Salvation Army safeguards trust through identity security

An organization built on trust

The Salvation Army is a charitable organization recognized around the world for its positive impact on people and communities. In Australia, it employs around 10,000 personnel across 3,000 sites nationwide, delivering the whole gamut of social services every minute of every day. It also manages more than 25,000 volunteers.

As the General Manager of Cyber Risk and Compliance, industry veteran Lachlan McGill is well aware of the importance of his six-strong cybersecurity team to the organization’s mission.

“The trust of the community is everything to the Salvation Army, and cybersecurity is vital to that trust,” he says. “Especially since the outset of the pandemic, we have to be able to empower our people to access applications and data from anywhere, on any device. This means we can no longer rely on security controls at the perimeter or in office locations. Security today is all about securing the identity.”

Rising risk amid complexity

Major security incidents in Australia in the recent past underscore this shift. Poor password hygiene, a lack of multi-factor authentication (MFA) and stale user accounts have all been implicated in major incidents, emphasizing the critical role of identity security.

“The impact of identity compromise on an organization like the Salvation Army cannot be understated. We rely on our trusted reputation to attract donations and government funding to keep our community programs running. It was clear to us that our current system – without strong passwords and MFA controls and effective offboarding processes – was leaving us susceptible to criminal elements” McGill explains.

At the same time, there were major challenges to identity management at the Salvation Army. The organization runs a lot of legacy applications and disparate systems with their own user account databases and no MFA. It was difficult to monitor access from a holistic perspective. Data quality was also an issue. The team struggled to ensure data consistency when different systems, such as the human resources identity system, the service management tool and Active Directory, all had different details for the same identity.

The team was running multiple custom-built scripts to manage these synchronization issues. This caused administrative headaches and impacted the ability of the business to provision access for new starters in a timely way and to determine what privileged access departing staff members had been granted.

An organization built on trust

McGill was looking for an identity and access management (IAM) solution with the three key attributes:

• It had to be easy to manage, with a number of out-of-the-box integrations and connectors. McGill’s team needed to integrate systems at the core of the identity workflow, like Workday HCM, ServiceNow, Active Directory and Microsoft Entra ID. It also needed connectors for other applications, like Kronos and CyberArk, as well as the ability to build custom connectors for a number of less well-known and home-grown applications. 
• It had to offer a very capable software-as-a-service (SaaS) platform. Salvation Army has moved all its core workloads to the cloud in recent years as part of a far-reaching digital transformation initiative. “We don’t put anything on-prem unless there is a very compelling reason to do so,” McGill shares. 
• Finally, there had to be support for the product in the marketplace. McGill did not want to have to develop a lot of new skills in-house, so there had to be readily available support of a high standard for the business to draw on to develop and manage the product in the longer term.  

SailPoint exceeded these criteria.

Says McGill: “The comprehensiveness of the SailPoint integrations was very important to us, as was the ability to easily build custom connectors. SailPoint also has a fully functioning SaaS platform. Most critical though was the strength of the relationship we had with SailPoint locally in Australia. When I first encountered SailPoint two decades ago, it was a disruptor in the market. SailPoint is today’s market leader, with the best support and the most qualified resources in Australia – that was a big motivating factor for us to choose SailPoint as our identity partner.”

Rapid onboarding

With the SailPoint solution, turnaround time for access creation for new starters has gone from several days, or even weeks, to one day. Previously, the hiring manager would have no way of knowing all of the systems and applications that a new staff member would require access to – or all of the different teams to contact to put this access in place.

“Now, we set up birthright access prior to day one, allowing the new colleague to get core access right away with MFA. We also have the systems to ensure that access for all the different custom apps goes to the right teams and can get set up quickly. This frees up the manager for more mission-focused activities – which is a key objective of our digital business transformation program – and takes the pressure off the Service Desk too,” McGill says.

With identity-related tasks automated at the SailPoint backend, the Service Desk is no longer getting tickets to perform identity-related tasks.

Centralized control

The SailPoint platform has also eliminated the organization’s data synchronization problem. Now that identity and access management is controlled by SailPoint, McGill and his team can have complete confidence that their data is synched across different applications. Custom scripting is no longer needed to sync data.

This has eliminated the issue of privileged accounts remaining enabled when staff leave the organization. Because SailPoint has the ability to analyze access across all of the Salvation Army apps, privileged accounts are assigned to one identity and easily disabled when that staff member leaves the organization.

“Having a centralized view of access across our hybrid infrastructure is really a game changer for me as the Head of Cybersecurity,” McGill says. “It’s great to be able to review privileged access so easily too. At the click of a button, I can review access and approve modification or removal, triggering automation and mitigating access issues in minutes instead of waiting days or weeks to get it rectified.”

Verified value

The operational benefits of the SailPoint solution, like onboarding automation, are a great way to demonstrate the value of the investment in identity management to the board. They also help to create support and appreciation for the work of the cybersecurity team among colleagues, which is good for morale.

“It’s great to be able to report to the Board and senior executives about the controls we have around identity. SailPoint is one of those rare security products that both makes things easier for the business and delivers strategic value. When the Board asks what we are doing to protect ourselves from an identity compromise, I can talk about what SailPoint is doing for us, and this gives them a level of confidence. They can see that the money they have spent on this is well spent,” McGill continues.

He also appreciates that SailPoint provides support for compliance. It is critical that an organization like the Salvation Army, which receives government funding, can prove that it has strong access controls in place to demonstrate the security of its processes and procedures.

Future focus

Looking to the future of the Salvation Army’s IAM program, McGill has three goals. He will outsource management of the SailPoint solution to a third-party service provider, which has been the plan from the start. He will implement role-based service access, developing personas as part of business as usual (BAU). And he will develop architectural security principles that make it mandatory for new applications and initiatives to integrate with SailPoint.

“By embedding the requirement to use SailPoint and identity services into the architectural governance process, we will protect the investment we have in made in SailPoint and maintain our stronger security posture to safeguard our trusted reputation,” he concludes.