Digital identity and access management

Identity and access management (IAM) is a foundational element of any information security program and one of the security areas that users interact with most.

What EY can do for you

Identity and access management (IAM) is the discipline for managing access to enterprise resources.

In the past, IAM focused on establishing capabilities to support access management and access-related compliance needs. The solutions often focused on provisioning technology and were poorly adopted.

They also resulted in high costs and realized limited value. Organizations often struggled to meet compliance demands during this period, and the solutions were deployed to manage very few applications and systems.

Centralized, standardized, automated identity management services designed to reduce risk and cost while improving operational efficiency remained elusive. Today, many organizations understand, or already meet, their compliance requirements.

While compliance is still a key driver in IAM initiatives, IAM is evolving into a risk-based program with capabilities focused on entitlement management and enforcement of logical access controls.

IAM life cycle phases

The management of identity and access permissions can be viewed as three stages.

  1. User access request and approve
     Gaining access to the applications, systems and data required to be productive

     Common challenges
     • Processes differ by location, business unit and resource.
     • Approvers have insufficient context of user access needs. Do users really need access to private or confidential data?
     • Users find it difficult to request required access.

  2. Reconcile
     Enforcing that access within the system, matching approved access levels

     Common challenges
     • Actual rights on systems exceed access levels that were originally approved/provisioned.
     • There is no single authoritative identity repository for employees/non-employees.

  3. Review and certify
     Reviewing user access periodically to realign it with job function or role

     Common challenges
     • Processes are manual and differ by location, business unit and resource.
     • Reviewers must complete multiple, redundant and granular access reviews.
     • Reviewers have insufficient context of user access needs.

NextGen IAM Reference Architecture

NextGen IAM architecture is designed to orchestrate the integration across the entire IAM ecosystem and life cycle (i.e., identity governance and administration, access management, privileged access and customer identity management).

Our NextGen IAM architectural approach seeks to reduce the complexity of IAM implementations, address legacy and emerging IAM use cases, and enable agility when dealing with significant organizational change (e.g., digital transformation, technology refresh, mergers and acquisitions, managed service transition).

Key IAM capabilities

During the development of an IAM transformation plan, you should confirm that these recommended capabilities are included:

  • Job role or application access matrices using rule-mining tools
  • Automated workflow-based access request and approval processes, using job role or application access matrices and segregation-of-duties checking
  • Entitlement warehouse solution
  • Access proxy solutions and central authentication (application, host and database layers)
  • Risk-based authentication solutions
  • Identity analytics and behavioral analysis services to integrate with data loss prevention (DLP) and security information and event management (SIEM)
  • Data and access management process governance program, which includes HR, application owners, information security and IAM stakeholders
  • Federation solutions
  • Emerging solutions that combine logical and physical security
  • A solution designed with future scalability requirements in mind
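As an added illustration of the reconcile stage of the life cycle above and of the segregation-of-duties checking listed among the key capabilities (example code, not EY's or any product's), the Python below compares a snapshot of rights actually present on systems against a job-role access matrix, reporting excess rights, missing rights, orphan accounts and SoD conflicts. The matrix, identity records, entitlement snapshot and SoD rules are all constructed sample data.

```python
# Constructed sample data: job role -> entitlements approved for that role.
ROLE_ACCESS_MATRIX = {
    "ap_clerk": {"erp:invoice.create", "erp:vendor.view"},
    "ap_supervisor": {"erp:invoice.approve", "erp:vendor.view"},
    "hr_analyst": {"hris:employee.view"},
}

# Constructed identity repository: user -> (assigned roles, individually approved extras).
IDENTITIES = {
    "alice": ({"ap_clerk"}, set()),
    "bob": ({"ap_supervisor"}, {"erp:report.export"}),
    "carol": ({"hr_analyst"}, set()),
}

# Constructed snapshot of rights actually present on the target systems.
ACTUAL_RIGHTS = {
    "alice": {"erp:invoice.create", "erp:vendor.view", "erp:invoice.approve"},
    "bob": {"erp:invoice.approve", "erp:vendor.view", "erp:report.export"},
    "carol": {"hris:employee.view", "hris:payroll.edit"},
    "dave": {"erp:vendor.view"},  # no identity record: orphan account
}

# Constructed segregation-of-duties rules: entitlement pairs one person may not hold together.
SOD_RULES = [("erp:invoice.create", "erp:invoice.approve")]

def approved_rights(user, identities=IDENTITIES, matrix=ROLE_ACCESS_MATRIX):
    """Expand a user's roles and approved extras into the full approved entitlement set."""
    roles, extras = identities[user]
    approved = set(extras)
    for role in roles:
        approved |= matrix.get(role, set())
    return approved

def reconcile(actual=ACTUAL_RIGHTS, identities=IDENTITIES, matrix=ROLE_ACCESS_MATRIX):
    """Return (drift, orphans): drift maps each user whose actual rights differ from
    the approved set to {"excess", "missing"}; orphans are accounts with no identity."""
    drift, orphans = {}, []
    for user, rights in actual.items():
        if user not in identities:
            orphans.append(user)
            continue
        approved = approved_rights(user, identities, matrix)
        excess, missing = rights - approved, approved - rights
        if excess or missing:
            drift[user] = {"excess": excess, "missing": missing}
    return drift, orphans

def sod_violations(actual=ACTUAL_RIGHTS, rules=SOD_RULES):
    """List (user, rule) pairs where one account holds both sides of a conflicting pair."""
    return [(u, r) for u, rights in actual.items() for r in rules if set(r) <= rights]
```

In the sample data, alice holds an approval right that was never approved and also trips the SoD rule, carol has drifted beyond her role, and dave is an account with no owning identity; each of these is the kind of finding a periodic review and certification should surface.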

The skills and resources needed to address cybersecurity are extremely scarce in most organizations. We can train, develop and deploy those resources in your organization, to embed that deep experience so you can protect yourselves in the long term.
