Research Publication Date: 21 June 2005 ID Number: G00127743 Hype Cycle for Identity and Access Management Technologies, 2005 Roberta J. Witty, Ant Allan, John Enck, Clare Hirst, Barry Runyon, Ray Wagner, Earl L. Perkins, John Pescatore, Vic Wheatman Other than biometrics, most identity and access management technologies are maturing. Investing in an overhyped technology too early can waste funds, while delaying too long could give competitors an edge. Vendor hype concerning IAM technologies needs deflating. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
TABLE OF CONTENTS 1.0 The Hype Cycle... 3 2.0 On the Rise... 4 2.1 IAM/NAC Integration... 4 2.2 Contactless Proximity Cards... 5 2.3 Role Planning, Audit and Compliance... 5 3.0 At the Peak... 6 3.1 Biometric Identity Documents... 6 4.0 Sliding Into the Trough... 6 4.1 Virtual Directories... 6 4.2 Biometric User Identification... 7 4.3 Public Key Operations... 7 5.0 Climbing the Slope... 8 5.1 Federated Identity Management... 8 5.2 Microsoft AD/Kerberos... 8 5.3 CCOW Standard... 9 5.4 User Provisioning...9 5.5 Meta-Directories... 10 5.6 Smart Tokens... 10 5.7 Enterprise Reduced Sign-On... 10 6.0 Entering the Plateau... 11 6.1 EAM... 11 6.2 Password Management... 11 6.3 Hardware Tokens... 12 7.0 Off the Hype Cycle... 12 7.1 User ID and Password... 12 7.2 Single Sign-On... 12 7.3 Kerberos... 13 8.0 Conclusions... 13 9.0 Appendix A: Hype Cycle Phases, Benefit Ratings and Maturity Levels... 13 LIST OF TABLES Table 1. Hype Cycle Phases... 13 Table 2. Benefit Ratings... 13 Table 3. Maturity Levels... 14 LIST OF FIGURES Figure 1. Hype Cycle for Identity and Access Management Technologies, 2005... 4 Publication Date: 21 June 2005/ID Number: G00127743 Page 2 of 15
ANALYSIS 1.0 The Hype Cycle Identity and access management (IAM) refers to those technologies that allow companies to manage and control user accounts and privileges. It is clear that, today, regulatory compliance is the key driver of IAM implementations. Other business drivers are cost containment and business facilitation. In deciding how to implement IAM, however, security managers face a dilemma: Investing in an overhyped technology too early can waste enterprise security funds, while delaying too long runs the risk of giving competitors an edge. Security managers can use the analysis contained in this report to help deflate security provider and security vendor hype about IAM technologies, allowing them to make more intelligent choices. This report describes 17 IAM technologies that are on various stages of the Gartner Hype Cycle, as well as three technologies that we have removed from the previous IAM Hype Cycle. Certain technologies, such as contactless proximity cards, are relatively new and have not been extensively hyped, while a few others, such as biometric identify documents, have reached the Peak of Inflated Expectations. Once a technology has received the maximum amount of hype, it usually begins its descent into the Trough of Disillusionment. No technologies here reside at the absolute bottom of the trough; even technologies such as federated identity management have begun the slow climb out of the trough toward the Plateau of Productivity. Technologies that are far along on the plateau include password management, extranet access management (EAM) and hardware tokens. All these have proved they can provide business value. Publication Date: 21 June 2005/ID Number: G00127743 Page 3 of 15
Figure 1. Hype Cycle for Identity and Access Management Technologies, 2005 visibility Biometric Identity Documents Role Planning, Audit and Compliance Contactless Proximity Cards Virtual Directories Biometric User Identification EAM Password Enterprise Management Reduced Sign-On IAM/NAC Integration Meta-Directories Smart Tokens User Provisioning CCOW Standard Microsoft AD/Kerberos Federated Identity Management Public Key Operations Hardware Tokens Peak of Technology Trough of Inflated Slope of Enlightenment Trigger Disillusionment Expectations maturity Plateau will be reached in: less than 2 years 2 to 5 years 5 to 10 years more than 10 years As of June 2005 Plateau of Productivity obsolete before plateau Acronym key: AD Active Directory CCOW clinical context object workgroup EAM extranet access management IAM NAC identity and access management network access control Source: Gartner (June 2005) 2.0 On the Rise 2.1 IAM/NAC Integration Definition: Integration of network access control (NAC) functions with IAM infrastructure for userlevel access by connection profile. Justification for Hype Cycle Position/Adoption Speed: NAC technology is just getting to the point at which developers can achieve significant value through integration with the enterprise IAM infrastructure. Remote Authentication Dial-In User Service (RADIUS) and Dynamic Host Configuration Protocol (DHCP) are key NAC authentication services, but while user-provisioning products regularly provision user accounts to RADIUS servers, IAM systems cannot use RADIUS or DHCP authentication for IAM authentication. However, the speed with which companies are deploying modern IAM systems and NAC technology will hasten integration between them to allow application-level identity management policies to support NAC decision processes and minimize the number of authentication steps needed to access a resource. Publication Date: 21 June 2005/ID Number: G00127743 Page 4 of 15
Business Impact Areas: Remote, wireless, virtual private network (IPsec, also known as Internet Protocol security, and Secure Sockets Layer), and internal network access. Market Penetration: Less than 1 percent of target audience. Maturity: Emerging. Example Vendors: Checkpoint, Cisco Systems, InfoExpress, Juniper Networks, Microsoft and Sygate. Analysis by Ray Wagner and John Pescatore 2.2 Contactless Proximity Cards Definition: Integrated circuit-based cards for information systems access that transmit and receive data via radio frequency technology. Based on the International Organization for Standardization/International Electrotechnical Commission 14443 standard, types A or B, with a range of up to 10 centimeters. Building access can be incorporated on the card, which can also hold digital credentials for security processes, such as encryption or digital signing. Justification for Hype Cycle Position/Adoption Speed: Contactless cards are convenient a contact reader is not needed. PC standards that support contactless cards (PC/SC Specification version 2) were finalized in 2004. There has been heightened interest within the corporate sector in combining logical and physical access. Business Impact Areas: Contactless cards provide a platform for multiple security functions. They become a symbol of company trust in the employee. Market Penetration: One percent to 5 percent of target audience. Maturity: Early mainstream. Example Vendors: Axalto and HID. Analysis by Clare Hirst 2.3 Role Planning, Audit and Compliance Definition: Designing, delivering and managing access to IT resources by allowing the creation of roles or rules to govern the authorization of that access across multiple systems or applications. Allows a company to manage access in a manner that corresponds to the multiple operating views that reflect how day-to-day business is conducted. Justification for Hype Cycle Position/Adoption Speed: Improved deployments for enterprise resource planning implementations and some enterprise Web access systems; nascent stages of cross-platform realization. Business Impact Areas: Allows the reuse of IT application infrastructure and better application of compliance-related requirements. Pure-play role matrix management vendors are partnering with user-provisioning vendors to deliver these functions. Some user-provisioning vendors are offering this functionality as part of their core product. Publication Date: 21 June 2005/ID Number: G00127743 Page 5 of 15
Market Penetration: Less than 1 percent of target audience. Maturity: Emerging. Example Vendors: Approva, Beta Systems Software, bhold, Bridgestream, Courion, Eurekify, Securent, Sun Microsystems and Virsa Systems. Recommended Reading: Use This Eight-Step Process for Identity and Access Management Audit and Compliance Analysis by Roberta Witty and Earl Perkins 3.0 At the Peak 3.1 Biometric Identity Documents Definition: Uses one or more unique physical characteristics (such as a fingerprint, face or iris identification) or, less frequently, behavioral traits as part of a government-issued identification document (such as a passport or national ID card). Justification for Hype Cycle Position/Adoption Speed: Some see biometrics as the "killer app" for international and national identity documents. However, thus far poor accuracy, poor interoperability, and privacy and civil liberties concerns have been barriers. Business Impact Areas: Biometrics potentially make identity documents harder to forge and more reliable, but that makes bogus identity documents much more valuable to criminals. Commercial organizations may be able to capitalize on robust identity documents within "know your customer" processes. Market Penetration: Five percent to 20 percent of target audience. Maturity: Emerging. Example Vendors: SuperCom and Unisys. Recommended Reading: Hype Cycle for the Uses of Biometric Technologies, 2005 Analysis by Anthony Allan 4.0 Sliding Into the Trough 4.1 Virtual Directories Definition: Software products that create a logical (virtual) view of a Lightweight Directory Access Protocol directory by combining data from multiple repositories or by combining multiple repositories into a single view. Justification for Hype Cycle Position/Adoption Speed: Virtual directory use is increasing to create a single access point to the multiple-user repository model most organizations must use. Publication Date: 21 June 2005/ID Number: G00127743 Page 6 of 15
Business Impact Areas: Identity access and management vendors are partnering with virtual directory vendors to deliver combined products. User-provisioning products in particular are being joined with virtual directory technology. Market Penetration: Five percent to 20 percent of target audience. Maturity: Adolescent. Example Vendors: MaXware, OctetString and Radiant Logic. Recommended Reading: Virtual Directories Enhance Identity and Access Management Solutions Analysis by John Enck 4.2 Biometric User Identification Definition: Use of unique physical features (such as fingerprints, face, and iris recognition) or, less often, behavioral traits (such as voice, typing rhythm, and signature dynamics) as a form of user authentication. Justification for Hype Cycle Position/Adoption Speed: Although "good enough" solutions are available for small or specialized implementations, barriers to broad-based use remain in particular, poor accuracy, poor scalability, integration issues in large and technologically diverse organizations, and high cost. Business Impact Areas: Potentially simplifies identification and authentication without the need for passwords or hardware tokens. Market Penetration: One percent to 5 percent of target audience. Maturity: Emerging. Example Vendors: A4Vision (face), BioPassword (typing rhythm), CIC (signature), DigitalPersona (fingerprint), Identix (fingerprint), Iridian Technologies (iris) and Vocent (voice). Recommended Reading: Hype Cycle for the Uses of Biometric Technologies, 2005 Analysis by Anthony Allan 4.3 Public Key Operations Definition: A system for generating and managing digital certificates that identify the holder (person, system or device) of assigned public and private key pairs useful for identification, authentication, encryption and digital signing. Justification for Hype Cycle Position/Adoption Speed: The original public-key infrastructure (PKI) vision is changing, moving key management functions away from attempts to centralize them to be close to applications that use the keys and to apply PKI technology to Web services security. Publication Date: 21 June 2005/ID Number: G00127743 Page 7 of 15
Business Impact Areas: Supports trust of code, applets, devices and people over open networks. Enables message and content integrity and encryption of sensitive information. Market Penetration: Five percent to 20 percent of target audience. Maturity: Adolescent. Example Vendors: Betrusted, Entrust, GeoTrust, Microsoft, RSA Security and VeriSign. Analysis by Vic Wheatman 5.0 Climbing the Slope 5.1 Federated Identity Management Definition: Allows sharing of identification credentials among several entities. Trust is transferred from one identifying and authenticating entity to another. Justification for Hype Cycle Position/Adoption Speed: Liberty Alliance Security Assertion Markup Language-based solutions remain underutilized, yet interest is growing. The technology has some applications in the enterprise, but it has little use in business-to-consumer communication. The telecommunications industry has shown significant interest. Business Impact Areas: Positioned to provide consumer and business identification, and eventually authentication services supporting e-business and other applications. Market Penetration: One percent to 5 percent of target audience. Maturity: Emerging. Example Vendors: Liberty Alliance, Microsoft, Novell, Oblix, Ping Identity, RSA Security and Trustgenix. Analysis by Ray Wagner 5.2 Microsoft AD/Kerberos Definition: Microsoft's Active Directory (AD) supports Kerberos as a means of exchanging authorization credentials with other platforms. Justification for Hype Cycle Position/Adoption Speed: The dominant usage of AD Kerberos is Windows-centric; however, companies are beginning to deploy products that use AD Kerberos into non-windows environments. Business Impact Areas: Simplifies user administration by focusing access on a single set of credentials maintained in AD and reduces sign-off in heterogeneous environments. Market Penetration: Five percent to 20 percent of target audience. Maturity: Early mainstream. Example Vendors: Centrify, Microsoft and Vintela/Quest Software. Publication Date: 21 June 2005/ID Number: G00127743 Page 8 of 15
Analysis by John Enck 5.3 CCOW Standard Definition: A standard certified by the American National Standards Institute for single sign-on and context management that complements Health Level 7's emphasis on data interchange and workflow. It focuses on facilitating application integration at the point of use. Single sign-on allows the user access to multiple systems through a single, secure login. Context management (the synchronization of applications so that they are mutually aware of a set of real-world things, such as patients and encounters) allows users to interact with a number of systems through their native user interfaces as if they were one. Justification for Hype Cycle Position/Adoption Speed: In 2005, healthcare organizations will continue to focus on doing a better job on IAM in light of the Health Insurance Portability and Accountability Act (HIPAA) security deadline. Opportunities for context management will emerge as a result of IAM efforts and clinical context object workgroup (CCOW), and implementations will increase. Increased deployment of clinical workstations and physician portals, as well as the visual integration of disparate clinical systems to form the virtual electronic medical record, will also drive adoption. Business Impact Areas: A more streamlined clinical workflow, increased interoperability, ease of use, increased use of available information and enhanced patient safety. CCOW support for secure context management provides a healthcare standards basis for addressing HIPAA requirements. Benefit Rating: High. Market Penetration: Five percent to 20 percent of target audience. Maturity: Early mainstream. Example Vendors: BNX Systems, Carefx, Orion and Sentillion. Analysis by Barry Runyon 5.4 User Provisioning Definition: Managing user accounts and user profiles that are linked to each person across the IT environment via a combination of user roles and business rules. User provisioning also encompasses the capability to abstract and automatically correlate data from HR, customer relationship management, e-mail systems, other "identity stores" and managed systems. Fulfillment is handled by self-service requests, a line-management request or an HR system change. Justification for Hype Cycle Position/Adoption Speed: Implementations manage internal and external users. Limitations have been on managing the entire business process of accessrequest processing, as well as IT infrastructure additions and maintenance, not just the hire/fire process. Provisioning limits on scale and platform support also a concern. Business Impact Areas: When integrated with multiple applications (including access control), privileges and provisioning can offer significant return on investment over manual methods. Regulatory compliance is driving a number of user-provisioning implementations. Addressing compliance concerns is key. Market Penetration: Five percent to 20 percent of target audience. Publication Date: 21 June 2005/ID Number: G00127743 Page 9 of 15
Maturity: Early mainstream. Example Vendors: Abridean, Avatier, Beta Systems Software, bhold, BMC Software, Computer Associates, Courion, Evidian, Fischer International, HP, IBM, Microsoft, M-Tech, Novell, Open Systems Management, Oracle, Sentillion, Siemens, Sun Microsystems and Thor Technologies. Analysis by Roberta Witty 5.5 Meta-Directories Definition: Software products that synchronize and, optionally, aggregate identity data stored in multiple repositories. Justification for Hype Cycle Position/Adoption Speed: Meta-directories provide a proven and relatively quick-and-easy way to reduce user administration by synchronizing identity data among multiple repositories. Business Impact Areas: Can be used to automate security policies and implement user selfservice capabilities; however, most often used as a tool to reduce user administration overhead. Benefit Rating: High. Market Penetration: Twenty percent to 50 percent of target audience. Maturity: Mature mainstream. Example Vendors: IBM, Microsoft, Novell and Sun Microsystems. Analysis by John Enck 5.6 Smart Tokens Definition: Use of integrated-circuit-based cards for information systems access, and for holding digital credentials for security processes, such as encryption or digital signing. Justification for Hype Cycle Position/Adoption Speed: Smart cards are appealing to companies considering more than one application, such as physical security or cashless vending. However, alternative authentication methods, including multifunctional Universal Serial Bus tokens and cellular phone Short Message Service-enabled versions of one-time password systems, create less-expensive and simpler strong authentication because they do not require a reader. Business Impact Areas: Provide a convenient platform for multiple security functions. Symbolizes company trust in the employee. Market Penetration: One percent to 5 percent of target audience. Maturity: Early mainstream. Example Vendors: ActivCard, Axalto, Gemplus and RSA Security. Analysis by Clare Hirst 5.7 Enterprise Reduced Sign-On Definition: Consolidates the multiple sign-ons required by individual applications to reduce employees' password and user ID combinations. Publication Date: 21 June 2005/ID Number: G00127743 Page 10 of 15
Justification for Hype Cycle Position/Adoption Speed: Consolidated password routines and user self-service systems are available; however, "single" sign-on remains elusive, hence the term "reduced." Business Impact Areas: Simplifies the user experience and makes it more convenient, but arguably weakens security unless strong authentication methods are used for the initial sign-on. Market Penetration: Five percent to 20 percent of target audience. Maturity: Early mainstream. Example Vendors: ActivCard, BNX Systems, Citrix Systems, Computer Associates, Evidian, Imprivata, i-sprint, Novell, Passlogix, Protocom Development Systems, RSA Security, Sentillion and Version3. Analysis by Roberta Witty 6.0 Entering the Plateau 6.1 EAM Definition: Systems providing centralized authentication and authorization to Web-based applications. Justification for Hype Cycle Position/Adoption Speed: Extranet access management (EAM) systems have become a mature technology widely used by enterprises that deal with large numbers of Web applications, either internally or externally. Business Impact Areas: Extranet and intranet Web application portals. Market Penetration: More than 50 percent of target audience. Maturity: Mature mainstream. Example Vendors: Computer Associates, Entrust, IBM, Novell, Oracle, RSA Security and Sun Microsystems. Analysis by Ray Wagner 6.2 Password Management Definition: The automation of password resets via self-service and the synchronization of passwords across all integrated platforms and applications. Justification for Hype Cycle Position/Adoption Speed: Automating self-service password management is a typical first phase of an identity management implementation. Automation procedures are often integrated with the help desk toolset. Business Impact Areas: Enterprises can reduce their help desk call volume by more than 80 percent. Market Penetration: Twenty percent to 50 percent of target audience. Publication Date: 21 June 2005/ID Number: G00127743 Page 11 of 15
Maturity: Mature mainstream. Example Vendors: Avatier, Courion, M-Tech, Proginet and all user provisioning vendors. Analysis by Roberta Witty 6.3 Hardware Tokens Definition: Access authentication mechanisms that use a smart card or a device that displays a one-time password. Justification for Hype Cycle Position/Adoption Speed: One-time password functionality, formerly on proprietary tokens, is moving into multiple areas, such as Windows log-in, cell phone Short Message Service, PDAs and other devices. Universal Serial Bus hardware tokens are poised for growth. One-time password tokens and order-to-cash authentication have received increased attention in the banking sector. Business Impact Areas: Supports strong authentication. Market Penetration: Twenty percent to 50 percent of target audience. Maturity: Mature mainstream. Example Vendors: Aladdin Knowledge Systems, RSA Security, SafeNet and VeriSign. Analysis by Clare Hirst 7.0 Off the Hype Cycle 7.1 User ID and Password Definition: A combination of a known unique identifier (the ID) and a secret identifier (the password) that form the basic user authentication methodology and that is manually entered by a person to gain access to an electronic system. Justification for Omission: User IDs and passwords are now the standard, ubiquitous authentication methodology. They are not a choice but are required for every operating system, database and application. Analysis by Roberta Witty 7.2 Single Sign-On Definition: Consolidates the multiple sign-ons required by individual applications to reduce employees' password and user ID combinations to one sign-on to gain access to all electronic systems within the company. Justification for Omission: Single sign-on is a misnomer no one can achieve it without a homogeneous IT infrastructure. Therefore, Gartner now uses the term "enterprise reduced signon." Analysis by Roberta Witty Publication Date: 21 June 2005/ID Number: G00127743 Page 12 of 15
7.3 Kerberos Definition: A cryptographic-based technology for user authentication made standard by the Massachusetts Institute of Technology (MIT). Justification for Omission: MIT Kerberos is a complicated technology that requires expert-level Unix knowledge to implement. It has little cost justification because the application code must be modified to integrate with the central Kerberos single sign-on solution. Microsoft's integration of Kerberos with Active Directory is taking the lead in enterprise Kerberos use. Analysis by Roberta Witty 8.0 Conclusions Certain IAM technologies, such as password management, extranet access management and hardware tokens, have reached the Plateau of Productivity on Gartner's IAM Hype Cycle. Biometrics is at the Peak of Inflated Expectations, and although it seems likely certain forms of biometrics will eventually reach the Plateau of Productivity, it is still unclear what forms of biometrics will become truly mainstream. 9.0 Appendix A: Hype Cycle Phases, Benefit Ratings and Maturity Levels Table 1. Hype Cycle Phases Phase Technology Trigger Peak of Inflated Expectations Trough of Disillusionment Slope of Enlightenment Plateau of Productivity Time to Plateau (Adoption Speed) Source: Gartner (June 2005) Definition A breakthrough, public demonstration, product launch or other event generates significant press and industry interest. During this phase of overenthusiasm and unrealistic projections, a flurry of wellpublicized activity by technology leaders results in some successes, but more failures, as the technology is pushed to its limits. The only enterprises making money are conference organizers and magazine publishers. Because the technology does not live up to its overinflated expectations, it rapidly becomes unfashionable. Media interest wanes, except for a few cautionary tales. Focused experimentation and solid hard work by an increasingly diverse range of organizations lead to a true understanding of the technology's applicability, risks and benefits. Commercial, off-the-shelf methodologies and tools ease the development process. The real-world benefits of the technology are demonstrated and accepted. Tools and methodologies are increasingly stable as they enter their second and third generations. The final height of the plateau varies according to whether the technology is broadly applicable or benefits only a niche market. Approximately 30 percent of the technology's target audience has adopted or is adopting the technology as it enters the Plateau. The time required for the technology to reach the Plateau of Productivity. Table 2. Benefit Ratings Benefit Rating Transformational Definition Enables new ways of doing business across industries that will result in major shifts in industry dynamics Publication Date: 21 June 2005/ID Number: G00127743 Page 13 of 15
Benefit Rating High Moderate Definition Enables new ways of performing horizontal or vertical applications that will result in significantly increased revenue or cost savings for an enterprise Provides incremental, but significant, improvements to established processes that will result in increased revenue or cost savings for an enterprise Low Slightly improves processes (for example, improved user experience) that will be difficult to translate into increased revenue or cost savings Source: Gartner (June 2005) Table 3. Maturity Levels Maturity Level Status Products/Vendors Embryonic In labs None Emerging Adolescent Early mainstream Mature mainstream Legacy Commercialization by vendors Pilots and deployments by industry leaders Maturing technology capabilities and process understanding Uptake beyond early adopters Proven technology Vendors, technology and adoption rapidly evolving Robust technology Not much evolution in vendors or technology Not appropriate for new developments Cost of migration constrains replacement First generation High price Much customization Second generation Less customization Third generation More out of box Methodologies Several dominant vendors Maintenance revenue focus Obsolete Rarely used Used/resale market only Source: Gartner (June 2005) RECOMMENDED READING "Understanding Gartner's Hype Cycles, 2005" Acronym Key and Glossary Terms AD CCOW DHCP EAM HIPAA IAM MIT Active Directory clinical context object workgroup Dynamic Host Configuration Protocol extranet access management Health Insurance Portability and Accountability Act identity and access management Massachusetts Institute of Technology Publication Date: 21 June 2005/ID Number: G00127743 Page 14 of 15
NAC PKI RADIUS network access control public-key infrastructure Remote Authentication Dial-In User Service This research is part of a set of related research pieces. See "Gartner's Hype Cycle Special Report for 2005" for an overview. REGIONAL HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT 06902-7700 U.S.A. +1 203 964 0096 European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM +44 1784 431611 Asia/Pacific Headquarters Level 7, 40 Miller Street North Sydney New South Wales 2060 AUSTRALIA +61 2 9459 4600 Latin America Headquarters Av. das Nações Unidas 12.551 9 andar WTC 04578-903 São Paulo SP BRAZIL +55 11 3443 1509 Publication Date: 21 June 2005/ID Number: G00127743 Page 15 of 15