Identity and access management (IAM) is an essential function for protecting the privacy of information, enhancing user experience, enabling accountability and controlling access to an organization’s assets. Improving IAM systems and processes has been a growing priority in financial services institutions in recent years. Keeping up with access control requirements driven by Sarbanes-Oxley and Federal Financial Institutions Examination Council (FFIEC) IT examinations consumes considerable time and resources. The IAM budgets of large financial services organizations have increased significantly over the last few years, and in some instances, all-in budgets exceed US$80 million for multiyear IAM transformation programs. Our experience shows that emerging cloud-based IAM solutions offer a great potential advantage, including the possibility of reducing implementation times by as much as 70% and cost by 50%. Success with this strategic approach requires strict business-value management, common and consistently applied IAM processes, and strong integrated security and risk management discipline.
A significant challenge in implementing a world-class IAM solution is controlling the duration and costs to maintain the validity of the business case. To address this, businesses are experimenting with cloud-based solutions in addition to their on-premises solutions. Traditional on-premises IAM implementations can take years. In the eyes of some business leaders, certain IAM programs do not offer returns on investment quickly enough; they lose momentum and face cancellation. But with the advent of cloud computing this has begun to change. A service-based approach can slash implementation time to a matter of months, allowing the programs to demonstrate their benefits faster and meet the deadlines regulators may set for access-risk remediation and system improvements.
Key Decision Points
CIOs or security executives thinking about a cloud-based IAM solution should carefully consider three key questions for a successful deployment and ongoing sustainability.
1. What are the IAM business drivers? Most organizations do not spend enough time clearly defining the critical business issues or business drivers for an IAM program. These drivers must be based on business objectives and requirements, regulatory requirements, and directives from the board of directors and executive management. Without such alignment, there is the possibility of confusion in coordinating complex multiyear transformation programs and communicating the overall IAM vision. Typical business drivers include protection of customer and employee information, enabling risk reduction and enhanced regulatory compliance through removing inappropriate and excessive access and preventing toxic access combinations; increased productivity and cost reduction through decreasing the number of entitlement reviews and automating the IAM workflow; and an enhanced user experience through identity analytics and improved correlation across business products and delivery channels.
2. What are the specific business scenarios or activities that the cloud-based IAM solution is expected to support? Can the activity be measured sufficiently to evaluate whether the solution is advancing the business case?
Our experience indicates that organizations achieve results from cloud-based IAM solutions in the following six key process domains: request and approval, provisioning and de-provisioning, enforcement, review and certification, reconciliation and reporting, and auditing. The “enforcement” (authentication and authorization) and “review and certification” domains may offer the greatest opportunity for a cloud-based IAM solution because of the nature of their resource usage. A cloud-based IAM solution for these domains can provide resource flexibility by dynamically adjusting resources to accommodate peak usage demand. For example, peak usage usually occurs only during the short periods when financial institutions conduct their reviews of individuals’ access. In a traditional on-premises IAM implementation, firms are forced to buy systems powerful enough to handle that peak demand even though they need that capacity only for a short time. By comparison, cloud-based IAM systems can dynamically adjust resources to accommodate these spikes, as well as lulls, in demand, which results in cost savings in the long run.
3. Does the solution have adequate risk management and security controls? Can the organization manage the risk effectively while integrating with other traditional or cloud-based IAM services?
For cloud-based IAM solutions to become a key part of the IT enterprise portfolio, they need to provide adequate security controls for sensitive enterprise data and applications. Cloud-based IAM solution providers have made significant strides in addressing these concerns through their internal controls and service-provisioning strategies. Yet the service providers’ security and privacy protections must be augmented by financial institutions’ internal controls and validated further by the organization’s third-party risk management program.
Cloud-based IAM solutions can support both traditional on-premises components and software-as-a-service applications. For example, an organization may choose to implement a common authentication service for both its cloud-based and on-premises applications in order to provide its employees a seamless user experience across applications. Organizations should confirm that their cloud solution provider is able to meet the IAM solution security requirements.
Companies that turn IAM into an explicit business enabler rather than a cost center will create competitive advantage. As the IAM market consolidates and integrated cloud-based IAM functions become more dominant, we expect organizations to consider the focus areas outlined in this article and achieve the key business benefits of cloud-based IAM solutions while providing a flexible, standardized and secure enterprise service.
Ertem Osmanoglu is a principal in the Financial Services Office of Ernst & Young LLP.
The views expressed herein are those of the authors and do not necessarily reflect the views of Ernst & Young LLP.