
Organisations still fail to understand IAM, says KuppingerCole analyst

IAM is seen as being part of IT and not business, and investments tend to be aimed at mitigating one-off incidents, says KuppingerCole analyst Matthias Reinwarth

Many organisations are still failing to understand the role and benefits of identity and access management (IAM) systems, according to Matthias Reinwarth, senior analyst at KuppingerCole.

“Many organisations still do not see IAM as a necessity for implementing security and policy or as an enabler of business models requiring customer or partner interaction,” Reinwarth told Computer Weekly.

KuppingerCole believes IAM should be embedded in business processes and the underlying policies, and should constitute a stable and continuous process.

“Typically, however, IAM is seen as being part of IT and not business, and investments tend to be aimed at mitigating one-off incidents such as a segregation of duties violation,” said Reinwarth.

This is particularly true in traditional, established industry sectors such as manufacturing, banking and insurance, he said.

The business role of IAM, he said, tends to be better understood in modern industry sectors that are more customer-oriented.

“We consider access rights reviews and re-certifications to be the duty of the business rather than IT, which is what is beginning to happen in the more mature organisations,” said Reinwarth.

One of the most common IAM failings identified in assessments by KuppingerCole in the past year is the failure to apply a risk-based approach.


“Organisations need to conduct a risk analysis of the core entitlements, to understand which systems have the highest risk in terms of impact and probability, so they can adjust their access controls and mitigation mechanisms accordingly,” said Reinwarth.

Another common failing, he said, is that even if organisations are fairly mature in managing the access of general users, they tend to fall down on managing the access rights of privileged users.

“These users can be systems administrators as well as ordinary application users with extreme privileges to perform actions such as changing the access rights of other users,” said Reinwarth.
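As an added example, not part of the article and not KuppingerCole's assessment methodology, the following Python sketches the two failings just described against an entitlement export: scoring core entitlements by impact and probability so review effort follows risk, and finding privileged holders, including ordinary application users who can change other users' access rights, rather than only accounts with an administrator job title. The entitlement catalogue, the 1-to-5 rating scale, the risk threshold, the review cadence, the job titles and the accounts are all constructed for illustration.

```python
"""Risk-based entitlement review: score entitlements by impact and
probability, then find privileged holders regardless of job title.

Added example for this article; it is not KuppingerCole's methodology.
The export format, rating scale, threshold and all sample data are
constructed for illustration.
"""

# Constructed catalogue: each entitlement carries the business owner's
# impact and probability ratings (1 = low ... 5 = high) and a flag saying
# whether it can change other users' access (rights administration).
ENTITLEMENTS = {
    "hr_app.view_payslip":    {"impact": 2, "probability": 3, "rights_admin": False},
    "hr_app.approve_payroll": {"impact": 5, "probability": 2, "rights_admin": False},
    "hr_app.manage_roles":    {"impact": 5, "probability": 2, "rights_admin": True},
    "crm.read_contacts":      {"impact": 2, "probability": 4, "rights_admin": False},
    "crm.user_admin":         {"impact": 4, "probability": 3, "rights_admin": True},
    "linux.root":             {"impact": 5, "probability": 3, "rights_admin": True},
}

# Constructed assignment export: (account, job title on the HR record, entitlements).
ASSIGNMENTS = [
    ("alice", "payroll clerk", ["hr_app.view_payslip", "hr_app.approve_payroll"]),
    ("bob",   "sales rep",     ["crm.read_contacts", "crm.user_admin"]),
    ("carol", "sysadmin",      ["linux.root"]),
    ("dave",  "hr assistant",  ["hr_app.view_payslip", "hr_app.manage_roles"]),
]

ADMIN_TITLES = {"sysadmin"}      # titles the IT-run privileged review already covers
HIGH_RISK_THRESHOLD = 12         # impact * probability at or above this is high risk


def risk_score(entitlement):
    """Impact times probability: the simplest risk rating, used here."""
    e = ENTITLEMENTS[entitlement]
    return e["impact"] * e["probability"]


def high_risk_entitlements(threshold=HIGH_RISK_THRESHOLD):
    """Entitlements at or above the threshold, highest risk first."""
    hits = [name for name in ENTITLEMENTS if risk_score(name) >= threshold]
    return sorted(hits, key=risk_score, reverse=True)


def privileged_users(assignments=ASSIGNMENTS):
    """Accounts holding any rights-administration entitlement.

    Privilege is a property of the entitlement, not of the job title, so a
    sales rep with crm.user_admin is as privileged as the sysadmin.
    """
    return sorted(
        account
        for account, _title, ents in assignments
        if any(ENTITLEMENTS[e]["rights_admin"] for e in ents)
    )


def hidden_privileged_users(assignments=ASSIGNMENTS, admin_titles=ADMIN_TITLES):
    """Privileged accounts that a title-based admin review would never see."""
    privileged = set(privileged_users(assignments))
    return sorted(
        account
        for account, title, _ents in assignments
        if account in privileged and title not in admin_titles
    )


def review_interval_days(score):
    """Constructed re-certification cadence that tightens as risk rises."""
    if score >= HIGH_RISK_THRESHOLD:
        return 90
    if score >= 8:
        return 180
    return 365


def review_plan(assignments=ASSIGNMENTS):
    """Per account: its riskiest entitlement, that score, and how often the
    business owner (not IT) should re-certify the account's access."""
    plan = {}
    for account, _title, ents in assignments:
        worst = max(ents, key=risk_score)
        score = risk_score(worst)
        plan[account] = {
            "worst_entitlement": worst,
            "score": score,
            "review_every_days": review_interval_days(score),
        }
    return plan


if __name__ == "__main__":
    print("high-risk entitlements:     ", high_risk_entitlements())
    print("privileged accounts:        ", privileged_users())
    print("not covered by admin review:", hidden_privileged_users())
    for account, row in review_plan().items():
        print(f"{account}: {row}")
```

On the constructed data the title-based view sees one privileged account (carol, the sysadmin); the entitlement-based view finds three, because bob and dave hold rights-administration entitlements inside business applications. That gap is exactly what a review that only looks at administrators misses.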

However, he said the EU’s General Data Protection Regulation (GDPR) – which applies from 25 May 2018 – could have a positive effect on organisations’ approach to IAM.

“The GDPR will be a massive game-changer for many organisations because they are currently not fulfilling many of the new requirements – particularly organisations doing customer identity and access management,” said Reinwarth.

“Done properly by embedding it into the enterprise business processes and policies, and involving the relevant stakeholders in the organisation, IAM will be a great help in ensuring that organisations have the systems and processes in place for GDPR compliance,” he said.

This topic will be discussed in detail at a workshop on assessing and improving IAM maturity at the European Identity & Cloud Conference 2016 in Munich from 10-13 May 2016.

The workshop will outline KuppingerCole’s methodology for assessing IAM maturity and look at the results of applying the methodology to real-world organisations.
