Customer Solution Case Study
Financial Services Company Streamlines Employee Information Provisioning
Overview
Country or Region: United States
Industry: Financial Services
Customer Profile
AXA Financial, based in New York City, New York, provides insurance and other financial products and services. It had U.S.$550 billion in assets under management during 2004.
Business Situation
A lack of integration of user data stores, no single sign-on access to the enterprise, and a homegrown security code left AXA Financial without the availability, resiliency, or performance it required.
Solution
A Microsoft®-based employee identity integration management solution allows user access and comprehensive integration among the Lightweight Directory Access Protocol (LDAP), e-mail, and human resources databases.
Benefits
• Automates the generation and removal of e-mail accounts
• Streamlines the provisioning and deprovisioning of external consultants
• Manages new identities
“MIIS 2003 provided the flexibility we needed to integrate our identity information promptly and simply in our language of choice—it also enabled us to pull all our information together and gives us a comprehensive view of our entire professional population.”
Margaret Rainstein, Director of Security and Directory Services for AXA Financial
With the help of an identity-management solution based on Microsoft® Identity Integration Server (MIIS) 2003, AXA Financial, one of the world’s leading providers of insurance and other financial products and services, is automating the management of its identity life-cycle processes, synchronizing identities across enterprise stores, lowering administrative costs, and simplifying the sharing of strategic information with business partners. Overall, the MIIS identity-management solution is helping AXA Financial centralize and consolidate business rules and establish a foundation for further streamlining of its employee identity information practices.
Situation
AXA Financial, originally the Equitable Life Insurance Company and, since 1998, a member of the worldwide AXA Group, is one of the world’s premier financial-protection and wealth-management organizations. The company specializes in life insurance, annuities, mutual funds, and funds management, and in late 2004, had more than U.S.$550 billion in assets under management. AXA Financial encompasses some 122 AXA Advisors Offices with roughly 6,000 internal staff members and 6,000 financial professionals.
Working with Microsoft Services in late 2002, AXA Financial deployed an identity-management solution based on Microsoft® Metadirectory Services (MMS) 2.2, part of Microsoft Windows Server System™ integrated server software. The solution synchronized employee identity information stored in diverse databases throughout the organization, including Sun iPlanet Lightweight Directory Access Protocol (LDAP), Domino iSeries (for Lotus Notes e-mail), and PeopleSoft, and integrated the information into an Active Directory® service.
The MMS solution accomplished three major goals for AXA Financial. It replaced multiple partial identity-management solutions that had been implemented previously. Also, the solution established an integrated metadirectory of Sun iPlanet and Active Directory as the company’s core identity information database. Finally, the MMS solution provided AXA Financial with a reliable and cost-effective way to automate the provisioning of employees and consultants and simplify the exchange of information with hundreds of business partners. This functionality helped AXA Financial reduce costs by decreasing the administrative time required to manage employee identity information. MMS also helped to reduce risk by providing employees, consultants, and business partners with appropriate access to accurate, timely information based on centralized authorization rules and by enforcing a strict account-security policy.
As with many such solutions, however, the company’s newfound visibility into identity management showed IT executives at AXA Financial just how far they still had to go. The generation and processing of employee identity data in various data stores was automated, but it was not synchronized across those data stores. Administrators were able to update records more efficiently, but it was difficult to ensure that updates to a user account in one data store were reflected accurately in that same user account in another data store.
“As the granular management of identity provisioning needs became more evident and amendments in compliance and regulatory requirements necessitated addressing various provisioning rules,” says Margaret Rainstein, Director of Security and Directory Services for AXA Financial, “we reevaluated the entire set of directories associated with management of life cycle and entitlements of electronic credentials. As the result of this evaluation, we realized that to enhance operational efficiency and reduce security risks, we would have to significantly improve our metadirectory functionality.”
This reevaluation became especially important with external changes in the business. In mid-2004, AXA Financial acquired the MONY family of insurance and financial services companies, which added 1,400 home office employees and 800 financial professionals—and an entirely new level of provisioning complexity. A Sarbanes-Oxley IT audit conducted in conjunction with the acquisition concluded that the organization needed a more efficient and comprehensive way of managing identity information. In addition, Microsoft announced the impending retirement of MMS. By early 2004, Marvin Rafe, Group Director and Head of Enterprise Architecture and Standards for AXA Financial, decided to move forward with upgrading the company’s identity-management system. The objective of implementing a new solution was to consolidate provisioning business rules on the same platform, which would ultimately improve operational efficiency.
Solution
The Architecture Security and Directory Services team at AXA Financial evaluated two identity-management solutions before making a decision: the SUN Waveset Lighthouse Provisioning Manager and Microsoft Identity Integration Server (MIIS) 2003. Part of Microsoft Windows Server System integrated server software, Microsoft MIIS is the newly announced Microsoft identity-management solution.
After weighing the advantages of each, the team selected MIIS for three reasons. First, it offered more advanced integration with Active Directory, which the company wanted to maintain as its core metadirectory. Second, the team considered MIIS a more reliable, scalable, and robust product. Third, the Microsoft commitment in the directory space convinced AXA Financial that the MIIS solution would provide the greatest functionality and best value.
Beginning in late 2004, the Microsoft Services MIIS solution team installed MIIS in the lab at AXA Financial, where it ran for six weeks without problem. Then, early in 2005, the team completed a production-level deployment of a fully MIIS-based identity-management solution for the company.
Microsoft Identity Integration Server 2003 Enterprise Edition provides AXA Financial with a centralized service for storage and integration of identity information. The solution lets AXA Financial manage user information across both Active Directory and LDAP, and it automates the synchronization of user identity information with PeopleSoft, the HR department’s management system, and with Siebel, which is a big part of the company’s customer relationship management (CRM) system.
The solution works by drawing employee provisioning information from the PeopleSoft database, called the HR “system of record,” and depositing it into the MIIS metadirectory. As the information is drawn, MIIS attaches business rules that determine whether the information is copied into LDAP, the e-mail database, or Active Directory, and also sends the information to databases owned by third-party business partners. These information transfer processes are conducted daily.
As the employee information is delivered to the various databases, it is transformed depending on the employee’s status on that day. For example, LDAP maintains permissions into Web-based applications depending on an employee’s role, permission levels into certain company data, and so on. Conversely, the identity of an employee who has been terminated is deactivated in LDAP, the e-mail database, and Active Directory, as well as in the third-party databases so that business partners can apply their own termination-related processes to the identity. After 60 days, the record associated with that identity is permanently removed.
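The daily run described above, sketched as an added example; it is not AXA Financial's or Microsoft's code and does not use the MIIS rules-extension API. The role-to-store mapping, the short store keys, the sample records, the day-60 boundary, and the choice to flag rather than delete accounts that have no entry in the HR system of record are all assumptions.

```python
from datetime import date

RETENTION_DAYS = 60  # page: record is permanently removed after 60 days
STORES = ("ldap", "email", "ad", "partner")  # short keys are assumptions
# Hypothetical business rule: which stores a role is provisioned into.
ROLE_STORES = {"staff": {"ldap", "email", "ad"},
               "advisor": {"ldap", "email", "partner"}}

def plan_sync(hr_records, accounts, today):
    """Plan one daily run; returns a sorted list of (action, store, user_id)."""
    plan = []
    known = set()
    for rec in hr_records:
        uid, left = rec["id"], rec.get("terminated_on")
        known.add(uid)
        for store in STORES:
            acct = accounts[store].get(uid)
            if left is None:
                if acct is None and store in ROLE_STORES[rec["role"]]:
                    plan.append(("provision", store, uid))
            elif acct is not None:
                # Boundary assumption: day 60 itself counts as "after 60 days".
                if (today - left).days >= RETENTION_DAYS:
                    plan.append(("remove", store, uid))
                elif acct["enabled"]:
                    plan.append(("deactivate", store, uid))
    # Accounts with no system-of-record entry are reported, never auto-deleted.
    for store in STORES:
        for uid in accounts[store]:
            if uid not in known:
                plan.append(("review_orphan", store, uid))
    return sorted(plan)

# Constructed sample data, not AXA Financial's.
TODAY = date(2005, 3, 1)
HR = [{"id": "u1", "role": "staff", "terminated_on": None},
      {"id": "u2", "role": "advisor", "terminated_on": date(2005, 2, 20)},
      {"id": "u3", "role": "staff", "terminated_on": date(2004, 12, 1)}]
ACCOUNTS = {"ldap": {"u2": {"enabled": True}, "u3": {"enabled": False},
                     "u9": {"enabled": True}},
            "email": {"u1": {"enabled": True}, "u2": {"enabled": True}},
            "ad": {"u1": {"enabled": True}, "u2": {"enabled": False},
                   "u3": {"enabled": False}},
            "partner": {}}

if __name__ == "__main__":
    for step in plan_sync(HR, ACCOUNTS, TODAY):
        print(*step)
```

An account that is still enabled for a terminated identity, or that has no matching HR record at all, is the drift between data stores that a run like this is meant to surface.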
Benefits
Just a few weeks into production, the MIIS identity-management solution demonstrated its ability to yield solid benefits for AXA Financial. “MIIS 2003 provided the flexibility we needed to integrate our identity information promptly and simply in our language of choice—it also enabled us to pull all our information together and gives us a comprehensive view of our entire professional population,” says Rainstein. She continues by saying, “In addition, better quality identity information enables us to deliver exceptional levels of service to our IT partners.”
Automating the Generation and Removal of E-Mail Accounts
With MIIS, the solution team is developing a bridge between the HR system and Domino servers that will enable the company to automate the generation and removal of user e-mail accounts on the Domino iSeries database that supports its e-mail system. With improved processes for managing the life cycle of e-mail accounts, AXA Financial expects to improve security and anticipates significant savings in administrative time each year.
Streamlining the Provisioning and Deprovisioning of External Consultants
Because AXA Financial enlists the services of 80,000 wholesale insurance agents and brokers, as well as other temporary employees who are not included in the company’s PeopleSoft database, manual provisioning was required. Historically, it took administrators three days to provision a new person; in contrast, with the new MIIS solution, the company is projecting just one day for completion of this task. This means that a person can be hired one day and the next day can log into the network and access all necessary applications.
At the other end, making the deprovisioning of departing temporary employees more automatic will enable AXA Financial to dramatically reduce the administrative expense of what has been, in the past, a largely manual process. By automating the deprovisioning of external consultants, AXA Financial also will address one of the requirements of the Sarbanes-Oxley study.
Managing Identities from the MONY Acquisition
MIIS dramatically simplified the task of managing the approximately 3,000 new identities that were added to the PeopleSoft database upon acquisition of the MONY family of companies. “Because our MIIS solution makes the application of business rules easier to understand and easier to centralize, it has enabled us to consolidate 16 processes relating to the application and maintenance of business rules into just six,” says Sean Montgomery, Project Lead for AXA Financial. “The result is a considerable reduction in annual administrative and programming expenses.”
Moving forward, AXA Financial plans to use the MIIS identity-management solution to consolidate business rules into a single MIIS metadirectory, extend the functionality of Active Directory, and implement comprehensive password-management capabilities. The company will do this by expanding MIIS capabilities as a front end to the metadirectory.
Through these moves the Security and Directory Services team intends to implement real-time provisioning, provisioning into a Siebel CRM database, automatic card-key generation, additional controls over access to wireless functionality, and more comprehensive storage and updating of desktop-based rights parameters. The team also plans for greater automation and streamlining of asset management, badge activation/deactivation, assignment of telephone systems, remote installation of PCs, virtual private network (VPN) and password management, and password synchronization. Still other development work will result in the automation of the request-and-order process for new hardware so that when an employee is hired, a fully customized PC can be up and running within hours.
Microsoft Windows Server System
Microsoft Windows Server System integrated server infrastructure software is designed to support end-to-end solutions built on the Microsoft Windows Server™ operating system. Windows Server System creates an infrastructure based on integrated innovation, Microsoft's holistic approach to building products and solutions that are intrinsically designed to work together and interact seamlessly with other data and applications across your IT environment. This helps you reduce the costs of ongoing operations, deliver a more secure and reliable IT infrastructure, and drive valuable new capabilities for the future growth of your business.
For more information about Windows Server System, go to:
www.microsoft.com/windowsserversystem