Transcript
services and I work at Swisspost. Swisspost is a nationwide company. We operate a critical infrastructure in the field of logistics and financials and also mobility services. We have the whole Switzerland as customers because we deliver letters and parcels and our company has about 40,000, 45,000 employees. We choose one identity for our provider because one identity manager, the solution provides a good governance framework and it's quite flexible and scalable and that's very important for us, for Swisspost because we have a large number of applications, different applications and also of user types and one identity manager allows us to manage all this variety. The greatest security risk we face in Swisspost are cyberattacks on our critical infrastructure, but we have also issues with supply chain vulnerabilities and also fraud, social engineering against our digital channels. Our governance and provisioning process before identity solution was quite manually and not trackable, so we had a lot of manual effort to provision all the access rights and also to manage the identities. We see clear benefits of the identity manager solution. We have faster on and off boarding of employees, then we have fewer manual IT tickets, we have clear, better transparency for the manager and the application owner and we have reduced risks due to automated workflows, approval workflows and red certification. The onboarding of applications in EM or one identity manager is quite structured. We have several steps for that. So at first, we meet the application owner and define the entitlement and also the ownership of this entitlement. After that, we do a risk classification of this entitlement and define the approval workflow and also the red certifications. And for that reason, the application owner has every time access to the one identity manager solution and think they can have transparency or they can transparency which employee person has access to what from his application. We perform red certification checks for highly critical roles once a year, because this is a balance between usability and security. So if you do it too often, then the employees will be used and they click it away anyway. But when we do it once a year, then they have pay attention to this red certification. And I think this is then quite effective. If someone is concerned about identity security, we have some lessons learned. We did for ourselves. So a major point is to define the governance before you automate, because if you automate something you don't know, then you have a mess in the end. Very important and a very good or a very important base for the whole identity and access management is of course the data quality and also the role structure, that you have a clean role structure. And furthermore, IEM is not only an IT service, it is also a business enabler. So therefore, stakeholder management is a very important point. The lessons learned with our stakeholder regarding the identity security is that we explain to stakeholders what value we generate for the business. It is compliance and security, so that the stakeholders from the business can perform their business processes in a secure way. I can recommend One Identity Manager. The number one reason is the very good governance framework, but also the flexibility they have. And that is very important for a diverse and large company like Swisspost, so that we can deploy all the processes securely and compliantly.