Hands on laptop touchpad during meeting
Case Study
The better the question The better the answer The better the world works
Case Study

How to modernize audit security and access management capabilities

EY helped one federal agency improve audit security by architecting and implementing refreshed identity and access management technology.

1

What does it take to fast-track digital identity user governance?

Federal agencies are under pressure to automate manual processes to enhance operational efficiencies.

The government workforce is constantly changing. People move from one agency to another or accept new roles within the same organization. It is hard to keep track of who has access to agency data – and more importantly, what access privileged users have.

A component within a federal agency was seeking to resolve issues with audit findings and to remediate gaps in security architecture. They looked to EY to help them create a centralized identity management platform that would improve access control processes and audit security.

EY understood what was needed and worked closely with federal government agency leadership to offer a solution.

Four co-workers briefing in conference room
2

Looking beyond mandated security auditing

Establishing a new platform that evolves to meet added federal agency business requirements.

The EY team has been on the ground since late 2018 and is directly responsible for architecting, implementing and supporting identity governance and administration for the federal agency. The initial scope of the project focused on implementing identity and access management software to support audit compliance. As part of this effort, the EY team developed custom logic to automate the removal of user access for those who were not compliant with security guidelines and to remove access for users who had not logged into applications for a certain period of time.

New system improves access controls and automation

Our work established a new identity governance and administration (IGA) platform that continues to evolve and expand to meet added federal agency business requirements. It uses processes and technologies to manage digital identities – securing valuable information and protecting agencies from costly data breaches.

Other notable IGA-supported activities include:

  • Creating automated access request workflows to provision roles for enterprise applications
  • Developing a custom reporting and self-service role administration portal for end-user applications
  • Implementing new access certifications and user separation workflows for applications, including high-value financial management applications
  • Automating annual training compliance for the entire end-user population
  • Building custom functionality to support various groups, including VIP users
  • Supporting the retirement of legacy systems

Managing the end-to-end lifecycle of privileged users

The EY team worked closely with agency leadership to develop both IGA and privileged access management (PAM) capabilities. They developed a roadmap to define and prioritize major tasks and milestones, including the EY Zero Trust model, enterprise separations, and integration with enterprise users and thousands of assets. A team of IGA and PAM engineers were engaged to bring deep product and domain knowledge to the project. Integrating the various target systems was a key differentiator.

Living and breathing the fact that identity is the new perimeter is far different than simply talking about it. Our cybersecurity architects and engineers at the federal agency have not just provided measurable returns on cyber investments in digital user identity and privileged access management, but every day they diligently further the agency’s mission by implementing multiple proof of value points across all the pillars of a real and truly integrated Zero Trust architecture.
Mahreen Huque
Senior Manager, EY Cybersecurity
Back view of businessman surrounded by data sheets
3

Evolving solutions to integrate with enterprise policies

New features are bringing the identity and access lifecycle full circle.

As a result of our work the first year, audit findings declined to a single finding – and by 2021, were further reduced to zero. Since the beginning of the identity and access management implementation, millions of user roles have been recertified and user separations have been automated for over 100 enterprise applications and thousands of roles.

The IGA and PAM integration continues as additional provisioning functionality is built into the identity lifecycle. The new capabilities allow the platform to support thousands of privileged users and requires minimal intervention or manual processes from operations staff. Connections improve as upgrades are made and security, performance and feature enhancements are added. As the solution evolves, there is also greater integration with enterprise policies, such as password rotations and user separations.

Today, government is facing an increased risk from more sophisticated cyberattacks and widespread compromise of credentials. The EY Zero Trust security model validates and enforces the cybersecurity concept of “never trust, always verify.” Our team is helping federal agencies by providing Zero Trust services to support access workflows and operational policies that will improve the security to agency assets and result in cost savings and greater efficiencies.

As a result of our work the first year, audit findings declined to a single finding – and by 2021, were further reduced to zero.

Contact us

Like what you’ve seen? Get in touch to learn more.

Contact us