Hansol
Jared Heng reports how a major South Korean paper manufacturer successfully adopted an automated identity management system to save considerable time and money.
By Jared Heng
20 Aug 2008

Posting an annual revenue of some US$1.2 billion, Hansol Paper (Hansol) is South Korea's largest paper manufacturer, catering to the printing, packaging and industrial market segments.

With factories in four locations and some 900 employees to manage, the company saw a need to enhance data security. Controlling user access was a significant challenge under its existing manual identity (ID) management system. In 2006, Hansol engaged an accounting firm to audit its accounting and enterprise resource planning (ERP) systems.

Arbitrary authorisation

The audit found that user access authorisation was arbitrary because the task was handled by different individuals at Hansol Telecom, Hansol's IT outsourcing company.

Following the audit, Hansol concluded that existing system authorisation procedures were haphazard and inefficient, leaving the company vulnerable to security breaches. The company decided that a robust, automated ID management system was needed.

"ID management is about providing users access to the system required for work execution and information, according to the internal control standard," says Hansol Paper's Yang Jong-myung, manager, process innovation team.

Yang notes that when staff took on different positions or retired, changing their authorisation levels took "a very long time". The manual process also presented a huge challenge in determining employees' latest data access clearance status.

South Korea's 'internal control' regulation went into effect in January 2006, according to Yang. The regulation states the requirements for external auditing of a corporation and the standards for a company's accounting management system. He says the regulation was designed to ensure that corporate financial statements are written and announced publicly, according to general accounting management system standards.

Certification

Additionally, the company had to ensure that its auditors were certified in accordance with government regulations and internal accounting standards. "Such certification is issued by the government," Yang says.

Consequently, Hansol recognised that user account management policies had to be aligned with the regulation's requirements.

The company also faced other challenges. "It was impossible to monitor whether the account allocated to an end-user was actually in use," Yang says. "IT managers found it difficult to report on usage of specific applications."

He notes that surplus authority, or granting a user more access clearance than necessary, was another problem. Some staff also accessed the ERP system without changing passwords regularly, as required by the company every 90 days, leading to frequent lock-outs.

In February 2007, Hansol decided to deploy Oracle Identity Management (OIM), an automated ID management solution, for its ERP system. Besides automating password and authorisation management, OIM was also expected to tighten data security at the company's head office and factories.

Going live

Two teams from Hansol's head office tested OIM and the company conducted extensive user training in all business units. The new system went live in May 2007.

"Due to enhanced productivity from OIM, we expect to continue scaling up the system as the business expands," Yang says.

OIM's deployment automated Hansol's ID management process, which is now centralised at the company's head office. The task is managed by one person, who easily oversees system authorisation for all staff, cutting management cost, minimising errors and ensuring greater process control.

With only one point of contact for queries, the centralised process also facilitates problem resolution. Now, each staff member requires only a single log-in and authentication across the ERP system, eliminating the need to remember multiple user names and passwords.

The company has also simplified password management.

OIM sends an e-mail alert to staff when the time approaches to change their passwords. Should they fail to do so within the designated 90-day period, the Oracle software automatically prevents them from logging into the ERP system. Consequently, staff lock-out frequency has fallen.

Tracking a lifecycle

"OIM facilitates individual account management, by tracking a person's entire work lifecycle in the company from recruitment to resignation or retirement," Yang says. "This solves the problem of surplus authority." For example, the system notes whenever someone receives a promotion or moves to a different role, and automatically adjusts the person's clearance level.

"OIM's certification and reporting functions have enabled us to conduct follow-up verifications and real-time monitoring of user account data," Yang says. "We are now using 13 types of custom reports in addition to the standard report forms provided by OIM."

Yang notes that following OIM's deployment, the cost of annual ID management dropped by US$1,670 per staff member. Of this amount, US$420 per staff member was attributed to fewer help desk calls, and US$1,250 related to savings from automatic user account generation.

"Before deployment, 80 per cent of help desk calls were about identity and authority issues," he says. "With OIM, user self-service reduced such calls down to 10 per cent, helping us cut costs."

Multi-pronged approach

Yang takes a multi-pronged approach in his ID management strategy.

Only Hansol's internal account manager has access to sensitive company information. For performance tests, the company uses 'dummy' data generated by operational level personnel. Actual data is stored in the account management system in encrypted form.

"We allow approved application developers to access the database and conduct queries only," says Yang. "Furthermore, we provide different levels of clearance to developers, project leaders, testers and architects for accessing operating equipment."

He adds that when an end-user is added to Hansol's HR system, application access authority is automatically designated, based on corporate account creation and access policies.

Satisfied with OIM's performance, Yang and his team are considering expansion of the system to desktops, SAP R3 and SAP BIW 7.0 in the company.

Yang has a word of advice for IT vendors.

"Rather than simply focusing on marketing solutions, vendors should thoroughly analyse customers' processes and help them meet business needs," he says. "Hence, vendors should be flexible to create 'best-fit' solutions for each customer."

Comments (1)

Mr. Salmasi says...
Hi, I am a businessman from Iran. I want to have some information about your product. Please contact me. Thanks so much, Salmasi
30 Dec 2008 3:31pm
