Has IAM reached the end of the road, or is it about to turn a corner?

Compliance is the main reason why organisations have invested in identity and access management (IAM) systems, although they still fail to derive any real value beyond that.

Compliance is the main reason why organisations have invested in identity and access management (IAM) systems, although they still fail to derive any real value beyond that.

In the light of this fact, many in the industry are questioning whether there is a future for IAM.

By the end of 2013, fewer than 10% of all authentication events will involve discrete, specialised authentication hardware, according to research firm Garter.

But, at the 2011 Gartner IAM Summit in London, analysts indicated that IAM may be headed for a renaissance as organisations find ways to get more value out of these systems by viewing them as an information asset.

Value to the business

Businesses need to understand that tying up data in IAM systems with other business data can be extremely valuable, says James Richardson, research director at Gartner.

Moving beyond core IAM functions of simply controlling, observing and informing about access could also help to build a bridge between IT and the business, says Earl Perkins, research vice-president at Gartner.

"By linking up the wealth of data stored in IAM systems with business data, IT can justify investment in IAM by helping create real business benefit through enabling better decisions based an a wider spread of data," he says.

The first step, says Perkins, is for IAM administrators to identify exactly what data they are collecting and then sit down with the business to work out how to make it useful to the business.

For example, he says, many processes are anonymous, but the data in IAM systems can be harnessed to enable the business to know who is doing what and when to help understand behaviours and decision-making processes, as well as help make people accountable for their actions.

Connecting data

Business value comes from making connections between different types of data, says Richardson.

Better and faster decision-making processes, he says, are fundamental to helping IAM add value to the business and not just IT, through lower total cost of ownership and operational efficiency by enabling business agility and strategic transformation.

But much work still has to be done in many organisations to break down the silos of information, says Nishant Kaushik, chief strategist IAM at Oracle, particularly as older systems are usually not built for information sharing and collaboration.

Despite the challenges, however, Gartner says a growing number of organisations are shifting identity and access management (IAM) efforts from administration to a strategic focus on intelligence.

The need to limit costs and deliver real-world business results is forcing IAM professionals to have a more strategic approach, says Ant Allen, research vice-president at Gartner.

Project failures

Against this background, Gartner predicts that by 2014, notable project failures will cause 50% of organisations to shift their IAM efforts to intelligence rather than administration and more than 80% of successful IAM projects will be process-driven to achieve IAM intelligence.

"A process approach is necessary as technology alone is not enough," says Allen.

Although IAM in many organisations is still focused on administration or provisioning access to IT systems - and likely to remain that way at least until 2013 - more mature companies are starting to move to an intelligence-driven approach, says Perkins.

Such organisations are moving towards getting as much business benefit out of IAM systems as possible, instead of using it just to make it easier for the IT department to provision and control access to IT systems.

In light of the budget constraints following the world economic crisis, Perkins says that unless IT professionals can provide real intelligence for the business, they should simply "go home".

Although Gartner thinks it unlikely that enterprises will be using cloud-based services for all their IAM needs within the next four years, cloud computing is considered to be an important new enabler for IAM technologies, first as a delivery mechanism, where scalability is important, and second, as a way for organisations to outsource the integration of IAM with their back-end systems.

Tim Dunn, vice-president of security strategy Europe for CA Technologies, says cloud computing is also galvanising the need for IAM.

Cloud computing will push more organisations to adopt IAM that have not done so before, he says, as they will typically not have the problem of having to deal with legacy systems.

According to Dunn, cloud computing will make the relevance of IAM more visible to the business, as well as providing a highly efficient way of managing identity, which could well change the way business views IAM in future.

Taken together, these views suggest that far from reaching the end of the road, IAM is set to turn a corner by enabling and using cloud technologies, and by linking hitherto unutilised repositories of data to other information to deliver greater intelligence, and therefore value, to the business.

Read more on IT risk management