Founded in 1992, Discovery is a leading financial services company based in South Africa with additional operations in the UK and US. Locally, the company specialises in the health and life insurance markets, and is a pioneer in the emerging market for lifestyle and wellness products and benefits.
Discovery has operational centres throughout South Africa, and growing business interests in the UK and US, employing a total of approximately 7,000 people. Monthly staff turnover at Discovery is much lower than the industry average. Even so, each month between 60 and 100 people join the company and approximately the same number leave. This turnover of staff was putting a strain on Discovery's identity management processes.
The company had implemented Microsoft Identity Integration Server to synchronise its user directories and largely eliminate paper-based administration for additions, changes and deletions. However, as Discovery looked to introduce more sophisticated automation for identity management and role-based provisioning of new users, the Microsoft solution became increasingly inadequate.
The software had worked well as a pure synchronisation tool, but was limited in its scope, leaving a significant amount of manual work for administrators. It was also relatively complex and difficult to use, and Discovery had concerns about its scalability.
Discovery selected Identity Manager as the basis for its new automated provisioning system, and engaged Ubusha Technologies, a leading South African systems integrator, to provide training and guidance to its in-house IT team.
“Our existing Microsoft solution was not sophisticated enough to support our plans for identity management,” said Alwyn Van Niekerk, Systems Architect at Discovery. “Identity Manager could do almost everything we needed 'out of the box', enabling us to keep our significant internal programming expertise focused on our core insurance systems. Ubusha Technologies provided excellent training; their technical consultants are highly competent and very knowledgeable about identity management.”
Discovery implemented Identity Manager on SUSE® Linux Enterprise Server, with a staged rollout taking around three months to completely replace the synchronisation previously handled by Microsoft Identity Integration Server. Identity Manager draws on the central human resources database as its master source of identity information, and synchronises a number of internal systems, including four Microsoft Active Directory domains.
To provision a new employee, Identity Manager uses predetermined criteria in their HR record to determine their role and organisational status, then automatically assigns the correct access rights for the relevant domains and applications.
“As we intended, the new identity management solution has not changed the process from HR's point of view - it's just that the downstream system is now much smarter,” said Van Niekerk. “Even with the Microsoft synchronisation tool, we were spending a lot of time and effort on manual changes to seven different systems each time something changed. The whole approach was quite chaotic. Identity Manager saves us a great amount of manual effort and potential confusion.”
The new solution synchronises information every 20 minutes across all systems. By contrast, the former solution had a 24-hour cycle, and Discovery needed to make further manual changes to ensure that user information and access rights were reflected accurately throughout the enterprise.
Discovery is using Identity Manager to pull some existing user self-service portals into the central identity management processes, and plans to introduce full password self-service in the near future.
The introduction of Identity Manager has radically simplified Discovery's identity management processes, eliminating the long development and testing cycles required by the former Microsoft solution.
“Identity Manager is a breeze to use: the toolset is very well developed and it is clearly a mature, user-friendly product,” said Van Niekerk. “Discovery is a dynamic business, and there are many moves and changes to handle, including a major re-organisation about once a year. Identity Manager gives us the power to automate all the complex data synchronisation needed to make that run smoothly.”
Discovery can now provision users in 20 minutes, rather than 24 hours, so new employees can use e-mail and access all relevant applications on their first day at work. Equally, the solution automatically removes all access rights from ex-employees as soon as their period of employment ends. Previously, an administrator could forget to manually remove an old user from some systems, potentially creating a security risk.
“Our users now have much better control over access rights, and they no longer need to contact several different people to make a change - all systems are automatically updated when the master record changes,” said Van Niekerk. “Our approach to security is now more consistent and requires less manual intervention, leaving us free to focus on our core business.”