
Identity & Access Management

The importance of controlling access to information has never been greater. Organisations within both the private and public sectors are collecting and storing ever-increasing volumes of sensitive data. At the same time, businesses are extending their operations outside traditional boundaries: authorised access to information at any time, from anywhere, by employees, business partners and customers has become a fundamental requirement across all industries.

External factors are also forcing organisations to improve the way in which they manage access to information. Legal and regulatory requirements such as the Data Protection Act and Sarbanes-Oxley have raised the minimum acceptable level of access control, and penalties for non-compliance are significant. In addition, customer expectations regarding the protection of their personal data are at an all-time high.

Deloitte has acquired IM Global, a specialist identity and access management security firm. A significant team of specialists joining from IM Global strengthens Deloitte's existing identity and access management capabilities and creates one of the largest identity and access management teams in Europe.

The enlarged Security team at Deloitte will be able to provide the full range of identity and access management advisory, strategic, technical and vendor specialist skills including Oracle, IBM, CA, Aveksa, SailPoint and Novell.

The Identity & Access Management (IAM) team will deliver services to clients through seven key areas of IAM specialism:

Access certification

Regulation requires organisations to ensure that appropriate controls are in place when accessing financial systems, customer management systems, payments systems and any customer sensitive information. In order to correctly implement an access certification solution, the organisation must understand:

  • Who has access to which systems, resources, applications and data?
  • Who approved this access?
  • How was the access granted?
  • When was access last reviewed?
  • What mitigating controls are in place for high-risk access?

Access certification is a core component of an IAM solution and is designed to efficiently fulfil audit and governance requirements. Performing a regular manual review or certification of all user access can meet audit requirements but is expensive and time consuming.

Automating an access certification process allows identities to be correlated across the enterprise providing a holistic view of user access and entitlements to specified applications. With this overview, certification events can be triggered to allow the appropriate person within the organisation, such as a line manager, to approve or revoke employee access; automation is a much more cost effective process than manual certification.

Access management & federation

Centrally controlling access to applications, systems and other resources is core to any successful Identity & Access Management strategy. Without access management, the responsibility for authorising and authenticating users remains with the application developers and owners, which leads to inconsistency surrounding the access process.

An enterprise-wide access management approach externalises and centralises the authentication and authorisation of users to an application, web service or resource, providing a scalable, secure and standards-based approach to access control. In addition, Deloitte can enhance traditional Web Single Sign-On with dynamic risk-based authorisation backed by real-time risk analysis.

Whilst stand-alone access management solutions can provide sophisticated authentication and authorisation capabilities, they remain within the domain of the organisation's own control. It may not be possible to bring all your users and identities under the management of your central access control systems.

With the extension of traditional organisations' boundaries, mergers and acquisitions, Software as a Service (SaaS), and multiple brands in one business, customers increasingly expect to access their cross-brand services in one session. For example, once a customer has entered a username and password into the Brand X website, they would expect to access the services of Brand Y, a trusted partner, without having to repeat the process. Achieving identity federation requires an open-standards-based approach (SAML, SPML, OpenID, Information Cards, etc.), so that a federated application can provide and receive identity assertions from otherwise completely independent access management systems. While the initial use cases largely focused on B2B or B2C applications, the same approach is increasingly deployed within the organisation to integrate multiple identities, systems and applications across regional boundaries.

Entitlements management

Authenticating access alone is not enough to mitigate risk; users need to be given entitlements within applications to ensure the correct segregation of duties and compliance. Fine-grained user entitlements grant capability to functions, transactions and data, and are built into the code of every custom application, every enterprise directory and every industry-standard system. Whilst your IAM strategy may have control over identity-side access, a complete view of access can only be achieved with entitlements management. Understanding and managing the complete entitlements model of the organisation is essential to gain full visibility and control in a strategic platform that can be used for all new application development.

Our clients have used our expertise to:

  • Expose and manage hidden entitlements within business applications
  • Enhance the permission and entitlement model in industry standard applications
  • Provide a centralised platform for new application development
  • Implement review and approval processes to model entitlements policies as the business evolves.

Role management

Within every organisation there will be a collection of pre-defined business roles or job positions. Role management aims to use these business roles within other components of an IAM strategy to solve real business problems and provide a quantifiable return on investment. Examples include automatically provisioning a new joiner to the correct applications required for their role type, thereby reducing on-boarding time for staff and administration costs. Another example is dynamic notification to a manager if an employee has access beyond that expected for their role, in parallel triggering a certification process to ensure the exception is audited. Our team assists clients throughout their role engineering process, including role mining, role discovery and full role lifecycle management.
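The exception detection described above, and the correlated view of access behind access certification, as an added example that is not Deloitte's or IM Global's code: accounts from several systems are correlated back to an HR identity, each person's entitlements are compared with the baseline for their business role, and only the excess (plus any orphan account with no owner) becomes a certification item for the line manager. The role model, HR feed and account extracts are constructed.

```python
# Added example, not Deloitte's code: correlate per-system accounts into
# identities, compare each person's entitlements with the baseline for their
# business role, and raise a certification item for the line manager when
# access goes beyond the role. All data below is constructed.
from collections import defaultdict

# Role model: entitlements each business role is expected to hold.
ROLE_BASELINE = {
    "payments_clerk": {"PAYHUB:submit_payment", "CRM:read_customer"},
    "finance_manager": {"PAYHUB:submit_payment", "PAYHUB:approve_payment",
                        "GL:post_journal", "CRM:read_customer"},
}
# HR feed: identity -> business role and line manager.
HR = {"alice": {"role": "payments_clerk", "manager": "dana"},
      "bob": {"role": "finance_manager", "manager": "erin"}}
# Account extracts from target systems. Local account names differ per
# system, so the HR employee id is the correlation key back to a person.
ACCOUNTS = [
    ("PAYHUB", "a.smith", "alice", ["submit_payment", "approve_payment"]),
    ("CRM", "asmith2", "alice", ["read_customer"]),
    ("PAYHUB", "rjones", "bob", ["submit_payment", "approve_payment"]),
    ("GL", "rjones", "bob", ["post_journal"]),
    ("GL", "svc_batch", None, ["post_journal"]),  # orphan: no known owner
]

def correlate(accounts):
    """Return ({identity: {'SYSTEM:entitlement', ...}}, [orphan accounts])."""
    view, orphans = defaultdict(set), []
    for system, account, employee_id, entitlements in accounts:
        if employee_id is None:
            orphans.append(f"{system}:{account}")
            continue
        view[employee_id].update(f"{system}:{e}" for e in entitlements)
    return dict(view), orphans

def certification_items(accounts, hr, baseline):
    """One review item per identity whose access exceeds its role."""
    view, orphans = correlate(accounts)
    items = []
    for ident, ents in view.items():
        excess = ents - baseline[hr[ident]["role"]]
        if excess:  # only exceptions go to the line manager, not every grant
            items.append({"identity": ident, "approver": hr[ident]["manager"],
                          "review": sorted(excess)})
    # Orphan accounts have no line manager; route them to the system owner.
    for orphan in orphans:
        items.append({"identity": None, "approver": "system_owner",
                      "review": [orphan]})
    return items
```

Bob holds exactly his role's baseline and so generates no item; Alice's approve_payment right in PAYHUB and the ownerless GL service account do.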


A successful Identity & Access Management programme should support all parts of an organisation. There is therefore an inherent need to approach IAM from a strategic, corporate and regulatory control perspective.

Our team delivers cross-functional services that bring an organisational perspective to planning and implementing IAM. We provide strategic advice on risk control, architectures, business and IT processes and on mergers, acquisitions and separation processes.

The benefits for our clients are:

  • Current state and future state reviews towards building a successful IAM business case
  • Strategies for implementing and maintaining risk controls, business process and IT processes built on IAM cornerstones
  • Centralised policy and process intelligence that allows visibility at the right level within the enterprise
  • Business transformation programmes, supported by an IAM project
  • Cost-effective delivery and support mechanisms, whether within an acquisition or separation, or as part of the evolution of a business operation.

Strong authentication

User access to systems, applications and data within an Identity & Access Management strategy goes beyond basic username and password authentication. Strong authentication applies an appropriate level of authentication complexity depending on the application or service being requested. This can include certificate-based authentication, smartcards, tokens, biometrics and much more.

A service-oriented approach to strong authentication enables services to be granted depending on the authentication mechanism used. Username and password authentication may grant a basic level of access, whereas smartcard authentication provides two-factor authentication and non-repudiation of the transaction being performed.

Taking a risk-based approach to strong authentication requires a risk assessment to understand the additional factors that need to be considered, such as the user's location, time zone, last authentication time, hardware device and other policy factors.
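The two ideas in the preceding paragraphs, access granted according to the assurance of the mechanism used and a risk assessment that raises that requirement, as an added example that is not Deloitte's code. The mechanisms, assurance levels, service baselines and the three risk signals (unregistered device, unusual location, stale last authentication) are assumed for illustration.

```python
# Added example, not Deloitte's code: a risk-based access decision where the
# assurance of the authentication mechanism used is compared with the
# assurance the requested service needs, after risk signals (device, location,
# time since last authentication) have raised that requirement. Constructed data.
from datetime import datetime, timedelta, timezone

# Assurance level of each mechanism; username+password is the lowest.
ASSURANCE = {"password": 1, "otp_token": 2, "smartcard": 3}
# Minimum assurance each service needs before any risk adjustment.
SERVICE_BASELINE = {"intranet": 1, "crm": 2, "payments_approval": 3}
MAX_LEVEL = max(ASSURANCE.values())

def risk_uplift(ctx, now):
    """Return the risk signals present in the request context; each raises the required level by one."""
    signals = []
    if not ctx.get("device_registered", False):
        signals.append("unregistered_device")
    if ctx.get("country") != ctx.get("usual_country"):
        signals.append("unusual_location")
    last = ctx.get("last_auth")
    if last is None or now - last > timedelta(hours=12):
        signals.append("stale_session")
    return signals

def decide(service, mechanism, ctx, now):
    """Return ('allow' | 'step_up' | 'deny', required_level, signals)."""
    signals = risk_uplift(ctx, now)
    required = SERVICE_BASELINE[service] + len(signals)
    if required > MAX_LEVEL:
        # No available mechanism can satisfy the adjusted requirement.
        return "deny", required, signals
    if ASSURANCE[mechanism] >= required:
        return "allow", required, signals
    return "step_up", required, signals  # ask the user for a stronger mechanism
```

A password session on a registered device in the usual country reaches the intranet but is stepped up for the CRM; the same request from an unregistered device needs a smartcard, and payments approval from that device is refused outright.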

Our team has deep industry expertise in advising on and implementing strong authentication solutions that secure our clients' business boundaries whilst allowing business operations to continue efficiently.

User provisioning

User provisioning is at the centre of many successful IAM strategies. User provisioning provides process and administration cost savings by enabling user self-service capabilities such as password reset or leveraging a role model to perform fine-grained user management. Furthermore, user provisioning solutions no longer remain for internal use only but also manage the customer identity lifecycle in B2B and B2C portals.

Combining request and approval workflow with technical integration to the underlying applications and resources within the enterprise, user provisioning solutions address many use cases and business problems. As the market matures we are moving beyond the traditional joiner-mover-leaver use cases to solutions designed for B2C, B2B and purely certification-based scenarios. These more specialised deployments apply core user provisioning components in novel ways to meet an increasing range of business problems.

Our team has extensive experience in assisting clients to manage user provisioning solutions and has been involved in the first UK deployments. With such expertise, we are able to best advise our clients on their strategy and technical implementation to meet their requirements, timeline and overall project objectives.

Material on this website is © 2014 Deloitte Global Services Limited, or a member firm of Deloitte Touche Tohmatsu Limited, or one of their affiliates. See Legal for copyright and other legal information.
