Legal & General streamlines resources by 72%

As one of the UK’s leading financial services groups and a major global investor, Legal & General knows a thing or two about the importance of efficiency and cost savings. Founded in 1836 by six lawyers in a London coffee shop, today the group supports over 10 million people with savings, retirement, and life insurance. It’s also one of the world’s largest asset managers and provides powerful asset origination capabilities.

As a financial services organisation, trusted with the financial futures of millions of people and businesses worldwide, Legal & General faces extra strict safety and security responsibilities. Improper access to the business creates widespread vulnerabilities and compliance risks in terms of toxic combinations. Access needs to be quickly provided to the right people at the right time and swiftly removed when not required. Plus, being able to understand how data and processes flow between infrastructure and applications is fundamental to understanding how identities impact business operations, as well as highlighting where the risk to service resides.

Persistent identity challenges

In the past, Legal & General faced several key Identity and Access Management (IAM) challenges. “Our identity journey was sparked by a need to mature our security”, said Mark Ward, Head of Identity & Access Management at Legal & General. “Access was federated and we weren’t certifying critical business systems. Meanwhile, the company had changed managed service providers while also trying to accelerate its application movement to the cloud.”

Previously, the company’s provision and deprovision, and management of joiners, movers, extensions, and leavers (JMeL), relied on a lengthy and complicated manual request and fulfilment process. Multiple accounts, across multiple systems, were not mapped to any single identity and shared, or service accounts were difficult to track and understand.

Access was related to individuals and prone to access retention or unnecessary remaining entitlements. Giving each new joiner access took between 10 and 100 tickets, with each ticket adding an associated third-party cost. The process also often took a number of weeks, which meant a new joiner couldn’t actually start work on their start date, and any mistakes would cause a longer delay in granting correct access.

As a result, the long and manual access process was exhausting company resources and impacting new employees’ ability to provide customers with any service at all, much less a positive one. Similarly, the time it took to remove access for leavers from the business risked security and confidentiality. According to John Heal, IAM & PAM Platform Lead at Legal & General, “When I first joined, the company would’ve sat well below one on the Gartner Identity and Access Management Program Maturity Model. We were at the place where we almost didn't even know what we didn't know.”

Yet with some practical, impactful changes, the company has the clear potential to unlock incredible new levels of efficiency and cost savings. As a result, Mark, John, and Legal & General began researching IAM support.

Turning identity into business enablement

Legal & General soon discovered SailPoint when it was recommended in Gartner’s Magic Quadrant reviews as an IAM leader with fast implementation capabilities. The team was searching for a cloud-based solution that could reduce reliance on internal resources and provide out-of-the-box infrastructure and apps. So, SailPoint’s identity security solution instantly stood out.

Legal & General promptly invested in the solution and began its process of recertification. The team decided not to try to solve everything at once but carried out a phased delivery, beginning with its most critical applications. 23 applications were selected that needed to have certification campaigns and control, and the team started divisionally looking at auto provisioning and auto de-provisioning. It wasn’t long before the auditors and the business were happy. But the IAM team didn’t want their journey to end there – they realised there was also an opportunity to transform new joiner provisioning and leaver processing, and maximise business resources.

“Knowing what our businesses wanted, and when they wanted it, was really difficult to understand. So, we started to actually partner with our business, and instead of just being a technology team, we started to be a business enabler. Our expertise meant the organisation wanted the IAM team’s services to become more centralised. So, with the help of SailPoint’s identity security solution, we began to provide our businesses with even more technical support.”

The impact of SailPoint

Thanks to the cloud capabilities of Sailpoint’s identity security solution, Legal & General’s IAM team has been able to scale the program to provision for the whole of the organisation internationally. It leverages SailPoint support for certification of up to 500 campaigns a year, and around 400 role-based access controls across multiple connected systems.

All Legal & General staff and suppliers are now subject to a monitored and controlled JMeL process, with automation at each stage of JMeL transactions, post ServiceNow requests, and approvals all via the identity security solution. The average provision time has reduced from five days to minutes, with deprovision now happening upon leave dates. Plus, emergency, high-security-risk leaver requests are now automatically processed almost instantly, down from around seven hours. Thanks to SailPoint’s automation, Legal & General enjoys greater efficiencies than ever, and saves on countless costs as a result – which enables the company to use these resources to excel in other areas.

“Every Legal & General department gains from the identity solution’s implementation because every department has new joiners and access requests,” said John. “There's a great benefit with regards to finance and audit, because we've been able to provide the audit information that is required in our financially regulated industries.

A rejuvenated identity team

Over the last 12 months, more than 3,800 joiners, over 3,500 leavers, and over 100 emergency leavers have all been automatically provisioned, each within minutes. Over 14,000 group/folder requests have also been processed by the platform, saving huge amounts in overheads and enabling workers to pivot to other business-critical projects.

Automation now gives Legal & General’s new joiners instant access to important tools and services, helping more employees to start supporting external clients, and provide great customer experiences – from day one. Automation has also taken the risk of human error out of controls, and reduced operational costs for the business. According to Mark, “We’ve reduced our team of more than twenty access workers to seven – not only are we providing Legal & General with an essential service for a lot less money, but people in our business can also get started on day one.” John added, “Almost all of our implementations with SailPoint have been cost-neutral or cost-saving.”

Meanwhile, the organisation’s auditors and the Board continue to be satisfied. Access provision and deprovision via RBACs has strengthened its controls and reduced the risk to the business. Knowing what identities are, who owns them, what they are for, and mapping multiple accounts to single identities has all provided a robust audit posture. The business is now more agile because security is factored in from the start of any technology project. As Mark says, “It can’t be an IT issue on one hand and a business issue on the other. There has to be a joined-up approach to identity – and getting the Board onside is crucial.”

Today, the IAM team enjoys a fruitful partnership with SailPoint, together driving multiple improvements to security and access processes. “Our relationship with SailPoint is very symbiotic”, John said. “We're all in with SailPoint, and we feel that SailPoint is all in with us as well.”

What’s next for SailPoint and Legal & General

A key future focus for Legal & General’s IAM team is gaining more control of unstructured data and harnessing artificial intelligence (AI) and machine learning (ML) automation capabilities. The team is looking into access insights to be able to maintain RBAC structure and implement new RBACs based on user activity. This will reveal important new data on cross application and infra-activity, user behaviors, and certification recommendations. The team are implementing cloud infrastructure entitlement management (CIEM) to help them better control identities and access privileges in multi-cloud environments. After all, even at Legal & General, there are always more cost savings, greater resource efficiencies and better customer experiences to achieve.

Above all, the IAM team has earned the freedom from the Board to take identity and access in whatever direction it thinks best. As Mark said, “Ever since the identity security solution was implemented, we’ve been more agile and mature. We’ve achieved so much; getting the business buy-in and getting the costs sorted takes a long time, but identity should be at the start and the end of any software delivery lifecycle. It’s a business enablement service we’re providing, and we make it even more secure.”