and haunt us.

So really, what Saviynt did, the progress that we made was astounding. After I joined the team, it took the team about six months to stand up and get all the home office employees onto Saviynt overnight. It was a long weekend, and we had a huge success with that. After that, we looked at the field, and the field was really complex with our field, our brokers, our agents, our GAs. So then we looked at, set our sights towards that field population to get all of them onboarded and all of those feeds into Saviynt.

“What Saviynt did, the progress that we made, was astounding.”

And then, after that, we really set our sights on certifications. And certifications are probably one of the proudest things that we’ve done that I’m so proud of at Mass Mutual. That onboarding and offboarding, it was fantastic, but certifications, what we’ve been able to transform at Mass Mutual, has been really, really fantastic. We’ve been able to take certifications that you would certify all the users’ access a few times a year, all their application access. I think we had about 120-something certifications a year that we would go through with all the extra ones that we had to make sure for audit wise and whatnot. We not only trimmed that number, but we also trimmed the number of entitlements that our managers see. And we did it slowly over time. So our first certifications that went through Saviynt, we essentially had them all almost look like they did a little bit in our old system, but a little bit more accurate of entitlements and descriptions and things like that.

And then we followed up with our peer groups, as Ellen was mentioning, which was such a big win for us to use those peer group analytics and look at … We had a thumbs-up and a thumbs-down. And if everybody in your peer group had that access, your manager could see that access and say, “Oh, well, that’s a green thumbs-up. Everybody has that,” and really concentrate on that outlier access and remove access. And we saw a huge amount of revokes. I think we went from like a 1.4% up to like a 3.2%, which doesn’t sound like a lot, but when you’re talking about thousands and thousands of entitlements, it was really, really large.

And then our next step on that journey was actually to take in risk. So we were able to take the high-risk items only, along with those outliers, and we reduced our number of entitlements that our managers were able to see by 1300 down to 300. I mean, that’s so significant. It wasn’t pages and pages. It wasn’t 130 pages anymore. It was just the 300 entitlements that we looked at for our users. And that was based on managers with about an average of 10 people. We were only looking at high-risk and outlier access. The number of revokes went up to over 14% when we did that. It was amazing, and it was a great journey to get there. And really, that’s where we are today. It’s been a long journey, but it’s been really fulfilling, and we have a great team behind us.

“We reduced our number of entitlements that our managers were able to see by 1300 down to 300. I mean, that’s so significant.”

Ellen Hamlin:

Oh my God, those are really amazing stats. It’s so nice to see the vision coming into reality. So I know this journey probably has been fraught with some obstacles along the way, as successful as it’s been, things like the constantly changing business world, accelerating automation, trying to drive that speed and aggressiveness, trying to implement a Zero Trust methodology. Can you share some of the obstacles your team has had to overcome and how you’ve overcome them?

Jackie Grochowalski:

Yeah, absolutely. One of the biggest ones has been, which we’re actually still living through it so I think it’s fresh on my mind, is the disconnected applications. We all know in an IGA system, your AD and your LDAP groups are going to be easy. Those are easy to provision. But we have a vision at Mass Mutual where we want to go to automated provisioning, take away that manual, and dynamically provision the access. So not just those static roles or static access, but dynamically do it, but we need the applications connected in order to do that.

So we’ve gone through, I think the number that we’ve talked about recently was about 850 applications that we’ve gone through, looked to see if there were connections available, directly connected them when possible using different methods. API is probably the one that we want to use the most, but we’ve resorted to things like ETL and RPA as well. But really, we’ve gone through 850 apps, and now we’re actually going back through them to see what we can do and to see where we can really look at getting those connections. Starting with things like enterprise architecture to create patterns like SCIM connections.

And really, Ellen and I talk about this all the time, a grassroots effort. It has to start there. Create the pattern. When you bring in an application, if it doesn’t have the pattern we need to connect to Saviynt, then you shouldn’t be able to bring it in. I don’t know if I’m going to get that buy-in from the company, but I am certainly going to try because this is one of the hardest things that we’ve dealt with and one of our roadblocks along the way. So, still a problem we’re trying to overcome, but the team working on it is great, and I know we’ll get there eventually.

Ellen Hamlin:

That’s really awesome. Excuse me, thank you. I know you’ve talked about some of the reduction in entitlements. Can you talk about some of the other value that Saviynt has brought to MassMutual?

Jackie Grochowalski:

Absolutely. So again, I mentioned we took all these manual efforts when it came to onboarding and terminating. So it was all manual. It was someone going in there. Think back to the days where you’d actually have to go into someone’s Active Directory account and terminate them. And the risk that lies in that. At the end of the day, you have these mini terminations. You go in there. You maybe run a script or something, but I do remember the days I had to go back and actually click on the person, disable the account, and then remove all the access.

So it’s really just that. It’s all that manual effort. We took the timing of onboarding people that was about two and a half hours for the onboarding team. It’s in minutes now. Our field teams alone had a lot of complex access. They had paper forms they would submit or emails. We’ve been able to automate all of that. Whether it’s automatically provisioning or creating a task, which then goes into a queue and can be managed. So the work effort that we’ve automated as well as organized and processes that we’ve done have been huge for those onboarding teams.

Ellen Hamlin:

So what advice would you give to different organizations that are trying to demonstrate value, and how were you able to do that?

Jackie Grochowalski:

So I would say, take the high-level look. One of the things that we had seen when we set out to do the strategy was really… I mean, think about it, it was back in 2017, and you get this strategy, and you start going down that path, and things change, landscape changes, the threat landscape changes, your priorities, your audits, everything changes and drives that roadmap. And I think where we would get hung up often as we’d see these dates and these capabilities that we really want to implement, and we’d have to revisit it and take a pause and look at that.

So I think that’s so important when you’re dealing with something that’s enterprise-wide. It’s such an important thing to be able to think broadly about the whole enterprise. In IT, we think in terms of our world sometimes, and when you’re rolling out these types of platforms, it’s affecting everyone from IT to law, to compliance, and even HR. A business like MassMutual specifically, we have our retirement businesses and all of these different life insurance businesses. So it’s really important to take all that feedback from all those areas when you’re developing your road-mapping capabilities and make sure it’s the right timing for everyone.

Ellen Hamlin:

Yeah. Awesome. Timing is everything, I guess. Speaking of timing, MassMutual really seems to be poised at a pivotal point with Saviynt. Can you talk about where you see this relationship and the interaction of our teams going in the future?

Jackie Grochowalski:

2021 is really exciting for us at MassMutual. We worked really hard this year in 2020 to create the foundation of UBA for all of our IM capabilities. It’s really the core of everything we’re doing. User behavior analytics and machine learning, and Saviynt is our hub. So it onboards our employees, it offboards, and it’s that provisioning in the middle that really will create the dynamic provisioning that we see as our vision.

“Saviynt is our hub. So it onboards our employees, it offboards, and it’s that provisioning in the middle that really will create the dynamic provisioning that we see as our vision.”

So we’ve always had the vision to go take away manual efforts. Automatically provision, take away the static access, don’t look only rules-based, look risk-based, and 2021 we’ll be able to actually do all of that with the capabilities in our environment now and partnering with Saviynt to do all of that. I’ll give a few examples. Things like our certifications, we talked about peer group analytics and the risk, but now we’ll be able to bring any usage. Usage not only from a day to day what people are doing, but creating a control or creating the certifications based on, okay, this is what your people are using, this is what the peer groups have, this is the risk, and this is how long ago they’ve used it and really looking at it from a completely different lens in that aspect.

Beyond 2021 most likely, what we’ll be looking to do is really certifying the policies around what we’re doing with certifications. So not so much, Ellen Hamlin has 130 entitlements, and this is what she uses, and this is what she doesn’t. But more of these are the policies that we’ve created that show the access that Ellen should have, whether it be by user segmentation, like when I onboard someone, they need the access that’s in my group. Then maybe they’re a solutions architect, and they need the access over there.

So being able to create those policies that give the access and then certify that access, then we’re going to be looking into really just certify those policies and then anything that’s a really high risk for our users. So that’ll be our journey through 2021 as well as creating controls around when we give access and when we remove it by using that usage there. So if someone hasn’t used something for 90 days, we want to create a policy that says you lose it. It’s gone.

There will be scenarios where people will need that. I do have to have that talk once in a while, but by creating that control, we’re removing the access when people truly don’t need it and then being able to give it back when they do. That’s going to be really, really big for access and management.

Ellen Hamlin:

Really getting down to that level of Zero Trust.

Jackie Grochowalski:

Exactly. We’re on our way.

Ellen Hamlin:

That’s wonderful. I have one last question, and then we’ll open it up to some group questions. So like I said, this has really been a long journey for you. What would be the takeaways or lessons learned that you would give to people starting on this journey, and what do you think would help them make sure that they’re successful on their path?

Jackie Grochowalski:

We talked a little bit about this, and it’s been really important to take that pause. So, in the beginning of our program, we took a few of them. I can really, really say that Saviynt was such a great partner and all of the people we had on our team at Saviynt as well as MassMutual, because when we saw we weren’t going down the right path or Saviynt recognized, our team would recognize that. They throw up their hands and go, “Hey, you’re getting away from that vision.” So I think the vision piece is so important because if you have a vision, you have something to look at and to work towards. If you don’t, everybody just seems to go off in different directions.

So with Saviynt understanding what our vision was to be, all the things we talked about – use behavior, use automation, use the analytics risk-based – and being able to do all of that. They were able to interject at times when we needed them to say, you’re going off the path here, or I get that this is maybe an odd item that you need to do. Still, if we make these changes, it impacts all of these things.

So being able to take those pauses, bring in the right stakeholders, have those whiteboarding sessions that we used to be able to have. I guess we could do something maybe behind me.

Ellen Hamlin:

Some day.

Jackie Grochowalski:

Someday we’ll be back, but we had some great, great whiteboarding sessions and strategy sessions with all of our stakeholders and our Saviynt partners. We were able to take those pauses along the way to really ensure that our strategy lined up with that vision. So I talk about this all the time, I’m super passionate about it, and I think that’s one of the most important things to stay on track and really execute that implementation.

Ellen Hamlin:

Begin with the end in mind. It still is a great metaphor. I love it. Well, Jackie, thank you. Let’s turn to the Q&A section of our session today.

{End of Transcript}
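The certification-scoping approach Jackie describes in the transcript (a peer-group thumbs-up versus an outlier, narrowing the review to high-risk plus outlier items, and a usage control that removes access idle for 90 days), worked through as an added Python illustration that is not MassMutual’s or Saviynt’s code. The users, peer groups, entitlements, risk ratings, dates and the two-thirds coverage threshold are all constructed for the example.

```python
"""Added illustration of certification scoping: peer-group coverage, high-risk plus
outlier filtering, and a 90-day usage control. Not MassMutual's or Saviynt's code."""
from collections import defaultdict
from datetime import date

# Constructed sample: user -> (peer group, {entitlement: date last used, or None if never})
USERS = {
    "alice": ("claims-analyst", {"CLAIMS_RO": date(2020, 11, 1), "CLAIMS_RW": date(2020, 6, 1),
                                 "PAYROLL_ADMIN": None}),
    "bob":   ("claims-analyst", {"CLAIMS_RO": date(2021, 1, 14), "CLAIMS_RW": date(2020, 10, 1)}),
    "carol": ("claims-analyst", {"CLAIMS_RO": date(2021, 1, 12), "CLAIMS_RW": date(2020, 12, 20)}),
    "dave":  ("finance", {"GL_POST": date(2021, 1, 10)}),
    "erin":  ("finance", {"GL_POST": date(2020, 9, 1), "HR_VIEW": date(2021, 1, 5)}),
}
# Constructed risk ratings per entitlement (anything unrated is treated as "low").
RISK = {"PAYROLL_ADMIN": "high", "GL_POST": "high", "CLAIMS_RW": "medium",
        "CLAIMS_RO": "low", "HR_VIEW": "low"}
AS_OF = date(2021, 1, 15)  # constructed date the campaign is generated

def peer_coverage(users):
    """Fraction of each peer group that holds each entitlement, keyed (group, entitlement)."""
    members = defaultdict(list)
    for group, ents in users.values():
        members[group].append(set(ents))
    coverage = {}
    for group, holdings in members.items():
        for ent in set().union(*holdings):
            coverage[(group, ent)] = sum(ent in h for h in holdings) / len(holdings)
    return coverage

def scope_certification(users, risk, threshold=2 / 3):
    """Items a manager must review: peer-group outliers (coverage below the threshold)
    or high-risk entitlements. Everything else is the green thumbs-up the transcript
    describes and is left out of the campaign entirely."""
    coverage = peer_coverage(users)
    items = []
    for user, (group, ents) in users.items():
        for ent in ents:
            reasons = []
            if coverage[(group, ent)] < threshold:
                reasons.append("outlier")
            if risk.get(ent, "low") == "high":
                reasons.append("high-risk")
            if reasons:
                items.append({"user": user, "entitlement": ent,
                              "peer_coverage": coverage[(group, ent)], "reasons": reasons})
    return items

def stale_access(users, as_of=AS_OF, max_idle_days=90):
    """Usage control: (user, entitlement) pairs never used or idle for max_idle_days."""
    stale = []
    for user, (_, ents) in users.items():
        for ent, last_used in ents.items():
            if last_used is None or (as_of - last_used).days >= max_idle_days:
                stale.append((user, ent))
    return stale

def campaign_summary(users, risk):
    """How far scoping shrinks the review, in the spirit of '1300 down to 300'."""
    total = sum(len(ents) for _, ents in users.values())
    return {"assignments": total, "to_review": len(scope_certification(users, risk)),
            "stale": len(stale_access(users))}
```

With the constructed data, `campaign_summary(USERS, RISK)` shows 10 assignments narrowed to 4 review items, and `stale_access(USERS)` lists the 4 assignments the 90-day control would remove.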

Want more CONVERGE 20 insights? Watch all customer sessions on demand here.