
Solution Map

As used in this document, Deloitte means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.
Copyright 2010 Deloitte Development LLC. All rights reserved.
Identity and Access Management
A visual overview of identity and access management concepts
Contacts
Gordon Hannah
Principal
+1 571.882.5930
ghannah@deloitte.com

Kevin Brault
Director
+1 571.882.5910
kbrault@deloitte.com

Carey Miller
Senior Manager
+1 571.882.6975
caremiller@deloitte.com

Paul Grassi
Senior Manager
+1 202.758.1708
pgrassi@deloitte.com

Neel Agarwal
Senior Manager
+1 202.378.5030
neeagarwal@deloitte.com
[Figure: Federal IAM Solution Map. Numbered callouts 1 to 11 (explained in the introduction below) are laid over the following labelled elements: Identity Source Systems (Human resources, Payroll, Credential, Directory, External, Personnel security, Adjudication); Onboarding of a Person/Device identity with its attributes (Name, Address, Phone, Role, etc.); Identity Store; Policies, Roles and Rules; Workflow management, On-boarding and Lifecycle management; Access Management with a Policy enforcement point that evaluates Identity, Time, Role, Location, Attributes, Credentials, Privileges and Status; Physical Access using Card, PIN, Biometric and PKI across multiple locations, with YES/NO decisions; Logical Access to Files, Applications, Systems and Web services; an Auditing and reporting Dashboard with Remediation; Federation with Trusted external partners through Backend attribute exchange and Identity assertion/token exchange.]
Introduction to Identity and Access Management

An effective Identity and Access Management (IAM) system provides functionality for identity life cycle management and resource access control. IAM includes policies, processes and workflows for on-boarding, off-boarding, identity modification, provisioning, authentication, authorization and entitlement enforcement.

1 On-boarding is the process of establishing an identity for a person, device, or system account in an enterprise. Identity information can be populated via self-registration or one or more business processes.

2 Identity source systems contain the authoritative data elements that collectively comprise each individual identity.

3 Identity stores contain enterprise identities linked dynamically to the identity source systems, eliminating data duplication across the enterprise.

4 Workflow management automates provisioning processes (e.g., approvals, rejections, re-certifications) to enforce preventative access controls and maintain audit and compliance of the identity life cycle while providing users access to protected resources.

5 Lifecycle management is the process of managing the digital identity and its attributes, including any updates or changes to attributes, from the creation of the identity to the removal of the identity from the IAM system during off-boarding.

6 Access management enables authentication of identities for use with Single Sign-on to enterprise resources by validating identity information (e.g., roles, attributes) against resource-specific access control policies. Access control policies can incorporate separation of duties, repudiation and reconciliation.

7 Policies incorporate business rules and logic, defining them in IAM as controls for granting access to resources based on attributes (e.g., title, application) or roles (e.g., system administrator, human resources specialist).

8 Physical access control systems can be integrated with IAM to leverage identity information provisioned to local data stores. Identity information can be used for granting access to sites, buildings or areas in conjunction with authentication mechanisms such as smart cards, PINs, biometrics and Public Key Infrastructure (PKI).

9 Logical access to information technology resources (e.g., networks, computers, applications, data) is provided by integrating with the IAM solution in an organization's enterprise. The IAM solution performs identity authentication based on the level of assurance required by an individual resource, including the use of strong authentication mechanisms like PKI and secure hard tokens. The solution then authorizes or denies access based on resource-specific policies that can be defined to accommodate mixed populations (i.e., internal and external users) and credential types (e.g., passwords, smart cards, Personal Identity Verification cards, VPN tokens).

10 Auditing and reporting are IAM capabilities that can provide an enterprise-wide view (i.e., a dashboard view) of detected access policy violations (e.g., SOD violations, rogue accounts), security, compliance, system monitoring, system notifications and warnings, performance indicators and data integrity. Auditing capabilities can automatically enforce access policies by mitigating detected violations.

11 Federation enables trusted, cross-domain single sign-on authentication among internal or external organizations and trusted partners by establishing trust models for vetting identities and enforcing security policies.
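The policy enforcement point from callouts 6, 7, 9 and 10 can be illustrated with a small decision function: it checks identity status, role, credential level of assurance, location and time against a resource-specific policy, and a companion audit pass reports separation-of-duties conflicts and rogue (off-boarded but still entitled) accounts. This is an added example, not Deloitte's code; the identities, policies, assurance ranks and role names are constructed for illustration.

```python
from datetime import time

# Constructed sample identity store (not from the page): attributes the map lists
# for the enforcement point: role, status, location, credential type.
IDENTITIES = {
    "alice": {"roles": {"hr_specialist"}, "status": "active", "location": "HQ", "credential": "piv"},
    "bob": {"roles": {"sysadmin", "payroll_preparer", "payroll_approver"}, "status": "active",
            "location": "remote", "credential": "password"},
    "carol": {"roles": {"sysadmin"}, "status": "terminated", "location": "HQ", "credential": "piv"},
}

# Assumed level-of-assurance rank per credential type (higher is stronger).
LOA = {"password": 2, "vpn_token": 3, "piv": 4}

# Resource-specific policies (constructed): required roles, minimum assurance,
# permitted locations and a permitted time window.
POLICIES = {
    "payroll_db": {"roles": {"payroll_preparer", "payroll_approver"}, "min_loa": 3,
                   "locations": {"HQ"}, "hours": (time(7, 0), time(19, 0))},
    "hr_portal": {"roles": {"hr_specialist"}, "min_loa": 2,
                  "locations": {"HQ", "remote"}, "hours": (time(0, 0), time(23, 59))},
}

# Role combinations one identity must never hold at the same time (separation of duties).
SOD_CONFLICTS = [{"payroll_preparer", "payroll_approver"}]


def decide(user, resource, now, identities=IDENTITIES, policies=POLICIES):
    """Policy enforcement point: returns (allowed, reason). Every check is deny-by-default."""
    ident, policy = identities.get(user), policies.get(resource)
    if ident is None or policy is None:
        return False, "unknown identity or resource"
    if ident["status"] != "active":
        return False, "identity not active"
    if not ident["roles"] & policy["roles"]:
        return False, "no matching role"
    if LOA.get(ident["credential"], 0) < policy["min_loa"]:
        return False, "credential below required level of assurance"
    if ident["location"] not in policy["locations"]:
        return False, "location not permitted"
    start, end = policy["hours"]
    if not start <= now <= end:
        return False, "outside permitted hours"
    return True, "permitted"


def audit_sod(identities=IDENTITIES, conflicts=SOD_CONFLICTS):
    """Dashboard view: identities holding a conflicting role set."""
    return sorted(u for u, i in identities.items() if any(c <= i["roles"] for c in conflicts))


def audit_rogue(identities=IDENTITIES):
    """Dashboard view: off-boarded identities that still hold roles (candidates for remediation)."""
    return sorted(u for u, i in identities.items() if i["status"] != "active" and i["roles"])
```

The check order matters: a terminated identity is refused before its roles are even consulted, which is how lifecycle management (callout 5) feeds directly into enforcement.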
Deloitte's approach to IAM systems helps clients realize:
- Increased efficiency through business process automation
- Increased user/customer satisfaction
- Reduction in help desk costs (e.g., password resets)
- Secure information sharing and collaboration
- Enabled transparency
- Privacy protection
- Enhanced data protection and integrity
- Improved and automated reporting
- Compliance with federal mandates, laws, regulations (e.g., FISMA, Ll/C/l, A-123), and Federal Identity, Credential, and Access Management recommendations
Federal Solution Map
= Encrypted communications
Encryption is used to secure communications between internal and external systems using a variety of encryption technologies (e.g., AES, SSL, TLS).
