Illimity bank effortlessly manages ever-changing identities


Born in 2018, Illimity Group is a digital-first leader in the Italian banking market. Offering innovative digital banking services to retail and corporate customers through illimitybank.com, the Group employs 927 "illimiters" from over 350 companies, spanning 18 business sectors and 24 countries.

Challenge

Illimity Bank was looking for a way to fully automate its identity management system, develop a full governance framework to automate the provisioning, and ensure compliance at both national and international levels. They needed a SaaS solution that could adapt to their complex cloud environment and scale security with rapid business growth.

Solution

By implementing SailPoint Identity Security Cloud, Illimity Bank established a fully automated identity security platform. This solution enabled the Group to balance critical objectives such as reducing operational costs and risks while enhancing security, compliance, and audit performance.

Industry

Banking

Company size

927 employees

Partner

Vantea Smart

“Having the digital identity framework under control is a fundamental part of any company. SailPoint enables us to achieve this goal with maximum efficiency”

Luca Dozio, Head of ICT Security, Illimity Bank

400k

automated provisioning events managed in 9 months

2.3K

active identities with a fully automated lifecycle

12

target systems integrated

In 2021, Illimity Bank faced a critical digital transformation challenge: securing and automating identity management across its rapidly growing operations. As a digital-first bank, Illimity needed to protect and enable access for users, applications, and data while maintaining stringent security and compliance standards. The envisioned solution to achieve all of this was to revolutionise its identity scenario by creating an identity security platform.

‘We are a new paradigm company, born to pursue a purely digital evolution: for us, understanding what our business users do and granting them the right access, in terms of minimum privilege and necessary knowledge, is extremely important for operational efficiency and risk management,’ says Luca Dozio, Head of ICT Security, Illimity Bank.

Yet, achieving this goal was far from a foregone conclusion. According to the most recent estimates, the average staff turnover rate [1] across all sectors stands at 18%, with banking leading the way [2]. Internal mobility, the movement of an employee to a new job within the same company, is growing strongly [3] as well.

“With SailPoint, we were able to take Illimity Bank to a new and important level of operational efficiency, with major automations leading to significant gains in terms of time and reduction of potential human error”

Luca Dozio, Head of ICT Security, Illimity Bank

These phenomena lead to a proliferation of digital identities within a modern company, which in turn results in labor-intensive processes such as certifications, access requests, password management, and manual provisioning. These processes can create heavy workloads and potential human error, with significant risks and loss of productivity.

‘Our group leverages an innovative cloud-based architecture that allows us to quickly and easily integrate third-party services, giving us unique flexibility in developing and customizing our banking platform. Initially, we implemented Microsoft Azure Active Directory to control and protect access to IT resources, but we realised we had to go one step further,’ highlights Dozio.

In such an extensive and constantly evolving IT environment, user identity security was crucial to keep the Group's ICT risk under control. This led Illimity Bank to create a true governance system and, in 2021, develop a conceptual framework that served as the basis for an IGA Request for Proposal, launched in 2022.

The choice, oriented from the start towards a SaaS solution, had to meet specific requirements: seamless synchronization with pre-existing applications and cloud environments, and consistent authorization across all movements made by employees within the company, with fully automated provisioning.

The challenge was overcome with the implementation and operation of SailPoint Identity Security Cloud in less than a year.

A single point of view for changing identities

‘The choice of SailPoint Identity Security Cloud was dictated by its ability to realise an immediate benefit: the centralisation in a single point of the user's identities, associated with the different digital identities on the various target systems,’ explains Luca Dozio. ‘SailPoint gave us the ability to see the individual user's permissions, their accesses; also allowing us to go and verify that the user's authority assignments reflect the right criteria or not’.

The solution was launched at the end of 2022, leading to the creation of an Identity Governance & Administration System in 2023, incorporating key functions such as:

  • reducing the workload of the Cloud Engineering team with respect to user Joiner-Mover-Leaver (JML) processes through the automatic assignment of access rights;
  • ensuring compliance with the principles of least privilege and need-to-know, guaranteeing the confidentiality and integrity of company data; 
  • ensuring that access to systems complies with internal and external regulations by applying Separation of Duty (SoD) controls; 
  • enabling a more efficient response to incidents and data breaches; 
  • finally, constant monitoring, through an IGA reporting engine that correlates user information by providing a list of permissions on accounts, the history of permissions assigned and who authorised those permissions.

SailPoint Identity Security Cloud has thus enabled Illimity Bank to efficiently and cost-effectively manage and protect all identity access, balancing critical objectives such as reducing operational costs and risks while enhancing security, compliance, and audit performance.

Measuring the results: the strength of automation, the robustness of compliance

The numbers give an initial idea of the advantage that automation delivered.

Thanks to the solution, deployed in the period between February and September 2023:

  • 1269 users were created in the Joiner phase during the period; 
  • 1098 were deactivated in the Leaver phase; 
  • 878 were transferred to another area in the Mover phase.

Additionally, many users with non-vital access to certain applications were excluded from the authorization refresh.

‘SailPoint's Identity Security Cloud solution allowed us to manage and protect real-time access to critical data and applications for each corporate identity with an intelligent, unified approach, primarily by automating the lifecycle management of user identities, including onboarding, role changes, and account deactivation. When a user changes departments or leaves the organisation, the system automatically adjusts his or her access according to the new requirements or revokes permissions,’ declares Luca Dozio.

Another core functionality highly appreciated by Illimity was the access history, helping the bank retrieve the history of entitlements assigned and lost by users and the reasons behind such events. This also allowed the bank to reconstruct the entire history of a digital identity in terms of both the assignment/withdrawal of privileges and profile changes read from the authoritative source.

Furthermore, with centralised governance and built-in compliance audits, SailPoint has also helped Illimity Bank automatically monitor and document access, simplifying audit processes and compliance with European and national regulations along with corporate and banking standards.

Looking to the future: competence-based access

‘Previously, access was granted based on hierarchy. C-levels could make use of any tool. Today, thanks to the implementation of our IGA system, this is no longer the case, but we want to go even further,’ states Dozio.

Illimity's nearest goal is to address all of the bank's target systems through the SailPoint Identity Security Cloud solution, providing certified skills-based access that also includes Non-Employee Risk Management (NERM) functions designed to securely and automatically manage the identities of non-employees, such as contractors, suppliers, consultants, partners and external collaborators, who often access corporate resources.

‘So far, SailPoint’s NERM functions have enabled us to automate the JML cycle of consultants, allowing them to be managed directly by internal contacts, without going through any IT department, tickets or approvals, while securing and streamlining the collection of personal data needed for the most critical applications and making the employee himself autonomous in this step,’ says Luca Barezzani, ICT Security Senior Specialist at Illimity.

Illimity is also exploring SailPoint’s AI modules to redefine least privilege profiles on some of its most critical applications, making role mining work faster and smoother.

The bank aims to gradually move from a traditional Role-Based Access Control (RBAC) approach to a more sophisticated Attribute-Based Access Control (ABAC) model, thanks to AI's ability to handle greater complexities, such as dynamic attributes and variable contexts, while maintaining the simplicity and effectiveness of the role-based model.

‘This shift will allow us to pursue an even more dynamic and context-aware security environment, where the use of multiple attributes for authorization will provide a more granular approach to access control,’ concludes Barezzani.


  1. Source: Human Capital Benchmarking Report, 2022, SHRM
  2. Source: Compdata Survey & Consulting, 2024
  3. Source: LinkedIn, 2024