|
Feature
After the merger
Identity management solutions can help a company handle the
complexity of combining disparate IT systems after a merger or acquisition,
says Sushma Naik.
Industrial sectors across the board—Finance, Telecom, Foods, FMCG, IT
and Pharma—have had their share of mergers and acquisitions in the first
half of 2005. When the merger or acquisition ends, it marks the beginning of
a CIO’s job to integrate the IT systems of the two entities involved. Take
the merger of the large government-owned financial institution, Industrial Development
Bank of India (IDBI) with its subsidiary IDBI Bank in a deal worth Rs 7.6 billion
($174.6 million). This deal was part of IDBI’s strategy of converting itself
into a universal banking institution. Following the merger, the combined entity
is known as IDBI, undertakes activities ranging from project finance to retail
banking, and shortly expects to enter the insurance market as well.
Sanjay Sharma, IT head, IDBI Bank says, “Our IT budget is going to increase
from Rs 40 to 200 crore, especially the security spend. We will now have the
capital, but need to use it in an optimal way to serve our purposes.”
The task of integrating different IT systems can be eased by using identity
management (IM) solutions. Databases and drives have their own access-control
features. IM or Single Sign On (SSO) tools can be used to provide a single point
of access to applications. IM tasks are typically under the purview of several
departments. Because an SSO solution enables access to many applications across
the network, it reduces the time spent on managing user access and answering
queries put to the technical help desk.
Remarks Zoeb Adenwala, CIO of Pidilite, “IM and other IT tools will have
to meet the goals of the management. Compatibility in systems is not matched
before such deals, and hence it is all the more important to keep this aspect
in mind before deploying IM tools.”
The IT department of Pidilite has handled an acquisition before. It had acquired
the Roffe brand (construction chemicals business) for a consideration of Rs
14 crore in July 2004. This acquisition was simple from the IT point of view
as the brand did not have any central data repository system. That said, any
future acquisition will require putting an IM system in place.
| Factors influencing the adoption of IM |
- The size of the company being acquired
- The policy of sharing applications and network
- The inter-operability between the IM suite of different vendors
- The infrastructure readiness of the company acquired
- The change in the roles of employees
|
Choosing the right IM
Is there a rule of thumb or a list of things that need to be kept in mind before
deploying an IM solution? Adenwala is uncertain about the inter-operability
of the solutions. “The aspect that will be challengin g is role-based access
control. The roles of individuals will change with the M&A activity. Employees
will most likely be transferred to different roles. The hierarchy and structure
might change, and there is an expected amount of shuffling in departments,”
he adds. What about the choices available in the market? Says Anil Kumar Kaushik,
Deputy GM, IS Application, BPCL, “The choice is always limited to the top
two or three IM suites.”
Organisations can look at providing role-based access control as an approach
to restrict system access to unauthorised users. It is a newer and alternative
approach to providing discretionary and mandatory access control.
Within an organisation, roles are created for various job functions. System
users are assigned particular roles, and through that they acquire the permissions
to perform particular system functions.
Since users are not given permissions directly but only acquire them through
their roles, management of individual user rights becomes a matter of assigning
the appropriate roles to the user. This simplifies common operations such as
adding a user or changing a user’s department.
With dozens of applications, users often deal with more accounts, passwords
and personal identity attributes than a busy professional can be expected to
keep track of. Passwords are often forgotten and personal information or attributes
change. This results in users calling up the help desk for assistance. Automating
this process helps deal with ghost or rogue accounts. (An example of a ghost
account could be a user account that is still present on the network even after
the employee has left the organisation.)
Integration challenges
|
The degree of synergy between systems is directly proportional
to the management issues resolved
|
The challenges involve the kind of applications the two companies have and
the degree of similarity or differences between them. If companies need to share
the same network or applications, or if the merger requires that there should
exist a single network, then certain issues need to be fixed. For example, the
nomenclature; the style may vary from separating the names with a dot, or only
using the first names.
Then the decision has to be made whether two types of identities can be retained,
and if not, which one needs to stay. IM consists of network architecture, policies,
data architecture and the degree of inter-operability between applications and
systems.
“The degree of synergy between systems is directly proportional
to the management issues resolved,” says Unni Krishnan T M, CTO, Shoppers’
Stop. When the company acquired Crossword, the bookstore chain, “the takeover
was gradual and Crossword slowly adopted Shoppers’ Stop’s systems
such as messaging,” says Unni Krishnan.
|
|
|
|
The aspect that will be challenging is role-based
access control. The roles of individuals will change with the
M&A activity.
Zoeb Adenwala
CIO, Pidilite
|
Our IT budget is going to increase from Rs 40 crore
to Rs 200 crore. We will now have the capital, but need to use it in an
optimal way
Sanjay Sharma
IT head, IDBI Bank
|
For a large company that deals with thousands of employees,
suppliers and customers, provisioning enables fast and easy activation or deactivation
of privileges. Companies therefore need to make a strategic decision regarding
the IM suite that they propose to use.
For instance, features such as user self-service management allow users to enroll
and manage their profiles independently, and automatically assign data and network
entitlements based on the information that users submit at the time of enrollment.
So is there a ‘correct’ approach to deploying an IM solution? There
are a few aspects that need to be kept in mind. “Firstly, role-based access
control, which is a popular approach, doesn’t deal with the process even
though it may be based on one,” observes Sharma.
The challenge is that HR, IT and Finance all want to look at the available information
in a different way. Adenwala has a word of advice for them: “Another approach
can be devised that is something akin to a service-oriented approach. There
can be one service to talk to employees, another to address customers, but all
going through the same hierarchy.”
Then there is the security aspect which makes deployment that much more sensitive
since the data between the two companies is being shared. Says Sharma, “The
volume of sensitive and high-value information, accessed by the growing population
of users, continues to rise. And where there is value there are people who will
try to obtain it.”
For now, there is no standard policy that companies follow. The course of action
varies depending on the size of companies, the nature of the acquisition or
merger, and the degree of sharing IT applications.
sushma@expresscomputeronline.com
|
