Think. Transform. Integrated Identity Management and its Impact on Governance, Audit, and Security
October 2012
A forward look at the evolution of identity & access management and governance
Copyright © 2012 Deloitte Development LLC. All rights reserved. 2
Abstract
As audit, compliance, and regulatory requirements continue to drive organizational directives,
organizations are looking for ways to increase the effectiveness of their business through a combination
of security compliance initiatives and technology. In this session, Deloitte & Touche LLP discusses the
evolution of Identity & Access Management (IAM). The focus of this session is to highlight the
intersection of IAM and governance, and how IAM enables organizations to incorporate the
management of risk and cost, while at the same time improving service and aligning IT investments to
business requirements, all with the end-goal of improving security compliance and the management of
the identity within the organization.
Biography
John Lu, Senior Manager, Deloitte & Touche LLP
John is a Life Sciences Senior Manager in Deloitte & Touche LLP’s Enterprise Risk Services practice,
specializing in the area of Security & Privacy Services. He has over twelve years of experience in
information technology, information security, data privacy, and risk management, with a focus on Identity
& Access Management. John’s experience encompasses a broad spectrum of engagement types,
ranging from project management, policy development, current state assessment, strategy and
roadmap development, requirements analysis and definition, vendor evaluation and selection,
architecture and design, installation and configuration, testing, and knowledge transfer. In addition to his
technical skills, John possesses strong technical writing, leadership, project management, and
interpersonal skills.
Today’s agenda
Marketplace challenges
Evolution of IAM
Summary
Polling question
Which industry below best describes your organization’s primary focus?
• Financial Services
• Consumer Products
• Healthcare & Life Sciences
• Technology, Media & Telecommunications
• Oil & Energy
• Other
Organizations continue to face a myriad of challenges
Business Facilitation
• Mergers and acquisitions impact organizational technology strategies
• Technology and regulatory challenges due to globalization initiatives
Operational Efficiency
• There is a need to manage user accounts and passwords centrally to reduce operational overheads
• Organizations have issues with respect to provisioning access to users in a timely fashion to increase productivity
Cost Containment
• Cost cutting measures cause difficulty in maintaining current performance levels and SLAs
• Increased management skepticism associated with IT spending
Risk Management
• No single view exists of the organization’s control, security, and privacy requirements and operating framework
• Challenges in responding to and addressing audit and regulatory issues
Compliance
• Changes in existing regulations and an increase in new regulations are creating compliance challenges
• Cross-boundary regulatory needs are causing organizations to rethink compliance strategies
Including the struggle to manage access rights, both within, and across, applications
[Diagram: Directors, Business Analysts and Technical Analysts obtain access to Application 1, Platform A, Application 2, System X and Application 3 through separate Manual Request Processes]
Resulting in issues that are prevalent across various industries
“On average, workers receive 35% more access rights than needed” – Insider Threat
• Global Financial Services Organization – System administrator sabotages corporate network, then makes financial bets that the company's stock would tank as a result
• Healthcare Provider – Employee accused of selling 2,000 patients' data & accessing nearly 50,000 records illegitimately
• Chemical Manufacturer – Employee gains access to R&D documents unrelated to job – compromises multiple millions in trade secrets
• National Grocery Chain – Regional manager steals millions of dollars by manipulating the accounting system with dummy accounts
• Global Financial Services Organization – Former contractor steals Social Security numbers and other personal information from regional customers
• Government Agency – Disgruntled contractor sabotages several government agency servers
Insider threat categories: Sabotage; Espionage; Abuse of privileges; Theft of proprietary data; Data altering / deletion; Financial fraud
Contributing trends: Hacking as a business; Proliferation of data via mobile platforms; Abuse of privileges; Theft of proprietary data; Changing regulatory environment
These issues have resulted in a steadily increasing risk gap
Information security risks increase as the organization and technology evolve. Necessary changes will help close the current gap, as well as position Merck to respond to future risks in a practical, cost-effective way.
[Chart: Risk over Time – risks rise faster than typical organization capabilities, leaving a widening risk gap]
Trends in the market
• Proliferation of data through the use of mobile devices
• Excessive access rights and management of privileged accounts
• Externalization and sharing of data with individuals, organizations, etc.
• Move to cloud-based solutions (salesforce.com; Workday)
• Advanced persistent threats and other advanced cyber attacks (hacking as a business; cyber espionage)
• Attacks via social networks
• Shortened product development lifecycles and rush to market
• Difficult global economic environment
As a result, organizations have shifted towards enabling technology to meet these challenges
Business Drivers
‒ Regulatory compliance
‒ Customer demands and new product sets
‒ Ever-changing business requirements
‒ Mergers, acquisitions, divestitures
‒ Globalization
‒ Intellectual property
Technology Drivers
‒ Number of internal and external users
‒ Distributed enterprise
‒ IT investment ROI
‒ Disparate applications and devices
‒ Rapid expansion
‒ Outsourced IT
Modern Enterprise: Contain Costs, Manage Risk, Improve Service, Align IT Investments
Polling question
How many digital identities do you have? (*Hint: Think about business identities
AND personal identities)
• 0
• 1 - 3
• 4 - 7
• 8 - 10
• More than 10
• Don’t know / Not applicable
What is an identity?
User Identity:
• First Name, Last Name, Unique Identifier, Date of Birth
Account Credentials:
• Login ID and password
• SecurID card, other strong authentication factors
Common Profiles:
• Job Functional Roles
• Business Unit
• Office Location
• Manager/Supervisor
Application Profiles:
• Permission levels
• Access control items
[Illustration: a Windows SharePoint Services (version 3) permission matrix mapping item permissions (Update Personal Web Parts, Add/Remove Personal Web Parts, Manage Personal Views, Delete Versions, Approve Items, Cancel Checkout, View Versions, View Items, Open Items, Delete Items) to the permission levels Limited Access, Read, Contribute, Design and Full Control, with a column marking which permissions are new in version 3]
User’s Digital ID
An “identity” is both a real world concept and a digital artifact.
• Internal employees
• Third-parties/vendors
• External resource collaboration
Identity & access management utilizes a combination of process and technology to protect those identities
[Diagram: Identities → Role → Functions / Privileges → Systems]
• Roles: Supervisor; Manager; Administrator
• Functions / Privileges: Application access; System resources; Database tables; Approve invoices; Monitor transactions; Base access
• Systems: ERP; Directories; Mainframes; Portals
Streamlining the administration of users and their corresponding access rights
[Diagram: Contractors, Business Partners and Customers are assigned a Supervisor Role, Business Analyst Role or Technical Analyst Role in an Integrated IAM Solution, which in turn grants access to Application 1, Platform A, Application 2, System X and Application 3]
Providing a standards-based framework for managing digital identities throughout the identity lifecycle
Request System Access (relationship begins)
• Identity is created as the first step of on-boarding employees, contractors or business partners
• Identity is created in Authoritative Sources such as PeopleSoft HR
Provision Access
• User accounts are set up for each of the resources the user will access
• Initial access permissions and rules are set up on each resource
• Self-Service Registration
Maintain & Control Access
• User Life Cycle Management:
– Access Request
– Promotion/Transfer
– Status change
– Approvals
• Role Life Cycle Management
– Role Approval
– Role Assignment
• Access Management
– User Authentication
– User Authorization
• Audit
– User Access Review
– User Access Recertification
– Approver Actions
– Administrator Actions
Terminate Access (relationship ends)
• Removing user access permissions from all managed resources
• Scheduled User Termination
• Unscheduled User Termination
• Archive user identity
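The lifecycle above (authoritative source, provisioning, promotion/transfer, termination with removal from all managed resources, and an audit trail of every approver and administrator action) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the presentation or from any IAM product; the role names, the "Application 1" / "System X" style system labels, the entitlement strings and the HR feed records are all constructed for illustration.

```python
"""Identity lifecycle driven by an authoritative source (added example).

A minimal model of the request -> provision -> maintain -> terminate
lifecycle: an HR feed is the authoritative source, a role model decides
which entitlements each identity should hold on which target system, and
every grant, revoke and status change is written to a closed-loop audit
trail. Role names, system labels and HR records are constructed for
illustration; this is not Deloitte's or any product's code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Role model (constructed): role -> entitlements expressed as "system:permission".
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "Supervisor":        {"Application 1:approve_invoices", "System X:base_access"},
    "Business Analyst":  {"Application 1:read", "Application 2:read", "System X:base_access"},
    "Technical Analyst": {"Platform A:admin", "System X:base_access"},
}


@dataclass
class Identity:
    uid: str
    status: str                                         # "active" or "terminated"
    roles: Set[str] = field(default_factory=set)
    entitlements: Set[str] = field(default_factory=set)  # what is actually provisioned


class IdentityManager:
    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        self.audit: List[dict] = []                      # closed-loop audit trail

    def _log(self, actor: str, action: str, uid: str, detail: str = "") -> None:
        self.audit.append({"actor": actor, "action": action, "uid": uid, "detail": detail})

    def _reconcile(self, ident: Identity, actor: str) -> None:
        """Provision exactly what the identity's current roles justify, nothing more."""
        wanted: Set[str] = set()
        if ident.status == "active":
            for role in ident.roles:
                wanted |= ROLE_ENTITLEMENTS.get(role, set())
        for ent in sorted(wanted - ident.entitlements):
            ident.entitlements.add(ent)
            self._log(actor, "grant", ident.uid, ent)
        for ent in sorted(ident.entitlements - wanted):
            ident.entitlements.discard(ent)
            self._log(actor, "revoke", ident.uid, ent)

    def sync_from_hr(self, hr_feed: List[dict], actor: str = "hr-connector") -> None:
        """Apply one full feed from the authoritative source: joiners, movers, leavers."""
        seen: Set[str] = set()
        for rec in hr_feed:
            uid, roles = rec["uid"], set(rec["roles"])
            seen.add(uid)
            ident = self.identities.get(uid)
            if ident is None:                            # joiner: relationship begins
                ident = self.identities[uid] = Identity(uid, "active")
                self._log(actor, "create", uid, "joiner")
            elif ident.roles != roles:                   # mover: promotion / transfer
                self._log(actor, "role_change", uid, f"{sorted(ident.roles)} -> {sorted(roles)}")
            ident.status, ident.roles = "active", roles
            self._reconcile(ident, actor)
        # Anyone the authoritative source no longer lists is a leaver: relationship ends.
        for uid, ident in self.identities.items():
            if uid not in seen and ident.status == "active":
                ident.status, ident.roles = "terminated", set()
                self._log(actor, "terminate", uid, "leaver")
                self._reconcile(ident, actor)            # revokes from every managed resource


def demo() -> IdentityManager:
    """Two feeds: day 1 onboards u1 and u2; day 2 u1 is promoted and u2 has left."""
    mgr = IdentityManager()
    mgr.sync_from_hr([{"uid": "u1", "roles": ["Business Analyst"]},
                      {"uid": "u2", "roles": ["Technical Analyst"]}])
    mgr.sync_from_hr([{"uid": "u1", "roles": ["Supervisor"]}])
    return mgr


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The design point is that the feed is applied as a whole and entitlements are always recomputed from roles: a promotion revokes the old role's access as well as granting the new, and an identity missing from the feed is terminated everywhere rather than only where someone remembers to remove it. Real connectors would also need to handle a partial or failed feed (treating absence as termination is only safe for a complete feed) and to perform the revocations on the target systems, not just in the identity store.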
Polling question
Does your organization utilize an IAM solution?
• Um… what is IAM?
• No, and we do not plan to
• No, but we are going to implement one in the future
• Yes, but it is not effective
• Yes, and it is great!
IAM has been a key enabling technology for many years
Governance and Business Processes
• User and role lifecycle management
• IAM organization, roles & responsibilities
Information and Data Protection
• Risk management policies and controls
• Digital IDs, data flow, and reporting
Technology and Infrastructure
• Administration and audit tools
• Provisioning, access management, and repositories
[Figure: Business Value of Application Security over time, contrasting the traditional view of security with the current one]
Traditional view
• Security is contained within the geographical location of the organization
• Employees don’t change job as often and there is a job loyalty
• Scope is limited to the organization
• Security is localized – “Exposures are limited and controllable”
• Risk mitigation technique is used to reduce risk
• Network security is viewed as “the silver bullet”
• Security viewed as a cost – “Security is viewed as a risk mitigation cost”
Current view
• Attacks increase as channels of access to data increase
• Scope is broader than the organization; it reaches the globe including business partners, customers, employees, etc.
• Security breaches most commonly occur due to inappropriate user access
• Integrated IAM becomes the focal point for controlling the technologies that enable business
• People don’t do business with insecure organizations
• Security breaches are now top news stories
• Security is a business requirement – “People expect security”
Timeline
• Late 80s – Host based access control and OS and file system level security controls
• Early 90s – Distributed systems and access control and cryptography; Regulations (escrow, etc)
• Mid 90s – Internet as a channel; Security is perceived as a cost
• Late 90s – Network security is expected from organizations; Privacy legislations such as HIPAA standards for health records, and the Gramm-Leach-Bliley Act for FIs; Lack of security is a legal exposure
• Early 00s – Identity Solutions begin to gain market attention; Fines and security incidents around Identity and access management begin to gain media attention
• Now – Integrated IAM concept is born to encompass the protection of assets across the enterprise
Application Security
During that time IAM has been a core component to securing the enterprise
Integrated IAM has become a business requirement. Technology enables business to access applications and data in more ways than ever before.
Evolving to not only protect, but also enable the business
Identity Lifecycle Management (IdLM)
• Enables management and provisioning of user accounts
• Provides workflow based approval
• Enables management of user privileges
Enterprise Role Lifecycle Management (ERLM)
• Improves efficiency of privilege management
• Improves security and compliance
• Supports seamless integration with identity & access management solutions
SOA security
• Enables seamless single sign-on to the web services
• Provides centralized authentication and authorization decisions
Identity federation
• Supports single sign-on of traditional web application and web services technologies
• Provides improved alliances and cooperation between organizations
• Helps reduce cost and comply with regulations
Cloud computing
• Encompasses the integration between cloud computing and IAM
Integrated identity & access management
• Encompasses privacy and other data protection requirements
• Incorporates data leakage prevention/protection
• Integrates privacy requirements with IAM
Resulting in organizations relying on integrated IAM solutions to address business challenges
• Current manual, fragmented approaches are not sustainable
• Existing technology is not adequately used to support governance, risk, and compliance
• Executives lack a complete picture of risks and costs ─ a situation exacerbated by fragmented approaches to compliance, risk and performance management
• Leaders are looking to comprehensive, integrated IT solutions to improve the efficiency and effectiveness of compliance
• Leaders are expecting technology to reduce cost and improve effectiveness
[Diagram: an Integrated IAM Solution addresses various organizational challenges arising from Business Unit Requirements – Regulatory Compliance, Strategic Initiatives, Legal Requirements, ORM, Information Security and Internal Policies – each spanning People, Process, Governance and IT & Data]
Integrated IAM continues to evolve – Future trends for consideration
As business strategies and organizational directives continue to change, integrated IAM solutions will
evolve and expand to enable the business.
• Consolidated move towards IAM suites
• Externalization of identities/Identity-as-a-Service (e.g., Verizon, Google, Facebook, Apple, Microsoft)
• Adoption of cloud based solutions raises the importance of integrated IAM
• Mobile security/mobilization (e.g., bring your own device, iPads/iPhones, Android devices)
• Finer-grain entitlement management (i.e., taking into account location, type of resource, type of
access, amount of access, time of access, etc.)
• Expansion of consumer solutions for proofing and verification
Impact to Audit and Compliance
As integrated IAM continues to evolve and expand within the enterprise, the impact to audit and
compliance increases:
• Automated provisioning, modifications, and de-provisioning
• Trigger and/or risk-based reviews
• Closed loop provisioning with workflow to enable audit trails
• Access governance – Quickly and easily understand who has access to what
• Privileged account management
• Metrics, metrics, metrics…
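The audit-facing capabilities listed above (access governance, trigger-based reviews, de-provisioning checks, metrics) come down to reconciling what the target systems actually hold against the identity store and the role model. The following is an added example written for this page, not code from the presentation or from any IAM product; the role baseline, identity snapshot and account extract are constructed inputs, and the finding names are this example's own.

```python
"""Access review over target-system extracts (added example).

Reconciles what target systems actually hold against the identity store
and role model, producing the findings an access-governance review
surfaces: who has access to what, accounts with no owner in the identity
store, terminated identities that still hold access, entitlements beyond
the role baseline, identities whose role change should trigger a review,
and a metric for excess access. All inputs are constructed; this is not
Deloitte's or any product's code.
"""
from typing import Dict, List, Set

# Role baseline (constructed): what each role should hold, as "system:entitlement".
ROLE_BASELINE: Dict[str, Set[str]] = {
    "Supervisor":       {"erp:approve_invoices", "portal:base_access"},
    "Business Analyst": {"erp:read", "portal:base_access"},
}

# Identity store snapshot (constructed), as an IAM tool would hold it.
IDENTITIES: Dict[str, dict] = {
    "u1": {"status": "active",     "role": "Supervisor",       "previous_role": "Business Analyst"},
    "u2": {"status": "active",     "role": "Business Analyst", "previous_role": None},
    "u3": {"status": "terminated", "role": None,               "previous_role": "Supervisor"},
}

# Account extract pulled from the target systems (constructed): system,owner,entitlement
EXTRACT = """\
erp,u1,approve_invoices
erp,u1,read
erp,u2,read
erp,u3,approve_invoices
erp,svc_batch,read
portal,u1,base_access
portal,u2,base_access
portal,u2,admin
"""


def parse_extract(text: str) -> Dict[str, Set[str]]:
    """owner -> set of "system:entitlement" actually present on the target systems."""
    actual: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        system, owner, ent = (f.strip() for f in line.split(",", 2))
        actual.setdefault(owner, set()).add(f"{system}:{ent}")
    return actual


def review(identities: Dict[str, dict], actual: Dict[str, Set[str]]) -> dict:
    """Produce the review findings as plain structures a reviewer can act on."""
    # Accounts nobody in the identity store owns: candidates for removal or ownership.
    orphan_accounts = {o for o in actual if o not in identities}
    # De-provisioning gaps: relationship ended but access remains.
    terminated_with_access = {o: ents for o, ents in actual.items()
                              if o in identities and identities[o]["status"] == "terminated"}
    excess: Dict[str, Set[str]] = {}
    transfer_review: List[str] = []
    active_total = 0
    for uid, rec in identities.items():
        if rec["status"] != "active":
            continue
        held = actual.get(uid, set())
        active_total += len(held)
        extra = held - ROLE_BASELINE.get(rec["role"], set())
        if extra:
            excess[uid] = extra
        # Trigger-based review: a role change should make someone re-certify the access.
        if rec["previous_role"] and rec["previous_role"] != rec["role"]:
            transfer_review.append(uid)
    who_has_what: Dict[str, Set[str]] = {}
    for owner, ents in actual.items():
        for ent in ents:
            who_has_what.setdefault(ent, set()).add(owner)
    excess_total = sum(len(e) for e in excess.values())
    return {
        "orphan_accounts": orphan_accounts,
        "terminated_with_access": terminated_with_access,
        "excess": excess,
        "transfer_review": transfer_review,
        "who_has_what": who_has_what,
        # Metric: share of active identities' entitlements not justified by their role.
        "excess_share": round(excess_total / active_total, 2) if active_total else 0.0,
    }


def run_review() -> dict:
    return review(IDENTITIES, parse_extract(EXTRACT))


if __name__ == "__main__":
    for finding, value in run_review().items():
        print(f"{finding}: {value}")
```

On the constructed data the review shows u1 still holding the `erp:read` entitlement left over from the previous role (the promotion did not revoke it), u2 holding `portal:admin` outside the role baseline, the terminated u3 still able to approve invoices, and an unowned `svc_batch` account; `who_has_what` answers the "who has access to what" question for any single entitlement. In practice the extract is pulled from each system's own account store, so the check also catches access granted outside the IAM tool.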
Recommended Practices
Successful integrated IAM implementations depend on the ability to get the project moving, effectively completing foundational elements, and institutionalizing the solution throughout the enterprise.
Executive Sponsorship
• Integrated IAM projects cross organizational boundaries and require strong sponsorship to set direction and priorities
• A governance function with engaged stakeholders from management, business and Information Technology is challenging to establish, but vital for the long term
Business Focus
• Achieve clarity on the business challenges being addressed by the Integrated IAM solution
• Identify business drivers – Compliance, Risk Management, Cost Control, Business Facilitation – based upon enterprise needs and determine priority with stakeholders
Change Leadership
• Obtaining organizational buy-in for moving to enterprise Integrated IAM is an exercise in diplomacy
• Integrated IAM implementations are about people and organizations, about re-engineering processes for managing user access to business information resources
Recommended Practices (continued)
Value Delivery
• Initial Integrated IAM projects should deliver "quick wins" to build business support for continuing the Integrated IAM program
• The “big-bang” implementation approach is unlikely to build the stakeholder trust and involvement required for continuing Integrated IAM maturity
Identity Definition
• Define identity populations (such as employees, contractors, business associates, and customers)
• Establish required identity characteristics and required data attributes
• Establish authoritative sources for identity information
• Define requirements associated with role-based access controls
Technology Integration
• Determine the point of diminishing returns for automated and manual processes
• Pilot the implementation to prove the solution
• Implement the solution by delivering in phases (top value first)
• Test performance and functionality
Integrated IAM Experience
• Integrated IAM projects have unique characteristics, so domain experience is vital
• Integrated IAM projects are complex and demand effective managers who can not only track schedule and budget, but also communicate effectively with a diverse set of stakeholders and make sure everyone is pulling in the same direction
Integrated IAM solutions address strategic business challenges utilizing a holistic approach
Integrated IAM addresses business-focused challenges, enabling organizations to efficiently and effectively support the enterprise.
Operational Efficiency
• Efficient processes and lower administrative overhead
• Reduced cost of audits through automated processes and technical controls
Regulatory Compliance
• Flexibility to enforce compliance with new and changing regulations
• Implement automated controls and review them periodically
Risk Management
• Centralized management of risk leveraging consistent technologies and processes
• Enforce enterprise risk management policies and protect sensitive assets
Business Facilitation
• Enable collaboration with business partners securely
• Improved user experience for customers and employees alike
Cost Containment
• Consistent, repeatable processes used throughout the organization for user management
• Extensive automation that reduces the amount of manually intensive activities
About Deloitte
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the
legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Member of Deloitte Touche Tohmatsu Limited