Professional Documents
Culture Documents
Identity and access management (IAM) systems are today used by the majority of European enterprises. Many of these are still installed on-premise but increasingly they are being supplemented by the use of on-demand IAM services (IAMaaS). The overall uptake represents a big increase from when Quocirca last surveyed the market in 20091. Whilst IAM is important for managing the access rights of increasingly mobile employees, three other major drivers have encouraged businesses to invest despite the tight economic conditions: the opening up of more and more applications to external users, the growing use of cloud based services and the rise of social media. The ultimate aim with all three is to nurture new business processes, thereby finding and exploiting new opportunities. This report presents new research into the use and benefits of IAM and the relationship it has with these three drivers. The research is based on over three hundred interviews with senior IT managers in medium sized to large organisations in a range of business sectors across Europe. The report should be of interest to anyone wanting to better serve all types of users, whilst still keeping control over applications and data.
Bob Tarzey Quocirca Ltd Tel : +44 7900 275517 Email: bob.tarzey@quocirca.com
Rob Bamforth Quocirca Ltd Tel: +44 7802 175796 Email: rob.bamforth@quocirca.com
Many businesses now have more external users than internal ones
The majority of businesses now open up at least some of their applications to external users, with 58% saying they transact directly with users from other businesses and/or consumers. The scale of the business processes they are running that require this will often mean the number of external users exceeds internal ones. This has led to a rise in the uptake of IAM systems with advanced capabilities to handle multiple types of users. 97% of organisations that are enthusiastic about cloud-based services have deployed IAM in general and 65% are using IAM-as-a-service (IAMaaS); only 26% of cloud avoiders use any form of IAM. The single-sign-on (SSO) capability of such services acts as a broker and a central place to enforce usage policy between users and both on-premise and on-demand applications. Many businesses also recognise the value of social media, with the top motivation being to identify and communicate with potential customers. When Quocirca last researched the IAM market in 2009 , 25% had some form of IAM in place, with 52% saying it was planned although, for many, those plans were delayed. However, regardless of the ensuing tight economic conditions, 70% have now deployed IAM. For 27% this is a totally on-premise system, however, 22% have already chosen to use a pure on-demand system, whilst 21% have a hybrid deployment. Active Directory is the most widely used primary source of identity for employees (68% of respondents). For users from customer and partner organisations the most common sources of identity are their own directories (1112%). Secondary sources include the membership lists of professional bodies, for example legal and medical practitioners (78%) and government databases (23%). 12% use social media as a primary source of identity for consumers, 9% say it is secondary. These fairly low use rates of alternative sources suggest an untapped business opportunity, perhaps because currently deployed IAM tools do not facilitate it. The top IT management challenge eased by IAM is the enforcement and management of access policy. However, it is also about improving the user experience by providing easy federated access to multiple applications and enabling user self-service. Whilst there are many benefits for businesses to be gained from effective IAM it seems likely that IT departments are under-selling these benefits. The potential of IAMaaS is widely recognised even by those with pure on-premise IAM deployments. Lower management and ownership costs along with improved employee productivity top the list, with ease of integrating external users not far behind. Those who make extensive use of cloud-based services are especially likely to recognise the benefits of IAM in general and select IAMaaS in particular.
1
Advanced IAM also helps organisations embrace cloud services and social media
Conclusions
Having an identity and access management system in place is now seen as an imperative by many businesses to achieving a wide range of IT and business goals. Those organisations that lack effective IAM are likely to lag behind their competitors in many areas as more and more business-to-business (B2B) and business-to-consumer (B2C) transactions move online, cloud services become the mainstream source of IT applications and services for many businesses and social media takes centre stage as a source of identity.
Quocirca 2013
-2-
Quocirca 2013
-3-
Quocirca 2013
-4-
Quocirca 2013
-5-
Authenticating users
The data shown in Figure 8 examines the attitude the respondents had to various aspects of authenticating users. It is widely accepted that clearly establishing identities is essential. Overall, 84% of all respondents say the need to do so is true for their organisation. When it comes to checking identities, 77% are likely to use strong authentication (this is especially true of telcos and financial services). However, only a small number of respondents say they use hardware token providers (as a primary source of identity), probably because of the cost. The main reason that businesses will have turned to hardware token providers as a source of identity in the first place is because they are also a source of strong authentication. Given the importance attached to strong authentication, many are probably seeking lower cost software-based alternatives that make use of spatial and/or temporal co-ordinates or making use of mobile phones (unsurprisingly, telcos take a lead here too). 70% say they no longer rely entirely on usernames and passwords to authenticate users (again, this is especially true of telcos). IP addresses are used for authentication by 82%; if used alone this would be a concern because IP addresses can be spoofed by hackers who want to make their attacks appear to come from legitimate locations. However, it is unlikely that IP addresses are being used as a primary means of identity; they are probably just an additional attribute that may be used as part of a strong authentication process. As many as 54% say they sometimes transact without first establishing the identity of users. This was especially true of telcos (83%) and financial services (77%). There may be good reasons for this, for example when asking for a quote for insurance or mobile phone service plan many do not want to give all their details before seeing the cost. However, it is likely that, in other cases, collecting such information is simply seen as too arduous, which it need not be if the supporting IAM tools were in place. In many cases the customer experience could be improved.
Quocirca 2013
-6-
Quocirca 2013
-7-
Quocirca 2013
-8-
Quocirca 2013
-9-
Quocirca 2013
- 10 -
Quocirca 2013
- 11 -
User self-service was seen at the number two management benefit of IAM, selected by 81% of respondents. Allowing users to reset their own passwords and be automatically granted access to new applications based on policy is good for user experience and makes for more efficient IT operations. This increases customer satisfaction and reduces operational costs.
84% of respondents believe that clearly establishing identities is essential in ALL cases before commencing a transaction. Advanced IAM enables access to both cloud-based and on-premise applications to be controlled via a single identity. 82% of respondents believe IAM is essential to achieving IT security goals. Advanced IAM enables the rapid provisioning of all types of new users and, as important, their immediate and comprehensive deprovisioning when the relationship with a given user ends. The opening up of a wide range of alternative sources of identity via the use of open standards is essential to achieving federated IAM. 88% say LDAP is essential or useful and there is increasing awareness of SCIM, with 60% saying it is essential or useful.
Quocirca 2013
- 12 -
Identifying and communicating with potential new customers is one of the top reasons for business use of social media. Certain IAMaaS systems have preconfigured links to many social media sites, enabling easy integration into business processes and the growing use of bring-your-own-identity (BYOID). 52% of all respondents saw improved employee productivity as a benefit of IAMaaS. It provides easy access to a wide range of resources for all employees, including those working remotely.
IAMaaS, like all on-demand software services, provides immediate access to new features without the need to install updates and the down time that can entail.
Many cloud-based applications also have their own directory of users, which can be integrated as part of a single overall user identity in a federated IAM system with access provided via SSO, linked to on-premise applications via existing internal IAM.
Quocirca 2013
- 13 -
Conclusion
Having an IAM system in place is now seen by many businesses as essential to achieving a wide range of IT and business goals. Primary amongst these are the opening up of more and more applications to external users, the growing use of cloud-based services and the rise of social media. The ultimate aim is to nurture new business processes, thereby finding and exploiting new opportunities. The number of businesses that have deployed IAM has increased dramatically over the last four years. Those organisations that lack effective IAM are likely to lag behind their competitors in these areas as more and more business-to-business and business-to-consumer transactions move online, cloud services become the mainstream source of IT applications and services for many businesses and social media takes centre stage as a source of identity. IAM has moved from a security tool to become a business enabler. The availability of IAMaaS has brought access to enterprise IAM capabilities within reach of smaller organisations and, for larger organisations with legacy IAM and directory systems, IAMaaS can provide them with the agility to embrace all these opportunities through integrating them into a hybrid system. This has led to a rapid growth in the use of IAMaaS either as the sole way a business deploys IAM or as part of an on-premise/on-demand hybrid deployment. However identity management is achieved, the majority of businesses now see it as essential. The statement made at the start of this report, that identity is the new perimeter, is already a reality and will become more so as IT users and applications disperse ever more and traditional IT security boundaries look more and more dated.
Quocirca 2013
- 14 -
Quocirca 2013
- 15 -
Digital identities and the open business Deployment and use of IAM
The Nordics may find it easier to embrace open applications and social media if more of them put IAM systems in place; they were some of the least likely to have done so. Overall, Iberian organisations were the most likely to have done so and the most likely to have deployed IAM-as-a-service (Figure 23). UK-based organisations are hot on strong authentication, with those in the Benelux region taking little interest (Figure 24). Italians were the least likely to see IAM an important for providing federated access to external users, whilst, in line with other findings, Nordics were keen. However, Italians were the most likely to extol the virtues of IAM for simplifying access to SaaS-delivered applications (Figure 25). The need for scalability of IAM for unknown numbers of users was most recognised amongst the countries with the largest populations (Figure 26), which makes sense, whilst only in the Nordics and Israel did the majority think IAM was very important for access policy management/enforcement although most saw it as at least fairly important.
Quocirca 2013
- 16 -
Quocirca 2013
- 17 -
Appendix 2 demographics
The following figures show the distribution of the research respondents by country, size, sector and job role:
Quocirca 2013
- 18 -
Appendix 3 references
1 Privileged user Management Quocirca 2009 http://www.quocirca.com/reports/430/privileged-user-management--its-time-to-take-control 2 The identity perimeter Quocirca 2012 http://www.quocirca.com/reports/791/the-identity-perimeter 3 UK Cabinet Office web site http://www.cabinetoffice.gov.uk/resource-library/identity-assurance-enabling-trusted-transactions 4 - Social media continues to rise in popularity among high street banks Virgin Media study http://www.virginmediabusiness.co.uk/News-and-events/News/News-archives/2012/Social-media-continues-torise-in-popularity-among-high-street-banks/ 5 Quocirca The data sharing paradox 2011 http://www.quocirca.com/reports/620/the-data-sharing-paradox 6 Forthcoming cloud report 2013 Quocirca will be publishing a follow-on report on the use of cloud-based services
Quocirca 2013
- 19 -
About CA Technologies
CA Technologies (NASDAQ: CA) provides IT management solutions that help customers manage and secure complex IT environments to support agile business services. Organisations leverage CA Technologies software and SaaS solutions to accelerate innovation, transform infrastructure and secure data and identities, from the data center to the cloud. IT Security solutions from CA Technologies can help you enable and protect your business, while leveraging key technologies such as cloud, mobile, and virtualisation securely to provide the agility that you need to respond quickly to market and competitive events. Our identity and access management (IAM) solutions can help you enhance the security of your information systems so that you can improve customer loyalty and growth, while protecting your critical applications and data, whether located on-premise or in the cloud. With more than 3,000 security customers and over 30 years experience in security management, CA offers pragmatic solutions that help reduce security risks, enable greater efficiencies and cost savings, and support delivering quick business value. CA CloudMinder provides enterprise-grade identity and access management capabilities as a hosted cloud service supporting both on-premise and cloud-based applications. Deployed as a service, CA CloudMinder drives operational efficiencies and cost efficiencies through speed of deployment, predictability of expense and reduced infrastructure and management needs.
TM
www.ca.com/mindyourcloud
About Quocirca
REPORT NOTE: This report has been written independently by Quocirca Ltd to provide an overview of the issues facing organisations with regard to IAM. The report draws on Quocircas research and knowledge of the technology and business arenas, and provides advice on the approach that organisations should take to create a more effective and efficient environment for future growth. Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets. Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption the personal and political aspects of an organisations environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to provide advice on the realities of technology adoption, not the promises.
Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocircas mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time. Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community. Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocircas clients include Oracle, IBM, CA, O2, T-Mobile, HP, Xerox, Ricoh and Symantec, along with other large and medium sized vendors, service providers and more specialist firms. Details of Quocircas work and the services it offers can be found at http://www.quocirca.com Disclaimer: This report has been written independently by Quocirca Ltd. During the preparation of this report, Quocirca may have used a number of sources for the information and views provided. Although Quocirca has attempted wherever possible to validate the information received from each vendor, Quocirca cannot be held responsible for any errors in information received in this manner. Although Quocirca has taken what steps it can to ensure that the information provided in this report is true and reflects real market conditions, Quocirca cannot take any responsibility for the ultimate reliability of the details presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of the data presented here, including any and all consequential losses incurred by any organisation or individual taking any action based on such data and advice. All brand and product names are recognised and acknowledged as trademarks or service marks of their respective holders.