Why GE consolidated its identity and access management infrastructure

A multi-year effort to centralize GE's IAM functionality has resulted in significant cost savings, improved onboarding and better ability to meet regulatory requirements.


GE has gained substantial cost efficiencies and performance benefits by centrally consolidating its once fragmented identity and access management (IAM) infrastructure. Over a nearly five-year period beginning in 2014, the company has integrated seven separate identity management systems across multiple business units into a single platform that currently governs how two million employees and contractors access GE applications.

The new system has eliminated costly redundancies and allowed GE to establish a standardized set of rules for enterprise-wide application access, claims Paul Bailey, leader of identity management services at GE. The centralized infrastructure has allowed GE to reduce the number of people needed to run the company's IAM program from 250 to half that number. GE has also been able to winnow down its access audit management team from a staff of 25 to just two globally.

Importantly, GE's new identity management platform has also made it easier for the company to onboard new applications, to grant, manage and terminate user access, and to ensure that identities are managed in compliance with regulatory requirements, Bailey says.

What drove GE to change its identity management infrastructure

GE's massive—and now nearly complete—undertaking is an example of how organizations are evolving their IAM capabilities to keep up with changing business requirements and other trends.

According to analyst group Gartner, the adoption of cloud and microservices architectures, increased digitalization, and the resulting spike in cyberthreats are rapidly expanding the use cases for better approaches to IAM. Gartner sees IT leaders over the next few years needing to tie their identity systems more closely with security and fraud systems, enable higher levels of automation and communication between IAM modules, and implement data management policies that are more respectful of customer consent.

"The growing scope and complexity of modern identity environments is becoming too difficult to manage in the usual ways," Gartner noted. The trend requires "IT leaders to evolve their identity and access management environments."

Bailey says GE's identity consolidation project grew out of a need for greater scalability, flexibility and speed. As a global conglomerate, GE operates in multiple industries, including aviation, healthcare, energy, capital, oil and gas, and power. Several of the areas that the company operates in are heavily regulated with strict requirements for IAM.

GE's aviation and energy businesses, for instance, need to adhere to U.S. export controls regulating the sale or transfer of controlled software, technology and services out of the United States. Part of doing that involves making sure that only people with the right clearance have access to systems that contain Department of Defense (DoD) data. GE has to adhere to similar requirements in other areas of its business, including those related to SOX, HIPAA and the FDA.

Fragmented identity management infrastructure and other challenges

Five years ago, GE's identity management infrastructure was based on technology from Oracle. The platform was near end-of-life and didn't have the scalability and flexibility to support GE's evolving requirements for its identity management program.

At the time, each of GE’s business units had separate identity management systems—seven in all—with different teams managing them using different processes. "We had a huge team of folks across those seven instances handling many of the same underlying functions," Bailey says. "It was not cost effective."

Because GE didn't have a standard IAM configuration at the time, the company had no way to define and leverage centralized rules.

One of GE's primary requirements when looking for a new identity management system was scalability, Bailey says. The company wanted something that would allow it to consolidate all seven separate identity management systems into a single platform that could be centrally managed.

GE also wanted a system that would allow administrators to more easily configure business-specific rules for individual identities. The company needed that flexibility to accommodate the unique access requirements of different businesses—such as the aviation unit's need to comply with DoD's access restrictions, Bailey notes. "With Oracle it was a lot of hard coding," to build these business rules into identities, he recalls.

Onboarding new apps enterprise-wide was challenging as well, given the highly fragmented nature of GE's identity management program five years ago. It was a process that could sometimes take up to five months. So GE wanted its next identity platform to support the ability to quickly onboard new applications.

The new identity management platform

GE's new IAM infrastructure is based on technology from SailPoint Technologies. The company's IdentityIQ platform supports all the requirements GE had in mind when looking for a consolidation platform, Bailey says. It is scalable, allows access rules to be easily configured and, importantly, supports GE's requirement for rapid application onboarding via so-called "connectors" for quickly connecting to enterprise apps, cloud-hosted applications, databases and directories. In the Oracle environment, GE often had to build its own connectors and Web services to integrate with new applications, which contributed to lengthy app onboarding times.

There have been other benefits as well. GE now has better visibility into how, when and where people are accessing applications and services. GE administrators can quickly verify if people accessing an application are doing so in a compliant and fully auditable manner.

Employees in GE's healthcare business, for instance, are required to complete FDA-regulated training before they can access certain kinds of protected data. In the past, identity management staff had a hard time verifying whether those accessing the data had indeed received the required training or were accessing it without completing that requirement. GE can now use an API-based framework that allows the IAM team to connect directly to GE's training environment and verify that the correct courses have been completed, Bailey says.
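The two kinds of business-specific rules described above (a clearance gate for systems holding DoD data, and a training-completion gate for FDA-regulated data checked against the training system) can be expressed as one centralized policy evaluation. The following is an added illustration, not GE's or SailPoint's code; the identity fields, the "DoD" clearance label, the course name and the training records are all constructed for the example, and the in-memory lookup stands in for the connector that would query the real training environment.

```python
from dataclasses import dataclass, field


@dataclass
class Identity:
    user_id: str
    business_unit: str
    clearances: set = field(default_factory=set)  # e.g. {"DoD"} (constructed label)


@dataclass
class Application:
    name: str
    requires_dod_clearance: bool = False   # export-controlled system holding DoD data
    required_training: tuple = ()          # courses that must be completed first


# Constructed stand-in for the training system an IAM connector would query.
TRAINING_RECORDS = {
    "u100": {"FDA-21CFR11-basics"},
    "u200": set(),
}


def training_completed(user_id: str, course: str) -> bool:
    """Ask the (stand-in) training environment whether a course is complete."""
    return course in TRAINING_RECORDS.get(user_id, set())


def evaluate_access(identity: Identity, app: Application) -> dict:
    """Apply the centralized rule set and return an auditable decision record.

    Every denial reason is recorded so an access audit can see exactly which
    rule blocked the request, rather than only a yes/no outcome.
    """
    reasons = []
    if app.requires_dod_clearance and "DoD" not in identity.clearances:
        reasons.append("missing DoD clearance for export-controlled system")
    for course in app.required_training:
        if not training_completed(identity.user_id, course):
            reasons.append(f"required training not completed: {course}")
    return {
        "user": identity.user_id,
        "application": app.name,
        "allowed": not reasons,
        "reasons": reasons,
    }
```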

In the future, Bailey and his team hope to leverage SailPoint's identity analytics capabilities for role management, role mining, access audits, risk management and other use cases. GE is also looking to move increasingly to a self-service model in which apps consume identity management services in an automated fashion, Bailey says.

Business growth, enterprise digital transformation efforts and regulatory compliance requirements have outpaced the ability of legacy IAM systems to keep up, says Paul Trulove, SailPoint’s chief product officer. Many organizations are being forced to upgrade. "GE is similar to a lot of companies running out of steam with current commercial or homegrown identity management solutions," Trulove notes.

Copyright © 2019 IDG Communications, Inc.
