Company
Star-shl, a leading Dutch medical services provider, employs 1,300 people in different locations. Star-shl employees support and advise professionals such as general practitioners, midwives, and hospitals and healthcare institutions in the South-West area of the Netherlands. The company specializes in laboratory testing of blood, urine, and stool samples as well as imaging and function tests such as X-rays or ultrasounds. Star-shl uses digital technology to facilitate data flow and a logistics network between diagnostics centers, laboratories, and research facilities throughout their work area. As the company is working with sensitive patient data, they are under close scrutiny and frequently audited.
Starting point
Ambition to build a portal
IT specialists at Star-shl had been automating queries and other tasks within Active Directory with PowerShell for some time. Identity and access management was time-consuming, including a lot of manual tasks and Excel sheets. They wanted to further pursue automation with PowerShell. However, they saw the need for a more user-friendly option than using the PowerShell command line. Yet having their own GUI build from scratch proved to be excessively time-consuming and did not lead to the desired result.
Getting started within a week
As a custom build portal did not bring the expected results in the set timeframe, Star-shl decided there was nothing to lose trying an off-the-shelf solution. But would ScriptRunner be up and running as fast as promised? Would it meet the industry-specific security requirements? Could the software faciliate identity and access management, and ease handling information of employees, their contracts, their different levels of access, and the like?
Challenge & Solution
Active Directory – initial use cases
The core of Star-shl's identity and access management is the authorization profile. Any change to existing users or creation of a new account meant that HR had to email or call a helpdesk employee to provide user information, Excel sheets had to be cross checked, accounts had to be mapped and created manually. Overall, there was a lot of potential for automation to save time and improve data quality and consistency. The initial use cases for ScriptRunner were all related to Active Directory. Actions were built to automate checking the system for existing IDs, to create accounts, or to provide membership in a security group. Processes like onboarding new colleagues, archiving inactive mailboxes, managing access rights during employment, or disabling accounts during offboarding were all simplified. Once an action is set up, it can be triggered manually, automatically (on a schedule), or by another system – at Star-shl, that system is Jira Service Desk, Atlassian’s help desk software.
Mastering frequent password changes
Due to increased security requirements, Star-shl employees must change their passwords at a certain frequency. The IT specialists have developed actions within ScriptRunner which make password changes possible without granting access to Active Directory. One option is a web portal that allows employees to reset their password, which is secured by confirmation via the employee's mobile phone. The other option involves a help desk colleague. The help desk employees have been working with Atlassian Jira for quite some time. Now, Jira is connected via a REST API and can trigger actions in ScriptRunner. When a particular checkbox is marked, Jira triggers the "Change password" action, and the specific change to Active Directory is executed without requiring administrative rights on the system. Limiting the number of people with administrative rights in Active Directory is important as this increases data security and helps to minimize potential security issues. When dealing with data – especially in healthcare – data protection is key. With ScriptRunner, a help desk or end user may trigger actions without having access to systems, and the credentials required to perform the actions are stored securely.
Meeting NEN 7510 standard requirements
The healthcare sector is closely monitored. NEN, the Royal Netherlands Standardization Institute, specifies the requirements for information security in the NEN 7510 standard (comparable to ISO 27001), and annual audits are mandatory. After using ScriptRunner for some time, the IT specialists realized that the software enables Star-shl to always be compliant and auditable. Axel Haringa, Senior IT Specialist, proudly points out: "Changes to the system are traceable. The auditors are really satisfied with our system." Granting access to actions instead of complete systems has made his life easier. Security issues caused by insufficient documentation, lack of knowledge, or the little mishaps when working with complex systems are now a thing of the past.
Automating the identity and access management was a success
Axel Haringa speaks openly: "It took time, and it was quite a process to automate our identity and access management. But we now securely manage 1,300 employees – from onboarding to offboarding and anything in between." The entire lifecycle of employees was analyzed, and actions were added step by step. The beauty of it: Whenever someone sees potential for automation, new scripts can be added; the software is flexible and does not dictate specific processes. Furthermore, it was important for Star-shl to keep all data on premises. They have full control over their ScriptRunner server just as they run, for example, Active Directory or Exchange on their own servers. When an action is triggered in ScriptRunner, a separate PowerShell process is started. The script, all parameters, and other required information are passed to this process. In Local Mode, the complete script processing is done locally.
