Unified IAM & PAM Drive $2.5M Value at CPG Giant Flora Food Group
Webinar | March 12th, 2025 | 10:00 AM CT
Watch the Webinar and Learn How Flora Food Group Eliminated Critical Identity-Based and Privilege-Based Risks
When global manufacturing giant Flora Food Group carved out its independence, they faced an urgent identity security crisis: 16,000 unprotected user accounts leaving manufacturing operations vulnerable to insider threats and system compromise.
Learn from Alet Ferreira, Cybersecurity Identity Manager, as she reveals how Flora Food Group:
- Eliminated critical security gaps through a unified identity and privileged access management program across 6,000+ accounts and 90 countries and secured administrative privileges across global manufacturing operations in just 12 weeks
- Recovered $2.5M in annual costs by eliminating orphaned accounts and unauthorized license usage
- Achieved compliance requirements by transforming manual security audits into automated, reportable processes
A Risk-Based Strategy and 10-Step Approach for Eliminating Identity and Privilege Risks
Discover how Flora Food Group:
- Secured executive buy-in by quantifying security risks and demonstrating measurable risk reduction
- Prioritized critical security controls by breaking down the identity program into achievable phases
- Maintained operational continuity while automating critical security processes
- Built a sustainable security foundation for future growth
This session delivers actionable insights for implementing risk-based identity governance at scale.
"I often joke that purchasing the Bravura Security Fabric means that we got a Ferrari for the price of a Ford. We have the same functionality that you would see in a super swanky vehicle, but we didn't pay for different modules."
Alet Ferreira, Cybersecurity Identity Manager, Flora Food Group

Alet Ferreira, Cyber Security Manager
Flora Food Group
Bart Allan, Chief Operating Officer
Bravura Security
Bryan Christ, Senior Identity Solutions Engineer
Bravura Security
Review the Full Session Transcript
No time to watch the session? No problem. Take a read through the session transcript.
Bryan Christ (00:01):
Alright, well hello everybody. It's good to have you here with us today for the webinar. We're eager to hear from Flora Food Group about their identity management success story. Joining us today is Bart Allan, COO of Bravura Security, and our special guest Alet Ferreira. Alet is the cyber identity manager at Flora Food Group. She joined the organization early in 2019 when it was a greenfield implementation. She has broad experience with subject matter today with 15 plus years experience in identity and access management across all roles, service, solution design, service owner, et cetera, across the food and banking sectors. My name is Bryan Christ. I serve as a sales engineer at Bravura Security and I will be your moderator today.
Alet Ferreira (00:52):
As you know, look after identity and access management. So it's really important that we understand our identities. So if you take a look, Flora Food Group is a global company. We manufacture plant-based foods. We've got 150 years blockbuster brands. So those are brands for things like Stalk, Country Crock, etcetera. But the important thing here was that we've got more than a hundred countries and we've got 4,800 Flora foodies. Those are users internal that we look after. We manage and protect their identities as well as 1,200 external people. If you wouldn't mind taking a look at the next slide, please, I can just briefly take you through the brands that we cover. Quite proud of our iconic brands. You might notice some of those in your shelves. So whilst we are a group, a food manufacturer company, many people don't concentrate on their cybersecurity stuff, which was really, really cool five years ago when we came in and took a look at access management and how we're going to look after those and manage and protect those identities. If you wouldn't mind going to the next slide, please, Haleigh.
(01:59):
So if we take you back to five years ago, we had a huge access management problem. I talk about this all the time. I was busy constantly telling everybody, guys, we have an access management problem. We have an access management problem. Right? In the beginning we were greenfield. So you come from nothing to having the opportunity to set up your identity management program. So that's not just the creation of those accounts and the creation of those identities. It's also how to make sure that we know what access to request and access management as a whole. I regularly try and solve everything at once, but we decided we're not going to do that. So what we took a look at is we took a step back and said, we want to understand what our landscape looks like. So we saw that, okay, we've got 5,400 identities out there in the world that we want to be managing. If you've been following the Flora Food Group or any of the other case studies on the Bravura website, you will see that actually when we started this, I saw 16,000 accounts. So we were really concerned about how can we have 16,000 accounts. We only really have 5,400 people we need to be worrying about.
(03:11):
Once we understood, okay, cool, these are the identities we want to look at, we then wanted to understand what does our application estate look like? What are they accessing, what should they be accessing? When we saw that we actually were using 300 applications. So for something that's greenfield, using 300 applications was also quite alarming, but we really wanted to understand, do we know what these look like and who owns them, et cetera. And then when we took a little bit of a deeper dive into some of those applications, we saw that actually, you know what? We've got 10,000 plus permissions in those applications. So that's quite a lot to kind of wrap your head around and try and understand how we actually going to be able to look after these identities plus these applications and what people should be requesting. So we then said, okay, cool.
(03:57):
Let's take a look at what those pain points are. Why are we seeing this problem? What is the problem itself? So if you take a look at the middle of the slide, largely we didn't have clear roles designed for our applications. So we didn't know in the SAP estate, if we looked at the permissions in SAP, there's 15, 16,000 permissions. So the roles weren't defined correctly. So we wanted to make sure that we understood what those roles looked like for each of the applications. We didn't really have a proper roles and responsibilities table between the business, the IT teams to understand who's going to fix this, where does the problem sit? So we wanted to make certain that not only did we look at those roles, but also the RACI. If you don't have that RACI defined, you can't. It's not an IT problem to solve, you need to be supporting your business.
(04:50):
So we wanted to understand what that RACI looked like. We saw a large number of accounts in the applications that weren't managed correctly. As I said, 16,000 accounts, when we looked at this first, to actually 5,400 identities we should be looking at. Users were having delays. The experience was awful. No one knew where to go request access, no one knew how to request access. No one even knew they had to request access. Magic happened and no one understood what was happening. But that magic didn't happen instantaneously. Sometimes someone would raise a request and it would take up to two weeks to create an account for a person to log into the environment. And if you were trying to get application access, good luck. I mean if you got that within six months, lucky. It was really awful. There were so many delays and obviously if you're doing something manually, please, please make my access the same as Paul's or can I have the same access as Susan?
(05:49):
You can make mistakes, right? So you're actually giving people inappropriate access. You just don't know it. And as a result of that, we had a large number of audit points because we didn't really have control in our access management state. So when we took a look at those five main problems, we then decided, okay, we need a clear roles and responsibilities table. And what that enabled us to do was go and get that buy-in from those teams we needed, we defined an identity standard so we understood what accounts need to look like. We understood what a user account needs to look like. We created naming conventions. We said that first name, last name as per passport. We had understood what if we had shared accounts, we understood service accounts, we understood all different kinds of accounts. So those 16,000 accounts we were looking at, when we broke that down, we got down to about 7,000.
(06:45):
And of those we've got shared mailboxes, meeting room accounts, service accounts, and obviously user accounts. And so it was very important that we understood what our identity standard looks like. We wanted to make certain that we had simple and consistent processes for access requests. We wanted to make absolutely certain that people knew you have to request access. It isn't magic. You really do need to be requesting access. And when you request access, it's approved by your manager. It then goes to somebody else to do approval and then it's provisioned by a team. We wanted to make certain that we had an access catalog where a single place where someone could go and say, okay, I want access to SAP and I want access to this. I don't want the same access as Bob and Paul. I would like green access to SAP or I would like blue access to SAP.
(07:33):
So we created what we call our access catalog and we really wanted to improve the controls we had in our access space. So we wanted to make absolutely certain we were governing that access correctly. So we were compliant with audits that we had. We understood if they had segregation of duties, errors, we wanted to make absolutely certain that we had logs and all that kind of stuff. So we really wanted to make certain, we did those five things, clear roles and responsibilities. We had an identity standard and we understood all our users. We had simple and consistent processes and access catalog and we improved our access controls. If you wouldn't mind going to the next slide, please. Haleigh.
Bryan Christ (08:13):
Hold on just a second. Haleigh, I did have a couple of questions for Alet on these. So Alet, I heard you say at one point it was taking two weeks for a user account to be provisioned. Then I heard something about six months. What would you say the average delay was in terms of new onboarding?
Alet Ferreira (08:32):
Good question. I'm sorry. Yes, I forgot you were going to ask questions. The average delay was really no one knew where to go to go and do that request. So when we finally tracked down the person that needs to do that request, it would probably be, okay, I've got to send an email to so-and-so to approve this access, but they've approved that access but they forgot to let me know it's done and then you'd have to go and the person who's doing the provisioning. So we didn't really have a centralized place for people to do those requests and for that request, all those processes. And that's why we brought that into a central system.
Bryan Christ (09:07):
Ah, understood. Okay, thanks. One last question on this slide. You said that I think the inappropriate access came from the process of making Bob look like Mary or something like that. Did you have any other, was that the main culprit or did you have things like transfers where people were holding onto Absolutely permission? Yeah. Okay. Alright, good
Alet Ferreira (09:31):
Question. So I'll just say again, right, so they were copying Bob and Paul and Susan and Mary, but also no one knew who had access to what. So if you don't even know what to request, you're going to request the world. And then after the world is signed off, you're going to be provisioned, the world will be provisioned. Before we progress to the next slide, I see that someone in the chat, someone raised their hand. I think that is, was that, did I see that or no questions on the slide?
Bryan Christ (10:03):
Okay. Yep. And it is just a reminder, if you do have a question for Alet, we're going to take questions from the audience at the end. So just pop 'em into the chat channel and we will take a look at those back to you on this one.
Alet Ferreira (10:15):
Thank you very much. So after a lot of work to try and understand, try and understand how we were going to address those pain points, we delivered a centralized system that looked after our identity. So we had a fully automated identity life cycle. So we connected our system with our HR system so we know when we create an account, we know what that account needs to look like. It's automatically created so there's no more manual issues anymore. We connect that system to our HR system twice a day, which meant that we don't have those delays. If someone puts that person in the middle of the day, when we run our connection to the success our HR system, we create that person straight away so that the delay is removed. And we also reduced our number of orphan accounts. So again, with 16,000 accounts, we went down to 7,000 accounts.
(11:05):
We don't have orphan accounts. For those of you who might not know, an orphan account is an account that you can't tie to an identity. It's very important for us to be able to tie those accounts to identities. How do you know if that orphan account is a rogue account, etcetera. So it was very important. We understood what our identity looked like and that's how we improved our security posture. We also improved our user experience and our access control mechanism. The controls we were using was that access catalog with clearly defined roles so we know where to go to go and request access. It's that single access point. We've got clearly defined roles, so you now know I'm requesting green access. I'm not saying I want the same access as Susan or the same access as Bob or the same access as Peter. You are actually requesting what you want so you know what application you'll be requesting and what role you should be requesting.
(11:54):
And what that enabled us to do was again, those simplified and consistent processes was we could see who's approving access. We can see line managers are approving access, right? Because we understand we connected to the HR system in the morning, we understand if your line manager's changed, the systems are in sync all the time. So those requests are routed to the right place. We really improve that user experience. So we reduce the delay for joiners, people know what to request so they don't have to go run around and go and find the person for access to whatever application. It's in a simple clear place. We've also done some more automation, which we'll talk about on the next slide in a minute. But that automation meant that that delay in getting that access created has obviously reduced as well. With that automation, it's instantaneous. So you don't have to wait six months or two weeks or five days or whatever it was.
(12:44):
Your access is granted almost instantaneously and you can also kind of track where your request is, which was very, very important. So that really does help the users. They know where they can go and look for their requests and they can see if it's pending approval or if it's pending provisioning. They can see all of that. They can track that themselves. So I think self-service for us was very important. And again, that improves that user experience. The last point was because we finally know who's got access to what we were able to put in that user access recertification process, which is periodically we present a list of the users, a particular and the roles that they've got and then that is approved and signed off by their managers so that it's still appropriate. So that is why we were saying Bryan, that we now know what access we've granted to people and also recertifying that to remove it if it's no longer required.
(13:37):
I've spoken about the automation so that automation is the increase in speed and accuracy. So again, those delays also, if many of you know, might have a service provider that charges you a ticket to go and create an account or amend an account or delete an account because we've got that automation in place, we don't pay for those tickets anymore because the connector is doing that for us. So it was an increase in speed accuracy and money savings to do that. Automation and obviously compliance. So what we said before was we had audit points. So we've reduced our number of audit points because we are able to rely on our automated controls and we're actually able to say, actually you know what? This person, Peter has got a segregation of duty error or a segregation of duty clash and we know about it, it's been signed off by this person.
(14:32):
Or if someone else goes and requests an access to a role that is going to result in a segregation of duty error, we don't let it through. So that's really, really, really helped us, especially the increase on our reliance on those automated controls. So that audit is not as painful as it usually is. You're able to actually just run reports out of the system and that was, I think for us, the biggest, biggest benefit and makes my CFO smile every day when she sees those. That audit bill is no longer as big as it was before. I'm going to pause there in case you've got any questions. Yeah,
Bryan Christ (15:08):
Sure. Alet, I did have a quick question. So you talked about access recertification; the product obviously has a number of different campaign modes. What are y'all doing? How frequently are you doing certifications and under what conditions?
Alet Ferreira (15:22):
That's a very good question. So as user access recertification is a new process for Flora. We have twice now run a recertification that is a line manager recertification. So the line managers has presented a list with all the users that are in his team or report to him where his direct reports and the access that they have. And we ran that successfully just in December last year. And we saw that we had a five or 6%, I think 5.6% removal rate, which tells me that the managers are actually looking at that. They're not just approving everything. And I think if you take a look at that between five and 8%, it's always my kind of aim. It means it works the way we want it to work and it's not just a tick box exercise, but we are going to be running it bi-annually soon and we run it for our privileged access management application accounts as well. And I think the business really likes it. They've bought into it and soon we are going to be doing a move research at the time of the person changing their role, we're going to be capturing the access that that person has. So we'll be doing quite a bit with your certification module.
Bryan Christ (16:40):
Oh wonderful. Wonderful. Okay. I didn't have any other questions. So I think Haleigh, you're, yep, there you go.
Alet Ferreira (16:48):
This is my favorite slide and I'm really sorry. It's quite complicated. It's very difficult to draw our identity architecture at a high level. So we call this our 10 steps or 10 ingredients for our recipe to success. That's a play on the fact that we are a food company. So if you take a look on the top left-hand side, those are the 10 steps we took. So we wanted to break down this massive program into smaller, durable and achievable bite-sized chunks. So the very first step was we wanted to understand our AD architecture and that data mapping. And that was so that we made certain, we understood what our identity standard looked like. So if we've said this is what an account should look like, we understand what every field that is in our HR system is in our Active Directory system. We have a very clear data mapping and for that, that underpins our entire identity architecture.
(17:40):
So we have an identity standard and that again, underpins everything. So that was the first step, understanding Active Directory and understanding what identities look like. The second step was connecting our Bravura Security identity tool with our HR system. So we connected with that HR system so that we understand when we've got joiners, when we've got movers for job changes, and when we've got leavers. So we understand when that identity should be created and when that identity needs to be updated or when that identity needs to be removed and deleted because obviously HR is our source of truth. We also wanted to connect to our MS Active Directory connector. And again, that architecture, the AD architecture and that data mapping was so important because if HR is telling me to create an account, I want to be creating that account in Active Directory with all of the right information in it, whether it's a line manager, whether it's the person's department, their cost center, all that information.
(18:41):
I want to be creating that and I want to be creating that automatically, which is why we wanted to connect to MS AD. So in MS AD, we go and create those accounts. We would remove people from groups if we need to. We will update any attributes if the person's line manager changes or if they change roles, if they change locations, we update those attributes automatically. And again, we do the leaver process automatically. So HR tells me Alet's left and Alet is deleted the way she should be deleted automatically. No manual tickets and none of those pesky little manual ticket costs. We also connected to our Azure Active Directory because we want to be certain that we can provision licenses, look after our privileged identity management, look after SharePoint and all those kind of things. So we've also connected to Azure Active Directory where we were not able to, so we've connected to those.
(19:38):
When I say connected, it means we're doing that stuff automatically, so I don't have my service provider charging me for those tickets. We're also focused on SSO, so SSO between all of our applications. So if you take a look at 300 applications, the very first thing you want to do is SSO with and understand what access do people have. So we SSO that. So you'll see little blue lines are our SSO, we set up SSO between the underlying application and Azure Active Directory. And that continues, right? I mean could be every time a new application comes in, we make sure that we do a secure by design review plus we SSO that application. And then we added into our Bravura access catalog. So step number six was anywhere where we are not able to automate or create a connector, we needed to make certain that we had a mechanism to split our tickets.
(20:32):
So if we raise a request for access to an application, we need to make sure we notify that service provider, please go and create Alet in SAP, please update Alet's line manager in SAP, please delete Alet, she's left in SAP. So we wanted to make absolutely certain that we had that Snow connector that enables us, that enables us to create those tickets. Again, that Snow connector was quite important. We connect to our ServiceNow thing, we create all the tickets. We made certain that we understood what information the underlying teams needed. We told them exactly go and give a S blue access or go and give a SAP green access. That was very important and we were very excited to have that one in place. So we felt that that was cool and it covered most of our estate. However, we found that in our SAP estate, we are heavily reliant on SAP.
(21:30):
It's a huge, huge platform, has loads and loads of different modules and every single user basically has access to SAP. So we felt that we should have a connector there as well. And we recently went live with a connector between Bravura and SAP that also automatically provisions those SAP accounts, updates those SAP accounts or deletes those SAP accounts when they're no longer required. That was very, very important for us. And again, as I said before, automation is important. Automation is key. So we no longer have people being added to random SAP roles. They're actually added to the correct role and given the correct access. And that's also driven down our SoDs in our SAP estate. We are also in the process of reviewing Ariba. That's another SAP SaaS product that we also use very heavily in our estate. And we want it to be certain, we want to make certain we understand what that connector looks like.
(22:27):
Is it worth us putting that connector in place? So that's very exciting what we're working on at the moment. And then step number 10 was recertification. So we talked about recertification, we talked about enterprise, well, I haven't talked about enterprise roles, but that's a very good control. So people know what to request based on their job role. They're going to be saying, okay, instead of requesting 10 different applications, they just say, I am an IT specialist in Germany. And they will get all the access that they need, underlying access that they need. And we are literally in the process of inputting those SoDs. So segregation of duty clashes or rules into the system so that we can again, have a map of who's got access to what, who's got an SoD. And I think that's the last most successful step in this process. So hopefully that makes this slide make a bit of sense. I'm going to pause there in case you have any questions,
Bryan Christ (23:25):
Bryan? Yep, I do. I have a question. It's a pointed question and I think I know the answer to it already, but I'm asking it because in my role I sort of sit on the front line hearing from potential customers about their requirements and sometimes we see things that raise an eyebrow. Do you drive your access requests through ServiceNow or do you go directly to the Bravura portal
Alet Ferreira (23:53):
Also? Very good question. We go through the Bravura portal. So we have a link from ServiceNow to the Bravura portal and we tell people go into Bravura and go and request access in Bravura. So all that connector between Bravura and Snow is to spit out that ticket. So they have to go to Bravura to request the ticket to request the access. Once that's approved, it'll create the Snow ticket.
Bryan Christ (24:17):
Perfect. Perfect. Thank you. Alet, I don't have any other questions on this slide, so Haleigh, you're
Alet Ferreira (24:25):
Free to move on. I love the fact that this is my favorite slide of all time. I think it's been a journey with the Bravura team. We've all learned quite a lot. I think in order to succeed in any identity and access management program is people aren't going to call it a project, but it is a program of work. So you really have to have a clear view of what your target end state is. If you don't understand where you want to get to, how on earth, how on earth would you be able to actually implement something if you don't understand your use cases? So what Bryan was saying before, do people want to go raise requests in Snow versus into Bravura? You need to know your use cases. In our world, we've got people who work in factories and now it might blow some people's minds, but people in factories don't log onto PCs every day.
(25:13):
Why would they need an email address? Why would they need an account? So you have to understand your use cases and you obviously need to understand your requirements. You'd have security requirements, technical requirements, all kinds of requirements. So you have to have that very clear view of what you want to achieve. As I showed you in the previous slide, we had 10 clear steps and that was because you can't eat the whole elephant at once. You have to break it down into small phases. That's why we broke ours into 10 steps and Bravura Security were very good in supporting us in those 10 steps and saying, actually, you know what? Maybe you want to break this into another step, or maybe you want to say maybe we can do these two together. So you need to understand clear view, you have to have clear phases, you have to have a roadmap and you have to keep beating the drum if you don't beat the drum.
(26:01):
And if you don't tell people there's a problem, there's a problem, there's a problem. It's important, it's important. You won't get that buy-in from that exec. You have to get buy-in these fail because they're IT led. It's not IT led. It's not an IT problem, it's a business problem and IT needs to support the business in making that a success. So you have to go and get that exec sponsorship, otherwise it's not going to succeed. I speak regularly about how I pounced on people in lifts to say, you have an access management problem, we have this problem, we've got an audit problem, we have this problem. You have to keep beating the drum, make sure everybody buys in and sees how crucial it actually is. If you're on zero journey, identity is the thing, right? It's the key. It's the foundation of it all. You have to have to get that buy-in.
(26:50):
You need to understand what your scope and your standard is, right? If you are going to, once people see how this works, and I see it every day, once people see how this works, they're like, oh, can I please SSO my application? Can I please put it in? So it grows. 300 applications are a lot. At the moment, we are managing a hundred, our key financial systems. So we said our scope is key financial systems and our crown jewel applications need to be SSO to need to be put into our proves tool. Otherwise, if you don't have that good governance in place from the beginning, your scope is going to creep. You're never ever going to be able to ensure that those a hundred applications are SSO plus under management in your system. So please make certain that you have a proper scope. We said we are not going to put non-production applications into our system, otherwise we'd have 700 targets and it just isn't done.
(27:45):
So you need to make absolutely certain what your scope is and protect that at all costs. Otherwise you will not be able to deliver what you want to deliver. And lastly, for us, it's you have to choose a very strong partner to take you on this journey. I bulldoze people all the time. You cannot be bulldozing your strong partner. Your partner has to be able to speak openly with you and call out issues. And you need to remember right, identity is not, you don't need to reinvent the wheel. We all have joiners, we all have movers, we all have leavers, we all have people who need to have access to applications. We all have people who need privileged access management. There's no requirement and need to reinvent the wheel. So it's so important that your partner pushes back or brings you back out of cuckoo land. You need to be read back down to the basics, understand what you want to do. You shouldn't need to reinvent the wheel. Sorry to call it cuckoo land, but sometimes I think I'm in cuckoo land. Any questions on this slide?
Bryan Christ (28:47):
No questions for me.
Alet Ferreira (28:51):
So before you start with Bart, just to say that I just really wanted to say we partnered with Bravura from the beginning because we felt that they were a strong partner and I think our success was because we were able to literally compromise both of us, right? It's very hard to compromise for me, but the team was so strong, they were really good in saying, no, you can't do this. Yes, you can do this. And it really is a partnership. And so that's why I think that definitely did contribute to our success. Thank you.
Bart Allan (29:18):
Yeah, I can agree more
Bryan Christ (29:19):
For sure. Thank you Alet. Yeah, we really appreciate that. Your story there was super insightful. We're going to shift gears here for a minute and talk about professional services and that conversation's going to be led by Bart. He is our COO. He has been with Bravura Security for more than 10 years with 15 plus years in the IT industry. Bart initially joined professional services as a solution architect focused on designing and implementing repeatable patterns in identity and the privileged access management space. Today he leads our overarching operations portfolio including professional services but also support customer service and SaaS operations, which combine and collaborate to help our customers achieve their security goals. With that, I'm going to turn the floor over to Bart to discuss professional services that Flora Food Group has utilized.
Bart Allan (30:19):
Thanks Bryan. Yeah, I mean as Alet said, I think choosing a strong partner but also being an open partnership on both sides is really important. A lot of customers come to the table with a lot less experience than Alet brings. This is not her first time doing an identity project, but it's not ours either. So at Bravura our team played a pivotal role in transitioning Flora Food Group, bringing our decades of experience together with Alet's to transition them away from a legacy IAM solution to what they have today, which we would describe as a fully integrated identity and privileged access management environment. And we were a trusted partner throughout that, right? So Alet would say, Hey, I want this. And we would say, well how about this? And that's really where through our advisory services and just working closely with Alet, we were able to align year after year and we're still doing it this year.
(31:23):
We will still do it next year. Identity is a program, not a project, but through those targeted advisory services, we were able to align our implementation efforts towards a prioritized security roadmap that tackled the high value and high ROI items first. We all know that we don't have an unlimited identity security budget. We would all love that. There's many things we would do, but we have to be practical. And tackling those items first really helped us gain confidence within Flora and I think has helped Alet year over year fight for that budget to expand the reach of the identity program. Hence we targeted SAP rule management in the last year. It's an expensive and manual task doing that through a third party service provider. I mean you pay per ticket, that adds up really quickly. One of the first things we tackled was optimizing their Microsoft 365 license use and all of that really delivered tangible cost savings that we were able to use to kind of spearhead additional budget. Not to mention cost savings just through process automation. We'll talk about that on the next slide. But these strategic moves in the journey and really consulting with a partner on this and implementing together really streamlined the operations of the program, but the operations of the business as well and set a foundation for scalable and secure growth.
(33:02):
We try to not carry a whole lot of technical debt through the program. We realize that we're going to do phase after phase after phase. And so we really try to encourage our customers as a partner not to cut corners where it doesn't make sense, but also not to over-engineer the solution. Haleigh, you can jump to the next slide there if you will. So one of our critical successes at Flora was our ability to what I would call close gaps through integrations and automation, but also just by tracking manual processes, which we'll talk a little bit about. So one of the things that is really key in kind of any identity program is getting that overarching lens of your identities, right? Alet talked about the 16,000 accounts when they knew they only needed like 7,000. And when that's across many different systems, you're not going to be able to integrate all of those day one.
(34:05):
But we were able to integrate the critical ones quickly and by securely connecting those systems and automated key processes, we started to reduce manual intervention. So it really narrowed the focus of the program to try to understand where there were still identity security gaps where we still had issues to address. It improved overall accuracy and speed, which Alet talked about, and boosted compliance. One of the main drivers is definitely audit and compliance for an identity security program. But the other is really that automation piece, especially when you're using a third party service provider who's doing service desk fulfillment and you're paying for every identity you create, move, add, change, et cetera. So one of the items that I think was really successful here that we brought on early on within the scope of the service catalog and automation was automated reconciliation for disconnected systems.
(35:06):
Really meaning that we're not going to connect to all 300 applications out of the box and certainly not all at once, but what we can do is make sure that those are all tracked in a single place. People can come to a single portal, they can request access for any application in that portal. And then fulfillment is either automated through connectors or it's ticketed in snow for their third party service providers to take action on. But that also means that when it comes to recertification, that information's all in one place and they can start to do proper recertification across that entire application landscape. And that really results in reduced operational risk and administrative burden. You're not trying to pull together an Excel spreadsheet with 300 different tabs of accounts of every system that you have within the organization and trying to figure out, okay, well this system has 20 identities that no longer exist in the organization.
(36:05):
Okay, that's a problem. Oh this system they don't even align, we don't even have mapping. It really helps you automate that process and to have everything tracked and audited in a single system was definitely key. And again, I mean tackling the low hanging fruit, ServiceNow was pretty much a day one connector for Flora, maybe a day two kind of thing. SuccessFactors, making sure that we have that data feed from HR, that was definitely day one as were Azure AD and Active Directory. And SAP GRC has been a more recent implementation, which we'll talk about in the next slide, which you can go to Haleigh, thanks. Awesome. So one of the challenges that you face with an identity security program is when am I going to get ROI? It is a journey, it's not a destination. And making sure that whoever you're partnered with is really helping you kind of build a roadmap that has built in ROI that the business can see, right?
(37:14):
So targeting those automated processes, targeting unused licenses and systems, these are kind of nice things that we do along the way really to ensure that we can continue to fund the program where the business can continue to fund the program and continue to improve on their security journey. But there's a couple of things that we do somewhat uniquely. So we bring rapid deployment and quick value realization and that was a central part of our implementation strategy. But we bring that through pattern deployments. So we have this, used to call it our corporate reference build, but our corporate pattern that we start with, it's a starting point. It brings processes, everything from joiners, leavers, the mover, recertification, Alet talked about, that's on their roadmap, that's in the pattern. All of these things we kind of bring out of the box and it's kind of an a la carte menu.
(38:12):
We can guide you as to where you should start, but you don't have to build these processes from the ground up. They're built for you and they can be tailored to your business, which means that you're spending time on that little bit that is important to your business while not having to build the whole process from the ground up. And these are really built with predefined best practices based on our decades in the industry. We've used these across companies like Flora, they've extended to financial services, higher education, and we have tailored versions of them in each vertical, but these are used across our deployments to really speed up deployment and really get those quick wins and maximize the ROI of the program. And at Flora we delivered, we chose to deliver accelerated onboarding of new roles and business applications through a configuration process and quick access catalog creation.
(39:14):
That was really kind of that snow connector piece. Being able to onboard new applications, quickly define their roles, their access rights, who has them, and then reconcile them continuously for connected and disconnected systems. And especially with the use of a third party service desk fulfillment. That also really helped us build a clear ROI in business case for each connector we built out. SAP GRC was part of a larger project, but every connector we do, we know okay, while there were a number of access requests during the past year, okay, what was the actual tangible cost of those versus the cost to develop a connector. And so that's really something that helps establishing day one. It really helps you clarify your roadmap, you know where to go next. And that's really been key through the program with Flora and yeah, the approach we took overall reduced typical implementation timelines.
(40:17):
I think it's one of the faster identity phase ones I've seen done. I think we were done in six months. Keep me honest, Alet, but yeah, it was a very quick go live with them and definite credit to Alet. She knew what she wanted, she needed the processes that needed to be automated, but she was willing to listen to a trusted partner and allow us to tell her where things might be a little bit easier using something that was under the box as part of our pattern versus go and build your own process. And that really allowed you guys to achieve some key milestones faster. Again, that initial go live and I think it's been part of our overall project success and stakeholder satisfaction and Alet's talking here on this webinar. So I think that speaks to that enough, but that's really it. That is the benefit of choosing a partner who knows our solution inside and out and really knows the identity security space very well. I mean we don't just do identity and access management, it's privileged access. And that project was even quicker, I think three months to go live on that and it's been very much an easy product for Flora to manage and run with. And that's pretty much it. I think next slide is questions.
Bryan Christ (41:45):
Hey, thank you Bart again, thank you Alet and thank you to our audience for joining us today. Before we get into questions, I do want to let you know that today's recording will be made available shortly. So if you want to go ahead and share that with your colleagues, you'll be able to do so. Also, you see here a QR code on the screen. If you want to learn more about what you heard today about some of the experiences that Alet shared and how we can bring that to your organization, again, snap that QR code and send us a contact request, we'd be happy to set up a discussion. So with that, we will turn over to any questions that have come in. I am seeing a few here and it looks like we have about 15 minutes, so we'll get to as many of these as we can. And if there are others, again just drop 'em in the chat and then we can do a follow-up later if we run out of time. This first question is clearly for Alet. The question is about the diagram that you showed and they're asking basically they saw that you have AD and Azure AD. Are you syncing those and how does that work?
Alet Ferreira (43:20):
Cool. So definitely we do have MS AD. We are using that as our identity master at the moment and we use Azure AD Connect to sync. So we create an MS ID. It syncs across using the Azure AD Connect service and then it's created in Azure Active Directory. And that sync runs constantly. So we are hoping to move into just going straight into Azure Active Directory. But unfortunately our architecture at the moment is MS AD is the master and that syncs across to Azure Active Directory.
Bryan Christ (43:58):
Okay, thank you Alet. Hope that answered that question. Next question, really simple. Do you plan to keep using AD on-prem?
Alet Ferreira (44:07):
Also a very good question. So we're at the moment assessing that. So some of our legacy applications do still need that access to MS AD, but again, we are working in impact assessing at the moment, moving to directly going to Azure Active Directory as opposed to MS AD.
Bryan Christ (44:27):
Thank you. This next question feels could be maybe a shared question between you and Bart. The question is basically did you have to customize Bravura identity for your environment? So again, I think that could maybe be either one of y'all or maybe a mixed conversation.
Alet Ferreira (44:49):
I'll go first and I'll let Bart go. So
(44:52):
What we try to do is we tried as best possible not to customize, but in some instances for Snow, we did have to do some customization. That was really because of we wanted it to do something specific like write back the status of the request to our instance. So we did customization there and we also had to customize a write back into SuccessFactors again. So wherever possible, the professional services team called out to us, here's the risk to doing this, we need to do this customization. And we went and assessed, is that required? Is it not required? And that was that bit about compromise. So where we have customized, we know where those parts are and we have a plan to either address or not. The rest to Bart.
Bart Allan (45:46):
Yeah, I mean it really comes back to the pattern. I love to use the word tailor as opposed to customize. But yes, I mean either or, there's going to be certain things that every business does. And we see this in pretty much every identity and access management deployment, privilege less so, where certain business processes and how they run within your business are not going to fully align with how business processes work out of the box with Bravura. And so there's the ability to highly customize the solution, but Alet's taken the road that we recommend, which is a little bit of tailoring where it's needed and that really results in a solution that's both cost effective and tailored to the business's needs.
Alet Ferreira (46:42):
And it's important that you do decide that, make that decision correctly because it's easier to change a business process than it is to go and configure something that is going to result in issues down the line. So we were lucky, we were greenfield, so we were able to change a lot of those processes and put them like we wanted to do. But again, we made an informed decision where we've customized, tailored, where we've tailored it, we made informed decisions, I believe on those.
Bart Allan (47:09):
Well, and I think that really comes back to something that you said that I definitely believe in. This is not an IT led program. This is a business led program. And if you take that stance then modifying business processes is easy. It's part of the program, we just do it and it becomes the new process. But if you'd run this as an IT led program, then a lot of your business processes will become bespoke, tailored, customized in some way, shape or form. But being able to change those processes is key.
Alet Ferreira (47:46):
And that helps when you have buy-in, right? That buy-in is so important. Exec buy-in and exec sponsorship.
Bart Allan (47:52):
Yeah, you talked about exec sponsorship, I mean for the people on the call who your program sponsor is your CTO, CIO, CFO,
Alet Ferreira (48:03):
CFO.
Bart Allan (48:04):
CFO, CFO. Yeah. So I mean really having sponsorship all the way to the top, that's key. It's not something we see in every program, but it's certainly something we encourage.
Alet Ferreira (48:18):
It does help they listen to her. They're not going to listen to some random cyber person.
Bart Allan (48:25):
A hundred percent.
Alet Ferreira (48:27):
Next
Bryan Christ (48:27):
Question. Thank Yeah, appreciate that. Quick, easy question. Are you managing privileged identities?
Alet Ferreira (48:36):
We are managing privileged identities. So I didn't talk a lot about privilege because for me the access management, regardless of whether you're privileged user or not, is kind of, we need to understand what the roles are, but we are using privileged access management and Bravura PAM solution. We rolled it out in three months. I said to Bart as well, have we really done this? Is it done? We are managing those across our OS layer. So our Windows and Linux servers are managed and people request that access in our identity system. So they say I want access to the server, and then approval process happens and then the access is granted again just by AD group. So very pleased with that and I think we're going to be expanding the scope of what we're doing with privilege later this year.
Bryan Christ (49:27):
Okay, I'm looking at the list coming through chat here and I only see one more question, which is are you using any other Bravura products?
Alet Ferreira (49:40):
We are using Bravura Safe as a password manager and we quite like it, actually. It was also one of those things, it was just like plug and play and it just worked and it complements our Bravura privilege solution and we might be looking at some of the other things coming on the horizon from yourselves later this year.
Bryan Christ (50:03):
Okay, well that's all the questions that I see here. And yep, that's it. And so with that, we are going to wrap up. Just a quick reminder, this presentation will be available shortly, the recording. And again, if you want to find out more, snap that QR code and if you happen to think of any questions later, don't hesitate to reach out. We're always glad to answer. And with that, we thank you for joining us and hope you have a pleasant day.
Bart Allan (50:37):
Thank you. Thanks again.