Comprehensive audit trail of users and their rights within UniCredit Banka Slovenije

UniCredit Banka Slovenije is one of the largest Slovenian banks. It is a member of the UniCredit Group, a leading commercial bank that operates in 17 countries and employs more than 146,000 staff. The Bank’s staff in Slovenia number about 600, and user identity management is supported by the Microsoft Identity Manager solution. As that system does not provide a comprehensive audit trail, we at Agitavit Solutions, in co-operation with the client, upgraded it with a component we developed ourselves, Agitavit FIM/MIM Reporting and Attestation, which simplifies the annual review of accesses and reporting.

“In order to effectively prepare ourselves for audits, we needed support in providing a fast electronic annual review of users’ rights. Earlier, we would conduct annual users’ rights reviews and draw up the reports by hand, which was time-consuming, inaccurate and not up-to-date,” stressed Matjaž Batič Finžgar, Head of the ICT Infrastructure Unit at UniCredit Banka Slovenije.
Another challenge was to provide an overview of a user’s rights status at a specific point in time. The identity management system only offered a view of the rights a user currently held, without any information about when a given access right was granted, by whom and why.

Agitavit FIM/MIM Reporting & Attestation
Agitavit FIM/MIM Reporting and Attestation is a purpose-built solution developed by Agitavit Solutions based on feedback from our clients – especially security engineers and IT experts – about auditors’ most frequent requests, including information on what tool could simplify the process of meeting such requests. It uses Microsoft SQL Server and Reporting Services and currently supports the Microsoft FIM/MIM environment, but can be adjusted and integrated with other identity management solutions.

The solution is designed for auditors, managers and IT administrators, and gives the company a clear overview of users’ current and past statuses and their rights within the system. It verifies changes in the central database and stores the relevant data in a separate data warehouse. Six reports provide all the information that UniCredit Banka Slovenije needs to demonstrate compliance and simplify IT administrators’ work: administrators can effectively identify anomalies and errors in the granted rights and readily implement the verification processes, which are one of the foundations of IT security and are also required by auditors.

Transparent overview of rights and change history
The Agitavit FIM/MIM Reporting and Attestation solution periodically checks the identity and access management system for changes, filters and structures the information and saves it in the data warehouse, which thus serves as a direct reporting source. The reporting functionality requires a server on which SQL Server and SSRS (Reporting Services) are installed, whereas the storing of additional data in the data warehouse can be configured by any IT administrator with appropriate rights.

Ever since Agitavit FIM/MIM Reporting and Attestation was introduced, UniCredit Banka Slovenije has had the ability, with just a few simple clicks, to answer auditors’ most frequent questions:
– User rights: Who granted/revoked/changed them, when and why?
– Which rights did user X (or a group of users) have on day Y of the past year?

The report used to prepare an overview matrix of users and rights by job title, organisational unit or system enables IT administrators to quickly identify anomalies (e.g. a certain user has too many rights) or opportunities for optimising rights (e.g. all users from organisational unit X are automatically granted the right to use the printer in organisational unit X).
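The two auditor questions listed above and the overview matrix described here both rest on the same idea: keep every grant and revoke as an immutable, dated event with actor and reason, and derive the current state, any past state and the users × rights matrix from that trail. The Python below is an added example written for this article, not code from the Agitavit component or from the Bank; the user names are taken from the figure, while the rights, organisational unit, dates, actors and reasons are constructed sample data. The helper `outliers` goes slightly beyond the text by flagging both directions of the example in the paragraph: a right that only one user in a unit holds, and a right that everyone in the unit except one user holds.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RightEvent:
    """One immutable row of the audit trail: a single grant or revoke."""
    day: date
    user: str
    right: str
    action: str   # "grant" or "revoke"
    actor: str    # who made the change
    reason: str   # why it was made


# Constructed sample data. The names come from the figure in the text; the
# rights, dates, actors and reasons are invented for this example.
EVENTS = [
    RightEvent(date(2015, 1, 10), "Petra Peternel", "core-banking-read", "grant", "admin.a", "onboarding"),
    RightEvent(date(2015, 1, 10), "Oto Cefizelj", "core-banking-read", "grant", "admin.a", "onboarding"),
    RightEvent(date(2015, 1, 10), "Ana Novak", "core-banking-read", "grant", "admin.a", "onboarding"),
    RightEvent(date(2015, 3, 2), "Oto Cefizelj", "print", "grant", "admin.b", "printer request"),
    RightEvent(date(2015, 6, 15), "Petra Peternel", "salary-data", "grant", "admin.b", "temporary project"),
    RightEvent(date(2015, 9, 1), "Petra Peternel", "salary-data", "revoke", "admin.a", "project ended"),
]

# Constructed organisational unit; Marko Horvat is a new starter with no rights yet.
ORG_UNIT = {
    "Petra Peternel": "Branch X",
    "Oto Cefizelj": "Branch X",
    "Ana Novak": "Branch X",
    "Marko Horvat": "Branch X",
}


def _as_date(day):
    """Accept a date or an ISO string (report parameters usually arrive as strings)."""
    return date.fromisoformat(day) if isinstance(day, str) else day


def rights_on(user: str, day) -> set:
    """Reconstruct the rights `user` held at the end of `day` by replaying the trail."""
    day = _as_date(day)
    held = set()
    for ev in sorted(EVENTS, key=lambda e: e.day):   # stable sort keeps same-day order
        if ev.user != user or ev.day > day:
            continue
        if ev.action == "grant":
            held.add(ev.right)
        elif ev.action == "revoke":
            held.discard(ev.right)
    return held


def history(user: str, right: str) -> list:
    """Who granted/revoked a right for a user, when and why."""
    return [
        (ev.day.isoformat(), ev.action, ev.actor, ev.reason)
        for ev in sorted(EVENTS, key=lambda e: e.day)
        if ev.user == user and ev.right == right
    ]


def rights_matrix(day) -> dict:
    """Overview matrix for one day: {unit: {user: set_of_rights}}."""
    matrix = defaultdict(dict)
    for user, unit in ORG_UNIT.items():
        matrix[unit][user] = rights_on(user, day)
    return dict(matrix)


def outliers(day) -> list:
    """Flag rights held by exactly one user in a unit (possible excess right) and
    rights held by everyone in the unit except one user (candidate for a unit-wide rule)."""
    findings = []
    for unit, users in rights_matrix(day).items():
        unit_rights = set().union(*users.values())
        for right in sorted(unit_rights):
            holders = [u for u in users if right in users[u]]
            if len(holders) == 1 and len(users) > 1:
                findings.append((unit, right, "only " + holders[0]))
            elif len(holders) == len(users) - 1 and len(users) > 2:
                missing = next(u for u in users if right not in users[u])
                findings.append((unit, right, "everyone except " + missing))
    return findings


if __name__ == "__main__":
    print(sorted(rights_on("Petra Peternel", "2015-07-01")))
    print(history("Petra Peternel", "salary-data"))
    for finding in outliers("2015-12-31"):
        print(finding)
```

Because the trail is append-only, `rights_on` answers "which rights did user X have on day Y" for any past day without a separate snapshot per day, and `history` answers "who, when and why" directly from the same rows; a warehouse table with the same columns serves both reports.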

Figure 1: An example of an overview matrix of rights. (* data are symbolic)

The above overview quickly shows the Bank that, for example, the user Petra Peternel (from the figure above) does not have the ‘right for printing’, while it has to be checked why Oto Cefizelj was the only one granted this right. The ‘right for printing’ is just one example: the same simple procedure can be applied to identify inappropriate access to confidential data (patents, business ideas, salaries, etc.).

Annual access verification
The Agitavit FIM/MIM Reporting and Attestation solution also includes a component that simplifies the annual verification of accesses. At least once a year (or as often as the configured policy requires), all user group owners are sent a request to carry out the annual access verification process. The owners review and approve the accesses of all members of their groups, while the system automatically updates the members’ accesses and prepares a report listing the changes made within the framework of the annual access verification.

Figure 2: The FIM/MIM component for annual access verification.

Figure 2 shows an example of the form for approving members. Rejected members are immediately removed from the group and their rights are revoked. Both removed and approved members can be checked in the report, and the supervising administrator can also see the progress of the annual verification and which users have not yet been through the process.
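As an added illustration of the attestation workflow described in this section (example code written for this article, not the Agitavit component itself), the Python below models a campaign in which each group owner approves or rejects the members of their group, a rejected member loses the membership at once, every decision is recorded, and the administrator can report the changes and see which groups are still outstanding. The groups, owners, member names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Group:
    """A user group with the owner responsible for attesting its members."""
    name: str
    owner: str
    members: set
    reviewed: bool = False


class Campaign:
    """One annual access verification run over a set of groups."""

    def __init__(self, groups):
        self.groups = {g.name: g for g in groups}
        self.audit = []   # (day, group, user, decision, owner) for every decision taken

    def attest(self, group_name, owner, decisions, day):
        """Apply one owner's decisions ({member: True = approve, False = reject}).
        Only the registered owner may attest the group, every current member needs a
        decision, and rejected members are removed immediately."""
        g = self.groups[group_name]
        if owner != g.owner:
            raise PermissionError(f"{owner} is not the owner of {group_name}")
        undecided = g.members - set(decisions)
        if undecided:
            raise ValueError(f"no decision for {sorted(undecided)}")
        removed = []
        for user in sorted(g.members):
            decision = "approved" if decisions[user] else "rejected"
            self.audit.append((day.isoformat(), group_name, user, decision, owner))
            if not decisions[user]:
                removed.append(user)
        for user in removed:
            g.members.discard(user)   # membership, and with it the right, revoked at once
        g.reviewed = True
        return removed

    def changes(self):
        """Report of the changes made within the framework of the verification."""
        return [row for row in self.audit if row[3] == "rejected"]

    def progress(self):
        """What the supervising administrator sees: finished vs. outstanding groups."""
        done = sorted(n for n, g in self.groups.items() if g.reviewed)
        pending = sorted(n for n, g in self.groups.items() if not g.reviewed)
        pct = round(100 * len(done) / len(self.groups)) if self.groups else 100
        return {"done": done, "pending": pending, "percent": pct}


def run_demo():
    """Constructed campaign: three groups, two owners respond, one member is rejected."""
    campaign = Campaign([
        Group("core-banking-read", "owner.finance", {"Petra Peternel", "Oto Cefizelj", "Ana Novak"}),
        Group("print", "owner.branch-x", {"Oto Cefizelj"}),
        Group("salary-data", "owner.hr", {"Ana Novak", "Marko Horvat"}),
    ])
    campaign.attest("print", "owner.branch-x", {"Oto Cefizelj": True}, date(2016, 12, 2))
    campaign.attest("salary-data", "owner.hr",
                    {"Ana Novak": True, "Marko Horvat": False}, date(2016, 12, 3))
    return campaign


if __name__ == "__main__":
    demo = run_demo()
    print(demo.changes())
    print(demo.progress())
```

Approvals are logged alongside rejections so the report can show both removed and approved members, as the text describes. A group counts as reviewed only when its registered owner has decided on every current member, which stops a half-finished review from being reported as complete.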

The project of upgrading the Identity Management solution with the Agitavit FIM/MIM Reporting and Attestation module was completed in summer 2016 and introduced within less than a month. “This enabled us to improve the overview of user rights and gain an insight into the user and rights history without any time limits, resulting in greater security, as we succeeded in cutting the possibility of rights being abused to the minimum. The pilot verification of accesses was already successfully trialled in a small segment, whereas the annual verification is scheduled for the end of the year,” Batič Finžgar commented at the end of the project.