Identity & Access Management
Managing today's identity crisis
The headlines are becoming commonplace: Another
organization or government agency loses sensitive
customer information due to data breaches. The incidents
of internal fraud and abuse among employees, vendors
and business partners continue to increase.
As much as these crises generate negative headlines, bad
publicity is just the tip of the iceberg when it comes to
the potential risks associated with the loss of control over
identity. There is also the potential for loss of consumer
and vendor trust, legal and regulatory action and
significant financial losses.
The problem has grown to such an extent that government
is involved. Legislators and regulators are imposing an ever-
tightening circle of laws and guidance on businesses aimed
at encouraging organizations to better control access to
their sensitive information, particularly personally identifiable
information. Many organizations are struggling with this
issue, often relying on quick fix solutions as a response to
the most visible areas of vulnerability. Still other organizations
do nothing, living in a dangerous state of denial.
Components of an Effective Identity Management Solution
Authoritative
Source
Business Events/Triggers
Identity Repository
Employee
Customer
Business
Partner
Identity Role Architecture
Protection
Enterprise Risk Services
The reality is that identity and access management is a
highly complex business issue that goes far beyond the
IT department. It encompasses the entire organization,
including business units, individual locations, systems,
access points, business partners and customers.
Complicating matters further is the growing number
of mobile employees, joint ventures and other business
activities that expose IT systems to potential threats.
An end-to-end solution
Deloitte member firms’ Identity & Access Management
(IAM) framework addresses all aspects of the identity and
access management lifecycle. It is a holistic, business-
focused approach that incorporates Deloitte member
firms’ experience related to processes, control, technology
and security with in-depth vendor software knowledge,
to deliver a comprehensive and sustainable identity
management solution.
Applications and users
User
Provisioning
Attributes
Attributes
Attributes Access
Management
Identity & Access Management
Managing today's identity crisis
Deloitte member firms’ solution can encompass the
following components:
• Identity repository – a central repository of user-related
information created by synchronizing multiple sources of
information or by combining multiple sources into one
virtual resource, e.g., a central, meta, or virtual directory
• Integrated authoritative source – a source of trustworthy
and dependable information, e.g., the human resources
systems used to identify employees
• Identity roles – their proprietary method of defining,
managing and enforcing access control privileges
through the use of roles between end users and
permission assignments, e.g., the systems that help
you build and enforce the use of roles
Deloitte member firms’ solutions can include the
following services:
• User provisioning – centralized management of user
information, such as user ID, password and role, through
automated or manual workflows, e.g., the systems that
automate the distribution of user-related information
and keep it in sync with multiple target systems
• Access management – authenticating users and
determining if they have the appropriate credentials
to access an application, e.g., the web and single
sign-on systems
• Self-service password management – a centralized
service where users can manage and modify their
personal information and reset passwords
• User administration – this component can be managed
in two ways:
• Central administration – a resource for managing a
user’s system access profile from one location
• Delegated administration – a method of
distributing central management access based
on organizational hierarchy
• Auditing and reporting – key internal processes
focused on achieving compliance requirements,
e.g., a system that centralizes the different logs that
your solution generates
• Compliance and privacy component – identity
management helps enable an organization to meet
compliance and privacy requirements
• Portals capability – portal personalization engine which
can be enabled by leveraging identity management
• Strong authentication – leveraging the appropriate
authentication complexity methods, for application
access based on various factors, including risk
assessment, e.g., certificate-based authentication,
biometrics, smartcard and tokens
• Identity and Access Management for service-oriented
architecture (SOA) – the next level of system based
communication based on industry standards
• Identity data integrity – the application of automated
tools and techniques to clean existing data and verify
that ongoing data in the system is accurate and
complete and can be reported on
The IAM framework and Deloitte member firms’
methodology can help you:
• Implement and customize identity and access
management solutions, including web and single
sign-on, provisioning, identity federation, web
services/SOA security and directories (both virtual
and meta-directories)
• Design and implement authoritative sources and
identity stores
• Deploy and implement a role-based access infrastructure
that may improve your overall security, streamline access
control processes and provide easier reporting and
validation of regulatory and audit compliance
Deloitte member firms’ approach to any IAM project is
collaborative in nature and leverages an iterative approach
based on the unified process; they work closely with you
to define and validate your requirements.
Deloitte member firms understand that simply installing
a technology solution does not make a project successful.
They also recognize that complex solutions often require
specialized business cases. With the benefit of their
extensive experience, they will help you integrate the
required project components for success, including regular
communication with key stakeholders and an adoption
program for the new processes and technology.
Deloitte member firms will work closely with you to
develop a strong, organization-wide commitment from
your business and IT leaders since buy-in is one of the key
success factors to implementation and a long-term solution.
A tailored solution
Deloitte member firms are experienced in developing
and implementing identity and access management
solutions across industries for large and small organizations
and provide:
• Subject matter experience in project planning, technical
deployment, customization, architecture development,
project oversight and alliance relationships
• Training for member firm practitioners on their
proprietary methodologies and alliance systems
• Labs through which alliance solutions are tested,
adjusted and demonstrated
• Customized identity and access management solutions
designed to meet their clients’ unique environments
• A global perspective on the IAM marketplace
 Identity & Access Management
Managing today's identity crisis

Security & Privacy lifecycle framework

Sustain Assess
Security
• Control Assessments & Certifications Management • Vulnerability Assessment
• ISO 27000 series/COBIT/ITIL Compliance (e.g. Penetration Testing, Ethical Hacking)
• Business Continuity Planning Business • Threat Risk Assessment
Continuity Vulnerability
• Disaster Recovery Planning Management • Privacy Impact Assessment
Management
• Security Awareness & Training • Application Security/Integrity Assessment
• Security Education & Certification • PCI DSS
Sustain Assess • Product Selection & Evaluation
Security & • Health Checks
Privacy • Security Benchmarking Strategy
Implement Framework Privacy &
Application Data Policies & Standards
• Security Program Integrity Protection
• Identity & Access Management Implement Architect
• Network Access Management Architect
• Application Integrity (ERP/Web) • Security Architecture
• Data Protection & Encryption • Security Design Patterns
• Policy Management Identity & • Platform Security Standards
• Incident Management Infrastructure &
Access
Operations • Secure Development Guidelines
• Controls Automation Management • Governance, Policies & Standards
Security

Deloitte member firms can help implement the solution
you need to solve today’s identity management
problems and help you leverage your identity and access
management practices for competitive advantage.
Deloitte member firm services
The ongoing mission of the Security & Privacy Services
team is to work with clients to achieve robust security
through the delivery of end-to-end solutions, utilizing
proven methodologies and tools, in a consistent manner
globally, by world class experienced professionals. By
working together, Deloitte member firms can assist you
in improving enterprise security and value, bring new
solutions to market and develop risk aware programs
and processes.
Security & Privacy Services form part of the Enterprise
Risk Services (ERS) practice. Deloitte member firms have
over 16,000 professionals helping clients manage risk and
uncertainty, from the boardroom to the network. They
provide a broad array of services that allow clients around
the world to better measure, manage and control risks to
enhance the reliability of systems and processes.
The Deloitte member firms’ Security & Privacy
services include:
• Security Management
• Identity & Access Management
• Privacy & Data Protection
• Business Continuity Management
• Application Integrity
• Vulnerability Management
• Infrastructure & Operations Security
Deloitte member firms offer broad, customizable solutions
that will help clients enhance opportunities and master
their most pressing and complex challenges. Deloitte
member firms value clients and commit themselves to
their success.
Practice highlights
• Approximately 10,000 IT Risk Management and Security
& Privacy Services professionals globally, including over
1,000 CISSPs (Certified Information Systems Security
Professionals), more than any other professional
services organization
• Certified professionals in many other technologies and
designations including CISA, CISM, CIPP, ISO 27000
series, GEAC, ITIL, CISCO, DRII, BCI, Novell, Tivoli,
Checkpoint, Microsoft, Sun, Entrust, IBM, WebSphere,
CA, Siemens, SAP, PeopleSoft and JD Edwards
• Industry association memberships with Information
Security Forum (ISF), Information Systems Audit &
Controls Association (ISACA), International Information
Systems Security Certification Consortium (ISC)2,
Information Systems Security Association (ISSA), CyLab,
I-4, International Association of Privacy Professionals
(IAPP), American Society for Industrial Security (ASIS),
International Standards Organization (ISO), Association of
Contingency Planners (ACP) and Open Web Application
Security Project (OWASP)
Global contacts
Enterprise Risk Services Security & Privacy Services Identity & Access Management
Mark Layton Adel Melek Mark Ford
Deloitte & Touche LLP - USA Deloitte & Touche LLP - Canada Deloitte & Touche LLP - USA
+1 214 840 7979 +1 416 601 6524 +1 313 394 5313
mlayton@deloitte.com amelek@deloitte.ca mford@deloitte.com

Regional contacts
Asia Pacific (APAC) Europe/Middle East/Africa (EMEA) Latin America/Caribean (LACRO)
Uantchern Loh Carlo Schupp Martin Carmuega
Deloitte & Touche LLP - Singapore Deloitte Touche Tohmatsu - Belguim Deloitte Touche Tohmatsu - Argentina
+65 6216 3282 +32 2 800 20 77 +54 11 4320 4003
uloh@deloitte.com cschupp@deloitte.com mcarmuega@deloitte.com

Canada Japan USA

Adel Melek Mitsuhiko Maruyama Ted DeZabala
Deloitte & Touche LLP - Canada Deloitte Touche Tohmatsu - Japan Deloitte & Touche - USA
+1 416 601 6524 +81 (3) 6213 1112 +1 212 436 2957
amelek@deloitte.ca mitsuhiko.maruyama@tohmatsu.co.jp tdezabala@deloitte.com

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms,
each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed
description of the legal structure of Deloitte Touche Tohmatsu and its member firms.

© 2008 Deloitte Touche Tohmatsu. 08-006G