Five Business Drivers of Identity and Access Management




Research
Publication Date: 31 October 2003
ID Number: SPA-21-3673
Roberta J. Witty

The primary reasons to implement IAM solutions are business facilitation, cost containment, operational efficiency, IT risk management and regulatory compliance. IAM also ensures a secure access control infrastructure.

Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

WHAT YOU NEED TO KNOW

Identity and access management projects are much more than technology implementations: they have real business value by reducing direct costs, improving operational efficiency and enabling regulatory compliance. Alerting senior management to IAM's business benefits will help with project approval and investment allocation.

STRATEGIC PLANNING ASSUMPTION(S)

By 2005, 60 percent of Global 1000 enterprises will implement IAM products from one or two primary vendors (0.8 probability).

By 2005, operational efficiency and cost containment will be the primary business drivers for enterprisewide IAM implementations (0.8 probability).

ANALYSIS

The five business drivers (see Figure 1) for implementing the components of an identity and access management (IAM) solution are:

- Business facilitation
- Cost containment
- Operational efficiency
- IT risk management
- Regulatory compliance

Figure 1. The Five IAM Business Drivers

[Figure: the five drivers, each with the benefits the figure lists, surrounded by the stakeholders shown in it: Business Units, Chief Information Security Officer, CIO, CFO, Help Desk and Security Administration.]

- Regulatory Compliance: Gramm-Leach-Bliley Act; HIPAA; 21 CFR Part 11; North American Electric Reliability Council; Sarbanes-Oxley
- Risk Management: audit management; terminations; policy-based compliance; strong authentication; strong audit trail
- Business Facilitation: customer self-registration; portal and personalization; outsourcing; customer retention
- Cost Containment: reduce/avoid staff (security administration, help desk); common IAM architecture; non-IT services
- Operational Efficiency: improved service-level agreement (less than 24 hours); productivity savings; user convenience; security administration reporting

Source: Gartner Research (October 2003)

Some drivers are more applicable to one component of the IAM solution than another (see Table 1). Cost containment and IT risk management are the primary reasons for the majority of IAM implementations for internal user access. Business facilitation is the primary driver for implementations that address external user access control. Because all IAM components assist with regulatory compliance, the majority of enterprises treat this business driver as a supporting motivator for implementing a "best practice" information security program.

Table 1. IAM Business Drivers and Components

Drivers (columns): Business Facilitation | Cost Containment | Operational Efficiency | IT Risk Management | Regulatory Compliance
Components (rows): Authentication Services; Enterprise Single Sign-On; Password Management; User Provisioning, Metadirectory, Identity Administration; Operating-System Security; Database Security; Extranet Access Management, Identity Administration
[Table: an X marks each driver that applies to a component; the individual cell marks are not recoverable here.]

Source: Gartner Research (October 2003)

Business Facilitation

To provide easier, faster access to enterprise information for customers, trading partners and employees, increasingly via the Internet, you also must provide the appropriate security infrastructure for such an environment. Reasons to implement an IAM solution for business facilitation include:

Customer Self-Registration

When the number of customers reaches hundreds of thousands, enterprises can't manage the security administration requirements of all users through manual measures. They must automate, or they can't deliver the service. When automating, enterprises offload the administrative costs to end-user departments or customers. Extranet access management (EAM) products typically are used for end-user self-registration.

Portal and Personalization Implementation

More business services are being delivered via portals, which provide a common access interface and deliver personalized services to the end user. Portals must authenticate and authorize users. The delivery of personalized services can leverage the information repository that is also used for authentication and authorization. Directories and EAM products are key components of portal and personalization projects.

Outsourcing

When enterprises outsource their IT operations, the outsourcing service provider often assumes the security administration responsibility for its clients. To make this operation cost-effective and efficient for both parties, and to provide a separation of duties among its outsourcing customers, the outsourcing service provider must have a well-defined security administration function. Service providers often use user provisioning products to provide this function internally to their operations.

Customer Retention

Customers are demanding; if you don't make it easy for them to use your service, they'll leave you for a competitor with which it is easier to do business. The cost of obtaining a new customer is high; the cost to retain a customer can be even higher. Marketing managers use various tactics to retain customers, including self-service password resets and single sign-on (SSO) functionality.

Cost Containment

Current staffing levels can't accommodate enterprises' growing needs for day-to-day security administration activities at the help desk or in security administration groups. Regardless of an economic upturn or downturn, enterprises want cost-cutting measures. IAM solutions are one of the few areas within the information security program that can provide direct savings.

Reduce or Avoid Adding Staff

In the typical enterprise, help desk personnel, system administrators and security administrators handle user access requests daily. In some enterprises, the help desk call volume associated with password problems is as high as 80 percent. (The help desk has other problems, such as a very short password change interval for all applications; for example, 30 days.) Adding a system or application to the IT environment often means training someone on that new technology, or acquiring additional talent to handle it from a security administration perspective. However, it is rare to find an enterprise that eliminates staff doing security administration activity. Usually these people are reassigned to other, sometimes long-neglected, information security activities, such as audit log monitoring. You can reduce the costs of the security administration process by using password management, user provisioning and EAM products.

Common IAM Architecture

By establishing a common IAM architecture, you can eliminate the costs associated with design and development "one-offs" in each application development group; reduce or eliminate platform-specific hardware and software supporting security administration activities; and ease application integration by providing a common authentication and authorization infrastructure. Directories, password management, user provisioning and EAM products are the backbone of an IAM architecture.

Non-IT Services

Once you have implemented a user provisioning product, you will see the benefits of the system outside the information security domain. Non-IT resources, such as physical security access devices, cellular phones and pagers (and other devices that carry a monthly service fee), can be better managed at the time of issuance. More importantly, when the device's user leaves the enterprise, the monthly bill can be stopped more quickly.

Operational Efficiency

Enterprises want a faster fulfillment process for access requests, as well as improved user convenience, through the use of IAM solutions. Password management, user provisioning, EAM and SSO products deliver on this business driver.

Improved Service-Level Agreements

An access request fulfillment turnaround time of 24 hours or less, which is a requirement in a growing number of enterprises, can be achieved only via automation. With an average of 18 user accounts per internal user, creating 18 accounts in a day, including approvals, can't be done manually.

Productivity Savings

Automating the IAM process results in time savings in many areas:

- Revenue-producing employees and contractors get access to needed resources and can start working within their first few days of employment.
- Reducing the time frame for approving access requests means less time spent by middle and senior management on these approvals. A nice feature in some IAM products is a "one-click" approval process, which removes even more time from the approval process: approvers don't have to go into the user provisioning product to approve the request; once notified via e-mail, they can use the secure e-mail facility to send the approval.
- Enabling users to change their own passwords not only eliminates help desk cost, but also reduces the time users spend changing a password. They can do it when they want to, and get back to work sooner than the average 20 minutes spent going through the help desk.

User Convenience

Password management and SSO products put end users in control and make for happier users overall. They are critical components for ensuring customer retention.

Security Administration Reporting

Enterprises must produce reports for day-to-day security administration purposes. Obtaining this information from a centralized facility increases operational efficiency.

IT Risk Management

The ability to prove the security of your access control infrastructure is an important requirement for day-to-day security administration activities and auditing purposes, and for obtaining and retaining customers. In addition, the ability to implement and maintain regulatory requirements is a "must do" for certain industries. All components of the IAM solution aid in ensuring a secure access control infrastructure, with the exception of SSO, which has detractors who perceive that its use lowers the level of security (a single credential now unlocks every connected application).

Audit Management

Responding to audits in a timely manner saves money for auditors, system administrators, security administrators and managers.

Terminations

Disabling terminated users' access immediately following their termination reduces the enterprise's exposure. With no facility that identifies user accounts enterprisewide, it is 99 percent probable that one will be missed. That account may allow a disgruntled former employee or a hacker to breach the enterprise's security.

Policy-Based Compliance

Automatically implementing and maintaining IAM policies, such as password formation, change and history policies, roles and privileges, and business-hours usage, is central to an IAM solution. Automation helps reduce the cost of log monitoring because you can focus on access exceptions.

Strong Authentication

For industries such as financial services and healthcare, providing an authentication mechanism stronger than user ID and password is a requirement, based on the confidentiality and sensitivity of the information being accessed; this includes access to the IAM product itself.

Strong Audit Trail

Nonrepudiation may be a requirement for the event log entries of the IAM component in industries that must have a strong access control infrastructure.

Regulatory Compliance

The regulations for the financial services, healthcare, pharmaceutical and other industries regulated by the U.S. Food and Drug Administration, as well as the electric energy industry, require the establishment of a secure access control infrastructure. The U.S. Public Company Accounting Reform and Investor Protection Act of 2002 (also known as the Sarbanes-Oxley Act) is causing U.S. public companies and foreign enterprises with U.S. operations to address their internal control infrastructure. Specific regulations and their IAM focus include:

Financial Services: The Gramm-Leach-Bliley Financial Services Modernization Act of 1999: secure access to customer information.

Healthcare/Medical: The Health Insurance Portability and Accountability Act (HIPAA): limit access to individual healthcare information to the minimum necessary to perform job functions (roles) related to treatment, payment and healthcare operations. Part 11 of Title 21 of the U.S. Code of Federal Regulations (21 CFR Part 11): maintain a chain of validity and integrity for data submitted as part of a new drug application; that is, log each unique individual or machine responsible for the creation of, change to or deletion of data that supports an electronic submission of a new drug application.

Electric Utilities: The North American Electric Reliability Council Urgent Action Standard 1200. Section 1204, Electronic Access Control: identify and implement electronic access controls for access to critical cyberassets within the electronic security perimeter. Section 1207, Personnel: identify all personnel, including contractors and service vendors, who are granted electronic or physical access to critical cyberassets. Section 1210, Information Protection: maintain a document that identifies the access limitations on sensitive information related to critical cyberassets.

Public U.S. Companies and Foreign Companies Traded on U.S. Markets, Including Their Subsidiaries: Sarbanes-Oxley: audit and separate duties for access to information or transactions that could affect the enterprise's financial statements.

Industries Best-Suited for an IAM Solution

Regulated industries have a vested interest in implementing many, if not all, IAM components. Other industries that are implementing IAM technologies include:

Retail: Retail institutions have annual staff turnover of close to 100 percent. They also have to contend with holiday hiring cycles that strain their ability to handle the security administration needs of these new users.

Education: Similar to retail, educational institutions have cycles in their user population (academic terms). They also must ensure that the accounts of users who are no longer affiliated with the institution are removed from the IT environment. Some institutions have discovered ex-students and ex-teachers using institution-owned computer processing facilities to run private businesses.

Government: State governments are greatly interested in delivering state services to their constituencies via the Internet. Thus, they need an access control infrastructure that can manage millions of users, most of whom have only occasional need to access government services (for example, for yearly tax returns).

Manufacturing: Enterprise resource planning implementations have forced many manufacturing companies to develop roles and associated access rights for their workforces. To maintain these roles, many of these companies turn to user provisioning products; otherwise, their role-based access control structures would be out of date in six to 12 months.

Key Issues

How will enterprises manage the complexity of authentication and access control in a highly distributed world?
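The Terminations and Policy-Based Compliance items under IT Risk Management above describe two checks that an IAM facility automates: knowing every account a departing user holds across systems (including non-IT assets with a monthly fee, as in the Non-IT Services item), and reducing log monitoring to access exceptions. The following Python script is an added example written for this page, not code from the Gartner note or from any IAM product. It reconciles a constructed HR termination feed against constructed per-system account inventories to list the accounts that should have been disabled, then scans constructed logon records for exceptions: successful logons by accounts whose owner was terminated, by accounts with no HR owner, by accounts missing from the inventory, or outside a business-hours policy. The feed layout, the field names, the logon record format and the 07:00 to 19:00 business-hours window are all assumptions.

```python
"""Added example (not from the Gartner note): enterprise-wide account
reconciliation against an HR termination feed, plus access-exception
detection over logon records. All feeds, inventories and log lines below
are constructed for illustration; formats and field names are assumptions."""
import re
from datetime import datetime, time

# Constructed HR feed: person id -> (status, termination timestamp or None).
HR_FEED = {
    "e1001": ("active", None),
    "e1002": ("terminated", datetime(2003, 10, 28, 17, 0)),
    "e1003": ("terminated", datetime(2003, 10, 29, 9, 0)),
}

# Constructed per-system account inventories: system -> {account: owner id}.
# An owner of None means the system has the account but HR owns nobody for it.
SYSTEM_ACCOUNTS = {
    "ad":     {"jsmith": "e1001", "mjones": "e1002", "svc_backup": None},
    "erp":    {"JSMITH": "e1001", "MJONES": "e1002", "PBROWN": "e1003"},
    "pagers": {"4155550142": "e1002"},      # the non-IT asset with a monthly fee
}

# Assumed business-hours usage policy; successful logons outside it are exceptions.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Assumed logon record layout, one record per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"system=(?P<system>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def find_orphans(hr_feed, system_accounts):
    """List (system, account, reason) for every account that should not exist:
    owner terminated in HR, owner unknown to HR, or no owner at all.
    This is the enterprise-wide view the note says is needed; without it the
    pager account is the one that gets missed."""
    findings = []
    for system, accounts in sorted(system_accounts.items()):
        for account, owner in sorted(accounts.items()):
            if owner is None:
                findings.append((system, account, "no owner in HR"))
                continue
            status, terminated_at = hr_feed.get(owner, ("unknown", None))
            if status == "unknown":
                findings.append((system, account, f"owner {owner} unknown to HR"))
            elif status == "terminated":
                findings.append((system, account,
                                 f"owner {owner} terminated {terminated_at:%Y-%m-%d}"))
    return findings


def access_exceptions(log_lines, hr_feed, system_accounts, business_hours=BUSINESS_HOURS):
    """Return (line, reason) pairs for the logon records an analyst should look at.
    Only successful logons are examined; failed attempts belong to lockout policy."""
    start, end = business_hours
    exceptions = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            exceptions.append((line, "unparseable log line"))
            continue
        if match["result"] != "success":
            continue
        ts = datetime.fromisoformat(match["ts"])
        accounts = system_accounts.get(match["system"], {})
        if match["user"] not in accounts:
            exceptions.append((line, "account not in inventory"))
        else:
            owner = accounts[match["user"]]
            if owner is None:
                exceptions.append((line, "orphan account used"))
            else:
                status, terminated_at = hr_feed.get(owner, ("unknown", None))
                if status == "unknown":
                    exceptions.append((line, "owner unknown to HR"))
                elif status == "terminated" and ts > terminated_at:
                    # A logon before the termination timestamp is legitimate.
                    exceptions.append((line, "logon after owner's termination"))
        if not (start <= ts.time() <= end):
            exceptions.append((line, "logon outside business hours"))
    return exceptions


# Constructed logon records; the last one is deliberately malformed.
SAMPLE_LOG = [
    "2003-10-29T08:15:00 system=ad user=jsmith result=success",
    "2003-10-29T10:30:00 system=erp user=MJONES result=success",
    "2003-10-29T23:05:00 system=ad user=jsmith result=success",
    "2003-10-29T11:00:00 system=ad user=svc_backup result=success",
    "2003-10-29T11:30:00 system=erp user=PBROWN result=failure",
    "2003-10-29T08:00:00 system=erp user=PBROWN result=success",
    "2003-10-29T12:00:00 system=erp user=GHOST result=success",
    "Oct 29 12:01:00 erp: logon GHOST ok",
]

if __name__ == "__main__":
    for finding in find_orphans(HR_FEED, SYSTEM_ACCOUNTS):
        print("DISABLE", *finding)
    for line, reason in access_exceptions(SAMPLE_LOG, HR_FEED, SYSTEM_ACCOUNTS):
        print("EXCEPTION", reason, "|", line)
```

Two details are worth noting. PBROWN's 08:00 logon is not flagged because it precedes the 09:00 termination timestamp in the HR feed, so the comparison has to be against the termination time, not just the status. The unparseable line is reported rather than silently dropped: a record that cannot be read is itself an exception the monitoring process should surface.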
Acronym Key

CFR    Code of Federal Regulations
EAM    extranet access management
HIPAA  Health Insurance Portability and Accountability Act
IAM    identity and access management
SSO    single sign-on

This research is part of a set of related research pieces. See "The Growing Need for Identity and Access Management" for an overview.
