About CSI
The Austrian Civil Service Insurance (CSI) specializes in the public sector, providing private life insurance and accident cover as well as special liability insurance solutions to employees of the public sector since 1895. People insured by CSI are members and therefore co-owners of the company. CSI’s corporate policy is independent of shareholder interests and focused on the long term and the community.
CSI employs 600 people at 27 locations in Austria as well as 500 external insurance brokers. A team of 35 employees is tasked with ensuring that all matters IT run smoothly, including the management of user permissions and identities.
Customer Opinion
“You can always rely on tenfold!”
Stephan Radl
Chief Information Security Officer, CSI
Project Information
Location
Vienna
Industry
Insurance
No. of IT users
600
IT Staff
35
License
Enterprise
Why Is IT Security Particularly Relevant for the Insurance Sector?
IT security is highly relevant to the insurance industry because insurance companies hold and process sensitive data, such as personal and health information, medical records, etc. To ensure that such information is adequately protected, employees should only be able to access data that is relevant to their job duties. Not only could a security incident considerably damage the company’s reputation and liability, it also poses an enormous risk to customers if their confidential information is stolen or published.
How Can an Identity Governance & Administration Solution Help Improve IT Security?
An identity governance and administration solution ensures that only authorized persons have access to sensitive systems and data within the company. This helps to prevent fraud attempts, data leaks and unauthorized or unintentional manipulation.
Our No-Code Solution Makes IAM Easy.
Start Your Free Trial Today!
Before tenfold: Faulty Data and Insufficient Control Over Permissions
For a long time, permissions at CSI were managed manually, which led to many challenges:
Great efforts for user onboarding: Creating new users and assigning them the necessary permissions across multiple systems manually took several hours.
Inconsistent, inaccurate data: The manual user setup often led to mistakes like typos and inconsistent ways of spelling names, email addresses or departments, which led to a faulty database.
Long waiting times: Due to the high manual effort involved in setting up user accounts, employees often had to wait a long time for their accounts to be activated.
Too many admin rights: For many of their tasks, helpdesk employees needed domain admin privileges. However, the more people with administrator rights there are, the higher the likelihood of an incident occurring. Hackers might exploit overprivileged user accounts to misuse or steal sensitive data. In IT, the principle of least privilege is considered best practice. However, if too many people have admin rights, least privilege can no longer be upheld.
Permissions are not deleted: When employees left the company, their access rights were often not removed from all systems, as searching through every single application for permissions is an extremely time-consuming task. Employees who continue to have access to information after leaving the company pose an increased security threat.
No overview: There was no way to deduce which users had which access rights for which systems.
No access reviews: Because it was too hard to track permissions, there was no way of conducting access reviews for user accounts and permissions, which in turn led to orphaned accounts – these can also be harmful to cybersecurity.
Compliance: Due to inadequate access governance, CSI could not guarantee compliance with cybersecurity regulations.
“Anytime we had multiple interns starting at the same time, it meant we would lose valuable hours to setting up new users – time that could have been put to much better use elsewhere.”
Stephan Radl
Chief Information Security Officer, CSI
The main reasons why CSI decided to scout for an IGA tool were, on the one hand, the hope for greater efficiency, particularly when it came to user onboarding, and also to close security gaps that existed due to a lack of overview and inconsistent data. Compliance was also an important factor in the search.
Criteria for an Identity Governance and Administration Solution
The following must-haves were defined for the future IGA system:
1. Integration
Out-of-the-box support for Active Directory (AD), Entra ID and OpenLDAP.
Flexibility for future integrations via APIs or other solutions – no closed system that only supports Active Directory.
2. Permission Management
The tool should be able to model existing permission processes.
3. Self-Service
Users should be able to request permissions themselves.
4. Access Reviews & Governance
Automated user access reviews to ensure permissions are current and still needed.
Data owners should be able to manage (grant, revoke) access independently.
Excel lists for permission reviews should be replaced by a more efficient, automated solution.
Search for a Solution
When CSI set out to look for a suitable IGA tool, they evaluated and compared a number of systems, including some larger cloud-based enterprise solutions.
However, it soon became apparent that purely cloud-based solutions were not suitable for CSI’s needs. The insurance company did not want important access information to be stored in the cloud, but instead exclusively on local servers. These security concerns meant that only providers who offered on-premise options were shortlisted. There was furthermore concern that an organization of CSI’s size would not receive the level of attention it needed from a large enterprise solution provider.
Thanks to its on-premise/hybrid services and rapid integration, tenfold was able to stand out against the crowd – not to mention its excellent support. The combination of technical flexibility and practical functionality made tenfold the ideal choice for CSI.
Implementation
1. Proof of Concept: First, a proof of concept was carried out to determine whether the required basic functionalities could deliver what they promised – and so, as a first step, Active Directory and Open LDAP were connected. Email and Exchange accounts were also created, both on-premises and in the cloud. Once these basic functions had been successfully tested, the implementation continued.
2. Data import: In the next step, the data quality of Active Directory and Open-LDAP was optimized and the user IDs were converted from names to numbers. Afterwards, the data was imported.
3. Setup of roles and resources: As a next step, roles were defined that were assignable to new users and which contained all the privileges required for each respective position.
4. Lifecycles: Different lifecycle phases were defined, such as “Enabled,” “Disabled,” “Retired,” “Leave of absence,” etc. The purpose of lifecycle phases is that when a user enters a different phase, tenfold automatically adjusts their privileges accordingly.
5. Recertification (i.e. access review) processes were set up for different resources.
6. Privileges were cleaned up and mapped to functional roles.
“All IGA solutions can cover Windows – but for customers who need more than the default setup, that’s where the wheat is separated from the chaffe.”
Stephan Radl
Chief Information Security Officer, CSI
Special Challenge: OpenLDAP
Connecting OpenLDAP to tenfold proved to be a particularly challenging task. tenfold can be connected to many applications and systems out of the box, including OpenLDAP, yet the interface had to be expanded during implementation – but thanks to tenfold’s flexibility, this hurdle was also easily overcome.
What Is tenfold Used for and by Whom?
1. User Onboarding, Offboarding and Changes:
The IT department is responsible for setting up tenfold so that the software can onboard and offboard users and assign resources automatically. The same applies to all types of changes, such as when users switch departments or acquire new surnames after marriage. All privileges are now managed centrally via tenfold, ensuring that all processes and permission assignments are documented seamlessly.
2. Access Reviews:
With tenfold, managers can decide for themselves whether users should continue to have access to certain resources or not.
IT uses tenfold to define roles that are automatically assigned to users when they join the company based on their position and other attributes contained in the role. When changes occur, such as department changes, old roles are removed after a customizable transition period, and new roles are assigned.
Improvements Through tenfold
CSI were able to achieve the following improvements after implementing tenfold:
More efficiency: The management of users and permissions has significantly improved since the introduction of tenfold. Requests are processed faster, and faulty data inputs have been entirely eliminated.
Seamless documentation & standardized data: All necessary information is recorded in a standardized, complete, and traceable manner—a major improvement compared to the past, when details were often overlooked and records were inconsistent (especially when names or email addresses changed). The entire IT team at CSI agree that the new solution has significantly helped to improve daily operations.
Compliance: Many compliance regulations require companies to be able to track and prove who has which privileges and access to which data. With tenfold, CSI is now able to meet these requirements and thus demonstrate compliance.
Future Plans With tenfold
90% of all systems in use are already connected to tenfold. Besides connecting the remaining 10%, CSI plans to expand and integrate other areas with tenfold:
Expansion of access review feature: Currently, only managers can conduct access reviews. In the future, all data controllers (e.g. application owners) shall be able to review access to their resources so that IT no longer needs to be involved in this process.
Reporting for Teams, OneDrive and other Microsoft services: With tenfold, there will be a clearer overview of and control over which (guest) users are in which teams and can therefore access shared content.
Granular roles for administrators: In the future, tenfold will enable administrator rights to be controlled even more granularly via profiles to meet compliance requirements. What used to be best practice—administrators have one regular user account and an additional admin account for administrative tasks—is now considered outdated. Instead, admin accounts should be divided into individual functions, e.g., one dedicated “Exchange Admin” account and a separate “Software Deployment Admin” account. This way, privileges are consistently linked to the specific function. To implement this granular role administration requires reworking the entire role concept as well as a clear representation of admin structure in Active Directory. This ensures that administrators only receive the rights necessary for their specific tasks, improving both security and compliance.
Migration of file servers to SharePoint & OneDrive: The goal is to replace traditional network drives and switch to hybrid cloud solutions to enable better integration with Microsoft 365.
Management of Entra ID guests: The possibility of using tenfold for managing external users is being explored.
Expansion of the self-service portal: Another plan for the long term is to open tenfold’s self-service up to other staff and areas.
Integration of further applications via APIs: As many applications as possible shall be connected directly to tenfold so that privileges can be granted and revoked automatically.
Conclusion
The introduction of tenfold at CSI has significantly improved efficiency and security with regard to access governance. Time-consuming manual processes that were highly prone to errors have been automated, reducing the workload both for IT and the individual departments. The seamless, audit-ready documentation of privileges enables CSI to better comply with regulatory demands. Looking ahead, CSI plans to expand tenfold’s functionalities, including more comprehensive access reviews, management of Entra ID guests and the use of the self-service portal. The migration of file servers to SharePoint and OneDrive and improved password management are also on the agenda. Through these optimizations, tenfold will continue to contribute to improving security, efficiency and compliance at CSI as a central IGA solution.
