A focus on sustainability, automating identity security at scale
Founded in 1905 and originally called Ingersoll Rand, Trane Technologies produces products and services for residential, commercial, and industrial applications that create sustainable and efficient environments. From air conditioning systems to heat pumps, transportation refrigeration, building management systems, and more, Trane continues to innovate in climate control and energy management.
Challenge
With tens of thousands of users that include employees, partners, and customers, Trane needed a resilient identity governance and administration (IGA) solution that could enable all its users to work securely with the proper access at the right time. It also needed an IGA solution that would allow it to move as quickly as possible in deploying new features and scaling up as needed without breaking as demand increased over time.
Solution
Trane deployed SailPoint IdentityNow and SailPoint SaaS Workflows to provide an agile cloud-based identity governance and administration solution that could scale to meet the needs of 100,000 or more users securely. The solution has dramatically reduced manual support tickets from 100,000 per year to 60,000 and now enables cloud-based provisioning and automatic workflows.
Industry
Manufacturing
Company size
48,000 employees
Partner
Focal Point Data Risk (now CDW)
As a cloud-based identity management platform, SailPoint IdentityNow reduces our on-prem footprint while supporting our business in a sustainable way. When I think about IdentityNow, it’s all about efficiency.
Prince Jones, Senior Identity Leader, Trane Technologies
70K identities managed
12k workflows automatically managed
40% reduction in manually provisioned support tickets
With a history that goes back to the last century, Trane Technologies knows something about manufacturing. Formerly Ingersoll Rand, Trane now focuses on heating, ventilation, air conditioning, and refrigeration systems. Revenues topped $15 billion in 2022, and the company has worldwide operations, with headquarters in Ireland, Belgium, Shanghai, and North Carolina.
Trane’s products serve residential, commercial, and industrial applications, with offerings that include air conditioning systems, heat pumps, chillers, controls and building management systems, transport refrigeration units, and services. The company has made a strong commitment to sustainability, both for itself and in helping customers find ways to reduce energy consumption and greenhouse gas emissions.
One of Trane’s internal initiatives to support sustainability was a corporate decision to move to a cloud-based IT infrastructure. The company recognized that it needed to be more agile and to do that it needed the ability to deliver secure access solutions to a broad spectrum of customers, employees, and other partners. The company’s partners need access to critical corporate tools and resources to serve customers, manage equipment, and order new products and services.
Given the rate of change in today’s business environment, Trane also knew that it needed a solution that would enable employee, partner, and customer access to the right resources on day one, as well as throughout their longer-term interactions with Trane, without requiring extensive and continual manual support for access granting, modification, and revocation.
“We needed an identity governance and administration (IGA) solution that would enable us to move as quickly with new technology as our customers could consume and one that would provide the infrastructure to scale without breaking a sweat as the demand increased over time,” said Prince Jones, Senior Identity Leader, Trane Technologies.
A growing identity and access management challenge
Trane had been managing all its access management and identity requirements manually for years. It had a sizeable 18-person support team that responded to identity management and access control support tickets. While the solution worked, it wasn’t sustainable, scalable, or cost-effective. As Trane continued to grow and take on new users and add functionality, the existing solution would be overly expensive and too slow to keep pace with Trane’s business objectives.
As a result, Trane needed an IGA solution that could scale, deploy new features, and support new integrations easily and quickly. It needed a way to provide users with the proper access from their initial sign-on, based on the principles of least privilege and need to know.
It also wanted an IGA solution that could help it make those access decisions quickly and accurately and provide robust monitoring and reporting capabilities to keep track of the solution’s effectiveness.
“Given our strong ambition to continue being the leader in delivering sustainable climate solutions to the world, we knew our back-end processes had to move at the speed of our business for us to remain competitive, innovative, and a leader,” said Jones.
Soup-to-nuts automation with IdentityNow
After a thorough analysis, Trane decided its best approach for IGA would be a cloud-first strategy based on its requirements. It worked to identify a partner that could deliver a world-class cloud-based IGA experience that was on par with existing on-premises solutions. But it also knew it wanted a partner that shared its values of putting the customer first and creating trust while keeping an innovation mindset.
After evaluating options and even listening in on earnings calls to understand future product roadmaps and features, Trane knew it liked SailPoint’s approach.
“Early on, we saw that SailPoint’s differentiator was delivering a cloud-based IGA solution built around the fundamentals of best of breed and making them work well together seamlessly,” said Jones. “We knew we had chosen a partner aligned with many of the outcomes we wanted to drive solutions to.”
Trane implemented SailPoint IdentityNow as well as SailPoint SaaS Workflows. It brought in a partner, Focal Point Data Risk (now part of CDW), to help it get the solution configured and deployed. However, Trane has since taken future expansions of the deployment in-house.
Trane started with complete Microsoft Active Directory management automation, from account creation to updates and ongoing maintenance. Now, SailPoint manages most of Trane’s Active Directory objects, such as users, service accounts, and more, using ServiceNow as the approval engine and front door.
“We are completely hands-off Active Directory,” said Jones. “It’s a great feeling. We don’t do anything with all those accounts. They’re either driven by PeopleSoft or ServiceNow. It’s all been automated with SailPoint IdentityNow.”
Prior to being able to provision from the cloud, Trane manually managed over 100,000 support tickets every year via its 18-person support team. IdentityNow is automatically processing over 40,000 of those previously manually managed support tickets. “SailPoint has allowed us to use our skilled resources in much more impactful ways,” said Jones.
The company is working on expanding its IdentityNow deployment, with a large number of applications already enabled in production and continuing their onboarding journey over the next year.
Like many organizations, Trane has services deployed to all major cloud providers based on specific application requirements. Regardless, its SailPoint implementation plays a role in governing each of them.
The company also relied on SailPoint’s extensive integration capabilities. It rapidly deployed integrations with infrastructure components like Active Directory and Azure by taking advantage of SailPoint’s out-of-the-box connectors. It has also relied extensively on the product’s JDBC integration for extending capabilities to other systems. Jones and his team provided governance features for the remaining applications that don’t have modern integration capabilities by allowing the applications to send a file in any format and training IdentityNow processes to read and load them in.
“As a cloud-based identity management platform, SailPoint IdentityNow reduces our on-prem footprint while supporting our business in a sustainable way. When I think about IdentityNow, it’s all about efficiency,” said Jones.
Saving resources, ensuring compliance, and producing delight
The impact of SailPoint IdentityNow on Trane has been impressive. So far, over 42,000 accounts have been created automatically by SailPoint, with an average of over 400 new Active Directory accounts per week. The system is so automated that now the average time it takes to automatically fulfil an access or account creation request after approvals is 30 seconds.
“It would be difficult to hire or offboard any users without SailPoint IdentityNow, or even grant or remove access from key systems,” said Jones. “Since we have tightly coupled IdentityNow with ServiceNow, they both work together to provide essential services to our organization.”
Jones and his team have also taken a proactive approach to metrics and reporting. They apply a KPI-driven approach to IAM using the ISO 27001 Identity Wheel, which means they measure their success and effectiveness in various areas, including data quality, hygiene, and business-specific KPIs for identity management. Splunk generates the KPIs several times per day, allowing them to stay on top of any potential issues.
A significant benefit of the implementation has been its impact on compliance. “Supporting our compliance duties has been much simpler since we were able to disable access in near real-time when offboarding a user and get reporting on whether the action was successful,” said Jones. “Now we know that our key controls are being applied consistently, and if there’s an issue, we know we’d be able to triage and correct it quickly.”
“We’re really focused on producing customer delight, and SailPoint helps us achieve that,” said Jones. “It means our customers are working efficiently and we’re not a bottleneck for innovation and progress.”
A future filled with opportunity
Another area where Trane is finding significant benefits is by using SailPoint SaaS Workflows. So far, the company has created ten automated workflows, with more in development. Sample workflows include automating the conversion of a contractor to an employee or removing guest access from the system if the sponsor leaves the company. So far, the workflows have been triggered and completed a process over 12,000 times.
“Workflows are a game changer for us because it allows us to deploy extensible identity orchestration using smart logic in a supported manner, and since much of the functionality is out-of-the-box ready, we’re able to innovate faster with fewer scripts,” says Jones.
In addition to deploying more automated workflows, Trane plans on deploying SailPoint’s Separation of Duties (SOD) and Certification capabilities in the future.
And now that it has many applications onboarded, it wants to undertake some role mining to determine the spread of access. With AI-driven identity security, the company hopes to further automate identity management and access control requests and even predict them in advance.
“We want to put a program together based on AI and analytics that might be able to automatically put people in roles, so they don’t even have to request it. It will just be there for them,” says Jones.