The Belgian Federal Ministry of Foreign Affairs

"We did not make a financial business case for this project because we were sure to get a return on our investment. You can't put a price on our improved risk management." - Jorg Leenaards, ICT Director at Ministry of Foreign Affairs

 

Introduction

The Belgian Ministry of Foreign Affairs wished to improve their information management. An analysis showed them that the user management wasn’t free of problems. Different departments were managing user data independently from each other, which caused inconsistencies.

This also hampered the information flow to the ICT department. There were certainly issues with co-workers leaving the organization. These issues led to a situation where Active Directory could not serve as a trustworthy source of identity and authorization data.

The Ministry decided to automate its identity and access management. Together with IS4U, the Forefront Identity Manager (FIM) software was implemented. This system synchronizes identity data with a multitude of information systems. The ICT Servicedesk is responsible for the management of FIM, making the identity business processes more efficient.

Jorg Leenaards, the ICT manager for the Ministry of Foreign Affairs states: “When our department decided to improve the record- and document management, we requested a risk assessment of our identity management. From this, it became obvious that the identity management was a weak point. That is why we started a parallel identity and access management project.”

“Our workforce is 3.500 people strong but is continuously evolving. Embassy personnel and other co-workers abroad are being reassigned every 3 years. Next to this, there is the continuous flow of people leaving the organization, promotions, transfers and new arrivals. Managing all these changes is a complex and challenging task, which was being performed by different departments in separate identity silos. The information exchange did not happen consistently, leading to data that wasn’t always up-to-date. The manual processing of employee data also led to many errors in the different information systems. Especially co-workers leaving the organization led to problems. We work with classified information that demands that only those permitted, gain access to it. That access has to be revoked as soon as people leave their department. This hasn’t always been the case.”

Compelling assessment

The Ministry of Foreign Affairs hired a specialist from IS4U. In order to chart the identity management issues the ministry was facing, IS4U has performed an assessment in collaboration with the organization. Based on the conclusions of the assessment, IS4U proposed to optimize the workflows with the help of the Forefront Identity Manager software. The product complies to all the needs of the ministry and is relatively easy to implement. A proof of concept was demonstrated to an identity governance board – people from different departments within the administration – that immediately decided to go ahead with a full implementation.

Since the implementation, the majority of identity management processes have been automated. The employee data is entered once in the HR software of the ministry. Forefront Identity Manager collects these data and synchronizes it to Active Directory and other information systems. Jorg Leenaards: “A such, we avoid repeated manual processing and the errors that go along with it. We relieve the workload of the ICT department and save considerable amounts of time.”

Faster, more efficient identity management

Through workflow, every department has the possibility to enrich the identity data for its own use. The Forefront Identity Manager collects all new and modified data from the different systems and synchronizes it throughout the organization.

Jorg Leenaards: “Access to information systems is now being managed by the ICT Servicedesk. This used to be delegated to Active Directory engineers. The ICT Servicedesk uses Forefront Identity Manager making the process cheaper and more efficient. They now can perform tasks faster, leading to a faster service for co-workers.”

Thanks to the synchronization, the ICT department is immediately aware of who requires a new Exchange mailbox and which mailboxes can be decommissioned. Also the department in charge of physical access has integrated its database with Forefront Identity Manager in order to grant or deny building access.

Additionally, telephone operators can make controlled modifications in Forefront Identity Manager. The telephone operators have their own user interface and only have access to modify co-workers telephone numbers.

Temper the enthusiasm

“The project ran smooth, while this assignment wasn’t an easy one. There was for instance an internal discussion about delegating management of Active Directory to the ICT Servicedesk. There is a considerable amount of change management involved, not only for the ICT department. All departments had to change their way of working.“ says Jorg Leenaards. He adds: “As the project came along, it became clear that everyone would benefit from the implementation, which eased the transition to the new way of working.”

“This project was something which we always said we should do, but there was always another project that got the priority. Once we started, we expected resistance, which we experienced. By demonstrating the capabilities of the software, the acceptance has grown and the solution became embraced by the identity governance board. In the end, we had to temper their enthusiasm but we will be considering their suggestions in a next phase.”

IS4U can concur; certainly with identity management, it’s not always easy to get people to buy into the solution, because from their point of view, everything just works. That’s why IS4U advises a step by step implementation, demonstrating tangible results in a short term to grow the customer buy-in.

Our Partners