How West Midlands police collared identity and access management vendors

Streamlining access is extremely important for the 15,000-person unit, particularly when dealing with information as sensitive as that in police records.

How do you ensure your 15,000 employees have proper access to the right systems and the right buildings, and that those rights are instantly updated when anyone joins the organisation, leaves or changes jobs?


That would be a big enough challenge for most organisations, but for the police, the problem is even tougher due to the kinds of data they handle.

Until recently, the West Midlands police force relied on tight administrative procedures to prevent overly broad systems access, but that created a slow-moving bureaucratic process that could result in a new recruit having to wait for up to six weeks to get all his or her access rights set up.

That’s all changing, however, with the deployment of a new identity and access management system that project manager and former police superintendent Paul Williamson says will bring the whole enrolment process down to just 10 minutes, and also massively reduce the administrative overhead.

That is good news for an organisation that is increasingly being asked to cut spending. “The organisation is getting smaller; we are losing people with the government cutbacks,” Williamson said, “so we have to accommodate that through technology.”

However, while the savings will come at a fortunate time, the implementation was not driven by penny pinching. West Midlands began a major review of its IAM processes four years ago, when senior management realised it was hard to get a clear and comprehensive picture of any force member’s access rights or activities, because information was spread around in disparate systems and governed by various policies. What was needed was a single reference point for personal information, such as an IAM system (a "golden nominal" in police parlance), that would enable management to control more easily who was allowed to access information.

“The force wanted to streamline physical access to all buildings to provide single sign-on to systems, as well as improving visitor management,” Williamson said. “This would be done using smartcards with PKI for access both to our own systems, and national applications as well. It was therefore key to be able to identify the person through the golden nominal.”

That resulted in an ambitious programme of work involving 13 IT-related projects, all of which had identity and access management underpinning them. However, as Williamson explained, the choice of a provisioning system was delayed, in order to ensure the system would be able to integrate with all the other elements they chose, such as the smartcard and physical security systems.

“Some people do provisioning first, but we decided to get through procurement of the other processes and leave provisioning till the end,” Williamson said. “The whole purpose of IAM provisioning is to administer control, and to give us a clear picture of what people are doing: what access they have to buildings and systems, how we give them access quickly when they join, or move between roles, and, of course, removing access rights when they leave or change roles.”

As a large public body, the force is subject to open procurement rules. Around 80 identity and access management vendors replied to its initial request for tenders, and this was eventually whittled down to a short list of six suppliers (“all the major suppliers in the Gartner Magic Quadrant,” according to Williamson), who were invited to present and demonstrate their products.

From the demos, they were able to build a scoring matrix based on the products' functionality, ease of deployment and cost.

“We didn’t want a provisioning system that would require a lot of extra coding to make it work, and to make the connectors between the system itself and the systems it was linking to,” Williamson said. “Some of the bigger companies required a lot of background coding to be done. It was not a drag-and-drop operation. We wanted to avoid that.”

“Also, once we’d implemented, we didn’t want to have one of the supplier’s people on the premises doing maintenance and carrying out any changes we needed. We wanted the ability to do skills transfer so we could look after it ourselves.”

The product that scored best overall was the Courion Access Assurance Suite. As Williamson said, all the systems performed the basic requirements of an IAM system, but the Courion product stood out for its ease of deployment and ease of management.

“Courion’s implementation is much less complex than some of the other systems', and it was far easier to transfer the [product management] skills to our own people. So we don’t have to keep spending money every time we want to make a change,” Williamson said.

One key element of any chosen system was that it should allow West Midlands to easily create connectors to all of its existing applications. All the shortlisted vendors claimed to offer this functionality, but, as Williamson discovered after looking at the products in more detail, that was often far from the case.

With a go-live date set for September this year, the West Midlands team is creating connectors for the non-standard applications in the organisation so they come under control of the Courion system and accounts can be set up more quickly. “Our experience so far with Courion is that our people have picked it up fairly quickly. So we anticipate we will be able to integrate other applications quite easily,” Williamson said.

Next stop: Role mining
The first stage of the implementation is what he calls the birthright stage. That means that, as soon as someone is appointed to the force or to a new role, and an HR record is created, the process of giving the new recruit access will be mainly automated, generating an ID card, providing access to buildings, creating an email account and granting access to network domains on the police network.
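The birthright stage described above is, in engineering terms, a reconciliation loop: an HR event changes a person's attributes, a policy maps those attributes to a baseline entitlement set, and the engine grants or revokes whatever differs from what the person already holds. The following Python is an added illustration of that loop and is not the force's Courion configuration; the policy table, entitlement names and event format are all constructed for the example. The same diff handles joiners, movers (role change) and leavers (everything revoked), which is what keeps access rights current without a manual queue.

```python
"""Birthright provisioning driven by HR events.

Added illustration only: the policy, entitlement names and event shapes below are
constructed and do not describe any real police system.
"""
from dataclasses import dataclass, field

# Hypothetical birthright policy: "*" is granted to everyone who is active,
# the other keys add role-specific baseline access.
BIRTHRIGHT = {
    "*": {"id_card", "email", "building:hq", "domain:corp"},
    "constable": {"domain:ops", "app:records"},
    "analyst": {"app:records", "app:analytics"},
    "civilian": set(),
}


@dataclass
class Person:
    person_id: str
    role: str
    active: bool = True
    entitlements: set = field(default_factory=set)


def target_entitlements(person):
    """Policy says what this person should hold; leavers should hold nothing."""
    if not person.active:
        return set()
    return set(BIRTHRIGHT["*"]) | set(BIRTHRIGHT.get(person.role, set()))


def reconcile(person):
    """Compute grants and revokes that bring the person in line with policy, apply them,
    and return (grants, revokes) as sorted lists so the change is auditable."""
    target = target_entitlements(person)
    grants = sorted(target - person.entitlements)
    revokes = sorted(person.entitlements - target)
    person.entitlements = target
    return grants, revokes


def apply_hr_event(directory, event):
    """Apply one constructed HR event, e.g. {"type": "joiner", "person_id": "p1", "role": "constable"},
    to the directory (person_id -> Person) and return the resulting (grants, revokes)."""
    kind, pid = event["type"], event["person_id"]
    if kind == "joiner":
        directory[pid] = Person(pid, event["role"])
    elif kind == "mover":
        directory[pid].role = event["role"]
    elif kind == "leaver":
        directory[pid].active = False
    else:
        raise ValueError(f"unknown HR event type {kind!r}")
    return reconcile(directory[pid])


if __name__ == "__main__":
    people = {}
    for ev in ({"type": "joiner", "person_id": "p1", "role": "constable"},
               {"type": "mover", "person_id": "p1", "role": "analyst"},
               {"type": "leaver", "person_id": "p1"}):
        grants, revokes = apply_hr_event(people, ev)
        print(ev["type"], "grant:", grants, "revoke:", revokes)
```

Because every change is expressed as a grant/revoke diff against policy rather than as an ad hoc ticket, the same log that drives provisioning also answers the question Williamson raises about knowing what access people hold.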

Once that part of the system is up and running in September, Williamson says his next step will be to start a role-mining exercise that will eventually allow the force to exert more granular control over who accesses what files and applications.

Although the Courion suite includes role-mining functions, Williamson does not expect the process to be easy. “We are an organisation of 15,000 people. If I went out and interviewed them all, I know I would end up with 15,000 roles. They all think they are unique. We have an idea of what we’ll end up with, but we need to go through the process [of assessing access requirements]. I think that will be the hardest part,” he said.

The role-mining exercise will produce a picture of who currently accesses which files and applications, and Williamson’s team will then need to trawl through the information and establish a set of distinct roles, each with its own associated access rights and policies. This will make it easier in future to assign rights to people in new roles.

“Role mining will churn out a lot of data, but you have to go through it to try and discern some logic within it. It is not a silver bullet, but it will give us a good head start,” Williamson said. “In the meantime, we are working with departments developing policies, and going through a business analysis of what they do currently.”
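The core of the role-mining step Williamson describes, turning a dump of who-has-what into candidate roles plus a list of exceptions to review, can be shown in a few dozen lines. The Python below is an added example and is not Courion's role-mining function; the user names and entitlements are constructed. It groups users who hold identical entitlement sets into candidate roles, treats users whose set is shared by too few colleagues as outliers, and for each outlier reports which candidate role they most resemble and what they hold beyond it, which is exactly the "logic within the data" an analyst then has to judge.

```python
"""Bottom-up role mining over a user -> entitlements snapshot.

Added example, not the project's own code. ACCESS is constructed sample data.
"""
from collections import defaultdict

# Constructed snapshot: six users, their current entitlements.
ACCESS = {
    "u01": {"email", "records", "ops"},
    "u02": {"email", "records", "ops"},
    "u03": {"email", "records", "ops", "admin"},
    "u04": {"email", "analytics", "records"},
    "u05": {"email", "analytics", "records"},
    "u06": {"email"},
}


def mine_roles(access, min_members=2):
    """Group users with identical entitlement sets into candidate roles.

    Returns (roles, outliers). roles is a list of {"entitlements": [...], "members": [...]}
    sorted by member count (descending) then entitlements; outliers are users whose exact
    entitlement set is held by fewer than min_members people and so need manual review.
    """
    groups = defaultdict(list)
    for user, ents in access.items():
        groups[frozenset(ents)].append(user)
    roles, outliers = [], []
    for ents, members in groups.items():
        if len(members) >= min_members:
            roles.append({"entitlements": sorted(ents), "members": sorted(members)})
        else:
            outliers.extend(members)
    roles.sort(key=lambda r: (-len(r["members"]), r["entitlements"]))
    return roles, sorted(outliers)


def explain_outlier(user, access, roles):
    """Find the largest candidate role fully contained in the user's access and report
    the extras; extras are the entitlements an analyst should justify or remove."""
    held = set(access[user])
    best, best_size = None, -1
    for idx, role in enumerate(roles):
        ents = set(role["entitlements"])
        if ents <= held and len(ents) > best_size:
            best, best_size = idx, len(ents)
    base = set(roles[best]["entitlements"]) if best is not None else set()
    return best, sorted(held - base)


def summary(access, min_members=2):
    """Return how many roles a naive one-role-per-user model implies versus the mined count."""
    roles, outliers = mine_roles(access, min_members)
    return {"users": len(access), "candidate_roles": len(roles), "outliers": len(outliers)}


if __name__ == "__main__":
    roles, outliers = mine_roles(ACCESS)
    for r in roles:
        print("role", r["entitlements"], "members", r["members"])
    for u in outliers:
        print("review", u, explain_outlier(u, ACCESS, roles))
    print(summary(ACCESS))
```

Grouping by exact entitlement set is deliberately the simplest strategy; it already shows why interviewing 15,000 people yields 15,000 roles (every user is their own group) and why the data-driven pass gives a head start rather than an answer: the outlier list and the extras are where the policy work with departments still has to happen.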

Return on investment
The government has pledged to cut police funding by 20% in real terms by 2015, so any new investment has to deliver a clear return. Williamson concedes that, although many of the advantages of the new system are intangible, there will be opportunities to save on administrative overhead and to produce a more efficient operation. “The project has been reviewed on at least three occasions to make sure it still stacks up, both in terms of the costs and the kind of savings we are likely to get,” he said.

Nevertheless, he remains cautious about pushing ahead too fast. “IAM projects are notorious for failures and can be very expensive,” Williamson said. “We did not want to implement everything at once.”

He said other features will be added later, such as the issue of equipment, mobile phones and uniforms as part of the on-boarding process, and each of these stages will create extra efficiency benefits across the organisation. “We are doing it in bite-sized chunks. We are in no massive rush,” Williamson said. “The big wins will come in the early phases. Then we can afford to do the other things properly without rushing.”
