It is understandable that a fledgling six-year-old bank would prefer to spruce up its core banking systems rather than consider an identity and access management (IAM) system. In the case of Yes Bank, however, it took expansion and a growing number of systems for the bank to realize that it needed to protect its databases and applications from unauthorized access.
Yes Bank has approximately 80-plus systems and around 3,200 employees. It earlier relied on a manual process to identify people and their entitlements, one that was laborious, vulnerable and likely inaccurate. The IT team would send dumps from each system to 300 different managers for review. The bank needed an automated solution to manage employee identities across the organization. "To manage the identity of individuals, authenticate them in a unique and secure fashion, as well as ensure that they are entitled only to the information they are supposed to have, were some of our requirements," says Umesh Jain, the CIO of Yes Bank.
The IAM system for a bank can become a very complex implementation because of the sheer number of business applications. Jain had prior IAM deployment experience and knew the pain areas well. Most IAM systems on the market offer good functionality, but their rollouts run into several years, making them a costly proposition. This is due to the philosophy on which current IAM systems work: the typical IAM system has a central repository for identification and entitlement, and every other system is required to integrate with it, calling for alterations to those systems. Yes Bank therefore needed an IAM system that was affordable and faster to deploy. Realizing that no solution met these criteria, the bank decided to develop its own IAM system.
Yes Bank needed a starting point. Its IAM system used Microsoft Active Directory as the central repository for identification and authentication. Other applications were then integrated with Active Directory. This meant that all new systems had to authenticate using the Lightweight Directory Access Protocol (LDAP), and older systems had to migrate. LDAP integration has helped achieve single sign-on capabilities, so every Yes Bank employee now has a single user ID and password for all applications.
The IAM system's second aspect was entitlement provisioning and de-provisioning. The bank prepared a basic template defining each employee's role, KRAs and access requirements, taking data from the HR system. All information regarding that individual is fed directly into the workflow, built on the .Net framework, which creates multiple requests for the required access. Yes Bank's managed service provider, Wipro, provides and manages privileged account management, which was hitherto not covered under this initiative. The bank's core IT team conducts quarterly reviews of privileged IDs and their structure.
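As an added illustration (not Yes Bank's or Wipro's code, which the article does not show), here is a hypothetical, template-driven reconciliation of the kind the workflow performs: an HR record and a role template yield the entitlements an employee should have, and the difference from each system's entitlement dump becomes grant and revoke requests, each carrying the reason a reviewer would want to see. All roles, users, systems and dumps are constructed for the example.

```python
"""Template-driven entitlement provisioning and review (added illustration).
Hypothetical model of the workflow the article describes: HR supplies each
employee's role and status, a role template lists what each role may access,
and the gap between template and per-system entitlement dumps becomes
grant/revoke requests. All names, roles and dumps are constructed."""
from dataclasses import dataclass

# Constructed role template: role -> {system: entitlements the role needs}
ROLE_TEMPLATE = {
    "teller": {"CoreBanking": {"cash_txn"}, "Exchange": {"mailbox"}},
    "branch_manager": {"CoreBanking": {"cash_txn", "approve_loan"},
                       "Exchange": {"mailbox"}},
}

@dataclass(frozen=True)
class Request:
    action: str        # "grant" or "revoke"
    user: str
    system: str
    entitlement: str
    reason: str        # kept so each request doubles as an audit trail entry

def expected_for(record):
    """Expand an HR record into entitlements; inactive staff get nothing."""
    if record["status"] != "active":
        return {}
    return ROLE_TEMPLATE[record["role"]]

def reconcile(hr_records, system_dumps):
    """Diff template-derived entitlements against per-system dumps: missing
    rights become grants; excess rights, inactive staff and orphans become revokes."""
    by_user = {r["user"]: r for r in hr_records}
    requests = []
    for system, dump in system_dumps.items():
        for user in sorted(set(by_user) | set(dump)):
            rec = by_user.get(user)
            have = dump.get(user, set())
            need = expected_for(rec).get(system, set()) if rec else set()
            for ent in sorted(need - have):
                requests.append(Request("grant", user, system, ent,
                                        f"required by role template {rec['role']}"))
            for ent in sorted(have - need):
                if rec is None:
                    why = "no HR record (orphan account)"
                elif rec["status"] != "active":
                    why = "employee inactive (off-boarding)"
                else:
                    why = f"not in role template {rec['role']}"
                requests.append(Request("revoke", user, system, ent, why))
    return requests
```

Run quarterly against fresh dumps, the revoke list is the automated counterpart of the entitlement review that previously went to managers by hand.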
Rolled out in April 2010, Yes Bank's IAM system is unique in that it works on a "push" mechanism, while other systems in the market work on "pull". The typical IAM solution has a central console that pulls signals from applications such as Oracle Flexcube and Microsoft Exchange (among others). With such IAM solutions, existing applications need to learn to talk to the IAM central console, requiring alterations to the applications. In the case of Yes Bank's IAM solution, the changes are restricted to the central console. So when a user logs into Windows and wants to log in to Exchange, he has to resupply the user ID and password. "Rather than have Exchange pull information, we are pushing ID and password to get entitlements," explains Jain. This push mechanism is one of the main reasons behind Yes Bank's faster and more cost-effective IAM implementation.
Jain claims that Yes Bank has achieved the critical 80% of the functionality of any standard IAM system. The remaining 20% covers applications that cannot be integrated; ID creation and rights entitlement remain manual for such applications. Flexcube, the bank's core banking application, has not yet been completely integrated with Active Directory, since its upgrade is expected in 2011.
The challenging job took Yes Bank just three months. Apart from LDAP integration challenges, Yes Bank faced structural issues. Hitesh Mulani, the CISO of Yes Bank, explains, "Our earlier structure demanded that an individual's ID be reviewed by his immediate senior. We soon realized that it was probably too much information in the hands of people (some quite new) in the organization. So we changed the structure and confined ID review to just a few senior people."
Standardization of IDs and automation of entitlement review have made the process simpler. By not choosing a ready-made IAM solution, Yes Bank will save almost Rs 2 crore over a period of five years. Employee on-boarding and off-boarding processes that used to take days have been shortened to a few hours. Jain believes that the bank will save at least Rs 40,00,000 (a conservative estimate) per year in the on-boarding process alone.
Yes Bank is now looking at covering the remaining 20% of functionality in its IAM system, and hopes to eliminate manual intervention. The bank also wants to automate the log review of security administration, so that every system change is registered and every change in rights generates an audit trail.