RWE moves to SaaS-based, AI-driven identity security in less than 6 months
RWE is a leading international energy company. Headquartered in Germany, where it was founded 125 years ago, it is on a mission to lead the global energy transformation. Renewable energy is a core part of its business, alongside electricity and gas storage and innovative energy solutions for industry. It also trades energy-related commodities in key markets worldwide.
Challenge
With a complex, heterogenous business environment, spanning multiple entities and branches, RWE needed to consolidate and automate its identity security program to enhance efficiency and the employee experience in line with its cloud-first strategy.
Solution
After a decade of success with SailPoint, RWE migrated to the SailPoint SaaS solution for enterprise-wide identity governance at scale. The number of users increased tenfold and standardised processes replaced manual onboarding. Using automation, AI and a sophisticated internal communication campaign, RWE reduced onboarding time from up to 25 days to less than three hours.
Industry
Energy & Utilities
Company size
25,000 employees
While IdentityIQ is able to scale, it was quicker and cheaper for us to use a SaaS solution. We are now servicing ten times as many people as before, and building new processes and use cases, with production, staging and development environments
Sue Walker, CyberSecurity Manager, RWE
10x
increase in users, from 2,500 to about 30,0003 hours
onboarding lead time, down from 25 days<6 months
to migrate to cloudWith a ‘Growing Green’ investment and growth strategy, international energy company RWE has greatly expanded its market position and global reach in recent decades. Today, the group has annual revenue of $40.3 billion, a workforce of more than 19,000 employees and multiple subsidiaries, branches, offices, power stations, wind and solar farms, and other facilities in more than 80 locations worldwide.
Under the leadership of Cyber Security Manager Sue Walker, RWE has built a mature identity program that allowed them to migrate smoothly from on-prem SailPoint IdentityIQ to cloud-based SailPoint IdentityNow and AI Driven Identity Security at scale.
Getting started with identity and access governance
RWE deployed IdentityIQ as an on-premises solution more than a decade ago to ensure regulatory compliance in its Supply & Trading business. It leveraged the SailPoint technology to automate provisioning and access requests and certification, with stellar results.
In line with company’s overall cloud-first strategy, RWE subsequently moved IdentityIQ to a high-performance AWS environment. With meticulous planning over three months, the system was successfully switched to being cloud hosted over one weekend, with significant benefits from day one.
By getting IdentityIQ data to AWS, RWE successfully completed the first step of their migration to Cloud.
At this point, the rest of the RWE group was still manually creating user profiles and entering them into bespoke systems, but this was about to change.
Scaling up with SaaS
“Five years ago, we decided that we needed to build on our success with IdentityIQ and centralize identity management across the whole organization. This would mean scaling from about 2,500 users up to about 25,000 to 30,000 users,” Walker explains.
The complexity of the organization was a key challenge. Following a series of acquisitions in the early 2000s, RWE comprised close to 90 organizations. Following consolidation and divestiture, there are around 30 operating companies within RWE today, and each can have multiple departments and geographical locations.
Drawing on the team’s AWS cloud migration experience and its decade of success with SailPoint IdentityIQ, the next step for Walker was to move to a fully SaaS solution for company-wide identity governance. It would work alongside IdentityIQ, which would draw data from IdentityNow and be retained as a tailored solution for the Supply & Trading business.
“While IdentityIQ is able to scale, it was quicker and cheaper for us to use a SaaS solution. We are now servicing ten times as many people as before, and building new processes and use cases, with production, staging and development environments,” she explains.
Moving to SailPoint IdentityNow enabled RWE to avoid scaling up its infrastructure, such as task servers, and focus on the vital work of standardizing processes and educating users. Around-the-clock support from SailPoint was also a key benefit. Walker says it is operationally much easier to manage a SaaS solution because she can rely on SailPoint to handle all of the end-of-landing infrastructure.
Overall, the migration to the SailPoint SaaS solution took less than six months. This included auditing, redeveloping and, in some cases, replacing onboarding and offboarding processes for joiners, movers and leavers (JMLs). Today, all of the RWE operating companies work on the same domain with the same processes, with a total of around 1800 access profiles. Automation was a huge part of the project.
“The migration made a huge difference from a cost and support perspective. Managing identities in the Cloud changed the way we consumed data and brought down costs. We also did not have to manage the underlying architecture, freeing us to focus our operational efforts elsewhere. And users saw no difference at all,” Walker says.
Saving time with automation
“When we started, the manual onboarding lead time was around 15 to 25 days. With SailPoint, we initially reduced that to two days. Now, it’s down to within three hours,” Walker recalls.
RWE now schedules identity processing to run twice a day. Instead of line managers being responsible for entering the data to trigger onboarding, birthright access is automated. This not only ensures consistent data quality and reduces human error, but also has operational benefits. The IT team is no longer chasing down tickets and users can hit the ground running from day one. To ensure a good onboarding experience for new hires, it is important that there is enough time for the Human Resources (HR) team to requisition hardware, schedule training and make other orientation arrangements.
With SailPoint IdentityNow RWE’s new hires now have access from Day 1, and it’s a fully automated process.
Walker says, “That's always the aim: with everything we're doing, we want reduce operational effort when it's not needed.”
Gaining visibility with AI
Improving the synchronization between HR and IT systems further enables RWE to apply SailPoint’s artificial intelligence (AI)-driven identity security solutions to its IdentityIQ and IdentityNow deployments. It has made good use of Access Insights while also using Access Modeling and getting started with Access Recommendations.
- Access Insights and Data Explore were adopted to look at data quality, but have brought a lot of operational benefits too. Walker’s team uses dashboards to explore different JML metrics and provide data visualizations for decision makers in different departments. For example, the software licensing team can better regulate costs when they can forecast employee changes and how a big project may impact licensing. SailPoint also helped RWE create dashboards on Data Explore to allow the IT and operational teams to check whether window functional groups entitlements have been brought over to the SailPoint solution from a legacy system. It provides an overview of which entitlement is behind which access profile and which applications they link to, allowing users to raise a self-service request if required.
- Access Modeling helps the team review, evaluate and refine roles. It tracks local administrators and privileged accounts so that corrective action can be taken if abnormal entitlements or dormant or orphaned accounts are identified.
- Access Recommendations is being implemented to empower users and certifier. It is at an early stage and will take time to set benchmarks and get it up to speed on product sets.
“Overall, it has been beneficial to add AI to our program because it gives us more visibility into what's going on in our systems and within our environments, bringing us insights into how we can continue to improve,” Walker explains.
Communication & training go a long way toward broad-based success
Walker is adamant about the importance of moving into the business-as-usual (BAU) phase of an IT project at the right time and with the right objectives in place.
“You’ve got a good project plan. You’ve got the right people. You’ve got your use cases and deliverables. Now, you’ve got to take them into BAU and achieve continuous improvement. We are just as busy in BAU as we are in project mode, but with different objectives.”
Moving into BAU, Walker’s team carefully considered the mindset of its users – colleagues who use its SailPoint identity management systems every day – and the challenges they would face as they adopted the new standardized processes with SailPoint SaaS solution.
As a result, it has developed sophisticated marketing plans, incorporating awareness-building campaigns and training in multiple languages. The team sends out a steady stream of highly relevant targeted communications via RWE’s internal messaging app and has recently done a very well-received IdentityNow ad campaign that is being shown on video screens around company offices.
The Cyber Security team has also set up a central platform as a repository of information, including support videos, that users can check or be referred to. Stakeholders can also book meetings with IT team members on this platform, getting fast access to the expert that can best help them.
Walker attributes the Identity and access management team’s Karsten Weber, Khaled Mosharraf, Iyad Habra and Andre Bornhoff success to its close relationships with colleagues from HR, Compliance, Audit and more. She gets them involved at every step of the IT project lifecycle – from building use cases to crafting marketing messages – and asks for help and support before work begins to anticipate and avoid missteps. She also always conducts pilots with people who know their business and are willing to give honest feedback.
“Identity and access management is not IT. It’s a living process that will happen whether you like it or not. You need to build relationships with the right teams and make sure you have data flowing into your system from an authoritative source,” Walker concludes.
“We are always looking to make improvements in our identity space. We’re grateful to partner with SailPoint and to continue to be an early adopter of new features and technologies.