Digital Identity

Why you should focus on Digital Identity

  • Blog
  • 10 minute read
  • 19/02/24

Fabian Faistauer

Director, Cybersecurity Technology & Transformation, PwC Switzerland

The initiatives surrounding digital transformation have accelerated the shift towards online services and have also created the need to let internal users access organisations’ systems remotely. These technology solutions often open paths for attackers to reach sensitive resources and data. Further risk comes from unmanaged admin accounts that hold elevated privileges over the IT network. These and other security concerns can be mitigated by implementing the capabilities around Digital Identity.

Digital Identity combines governance, people, processes and technology to ensure compliant, effective and automated identity and access lifecycles for all entities that exist within an organisation’s systems. Digital Identity deals with all types of entities, i.e., a person – natural or legal – or a machine. For these entities it provides secure authentication mechanisms across an organisation’s IT systems.

Over 94% of all organisations have experienced a breach that stems from poor identity security. (Source: Egress (2021), Insider Breach Data Survey)

So what is a Digital Identity?

The term “Digital Identity” describes both

  1. the combination of different disciplines like Identity Governance and Administration (IGA), Identity and Access Management (IAM) [1] and Privileged Access Management (PAM);
  2. the digital representation of an entity in the digital context, with an assigned set of attributes and a unique identifier, and enabling authentication of that entity against IT systems, services and applications.

The disciplines of Digital Identity play a fundamental role in securing any organisation from external and internal compromise.

Simply put, the purpose of IAM is to ensure that the right people get the right access to the right resources at the right time for the right reason, enabling the right (business) outcome.

IGA focuses on the policy framework, tools and processes to manage access rights for individuals within an organisation automatically. IGA and IAM work closely together to ensure secure access to data, systems and applications.

PAM, more specifically, is the practice of securely managing highly privileged account (HPA) access for human and non-human identities to sensitive information or functionality. It covers the creation, modification and removal of HPAs, as well as logging, monitoring, auditing and certifying privileged access and reporting violations.

The practice of Digital Identity starts at the strategic level, which covers the overall strategy and planning while also considering the organisational culture and people. The requirements set and the insights gained at the strategic level then need to be specified at the tactical level, where policies, standards and auditing capabilities are described and rolled out across the organisation. The outputs of the strategic and tactical levels in turn support the specifications at the operational level, for aspects such as the identity lifecycle and access management, as well as their operational enforcement.
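The risk of unmanaged admin accounts, the PAM duties of certifying privileged access and reporting violations, and the identity lifecycle mentioned above can be made concrete as a small reconciliation check. The following is an added example, not PwC's code or any product's logic: it compares a constructed HR feed (the source of truth for natural persons) with a constructed account inventory and reports leaver accounts that survived, accounts without an accountable owner, privileged accounts whose access has not been re-certified within an assumed 90-day policy, and dormant accounts. All names, systems, dates and policy periods are assumptions made for the illustration.

```python
"""Identity-lifecycle and privileged-account review (added example, not PwC tooling)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str
    department: str
    status: str                    # "active" or "left"
    left_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    account_id: str
    system: str
    owner_id: Optional[str]        # None = no accountable owner recorded
    privileged: bool
    last_used: date
    last_certified: Optional[date]  # last access certification, None if never


# Constructed HR feed: the authoritative list of natural persons.
HR: Dict[str, Person] = {p.person_id: p for p in [
    Person("p-100", "finance", "active"),
    Person("p-101", "it-ops", "active"),
    Person("p-102", "it-ops", "left", left_on=date(2024, 1, 15)),
]}

# Constructed account inventory as collected from the managed systems.
ACCOUNTS: List[Account] = [
    Account("jdoe", "erp", "p-100", False, date(2024, 2, 1), None),
    Account("ops-admin", "ad", "p-101", True, date(2024, 2, 10), date(2023, 9, 1)),
    Account("old-admin", "ad", "p-102", True, date(2024, 2, 5), date(2024, 1, 1)),
    Account("svc-backup", "linux", None, True, date(2024, 2, 12), None),
    Account("svc-report", "erp", "p-100", False, date(2023, 6, 1), None),
]

CERT_PERIOD = timedelta(days=90)     # assumed policy: privileged access re-certified quarterly
DORMANT_AFTER = timedelta(days=180)  # assumed policy: an account unused for six months is dormant

Finding = Tuple[str, str]


def review(accounts: List[Account], hr: Dict[str, Person], today: date) -> List[Finding]:
    """Return (account_id, finding) pairs for every policy violation found."""
    findings: List[Finding] = []
    for a in accounts:
        owner = hr.get(a.owner_id) if a.owner_id else None
        if a.owner_id is None:
            findings.append((a.account_id, "no accountable owner"))
        elif owner is None:
            findings.append((a.account_id, "owner unknown to HR"))
        elif owner.status == "left":
            # Leaver process failed: the account outlived its owner's employment.
            findings.append((a.account_id, "owner left on %s, account still active" % owner.left_on))
        if a.privileged and (a.last_certified is None or today - a.last_certified > CERT_PERIOD):
            findings.append((a.account_id, "privileged access not certified within policy"))
        if today - a.last_used > DORMANT_AFTER:
            findings.append((a.account_id, "dormant account"))
    return findings


def most_urgent(findings: List[Finding], accounts: List[Account]) -> List[Finding]:
    """Order findings so that privileged accounts come first, then alphabetically."""
    privileged = {a.account_id for a in accounts if a.privileged}
    return sorted(findings, key=lambda f: (f[0] not in privileged, f[0]))


if __name__ == "__main__":
    for account_id, finding in most_urgent(review(ACCOUNTS, HR, date(2024, 2, 19)), ACCOUNTS):
        print(f"{account_id:12s} {finding}")
```

In a real programme the HR feed and inventory would come from the HR system and from connectors into each managed platform, and each finding would open a ticket for the account owner or the PAM onboarding queue; the point of the example is that every check depends on data the governance layer has to define first (who owns an account, what counts as privileged, how often access is certified).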

65% of Swiss executives have distinctly marked cyber risks as their top mitigation priority in 2024. (Source: Swiss findings from PwC's 2024 Global Digital Trust Insights Survey)

Digital Identity brings several benefits

Enhanced security is only one advantage of adopting Digital Identity processes. It goes hand in hand with ensuring regulatory compliance – managing identities and access to resources is required by various information security regulations and standards (e.g. the upcoming ISG law, FINMA, NIST CSF, ISO 27001 etc.). For instance, Digital Identity is one of the means of ensuring data security, a requirement imposed by the New Federal Act on Data Protection and the GDPR.

Digital Identity also brings a better user and customer experience through authentication technologies such as single sign-on or passwordless solutions. Automated IAM processes reduce IT service costs while simultaneously bringing better transparency and enabling better control over users and the data they can access.

The path to an effective management of Digital Identities

In order to implement an effective Digital Identity practice in your organisation, it is necessary to consider four key areas: governance, people and organisational culture, process integration, and technology.

Governance of Digital Identity is an essential part of the implementation phase as well as later on in the operational phase. When building the implementation programme, it is crucial to consider the strategic and tactical layer of an organisation to make sure the practice will serve its specific needs. As a preparatory part of the implementation phase, governance includes

  • setting the strategy for the programme,
  • identifying key stakeholders,
  • defining the roles and responsibilities for the Digital Identity capabilities,
  • planning a roadmap thoroughly to ensure control over the programme progress,
  • creating an internal documentation framework, which serves as a guideline regarding all Digital Identity-related processes and activities.

The evaluation of technology vendors also takes place in the prework to the implementation phase, providing the basis for choosing the right solution.

In the operation phase, the governance processes established as described above enable the stakeholders and management to keep an overview and control of the Digital Identity practice in their organisation when it is up and running.

Client challenges which will be addressed include the following:

  • No IAM and/or PAM system to control the different types of identities and access rights to sensitive information and IT resources.
  • Lack of governance foundation leads to a lack of enforcement power.
  • No clear ownership and coordination of the IAM and PAM processes to ensure the involvement of the right stakeholders and functions.
  • Unclear distinction between IGA and PAM.

People and the organisational culture play a main role on all three layers of Digital Identity – on the strategic, tactical as well as the operational level. Furthermore, the aspect of people and organisational culture correlates closely with the aspect of governance, for example with regard to stakeholder management or roles and responsibilities. Focused on people and organisational culture, the availability and capabilities of resources influence the work package, resource allocation and timeline of the set up and implementation of a Digital Identity practice. Changes in processes and technology need to be clearly communicated and users need to be trained to be able to use the new processes, tools and technological capabilities. The consistent inclusion of people into the programme will increase the acceptance for changes and user satisfaction.

Client challenges which will be addressed include the following:

  • Internal resources won’t be left out of the initiative, but will be included in activities such as the design and implementation.
  • With the help of a comprehensive Change and Communication management policy, all stakeholders, users and employees will be involved in the Digital Identity practice.
  • Missing internal resources and capabilities can be compensated by external support.
  • The governance, processes and technology fit the people and the organisational culture.

Process integration is the next key part of implementing a Digital Identity practice in your organisation and putting it into operation. It can become quite a challenge, as Digital Identity covers numerous processes under both areas – IAM and PAM. For it to be a success, the process integration part needs a viable roadmap with defined milestones and dedicated capabilities to drive the changes. The new secure procedures for handling and managing identities and access to important resources are integrated into the organisation, hand in hand with the implementation of technology and based on the processes and rules set out in the standards and policies.

Client challenges which will be addressed include the following:

  • Insufficient processes and rules in place to address the risks posed by unmanaged accounts and access to the organisation’s resources.
  • No sustainable integration of IAM and/or PAM processes that is in alignment with business context and processes.
  • Enforcing accountability at the right stakeholders requiring them to act in case of security events.

The right technology is the key to an effective IAM and PAM governance and process implementation. Automating the repetitive tasks saves your specialists time and allows them to focus on other things. The most suitable technology solution to automate and secure the IAM and PAM processes should be chosen based on the assessment of the organisation’s needs and specifications and on the vendor evaluation. In addition, the overall technology landscape of the organisation must be considered to ensure compatibility with other solutions in place.

Client challenges which will be addressed include the following:

  • High level of manual effort in managing accounts and access to resources.
  • Lack of integration with other technical solutions such as HR administration, logging and monitoring solutions, etc.
  • Poor data leads to low degree of automation.

Our support in the following three areas of Digital Identity

Digital Identity encompasses numerous complex processes, which all require a good knowledge of all components and a close coordination of resources, activities, and people. We at PwC Switzerland have the know-how and experience to support you in any part of your journey to develop effective IAM and PAM systems.

Our approach is based on three main pillars:

We assess the current situation, as well as the capabilities, culture, specifications and needs of your organisation. Based on the outcomes, we develop a Digital Identity management framework tailored to bring the most benefits to your organisation.

  • We identify the scope in terms of information and IT resources, processes, applicable regulations and stakeholders.
  • We assess the gaps between the as-is state and the regulatory requirements, and prioritise the gaps based on their business impact. An overview of all business, IT and information security risks is fundamental for building an effective Digital Identity practice.
  • We develop a roadmap and prepare cost estimates to be communicated to your senior management.

We provide guidance in designing the target architecture and processes and work together to implement the right capabilities. We support you in the evaluation of the right solutions and the integration of the solutions into your existing landscape.

  • We define a target architecture and Target Operating Model (TOM) in terms of governance, people, processes and technology. All the decisions and established processes are documented in policies and internal standards, including the operational handbook.
  • We use our extensive experience with various technology solutions to help you evaluate the right solution for your organisation.
  • We agree with you on a gap closing plan as well as the sourcing options.
  • We work with your IAM team to implement the defined processes and integrate the chosen solution. Technical and non-technical access controls are put in place based on the requirements and the defined risk tolerance.
  • We hand over the established control framework to business and IT, including the necessary documentation.

The implementation of Digital Identity involves restructuring and optimising an organisation’s entire approach to authentication and access processes and the overall management of identities. It’s a transformation initiative that not only enhances security measures but also reshapes how users interact with digital resources. As such, a Digital Identity project must be managed with the transformation aspects in mind.

Read more about security transformation and how our project management-based approach can be the right solution for your business.

We offer to manage the entire Digital Identity lifecycle for you to ensure that the access to your organisation’s resources is secured and the identities within your information systems are protected and effectively managed.

  • We enable the successful integration of the chosen solution and defined processes into the organisation’s technology landscape, especially the integration with the security monitoring tool and log management.
  • We provide effective awareness training for your users.
  • We perform a review of the implemented processes and tools, including an effectiveness and performance evaluation, and suggest an optimisation strategy and recommendations for continuous improvement.
  • We help you to prepare for an external audit/independent third-party assurance service to verify compliance.
  • We offer IAM and PAM as a managed service, i.e., identity management and provisioning, identity and access governance, access and risk management, including running the technology behind the processes as well as a regular review and reporting.

Summary

Accelerated digitalisation, an increase in online commerce and remote working – these and other aspects of modern business make the management of processes even more challenging while also widening the attack surface. A secure and efficient management of identities, accounts and access is one of the basic requirements of any information and IT security standard or regulation, and therefore should be addressed with care.

However, you don’t have to face this challenge on your own. We have the specialists who can help to make sure you implement effective IAM and PAM solutions that will ensure your organisation protects both your own data as well as that of your customers. That way, you avoid financial sanctions, mitigate the damage caused by a potential data breach and most importantly build trust in your business.

[1] IGA and IAM are often used interchangeably. For simplicity, IGA and IAM are used synonymously in this blog post.


Get in touch

Please reach out to us if you’re interested in learning more about how we can help to make sure you implement effective IAM and PAM solutions to ensure you let in the right people in an effective and secure manner, and keep everyone else out.

