Gartner IAM summit: Identity and access management in flux but progressing

Identity and access management (IAM) remains in a state of flux as related architectures and standards continue to evolve. But does that mean that there is no progress in managing identity, despite its growing importance?

Despite the uncertainty, several positive trends were highlighted at the Gartner IAM Summit 2012 in London, such as increased involvement of business managers in the management of identity.

The experience of French bank Société Générale and several other high-profile organisations helped spur a more business-oriented view of identity management.

The case of Jerome Kerviel, a junior trader at Société Générale who used the access rights granted to him in his former back-office role to carry out unauthorised trading costing the company £3.6bn, was a wake-up call for many IT departments in 2008.

"IT departments began to realise they are not necessarily in the best position to manage identity, and line-of-business managers probably have more insight," said Kevin Cunningham, president and founder of identity governance software firm SailPoint.

Businesses want to be sure employees have the appropriate access only for their current role, which requires mapping information from disparate systems to human resources data, he said.

"Many companies recognise that the old way of doing IAM through IT is not cutting it, and that there is a need to include business," said Cunningham.

This change of mindset, also driven by increased governance, risk and compliance requirements to prove protections are in place, has led IAM suppliers to develop more intuitive user interfaces better suited to business users as demand has grown.

Jackie Gilbert, vice-president and founder of SailPoint, predicted that the proposed European Union data protection framework will also increase the sense of urgency for business managers to be more involved in IAM.

The proposed fines will give data protection requirements real teeth, she said, and that is likely to prompt action by businesses, as happened with the 1996 Health Insurance Portability and Accountability Act (HIPAA) in the US.

"We saw a major surge in demand for IAM from the healthcare sector when penalties for non-compliance were introduced about a year and a half ago," said Gilbert.

The last time most large organisations invested in IAM systems was between 1998 and 2000, which means many are now facing end-of-life for these systems. This too will help promote the transition to a more business-orientated approach to IAM, said Cunningham.

Businesses forced to undertake replacement projects, he said, are typically looking to modernise their systems and improve their ability to manage risk. 

"Effective management of risk typically enables businesses to do what they otherwise would not," said Cunningham.

A risk-based approach to IAM also shows companies what they need to do beyond audit requirements, said Gilbert: "This approach is getting more recognition and is supported by newer IAM tools and systems, with most companies still trying to get their arms around risk."

Technology has matured in the past five years, but it seems many companies have not pursued implementations consistently.

"Technology has been updated, but a lot of companies have not done much and have really fallen behind," said Joe Anthony, director of security, risk and compliance product management at IBM.

However, the relative immaturity of standards remains a challenge. 

"While in access management, things like SAML and XACML are pretty common, and an increasing number of products are implementing them, the same is not true for user provisioning," Anthony said.  

When it comes to user provisioning, a lot of applications have not added automatic provisioning. While provisioning suppliers' products have standardised on things like SPML, applications have not. 

"This means it will take longer for as much automation to be done there as we would like to see in the industry," Anthony said.

However, Anthony said most companies could still benefit a great deal from connecting their user provisioning systems to their HR systems and automating the setting-up of accounts and their removal when people leave the organisation. For most organisations, that is still a manual process.

"So even with existing products and standards, there is much more benefit that business can derive than they are in most cases. There is still an awful lot of value that customers can get by taking a look at their individual products and processes," he said.

Gartner analyst Bob Blakley said organisations should be aware of multiple identity-related standards, which are all likely to play some role in the future, and should pay particular attention to OAuth, the open standard for authorisation.

Blakley expects OAuth to continue to evolve into a key identity-related standard. 

"See if and where OAuth fits into your enterprise," he said.

A key point for a number of companies is a willingness to modify their business processes so that they integrate more easily with the IAM products they use, which matters from an ongoing maintenance perspective, according to Anthony.

"We can customise how products work with an existing business process, but over time that can be very expensive to maintain. Some flexibility on the modification of business processes with the products can end up with a total project cost significantly cheaper and easier to maintain over time," he said.

The stabilisation of identity-related standards and infrastructures appears to be one of the biggest obstacles to significant advances in IAM, but much can be done with existing technologies and standards. While some organisations are taking action with an eye on the future, many are lagging behind.

For the laggards, Gartner recommends defining a strategic vision for IAM.

"Doing IAM on an ad-hoc basis is not sustainable in the long term," Ant Allan, research vice-president at Gartner, told the Gartner IAM Summit 2012 in London.

While the basics, such as identifying pain points, are still important, he said, IAM will continue to deliver business value only if it is tied to a strategic vision.

Allied to that, Allan said organisations should identify the business value of IAM. "Look at the business goals of the organisation, understand where IAM can provide value, and articulate that to business leaders," he said.

The main value of IAM, according to Allan, lies in the areas of efficiency, effectiveness and enablement. 

IAM can support firms' goals in reducing costs; improving operations and service levels; improving governance, risk and compliance to achieve security objectives; and enabling greater agility by improving processes to deal with business challenges faster and to help managers make informed business decisions, he said.

Embracing the forces of cloud, mobile, social and information will also be important in the year ahead, said Allan. 

"Think about the challenges and opportunities that these forces present, then look at how IAM supports these, to what extent they will disrupt traditional IAM practices and how you will need to change what you are doing," he said.

Small and medium businesses, in particular, are likely to adopt cloud-based identity management services, said IBM's Joe Anthony. "I think you will see that continually increase, even getting up into the small enterprises in the next year or two," he said.

Finally, Allan advised businesses to establish effective governance over IAM. "In every organisation, IAM should be governed. It should be part of the governance agenda because it is an enabler for everything you want to do with IAM," he said.
