90 Percent of Rights are Assigned Automatically

How Berenberg Modernized Authorization Management with a State-of-the-art IGA Solution

At a glance

Industry: Finance

Region: Global

Customer: Berenberg

About the customer

Berenberg was founded in 1590 and is one of today’s leading European private banks with its business divisions Wealth and Asset Management, Investment Bank and Corporate Banking. Managed by personally liable partners, the Hamburg-based bank has a strong presence in the financial centres of Frankfurt, London, and New York.

Challenge

Support in planning and implementing a company-wide Identity Governance & Administration (IGA) platform to streamline access management and automate it as extensively as possible.

Products & Services

SailPoint IdentityIQ

Results

  • Company-wide IGA platform with a high degree of automation
  • Customized or tailored connectors for integrating 420 applications
  • Implementation of a role-based model for more efficient onboarding processes
  • Integration of the Active Directory and Microsoft Entra environment into the IGA platform
  • Support for change management within the organization
  • Assistance with recertification campaigns and auditing processes

iC Consult made a substantial contribution to the success of the IGA project – both operationally, where we benefited greatly from their product and development expertise, and strategically, as a valuable source of inspiration and sparring partner to collaboratively develop new ideas.

Matthias Bork
Head of Identity & Access Governance
Berenberg

Founded in 1590, Berenberg is one of the world’s oldest private banks, combining centuries of tradition with a deep understanding of financial markets to offer clients always personalized and comprehensive wealth management. Behind its historic facade, state-of-the-art IT technology is now employed to ensure maximum efficiency and productivity in the interest of its clients, alongside strict security standards for handling sensitive customer data. A key element of the bank’s security concept is Identity Governance and Administration (IGA)—an area where Berenberg, with the support of iC Consult, has recently migrated to a new, largely automated platform.

Background

By the late 2010s, the digitalization of the financial sector was gaining momentum, leading to a rapid increase in IT applications – and, consequently, access permissions – across the entire industry. Matthias Bork, Head of Identity & Access Governance at Berenberg, recalls: “When we started addressing the digitalization and automation of the bank-wide Identity Governance Framework in 2019, we were already using around 200 dedicated IT applications and managing approximately 4,000 individual permissions for our employees. For this, we relied on a proprietary rights management solution, which primarily served as a front-end for employees to request new access permissions. However, the actual processing had to be done manually by the IT team, which often posed challenges and consumed significant time and resources. Moreover, we realized that the situation would only worsen with the continuously growing number of services and increasing regulatory requirements. As a result, finding a dedicated Identity & Access Management solution became a top priority.”

Challenge – Thorough Evaluation of Leading IGA Platforms

To ensure the chosen platform would provide the desired relief and meet current and future requirements, the team launched a detailed proof-of-concept, thoroughly testing all market-leading IGA solutions. Matthias Bork, Head of Identity & Access Governance, developed a comprehensive requirements matrix with weighted key criteria – ranging from support for customizable workflows and compliance and certification features to the integration of role models.

These criteria were then matched against the technical capabilities and user-friendliness of the most promising candidates. After the evaluation process, the decision was made to implement SailPoint IdentityIQ (SailPoint IIQ), the on-premises version of SailPoint’s IGA solution.

Matthias Bork recalls: “SailPoint met all our functional requirements and impressed us with its robust technical foundation and user-friendly design. Additionally, the solution integrated well into our existing architecture and provided all the necessary interfaces to transfer the extensive data set from our proprietary rights management system. This was a decisive factor for us, given the migration effort involved. However, we recognized that such a project would place a significant additional burden on our internal team, so we decided to bring in external support. Following another proof-of-concept, we selected iC Consult as our integration partner.”

Solution – Process Development as a Foundation for Migration

To ensure a successful go-live, the project team dedicated the initial months entirely to process definition—developing sustainable workflows for access management. The goal was to cover all phases of the identity lifecycle, from assigning access rights during the onboarding of new employees to handling changes due to transfers or departmental shifts, and finally, the immediate revocation of rights during offboarding. In parallel, iC Consult focused on preparing suitable connectors to integrate the application landscape and migrate the data. While some applications already had appropriate connectors available, others required customization or even the development of entirely new connectors.

Once the processes and interfaces were implemented, the team began phasing out the proprietary rights management system and transferring permissions to the new SailPoint solution. As anticipated at the start of the project, the number of applications and individual permissions had already increased significantly by this stage. The team now had to systematically migrate approximately 400 applications with 12,000 individual permissions to SailPoint IdentityIQ, with the majority of these permissions linked to the newly integrated Active Directory environment.

Involvement of Internal Stakeholders

Bernhard Strassberger, Identity & Access Governance Manager at Berenberg, explains: “The atmosphere before the go-live was naturally tense. After all, the SailPoint application and its automated connectors, which had been developed up to that point, had a significant impact on the smooth execution of internal processes and, in the worst-case scenario, could have led to prolonged IT downtime. Additionally, it is technically impossible to replicate an AD environment one-to-one for testing purposes, leaving a degree of uncertainty. Beyond the technical challenges, we also faced the task of engaging all stakeholders and employees in the project and convincing them of the potential we saw in the solution. If the launch had been bumpy, we likely would have faced considerable internal resistance. However, the SailPoint solution performed extremely reliably from day one of the launch and has continued to operate nearly flawlessly in the years since.”

90 Percent of Access Assignments Automated

Equally significant: Of the approximately 420 applications Berenberg launched, more than a third of the IGA processes were already fully automated. In the months following the launch, automation was continuously advanced through a series of sprint cycles, culminating in the integration of Microsoft Entra in spring 2024. As of autumn 2024, 90 percent of access processes are now handled automatically, without the need for manual intervention. This marks the natural upper limit, as the remaining 10 percent involve workflows with a physical component – typically, the issuance of a key card – which are inherently challenging to automate.

The introduction of SailPoint IdentityIQ also brought another important topic into focus for the Berenberg team: role concepts. André Höhler, Project Manager at iC Consult, explains: “When onboarding a new Berenberg employee, a large portion of the required access rights was previously determined individually and then requested, approved, and granted as separate access requests. However, as the application landscape grows, this process becomes increasingly complex and time-consuming. Role models can significantly streamline this process and even lay the groundwork for policy-based process control. Additionally, innovative role-mining models can contribute greatly to transparency in the highly regulated financial sector. This means Berenberg can unlock even more potential in the future through a targeted role concept.”

Outlook – After the Project is Before the Project

While the Berenberg team is pleased with the progress and outcomes of the project, they are not resting on their laurels. Matthias Bork and his team already have several follow-up initiatives in sight. In 2025, they plan to integrate the existing ServiceNow ticketing system with the SailPoint environment. This will enable the generation of tickets and the transfer of status updates across both systems, further enhancing automation. Another focus area for the coming year will be the consistent development of the already established Privileged Access Management (PAM). This is driven by two factors: privileged accounts are increasingly under the scrutiny of banking regulators, and the PAM domain offers significant opportunities for automation and efficiency gains.

For Matthias Bork, the continued involvement of iC Consult in these follow-up projects is a given: “iC Consult made a substantial contribution to the success of the IGA project – both operationally, where we benefited greatly from their product and development expertise, and strategically, as a valuable source of inspiration and sparring partner to collaboratively develop new ideas.”