
Project Information

Location: Vienna
Industry: Healthcare
No. of IT users: 260
License: tenfold Enterprise

About the Children’s Cancer Research Institute

Since its foundation in 1988, the renowned Viennese Children’s Cancer Research Institute St. Anna (CCRI) has established itself as one of the world’s leading institutions in the field. The dedicated research that has been carried out here for over 35 years has significantly contributed toward increasing the chances of curing childhood leukemia from only 20% in the 1960s to 85% today.

Customer Opinion

The Challenges of Protecting Private Information in the Healthcare Sector

While scientists work relentlessly to improve the quality of life for children suffering from cancer, another major battle is taking place in the background: the digital fight against hackers and other security threats. Sensitive data is among the most valuable and, at the same time, most vulnerable assets of our time. It is therefore essential that such information be treated with the greatest of care – especially at institutions like CCRI, which handles highly sensitive personal and medical records. To guard this information against attacks, healthcare institutions must implement particularly effective security measures. A security incident such as a data leak or ransomware attack caused by poor cybersecurity can have dire consequences for both patient care and research outcomes. Such consequences include:

  • Financial damages

  • Reputational damages

  • Compliance violations (healthcare organizations are subject to compliance policies like HIPAA in the US)

Identity Access Management as a Security Measure

Alongside traditional measures such as firewalls, antivirus software, data backups and employee training, a solid security strategy must also include an IAM solution. That is why in 2023, under the leadership of CCRI’s Head of IT Ingomar Schmickl, the IAM software tenfold was brought on board for managing users and access rights.

Different Environments Demand Different Approaches

Up until a few years ago, CCRI shared an IT department with its neighbor across the road, the Children’s Hospital. However, it had long been apparent that the requirements of a hospital differ greatly from those of a research institution, and so the decision was made in 2020 to split the two and create an independent IT department for CCRI.

“In my eyes, a hospital is like a cargo ship that has to transport its valuable goods safely and steadily across the ocean. It travels straight ahead on its route, avoiding any abrupt turns to reach its destination without interruption. Everything must function consistently and smoothly. By contrast, a research institute is much like a speedboat that moves fast and dynamically, able to change direction quickly as new discoveries are made and new paths must be explored.”

Ingomar Schmickl
Head of IT, CCRI


The Before: Intensive Manual Work

The above quote from IT manager Schmickl illustrates the difference between the (IT) operations of a hospital, which must function strictly, continuously and securely according to prescribed standards, and the operations of a research institute, which are characterized by a high degree of flexibility and innovative spirit. Traditionally, a high turnover of staff is common in the research sector, as participating in different projects promotes the professional development and reputation of researchers and opens up new perspectives.

However, the flip side of the coin is that the constant changeover of employees presents a great challenge to the IT department, which must find ways to onboard and offboard users efficiently and securely as they come and go. Before these processes were automated with tenfold, they were time-consuming and prone to errors:

For every new scientist who joined the team, the IT department had to manually set up user accounts for that person in Active Directory and other systems and assign them the appropriate access rights. Depending on the employee and the complexity of their requirements, this process could take several hours. And when the same scientist changed groups internally or left the institute altogether to venture into new waters, it was equally challenging to revoke those rights on time and deactivate the associated user accounts across all systems.


“The situation prior to tenfold was characterized by extensive manual processes and limited automation.”

Ingomar Schmickl
Head of IT, CCRI

Internal lateral moves, like changing from one research group to another, are particularly challenging in terms of access governance. Information must pass through various departments – from the research group manager to HR and from there to IT – before it can be entered in the system. Not only does the information need to travel quickly to ensure users have access to the resources they need in time, but IT workers also have to set transition periods for privileges so that scientists can move back and forth between departments between projects.

Doing all this by hand is tricky, time-consuming and likely to result in mistakes, as every connected system must be scanned manually for the affected person’s privileges and resources.

Furthermore, researchers often provide their own work tools and systems, which, like the employees themselves, must be integrated with the internal IT infrastructure, often at short notice and for a limited period of time. Password changes and other similar tasks are also part of the daily workload. In short: there’s a lot to be done.

Manual User Management Leads to Mistakes and Security Risks

On top of the heavy workload caused by the lack of process automation, manual access management leads to other problems: mistakes happen, naming conventions are inconsistent or disregarded, users receive permissions they are not entitled to, and so on. It is also not uncommon for users to retain privileges they no longer need for a prolonged time or even permanently, for example after they change departments and the IT department forgets to revoke their old privileges – this phenomenon is known as privilege creep. In general, keeping track of users and permissions is a huge challenge when done manually.

Unnecessary Expenses for Extra Licenses

Another problem CCRI faced was in the distribution of licenses for different programs and systems, which is a common issue many companies struggle with: assume you are an administrator and an employee leaves the institution. Because you’re doing everything manually via Excel lists and ticket systems, you forget to withdraw the M365 license of that person’s associated user account. In theory, the license should be available for the next user who joins the team, but because there’s so much fluctuation and you’re struggling to stay on top of your lists, the license does not show up as available in the license pool and you therefore buy a new one for the user. It’s an unnecessary waste of money that could easily be saved if you had a better overview of the access landscape.

Reference Users: The Glaring Security Risk

Another challenge in this context is the use of reference users for creating new accounts. Reference users are existing user accounts that serve as a template for new user accounts. The existing account’s permissions are simply duplicated onto the new user account, for example if the new employee holds a similar position to that of the reference user or works in the same department. It’s tempting because it appears to be a viable and easy shortcut, but the problem is that the new employee might receive access to networks and information they should not have access to at all – including every extra privilege the reference user has accumulated over time. It’s also a violation of the principle of least privilege, which is a key security best practice. You should avoid reference users at all costs to prevent users from becoming overprivileged insider threats.

IAM Recognized as an Important Security Measure, but Viewed as “Too Complex”

An identity access management solution is the right remedy for both overprivileged users and overspending on licenses, because it makes sure licenses are revoked automatically when a user account is deactivated.

While Ingomar Schmickl, Head of IT at CCRI, had IAM on his radar, he, like many of his peers, had it filed under “complex, expensive, time-consuming”. Not an option for an institution like the Cancer Research Institute, which relies 100% on donations. Plus, Schmickl’s IT department was busy enough tackling the various tasks they faced every day. How were they supposed to pile the integration of a highly complex IAM system on top of their enormous workload? It was impossible.

Or was it?

As luck would have it, tenfold’s integration partner Artaker Computer Systems also worked closely with CCRI. As the topic of IAM came up in conversation, Schmickl realized that identity access management is not just about improving cybersecurity, but that it also helps to alleviate the workload in an IT environment.

“It became clear that Identity Access Management is not only associated with cybersecurity, but also significantly lightens our daily workload.”

Ingomar Schmickl
Head of IT, CCRI

As soon as he realized that there are solutions on the market that are better suited to the needs of small and medium-sized businesses and that offer more favorable conditions for institutions such as CCRI, which depend entirely on donations, the IAM ball got rolling.

The Search for the Right Solution: Data Governance, Enterprise or Something in Between?

In the course of evaluating potential IAM solutions, Schmickl compared tenfold to a data governance solution as well as a larger enterprise solution. However, he quickly came to the conclusion that neither of the latter options offered what was needed – the data governance solution was primarily geared towards logging changes in Active Directory, while the enterprise solution proved to be – as expected – too complex and costly in comparison to the benefits it might reap.

tenfold, however, offered the ideal combination of the two options. It is able to automate processes like user onboarding and offboarding while logging AD rights and change histories at the same time. It also scored points for its built-in self-service tool, which allows users to request permissions directly from the designated data owners. They in turn can respond to such requests with a simple click of a button that either confirms or rejects the request, and tenfold takes care of the technical procedures in the background. Not only does this reduce the strain on IT staff, who no longer have to act as a nexus between users and data owners, but it also saves a tremendous amount of time for everyone involved.


How Does CCRI Use tenfold?

User Offboarding

The first step was therefore to optimize the challenging user-offboarding process. In a four-hour session with assistance from Artaker and tenfold, Schmickl and his team were able to implement a process that assigns leavers an expiration date that is automatically tied to a 14-day transition period. As soon as the expiration date is reached, tenfold automatically deactivates the user. And once the transition period has expired, all licenses, including those for Microsoft 365 and file shares, are revoked and the user is removed from all distribution and address lists automatically and without any manual intervention.

This setup has so far saved the IT department a great deal of time and has also put an end to unnecessary license purchases.



User Onboarding with Role-Based Access Control

The second natural step was to implement a process for user onboarding via tenfold. To do this, CCRI’s IT had to first define resources in tenfold (such as PCs, file servers, mailboxes, etc.) that can be assigned to new users automatically when they are added to the system. In doing this, Schmickl and his team realized for the first time the amount of resources they had been juggling manually in the previous years, without the help of an IAM system: 14 research groups and their associated programs, tools and systems, each of which has its own folder structure on the file server; 10 different departments from IT to HR to Legal to Finance, which in turn each have their own systems and require different sets of privileges and resources.

“A key insight we gained through tenfold was that we understood for the first time how many resources we actually have and how complex our infrastructure is, despite our relatively small number of employees. We were completely blind to the scale of it before.”

Ingomar Schmickl
Head of IT, CCRI

Once the resources have been defined in tenfold, they can be bundled into what is referred to as “Profiles” (see also: What Is Role-Based Access Control?). Each Profile has a unique name and can contain any combination of resources and privileges. When a new user is added to the system, tenfold assigns them the appropriate profile automatically based on their job title or department. This way, new employees can get cracking on the job the second they walk in the door and don’t have to wait for days or weeks to get the access rights they need. At the same time, they are only given exactly the rights they need for the job, no more and no less.
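To make the three mechanisms discussed in this case study concrete, the following added example (written for this page, not tenfold's own code or API) models them in plain Python: profile-based onboarding versus cloning a reference user, the excess privileges an access review would flag, and the leaver lifecycle with an expiration date followed by a 14-day transition period. The departments, resource names and dates are constructed sample values, not CCRI's.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set

# Constructed sample data: hypothetical departments and resources, not CCRI's.
TRANSITION_DAYS = 14  # transition period between deactivation and revocation

# A Profile bundles the resources every member of a department needs (RBAC).
PROFILES = {
    "Research Group A": {"AD:grp-research-a", "Share:research-a", "M365:E3", "Mailbox"},
    "Finance": {"AD:grp-finance", "Share:finance", "M365:E3", "Mailbox", "App:Accounting"},
}

@dataclass
class User:
    name: str
    department: str
    permissions: Set[str] = field(default_factory=set)
    expiration: Optional[date] = None  # set once the user is marked as a leaver
    active: bool = True

def onboard_by_profile(name: str, department: str) -> User:
    """Assign exactly the department's profile: no more, no less."""
    return User(name, department, set(PROFILES[department]))

def onboard_by_reference(name: str, department: str, reference: User) -> User:
    """Clone a reference user's permissions (the anti-pattern the text warns against)."""
    return User(name, department, set(reference.permissions))

def excess_privileges(user: User) -> Set[str]:
    """Permissions beyond the user's own profile: what an access review should flag."""
    return user.permissions - PROFILES[user.department]

def mark_leaver(user: User, last_day: date) -> None:
    """Give the leaver an expiration date; the transition period follows from it."""
    user.expiration = last_day

def offboarding_stage(user: User, today: date) -> str:
    """active -> deactivated (on the expiration date) -> revoked (after the transition period)."""
    if user.expiration is None or today < user.expiration:
        return "active"
    if today < user.expiration + timedelta(days=TRANSITION_DAYS):
        return "deactivated"  # login disabled; licenses and shares still held
    return "revoked"          # licenses, shares and list memberships removed

def apply_offboarding(user: User, today: date) -> str:
    """Enforce the stage that applies on the given date and return it."""
    stage = offboarding_stage(user, today)
    user.active = stage == "active"
    if stage == "revoked":
        user.permissions.clear()
    return stage
```

Running `excess_privileges` on a user cloned from a Finance reference user into a research group returns the Finance resources the new hire should never have received, while a profile-based user returns an empty set.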

Future Plans with tenfold

Self-Service Feature

As a next step, the plan is to implement the tenfold self-service portal mentioned above, which users can use to independently request resources and access from designated data owners. The advantage of this is that requests and decisions no longer have to go via the IT department – which can lead to further delays and errors – but can be made directly.

tenfold screenshot showing the self-service interface for an end user.
tenfold’s self-service platform allows end users to reset their own passwords or request new permissions without the need for tickets or emails.
Integration with Sage HR Software

To further alleviate pressure on the IT department, the plan is to integrate more systems with tenfold, such as Sage’s HR software.

Currently, CCRI’s HR staff have to enter new users into Sage’s HR software and then pass all relevant information to the IT department via email, which then sets up the necessary user accounts and privileges for the new employee across multiple systems, based on the information received from HR. Not only is such an intricate process involving many people across departments prone to errors (HR forgets to pass on information, typos when entering data, etc.), it also takes a long time.

Solution in tenfold: As soon as the HR software and tenfold are connected, the entire arduous form of communication between the two departments will be short-circuited, as tenfold is able to directly retrieve the information it needs from HR to set up user accounts and assign privileges across systems. This ensures that users do not get access to information and resources they shouldn’t have, while reducing the workload for IT and HR at the same time.

Reporting

There are also plans to integrate tenfold’s Reporting feature, which reveals at a click not only which resources a user has access to, but also since when, for how long and who is responsible for assigning access. Not only does this help companies to keep a better overview of their access landscape, it also helps them to excel at both internal and external audits.

“Before, if a manager needed information about an employee’s access rights, they had to manually search through all nested AD groups and M365 services, shared mailboxes, distribution lists and teams. It was impossible to get a simple, immediate and comprehensive overview of privileges.”

Ingomar Schmickl
Head of IT, CCRI

User Access Reviews

Another item on the list is the implementation of tenfold’s access review feature, which regularly prompts data owners (research group leaders, for example, in the case of CCRI) to review the existing additional permissions of researchers on their team and to remove privileges that are no longer needed. The access review feature only applies to extra privileges. Default privileges that users receive via profiles, for example, do not need to be reviewed. Access reviews help to reduce the risk of privilege creep and to keep insider threats contained, while also ensuring that the principle of least privilege is adhered to.

“Access reviews would instantly level up our cybersecurity.”

Ingomar Schmickl
Head of IT, CCRI

Conclusion

Ingomar Schmickl is pleased to be working with tenfold. Ever since going live, the IT workload has been significantly reduced and the rate of errors has dropped, while efficiency and security have gone up. Most evident is the time saved during the offboarding of employees.

And future plans like the integration with Sage’s HR software and the implementation of tenfold’s self-service and reporting features promise further improvements of processes and even better security. The decision to introduce tenfold represents a significant step forward for CCRI in continuing its important work in the fight against cancer in children.
