Evolving identity and access management

  • Share

Identity and access management (IAM) is moving beyond compliance to become a valuable business tool. Making better use of IAM can help power and utility (P&U) companies improve operational efficiencies and user experiences. Tim Best reports.

IAM describes the management of user’s online identities and the authentication, authorization and privileges across IT and business systems. At its most basic, IAM defines what users can do on a system or network and under what circumstances.

But it is now evolving beyond compliance to become a risk-based program that can help an organization achieve competitive advantage through lower costs, increased efficiencies and reduced risk of security breaches.

While P&U companies are now more aware of external cyber threats, many are still trying to grasp the magnitude of the risks that lie within. As emerging technology trends and a changing business environment bring IAM to the forefront for utilities, it is time to see the bigger picture.

IT trends and regulatory pressure

Several new business pressures demand that IAM adapt to emerging technologies:

  • Mobile computing
  • Cloud computing
  • Connected home
  • Social media
EY - IT trends and regulatory pressure

Utilities also face pressure to manage the big data generated by smart grids and smart meters, as well as more regulatory obligations. They must also deal with the increased interaction of today’s more empowered consumer.

But many P&U companies are stuck at a low level of IAM maturity, still using time-intensive manual processes, delivering IAM in organizational silos and lacking the resources to put in place the finer-grained user access required for today’s energy sector.

This creates inefficiencies, higher costs and a greater risk of inappropriate user access.

Lessons learned

Utilities should consider the impact of these trends on their business, evaluate their capability levels and decide where their IAM maturity should be.

This is an individual decision. IAM can be a highly manual process and still be effective in meeting an organization’s goals. However, the cost of labor will be high and will likely outweigh the cost of technology.

On the other hand, a highly automated IAM program will have a low cost of labor but a high initial cost to implement and an ongoing maintenance cost.

The key is finding a balance between the cost of labor and the cost of implementation and maintenance while still meeting overall business, security and IAM goals.

As utilities progress their IAM maturity, lessons can be taken from sectors, such as banking and finance, which are typically more advanced in this area. These lessons extend across three key issues:


  • Take a risk-based approach to IAM enhancements to ensure minimal business disruption
  • Appoint one executive-level “program owner” who is empowered to make decisions to avoid confusion over responsibilities
  • Ensure an experienced manager is designated as the “service owner” and that other project execution staff also have appropriate IAM skills


  • Integrate process improvements into awareness campaigns designed to educate users
  • Document access control processes and perform periodic testing to validate that processes are being followed
  • Inform key stakeholders that business processes will change to accommodate improved IAM capabilities


  • Leading IAM products can usually meet most IAM requirements but may need configuration and/or customization
  • Redefine access profiles in terms of roles so that they can be more easily understood
  • Define a business-friendly name and description for these access profiles

Our teams can advise on the technology and tools that best suit a P&U company’s own IAM needs.

A balanced approach

P&U companies must evaluate whether the maturity of their IAM function is keeping pace with IT trends and changing business needs. Leveraging insights from sectors with more mature IAM models can help ensure best practice is adopted.

A risk-based action plan will support the development of an integrated IAM function, which is aligned to the needs of the business and drives value. Whichever approach is taken, the key message for P&U companies is not to consider IAM as an isolated function but as part of other information security technologies that provide an overall picture for an organization.

Case study – IAM in action


Original state

Inadequate user provisioning processes, inefficient manual review processes and toxic combinations access — for example, where a line manager is able to approve his or her own trades as well as those of other team’ members.


In addition to the risks of ineffective IAM, a lack of consensus regarding how to approach the problem compounded the issue’s complexity.

Maturity-level transformation

Repeatable to managed.

IAM solution

Short-term solution: Data analysis techniques identified segregation or duties conflicts across 800,000 entitlements.

Longer-term solution: The company implemented a standardized process for the provisioning and de-provisioning of user entitlements at the operating system, database and application levels.


Taking a risk-based approach, the company developed segregation of duties remediation plans for more than 6,000 accounts, bringing the company in line with risk and compliance targets. Balance between short- and long-term solutions allowed the company to prioritize resources and funding.

For more information

EY - Identity and access management: beyond compliance

Read more in our publication: Identity and access management: beyond compliance.