Ertem Osmanoglu, Ernst & Young

Enabling Business Performance Through Cloud-Based Identity and Access Management

Cloud-based identity and access management systems can reduce implementation time and costs for banks trying to keep pace with regulations regarding organizational access controls.

Identity and access management (IAM) is an essential function for protecting the privacy of information, enhancing user experience, enabling accountability and controlling access to an organization’s assets. Improving IAM systems and processes has been a growing priority in financial services institutions in recent years. Keeping up with access control requirements driven by Sarbanes-Oxley and Federal Financial Institutions Examination Council (FFIEC) IT examinations consumes considerable time and resources. The IAM budgets of large financial services organizations have increased significantly over the last few years, and in some instances all-in budgets exceed US$80 million for multiyear IAM transformation programs. Our experience shows that emerging cloud-based IAM solutions offer a great potential advantage, including the possibility of reducing implementation times by as much as 70% and cost by 50%. Success with this strategic approach requires strict business-value management, common and consistently applied IAM processes, and strong integrated security and risk management discipline.

A significant challenge in implementing a world-class IAM solution is controlling the duration and costs to maintain the validity of the business case. To address this, businesses are experimenting with cloud-based solutions in addition to their on-premises solutions. Traditional on-premises IAM implementations can take years. In the eyes of some business leaders, certain IAM programs do not offer returns on investment quickly enough; they lose momentum and face cancellation. But with the advent of cloud computing this has begun to change. A service-based approach can slash implementation time to a matter of months, allowing the programs to demonstrate their benefits faster and meet the deadlines regulators may set for access-risk remediation and system improvements.

Key Decision Points

CIOs or security executives thinking about a cloud-based IAM solution should carefully consider three key questions for a successful deployment and ongoing sustainability.

1. What are the IAM business drivers? Most organizations do not spend enough time clearly defining the critical business issues or business drivers for an IAM program. These drivers must be based on business objectives and requirements, regulatory requirements, and directives from the board of directors and executive management. Without such alignment, there is the possibility of confusion in coordinating complex multiyear transformation programs and communicating the overall IAM vision. Typical business drivers include protection of customer and employee information; risk reduction and enhanced regulatory compliance through removing inappropriate and excessive access and preventing toxic access combinations; increased productivity and cost reduction through decreasing the number of entitlement reviews and automating the IAM workflow; and an enhanced user experience through identity analytics and improved correlation across business products and delivery channels.

2. What are the specific business scenarios or activities that the cloud-based IAM solution is expected to support? Can the activity be measured sufficiently to evaluate whether the solution is advancing the business case?

Our experience indicates that organizations achieve results from cloud-based IAM solutions in the following six key process domains: request and approval, provisioning and de-provisioning, enforcement, review and certification, reconciliation and reporting, and auditing. The “enforcement” (authentication and authorization) and “review and certification” domains may offer the greatest opportunity for a cloud-based IAM solution because of the nature of their resource usage. A cloud-based IAM solution for these domains can provide resource flexibility by dynamically adjusting resources to accommodate peak usage demand. For example, peak usage usually occurs only during the short periods when financial institutions conduct their reviews of individuals’ access. In a traditional on-premises IAM implementation, firms are forced to buy systems powerful enough to handle that peak demand even though they need it only for a short time. By comparison, IAM cloud systems can dynamically adjust resources to accommodate these spikes, as well as lulls, in demand, which results in cost savings in the long run.
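To make the “reconciliation”, “review and certification” and toxic-access-combination ideas concrete, here is an added example of the three checks an access review typically runs over an entitlement snapshot: orphaned accounts (present in the target system but not in the HR feed), excessive access (entitlements not explained by any approved role), and toxic combinations (segregation-of-duties pairs held by one identity). This is illustrative code written for this article, not Ernst & Young’s or any vendor’s product; every account name, role, entitlement and the HR feed are constructed sample data.

```python
"""Entitlement reconciliation and toxic-combination (segregation-of-duties) checks.

All data below is constructed for illustration; the role model, entitlement
names and HR feed are hypothetical, not taken from any real institution.
"""
from dataclasses import dataclass

# Constructed HR feed: the authoritative list of currently active workers.
HR_ACTIVE = {"alice", "bob", "carol"}

# Constructed role model: which entitlements each approved role is allowed to grant.
ROLE_ENTITLEMENTS = {
    "teller":   {"core_banking.read", "core_banking.post_txn"},
    "approver": {"core_banking.read", "core_banking.approve_txn"},
    "auditor":  {"core_banking.read", "audit_log.read"},
}

# Constructed segregation-of-duties rules: no single identity may hold both halves.
TOXIC_PAIRS = [
    frozenset({"core_banking.post_txn", "core_banking.approve_txn"}),
    frozenset({"core_banking.post_txn", "audit_log.delete"}),
]

# Constructed snapshot of what the target application actually grants today.
ACCOUNT_ENTITLEMENTS = {
    "alice": {"roles": {"teller"},
              "granted": {"core_banking.read", "core_banking.post_txn",
                          "core_banking.approve_txn"}},   # approve_txn not in her role
    "bob":   {"roles": {"auditor"},
              "granted": {"core_banking.read", "audit_log.read"}},
    "dave":  {"roles": {"teller"},
              "granted": {"core_banking.read", "core_banking.post_txn"}},  # not in HR feed
}


@dataclass
class Finding:
    account: str
    kind: str            # "orphan", "excess" or "toxic"
    detail: tuple = ()   # the entitlements the finding is about


def expected_entitlements(roles):
    """Union of everything the account's approved roles are allowed to grant."""
    expected = set()
    for role in roles:
        expected |= ROLE_ENTITLEMENTS.get(role, set())
    return expected


def reconcile(accounts=ACCOUNT_ENTITLEMENTS, hr_active=HR_ACTIVE, toxic_pairs=TOXIC_PAIRS):
    """Run the orphan, excess-access and toxic-combination checks over a snapshot."""
    findings = []
    for account, record in sorted(accounts.items()):
        granted = set(record["granted"])
        # 1. Reconciliation: an account with no active HR record is an orphan.
        #    It is de-provisioned outright, so no further review is needed.
        if account not in hr_active:
            findings.append(Finding(account, "orphan", tuple(sorted(granted))))
            continue
        # 2. Excessive access: grants that no approved role explains.
        excess = granted - expected_entitlements(record["roles"])
        if excess:
            findings.append(Finding(account, "excess", tuple(sorted(excess))))
        # 3. Toxic combinations: a whole SoD pair held by this one account.
        for pair in toxic_pairs:
            if pair <= granted:
                findings.append(Finding(account, "toxic", tuple(sorted(pair))))
    return findings


def summarize(findings):
    """Accounts per finding kind, in a form a certification report can list."""
    return {kind: sorted(f.account for f in findings if f.kind == kind)
            for kind in ("orphan", "excess", "toxic")}


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.kind:6} {f.account:6} {', '.join(f.detail)}")
```

Run as a script it prints one line per finding: alice holds an entitlement outside her role and also the post/approve toxic pair, and dave’s account survives his departure. The point of the structure is that the role model and the SoD rules are data, so a reviewer certifies a small, stable policy rather than re-reading every raw grant during each peak review period.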

3. Does the solution have adequate risk management and security controls? Can the organization manage the risk effectively while integrating with other traditional or cloud-based IAM services?

For cloud-based IAM solutions to become a key part of the IT enterprise portfolio, they need to provide adequate security controls for sensitive enterprise data and applications. Cloud-based IAM solution providers have made significant strides in addressing these concerns through their internal controls and service-provisioning strategies. Yet the service providers’ security and privacy protections must be augmented by financial institutions’ internal controls and validated further by the organization’s third-party risk management program.

Cloud-based IAM solutions can support both traditional on-premises components and software-as-a-service applications. For example, an organization may choose to implement a common authentication service for both its cloud-based and on-premises applications in order to provide its employees a seamless user experience across applications. Organizations should confirm that their cloud solution provider is able to meet the IAM solution security requirements.


Companies that turn IAM into an explicit business enabler rather than a cost center will create competitive advantage. As the IAM market consolidates and integrated cloud-based IAM functions become more dominant, we expect organizations to consider the focus areas outlined in this article and achieve the key business benefits of cloud-based IAM solutions while providing a flexible, standardized and secure enterprise service.

Ertem Osmanoglu is a principal in the Financial Services Office of Ernst & Young LLP.

The views expressed herein are those of the authors and do not necessarily reflect the views of Ernst & Young LLP.
