EY teams synchronize collaboration for over 300,000 users with modernized identity and data governance

Collaboration is much more than a word at EY.

The global professional services organization’s purpose, “Building a better working world,” rests on teamwork—within EY, with external experts, and with clients and other stakeholders. Its global client base in a wide range of company sizes and industries speaks to the trust the EY organization holds across the world. The organization carefully protects that trust, which is why it focuses on making collaboration as secure as possible. The EY organization didn’t need to buy additional data privacy management software from another vendor because the answer—Microsoft Purview Information Protection—was already available in its Microsoft 365 E5 license. When the COVID-19 pandemic struck early in the information protection rollout, EY teams worked with Microsoft to fast-track the rollout and safeguard online collaboration for the company’s professionals across the globe within days.

Seeking the perfect balance of collaboration and security

As a Technical leader of EY Microsoft 365 Services at EY Technology, Usman Abubakar Ehimeakhe’s role is all about finding the fine line between competing priorities. “It’s a constant dichotomy,” he says. “We need strong security, but we also need great collaboration.” That collaboration is a multifaceted process that requires exquisite attention to protecting not only internal EY data, but that of its clients, partners, and other external parties. “The EY organization relies on trust among its stakeholders, so we must protect our data with the highest possible degree of integrity,” adds Ehimeakhe. “That’s one of the reasons why we use Microsoft solutions.”

Finding that balance is an ongoing test for his team, and the challenge goes beyond the many people who need access to EY assets. A constantly growing threat landscape demands constant vigilance and strict security measures. Yet tens of thousands of clients and other external players require access for varying terms, creating a constantly shifting population whose access must be carefully orchestrated for the right assets at the right time. And because of varying data privacy regulations around the world, EY teams maintain a hybrid production tenant to comply with those countries that require on-premises data storage and restricted data travel. EY teams provision users locally for onsite applications and use Azure Active Directory (Azure AD) External Identities for cloud platforms.

Ehimeakhe had three goals for safeguarding collaboration: to block oversharing of data, prevent sharing sensitive personal data, and control exfiltration. Those goals seemed to clash with EY professionals’ need to collaborate with non-EY team members and desire to invite guests to use relevant applications and data with as close to the same streamlined workflow that professionals use with internal colleagues. EY professionals had begun using Microsoft 365 Groups, a feature that spans the Microsoft 365 applications for easy workgroup coordination, to collaborate with non-EY parties. They set up project teams in Groups, coupling selected Azure AD member lists with a shared Exchange mailbox, a SharePoint site, a OneNote notebook, and Microsoft Planner. At the time of solution implementation, no Microsoft 365 groups at EY contained guest identities.

That statistic pointed to the issue that Ehimeakhe wanted to solve: his EY colleagues were onboard with securing company assets, but they needed the right solution. His team analyzed EY professionals’ usage patterns and identified the groups of applications within Microsoft 365 that they most used for collaboration. Microsoft Teams and Groups were key applications. “We needed to figure out how to implement a least privilege access control model while maintaining an open collaboration platform,” recalls Ehimeakhe.

Doing more with less: Getting the most out of a connected Microsoft solution

He wondered how to make it easier for external users to join a collaboration group without compromising EY security. Microsoft Purview Data Loss Prevention policies for asset labeling and classification were the answer. EY teams’ strategy was to also use Microsoft Purview Information Protection to apply labels on data containers in Microsoft 365 applications, like OneDrive, SharePoint, and Teams, and in Exchange email, extending privileges and restrictions on this data through downstream applications in Microsoft 365. “We needed to precisely identify which Microsoft 365 productivity applications should be classified for internal or external use,” explains Ehimeakhe. “Using a container label to differentiate permissions meant users could access a single document within a team or SharePoint site and the same users could not accidentally stumble upon confidential documents, a key element of the Microsoft Purview Information Protection solution that we couldn’t get from any other solution on the market.”

EY professionals teamed up with Microsoft to resolve the guest access needs. Ehimeakhe and his team spent several months mapping out the necessary parameters so that EY guest users could easily access data with appropriate restrictions. By December 2019, the solution was ready. EY teams craft all solutions with the utmost care, progressing from development and quality assurance environments to user testing before finally launching into production—typically a process that takes from 8 to 12 months.

At the halfway point in the project, the COVID-19 crisis shuttered offices around the world, leaving organizations scrambling for solutions. When it received notice that everyone would have to work from home as of March 2020, the EY organization was ahead of the game. “We had the solution in our back pocket but had only weeks to wrap up a process that would have taken months,” says Ehimeakhe. He brought in the EY service adoption team, which socializes adoptions by creating a full spectrum of materials to educate users about use cases, adoption models, usage guides, and other communications. 

The EY project team began rolling out the solution in waves, creating from 500 to 600 external users every day. Demand was great, recalls Ehimeakhe, and the number of external users created spiked to 3,300 by mid-March 2020. By the end of the month, EY teams had onboarded every external user. “The EY organization’s collaboration grew exponentially because of our Azure AD External Identities solution,” remarks Ehimeakhe. “Within four months, the number of groups at EY swelled from 100,000 to over 450,000.”

Closing the circle

The people who use information protection at EY might not fully understand every technical aspect of the detailed plans that Ehimeakhe’s team put into place, but they’re critically important to everything the solution does. “We work to ensure that everyone at EY knows how to properly consume our services,” he explains. “Those people are our first line of defense in our zero trust model.”

Looking back on its collaboration deployment, the EY team checked every item on its list despite a global crisis. “By using Microsoft Purview Information Protection coupled with Azure governance, we fulfilled all three of our guiding principles,” says Ehimeakhe. “We can tag our SharePoint sites that include external users so that they’re isolated within the containers they’ve been admitted to. They can’t leave those containers or associated SharePoint sites to discover files, search the directory for other users, or otherwise engage in unauthorized exploration.”

In a company where delighting users is a requirement, compliments are a final bow on a project. “We’ve gotten very positive feedback from EY users, external partners, and support teams, and everyone reports a low-impact experience,” says Ehimeakhe. “Ours is a very positive story,” he concludes. “For a minimal operational spend, we deployed the solution to every member of the global EY organization, which answers our information protection needs.”

Find out more about EY on Twitter, Facebook, YouTube, and LinkedIn.