A global pharmaceutical company conceded, after multiple federal audit findings for improper user access, that effective regulatory compliance would demand a comprehensive strategy for centralized Identity and Access Management (IAM). Internally, the pharma giant’s unstructured IAM business processes had become an onerous burden for application owners—certification of user accounts typically took months to conclude. At the same time, a growing population of mobile device users were having difficulty inputting the long passwords required to authenticate to corporate assets. And increased collaboration with external partners dictated that the company provision credentials for its 16,000 contractors and suppliers, and provide them with secure, straightforward access to necessary resources and applications. Taken together, these sweeping business demands called for a comprehensive reference architecture for information governance. This would not be a trivial task, given that the firm’s ecosystem comprised a complex tangle of 40,000 user accounts on more than 9,000 applications. Like many organizations, the pharma company lacked expertise in the processes and underlying technology architecture necessary to efficiently design an effective identity management solution. It needed help.
The pharmaceutical company selected PwC to craft a thorough IAM architecture that would boost visibility into user access across its ecosystem and create a governance framework to help prevent future compliance findings. Our team of identity management specialists assessed the company’s ecosystem to understand and align its information security policies, business objectives, and compliance mandates. Drawing upon knowledge of the firm’s workflow and business processes gained from a previous engagement, we worked with key stakeholders to craft enterprise reference architecture for governing its user identities and their access. In doing so, we found that the company’s far-flung application teams worked in isolated silos and addressed user-access problems in a reactive manner. What’s more, granting user access was a manual and laborious process. We helped the firm design a strategy that would tackle these challenges collectively and proactively, and suggested ways to redesign key business processes that would result in more efficient provisioning and access review across a variety of platforms. Our IAM team developed a strategic approach to manage the identities of external partners and provide single sign-in access via support for federated identities and claims-aware applications. We also conducted a maturity assessment of the company’s current IAM capabilities and helped it create a roadmap to advance the development of its identity and access management strategy.
Impact on client's business
The pharmaceutical company approved our thorough IAM architecture plans and has begun to implement the framework. The company has selected a technology vendor and conducted a proof of concept, and is moving quickly toward deployment. Once in place, our strategy will help alleviate audit problems, automate business processes, improve access for outside users, and secure access for mobile devices. Together, this will enable the company to realize substantial cost savings, particularly in quarterly access certification. For instance, comprehensive identity management will enable the firm to reduce by 50% the personnel required to complete certification while shortening the length of the process from three months to 15 days. When implemented, the federated identity and claims-aware solutions will allow the firm’s external partners to access corporate applications securely and promptly to minimize risk and improve collaboration. These enhancements will ultimately improve the user experience and enhance operational efficiency and time to market due to fast provisioning of users.