Identity automation caps Medibank’s three-year data overhaul

Private health insurer Medibank is reaping the benefits of faster, more effective user authentication as it nears the end of a three-year overhaul that spanned data discovery, technology simplification, and the introduction of an identity and access management (IAM) framework built around its streamlined data-management processes.

The project had a broad scope, but concentrating on a few key deliverables helped focus the technology team as it reviewed and optimised its data protections, identity protections, and the IAM processes that support them, CISO Stuart Harrison told CSO Australia.

“To address the inherent risk of holding very sensitive information, it was very important that we broke down the work into bite-sized milestones,” Harrison said, “and that we could measure and prove tangible value over time.”

“Fantastic” executive and board support throughout the project, Harrison said, reflected a broad understanding of risk and reinforced the view that personally identifiable information (PII) about the company’s members was its most important asset.

That asset needed to be protected as such, both through policies and with technology – and in the third and most recent part of its project, Medibank ultimately engaged with SailPoint to implement an IAM platform based on that vendor’s open identity platform.

“We didn’t know all the answers, but we knew at the beginning what ‘good’ looks like,” he said. “We were looking to deliver a fair amount of functionality in a short time, so we had to develop a sound understanding of exactly what it was that we were trying to achieve.”

To facilitate adoption by the company’s 3500 users, the new platform had to be “business friendly pretty much out of the box”, Harrison said. This led to an extensive focus on automation, with strategic partners engaged and given bits of work to resolve various pieces of the infrastructure puzzle.

These pieces were assembled in an iterative fashion that helped complete the implementation in under 8 weeks, but Harrison admits it was a cultural change.

“Different versions of features and functions can be stood up, tested, and deployed into production in a number of days using patterns that allow onboarding of applications into SailPoint as an automated process,” he explained.

“It was a very different way of operating, and this can sometimes cause concern for people because it’s definitely quite far away from your typical waterfall delivery approach. There are lots of releases going on all the time and the concept of it is no longer a user; a lot of your changes are code driven.”

The new data culture

By building on the company’s earlier efforts around data identification, Harrison is confident the company has constructed a framework that will preserve its data-handling policies and access controls across its environment.

Streamlined administration of applications and IAM processes has dramatically simplified the process of managing security rights to core data and applications.

“You’ve got to be very disciplined in what you deem to be your critical data,” Harrison said. “In a really data-centric world, you must understand where that data exists and who has access to it – and whether you are comfortable with that. If you are not, go mitigate that risk as quickly as you can.”

Automation has not only streamlined the management of applications within the Medibank Private environment, but also provided the better visibility needed to meet regulatory compliance and data privacy objectives.

User access reviews, for example, are much easier to conduct to ensure that legacy applications aren’t compromising controls around data protection and security.

“If you can form an understanding of the lifecycle of your data,” he said, “from creation through to usage and ultimately through to destruction, you can come up with a set of controls for that – a key one of which is identity. Then you’ve got a quantifiable position where you can start addressing the highest risk items first, and spotting any outliers.”

Over time, the IAM environment will facilitate the continuing rollout of new applications to users without sacrificing control over user access and data protections.

“A lot of people talk about identity management as a restricted control in the governance mechanism,” Harrison explained, “which is understandable. But there are a lot of mechanisms in this platform to service the business and preserve ease of use.

“By understanding how users behave on our network, we can take it forward to use that information to shape better controls and an easier user experience from the business side of things.”

Copyright © 2018 IDG Communications, Inc.
