PwC: reducing complexity in identity and access management
PwC ha s identified a number of trends affecting organisations, centered around a digital landscape that was growing in complexity even before the COVID-19 pandemic. “We are in a very strange and unprecedented situation - the ‘new normal’, as we call it within PwC,” says Ivo Van Bennekom, Director, Digital Identity. “What that new normal means, is that it’s accelerated a big change that was already happening prior to the COVID-19 situation, where we see clients changing from a traditional value chain that was very direct, to starting to become more part of a digital ecosystem, collaborating to delivering a variety of services towards the end consumer.”
Increased digital complexity and ever-changing employee roles within an organisation means identifying and allowing the access of users is all the more important. “Managing identity is vital, but it's also a daunting task for many organisations who lack proper identity and access management (IAM) for governing their digital identities,” says Duane Carstens, Director, Cybersecurity & Privacy. “That’s regardless of their IAM service maturity and whether they are adopting or replacing digital technology through their digital transformation”.
To help organisations with digital identity, the company maintains more than 950 digital identity professionals as part of a broader cyber team that is 3,500 strong, with extensive experience across various industries. PwC consequently differentiates itself from competitors in the space along a number of lines. “One of the biggest benefits that clients see when working with us, is that we can deliver an integrated approach to the whole breadth and depth of cybersecurity and digital identity management,” says Van Bennekom. Carstens believes in the transformative power of PwC’s cyber business. “The purpose of our cyber business is to help build a secure digital society. This is done through three key aspects, including 1) serving our clients, 2) extensive research and disruption to the market and to threat actors which is done by challenging conventional thinking, and 3) shaping society by being an exemplar. These three key aspects are encompassed by our DNA which includes empowering an innovative and diverse team.
PwC is equally focused on forging strong bonds with their customers. “Our value is defined by the relationship with the client,” says Carstens. “That relationship is born from an intelligent, engaged, highly collaborative process. It’s about helping them through their digital transformation journey, through their challenges and providing the insight to assist clients to reach their objectives.”
The ongoing COVID-19 pandemic is resulting in innovative attack vectors which companies must respond to. “We see key emerging cybersecurity risks as a result of COVID-19,” says Carstens. “There are a lot of opportunistic threats at the moment. The increasing attacks on businesses means that identity and access management continues to be of paramount significance, in the risk management priorities of organisations.”
“The focus should be on providing the right people, with the right access, at the right time through the identification, authentication and appropriate authorisation information security principles” Carstens adds. “Identity and access management is not just about the technology, it also involves the organisation’s people, processes and governance on the service. This holistic approach will provide secured flexibility for your remote workforce to remain productive and ‘work from anywhere’.”
Defending against those threats requires capabilities across a range of arenas. “Digital identity can roughly be carved up into four different areas,” says Van Bennekom. “One is the workforce identity space, so access management, but also identity governance. Second, is privileged access management, for users such as database administrators that, basically with one press of a button, can wipe out a complete IT estate. Thirdly, we have customer identity, from B2B customers to consumer scenarios, or even governments and how they interface with their citizens. Lastly, we have artificial intelligence, RPA and the identity of things.”
With such a wide range of areas to be aware of, a holistic approach is necessary. “What’s most important in terms of digital identity is that management should have a complete vision for their identity and access management program. Coupled with that vision should be capability in managing and governing identity, as well as controlling and monitoring access,” Carstens says. “Capabilities have to run across different groups, including human and non-human users, who will be in contact with your organisation and the assets that you're trying to protect, from applications in the cloud, to on-premise solutions, databases and operating systems and the data that resides on these assets.”
“The vendors that we typically work with are on a journey together with us to actually decrease the technology debt that you need in order to fulfill a lot of those use cases,” adds Van Bennekom. “Cloud solutions, for instance, simplify a lot of the technical digital identity complexity while also reducing the cost of operating such a system.” The effective utilisation of appropriate technologies will allow organisations to spend more time on what really matters: managing business risks related to digitalisation.
An accomplished cybersecurity strategy is a vital complement to digital transformation. “Digital transformation can result in a company becoming a target for attackers because they know that there's a lot of volatility within the organisation,” says Van Bennekom. “We understand how to integrate cybersecurity into those types of transformations, because technology continues to be the driver and it's evident that security is an enabler of those digital journeys.”
PwC consequently ensures its cyber defence offering keeps up with the pace and evolving trends. “We are already in the fourth wave of digital transformation. Agility is becoming more important and, with that, the required agility of cyber defence is also increasing. We're also bringing in consultants from other PwC competencies to understand business processes and take the right approach to help organisations become smarter in terms of cybersecurity defense,” says Van Bennekom.
While as a consulting and advisory house PwC remains technology and vendor agnostic, SailPoint, OKTA and CyberArk are some of the solutions it employs to help clients achieve their goals. “The technology vendors that we work with are a big part of helping clients to decrease their IT complexity so that there's more room to create business value,” says Van Bennekom. “Typically, the vendors that we work with are capable of covering a whole ecosystem of use cases and different types of identities, all from the cloud.”
The companies with whom PwC works with are therefore carefully selected through a consultative approach, based on product value and market need. “Digital identity for us as a business is one of our growth priorities over the next few years,” says Carstens. “Together with the right partnerships, matching a solution to a client problem, and our robust methodologies supported by our global network of subject matter experts, we will continue to add the desired value to our client engagements.”
Going forward, the two are clear that PwC stands in good stead to assist not only its clients but society at large with transformation in access management, decreasing complexity and improving the utility of digital environments. “We’re focused on building trust in society and solving important problems while making sure that we are looking at this from a broader perspective rather than just creating locks,” says Van Bennekom. “You need to understand what an organisation wants to achieve from a business perspective to understand how cybersecurity can support that most effectively. We’ll continue integrating all those different competencies to decrease the complexity and the risks of our clients’ ecosystems.”