The importance of controlling access to information has never been greater. Organisations within both the private and public sectors are collecting and storing ever increasing volumes of sensitive data. At the same time, businesses are extending their operations outside traditional boundaries - authorised access to information at anytime, from anywhere, by employees, business partners, and customers has become a fundamental requirement across all industries.
External factors are also forcing organisations to improve the way in which they manage access to information. Legal and regulatory requirements such as the Data Protection Act and Sarbanes Oxley have raised the minimum acceptable level of access control, and penalties for non-compliance are significant. In addition, customer expectations regarding the protection of their personal data are at an all-time high.
Deloitte has acquired IM Global, a specialist identity and access management security firm, to strengthen Deloitte’s existing identity and access management capabilities, with a significant team of specialists joining from IM Global to create one of the largest identity and access management teams in Europe.
The enlarged Security team at Deloitte will be able to provide the full range of identity and access management advisory, strategic, technical and vendor specialist skills including Oracle, IBM, CA, Aveksa, SailPoint and Novell.
The Identity & Access Management (IAM) team will deliver services to clients through seven key areas of IAM specialism:
Regulation requires organisations to ensure that appropriate controls are in place when accessing financial systems, customer management systems, payments systems and any customer sensitive information. In order to correctly implement an access certification solution, the organisation must understand:
Access certification is a core component of an IAM solution and is designed to efficiently fulfil audit and governance requirements. Performing a regular manual review or certification of all user access can meet audit requirements but is expensive and time consuming.
Automating an access certification process allows identities to be correlated across the enterprise providing a holistic view of user access and entitlements to specified applications. With this overview, certification events can be triggered to allow the appropriate person within the organisation, such as a line manager, to approve or revoke employee access; automation is a much more cost effective process than manual certification.
Centrally controlling access to applications, systems and other resources is core to any successful Identity & Access Management strategy. Without access management, the responsibility for authorising and authenticating users remains with the application developers and owners, which leads to inconsistency surrounding the access process.
An enterprise wide access management approach externalises and centralises the authentication and authorisation of users to an application, web-service or resource providing a scalable, secure and standards based approach to access control. In addition, Deloitte can enhance the traditional Web Single Sign-On with dynamic risk based authorisation with real time risk analysis.
Whilst stand-alone access management solutions can provide sophisticated authentication and authorisation capabilities, they remain within the domain of the organisation’s control. It may not be possible to bring all your users and identities under the management of your central access control systems.
With the extension of traditional organisations’ boundaries, mergers and acquisitions, Software as a Service (SaaS), and multiple brands in one business, customers are increasingly expecting to access their cross-brand services in one session, e.g. once a customer has entered a username and password into the Brand X website, they would expect to access Brand Y services, a trusted partner, without having to repeat the process. To achieve identity federation it is necessary to use an open standards based approach (SAML, SPML, OpenID, Information Cards, etc.). A federated application can provide and receive identity assertions from otherwise completely independent access management systems. While the initial use-cases largely focused on B2B or B2C type applications, the same approach is increasingly deployed within the organisation to integrate multiple identities, systems and applications across regional boundaries.
Authenticating access alone is not enough to mitigate risks; users need to be given entitlements in applications to ensure the correct segregation of duties and compliance. Fine grained user entitlements grant capability to functions, transactions and data and should be built into the code of every custom application, every enterprise directory and industry standard systems. Whilst your IAM strategy may have control over identity-side access, a complete view of access can only be achieved with entitlements management. Understanding and managing the complete entitlements model of the organisation is essential to gain full visibility and control in a strategic platform that can be used for all new application development.
Our clients have used our expertise to:
A successful Identity & Access Management programme should support all parts of an organisation. Therefore, there is an inherent need to approach it from a strategic, corporate and regulatory control perspective.
Our team delivers cross-functional services that bring an organisational perspective to planning and implementing IAM. We provide strategic advice on risk control, architectures, business and IT processes and on mergers, acquisitions and separation processes.
The benefits for our clients are:
User access to systems, applications and data within an Identity & Access Management strategy goes beyond basic username and password authentication. Strong authentication leverages appropriate authentication complexity dependent upon the application or service being requested. This can include certificate-based authentication, smartcards, tokens, biometrics and much more.
A service oriented approach to strong authentication enables services to be granted dependent upon the authentication mechanism used. A username and password authentication may grant a basic level of access whereas a smartcard authentication allows for 2-factor authentication and non-repudiation of the transaction being performed.
Taking a risk based approach to strong authentication requires a risk assessment to understand the additional factors that need to be considered such as the user location, time zone, last authentication time, hardware device and other policy factors.
Our team have deep industry expertise to advise and implement strong authentication solutions to secure our clients’ business boundaries, whilst allowing business operations to continue efficiently.
User provisioning is at the centre of many successful IAM strategies. User provisioning provides process and administration cost savings by enabling user self-service capabilities such as password reset, or by leveraging a role model to perform fine-grained user management. Furthermore, user provisioning solutions are no longer for internal use only; they also manage the customer identity lifecycle in B2B and B2C portals.
Combining request and approval workflow with a technical integration to the underlying applications and resources within the enterprise, user provisioning solutions address many use-cases and business problems. As the market matures we are moving beyond the traditional joiner-mover-leaver use-cases to solutions designed for B2C, B2B and purely certification based solutions. These more specialised deployments leverage core user provisioning components in a new and novel way to meet an increasing range of business problems.
Our team has extensive experience in assisting clients to manage user provisioning solutions and has been involved in the first UK deployments. With such expertise, we are able to best advise our clients on their strategy and technical implementation to meet their requirements, timeline and overall project objectives.