Research. Identity and Access Management Defined



Similar documents
The Four "A's" of Information Security

Five Business Drivers of Identity and Access Management

Use This Eight-Step Process for Identity and Access Management Audit and Compliance

Security and Identity Management Auditing Converge

Key Issues for Identity and Access Management, 2008

The Identity and Access Management Market Landscape

How to Develop an Effective Vulnerability Management Process

IAM can utilize SIEM event data to drive user and role life cycle management and automate remediation of exception conditions.

Selection Requirements for Business Activity Monitoring Tools

The Five Competencies of MRM 'Re-' Defined

Gartner Updates Its Definition of IT Infrastructure Utility

Deliver Process-Driven Business Intelligence With a Balanced BI Platform

Consider Identity and Access Management as a Process, Not a Technology

2010 FEI Technology Study: CPM and BI Show Improvement From 2009

Research Agenda and Key Issues for Converged Infrastructure, 2006

Organizations Must Employ Effective Data Security Strategies

Overcoming the Gap Between Business Intelligence and Decision Support

Discovering the Value of Unified Communications

Cost Optimization: Three Steps to Saving Money on Maintenance and Support for Network Security Products

IT asset management (ITAM) will proliferate in midsize and large companies.

The What, Why and When of Cloud Computing

Q&A: The Many Aspects of Private Cloud Computing

Business Intelligence Platform Usage and Quality Dynamics, 2008

Case Study: New South Wales State Department of Education Adopts Gmail for 1.2 Million Students

Governance Is an Essential Building Block for Enterprise Information Management

Eight Critical Forces Shape Enterprise Data Center Strategies

BEA Customers Should Seek Contractual Protections Before Acquisition by Oracle

For cloud services to deliver their promised value, they must be underpinned by effective and efficient processes.

Research. Mastering Master Data Management

How Eneco's Enterprisewide BI and Performance Management Initiative Delivered Significant Business Benefits

Iron Mountain's acquisition of Mimosa Systems addresses concerns from prospective customers who had questions about Mimosa's long-term viability.

2009 FEI Technology Study: CPM and BI Pose Challenges and Opportunities

Knowledge Management and Enterprise Information Management Are Both Disciplines for Exploiting Information Assets

Toolkit: Reduce Dependence on Desk-Side Support Technicians

IT Operational Considerations for Cloud Computing

ERP, SCM and CRM: Suites Define the Packaged Application Market

Gartner Defines Enterprise Information Architecture

Integrated Marketing Management Aligns Executional, Operational and Analytical Processes in a Closed-Loop Process

CDOs Should Use IT Governance and Risk Compliance Management to Advance Compliance

The Hype Around an Integrated Talent Management Suite Outpaces Customer Adoption

The Value of Integrating Configuration Management Databases With Enterprise Architecture Tools

Integrating Hitachi ID Suite with WebSSO Systems

2010 Gartner FEI Technology Study: Planned Shared Services and Outsourcing to Increase

The Electronic Signature Market Is Poised to Take Off

Business Intelligence Focus Shifts From Tactical to Strategic

The Current State of Agile Method Adoption

Understanding Vulnerability Management Life Cycle Functions

Vendor Focus for IBM Global Services: Consulting Services for Cloud Computing

The IT Service Desk Market Is Ready for SaaS

The Seven Building Blocks of MDM: A Framework for Success

Best Practices for Confirming Software Inventories in Software Asset Management

When to Use Custom, Proprietary, Open-Source or Community Source Software in the Cloud

Responsible Vulnerability Disclosure: Guidance for Researchers, Vendors and End Users

Private Cloud Computing: An Essential Overview

Transactional HR self-service applications typically get implemented first because they typically automate manual, error-prone processes.

Key Issues for Business Intelligence and Performance Management Initiatives, 2008

Cloud, SaaS, Hosting and Other Off-Premises Computing Models

Key Issues for Data Management and Integration, 2006

Microsoft's Cloud Vision Reaches for the Stars but Is Grounded in Reality

Tactical Guideline: Minimizing Risk in Hosting Relationships

The EA process and an ITG process should be closely linked, and both efforts should leverage the work and results of the other.

Cloud IaaS: Security Considerations

Modify Your Storage Backup Plan to Improve Data Management and Reduce Cost

Real-Time Decisions Need Corporate Performance Management

An outline of the five critical components of a CRM vision and how they contribute to an enterprise's CRM success

Managing IT Risks During Cost-Cutting Periods

Mainframe Modernization: When Migration Is the Answer

The Six Triggers for Using Data Center Infrastructure Management Tools

Data in the Cloud: The Changing Nature of Managing Data Delivery

Gartner Clarifies the Definition of the Term 'Enterprise Architecture'

Cloud IaaS: Service-Level Agreements

Case Study: Lexmark Uses MDM to Turn Information Into a Business Asset

In the North American E-Signature Market, SaaS Offerings Are Increasingly in Demand

Recognize the Importance of Digital Marketing

Repurposing Old PCs as Thin Clients as a Way to Save Money

Emerging PC Life Cycle Configuration Management Vendors

Critical Privacy Questions to Ask an HCM/CRM SaaS Provider

NGFWs will be most effective when working in conjunction with other layers of security controls.

Clients That Don't Segment Their Network Infrastructure Will Have Higher Costs and Increased Vendor Lock-in

Risk Intelligence: Applying KM to Information Risk Management

Document the IT Service Portfolio Before Creating the IT Service Catalog

Dutch University's Successful Enterprise System Implementation Yields Valuable Lessons

Transcription:

Research Publication Date: 4 November 2003 ID Number: SPA-21-3430 Identity and Access Management Defined Roberta J. Witty, Ant Allan, John Enck, Ray Wagner An IAM solution requires multiple products from multiple vendors. It also results in business process change. Obtain senior management support and phase in the IAM implementation according to your "pain points." Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

WHAT YOU NEED TO KNOW Identity and access management solutions are a growing "must have" for enterprises of all sizes and industries. Knowing which product to start and end with in the overall implementation, and why, can help reduce the investment in providing you with a secure access control infrastructure. You should: Phase in the implementation based on your most pressing "pain point(s)" for example, directory services proliferation vs. growing help desk costs for password management vs. failed electronic data processing audits for security administration. Establish a road map for long-term application integration analyze the resources required to integrate homegrown or commercial off-the-shelf applications to ensure business value. STRATEGIC PLANNING ASSUMPTION(S) By 2005, where user provisioning and EAM products are both implemented, identity administration will be performed by a common administration console (0.8 probability). By 2005, EAM vendors that don't provide enterprise identity administration functions or products, or comprehensive IAM suites (or partner solutions), will disappear (0.8 probability). By 2005, the capabilities of metadirectories will have merged into user provisioning products and there will be only one market for user provisioning products (0.8 probability). By year-end 2004, password management vendors that don't provide user provisioning products will go out of business (0.8 probability). By 2005, the complexity of integrating the components of IAM solutions will cause 60 percent of enterprises to choose product suites that are owned or licensed by, and supported through, one vendor (0.7 probability). ANALYSIS Managing user accounts and privileges user access management isn't getting easier. The related "enterprise directory" project has proved to be an elusive goal. As enterprises externalize their business processes over the Internet to customers and trading partners, they have expanded the number and types of users with which they must contend. Accordingly, more users need access to IT resources; platform environments will remain complex and heterogeneous; and Web services are driving the need to manage transactions, as well as user access to IT resources. Thus, enterprises no longer can effectively manage user access to the heterogeneous IT environment (for example, external and internal user identity information repositories, databases, operating systems, and applications) for multiple access purposes, such as business roles, password management rules and business hours access policies. Directories and platform-specific security administration products can't address all of the demands of a well-managed and automated security administration function. Therefore, a range of other technologies, including user provisioning and extranet access management (EAM) products, have evolved to address enterprises' growing need for user account and privilege administration. No product does everything user account management, privilege management, password management and single sign-on (SSO) across all platforms and for all application types. A multiproduct implementation is the only way to meet these enterprise requirements. Publication Date: 4 November 2003/ID Number: SPA-21-3430 Page 2 of 6

Vendors are addressing this multiproduct approach by delivering identity and access management (IAM) product suites. The Four "A's" of Information Security Enterprises need to ensure that users are properly identified and that these identities are validated to IT resources this is authentication. They need to know that users can only access what their job function allows them to access within the enterprise this is authorization. They need to have a consolidated, enterprisewide view and way to manage user access this is administration. Finally, they need to ensure that the activities associated with user access (administration and real-time enforcement) are logged for day-to-day monitoring, regulatory and investigative purposes this is audit. These four "A's" of information security (see Figure 1) will be delivered by emerging IAM technologies. Figure 1. User Identities, Transactions, Roles, Policies and Privileges Identity Management Administration Access Management Real-Time Enforcement Administer Audit Authenticate Authorize Authentication Services Enterprise Single Sign-On Password Management User Provisioning Metadirectory Enterprise Access Management Identity Administration Physical Resources Applications Databases Directories Security Systems Operating Systems Source: Gartner Research (November 2003) Interest in IAM grew rapidly in the first half of 2003. For fiscal 2003, the IAM market is forecast to have a compound annual growth rate of 12 percent, according to Gartner Dataquest. Administration Through Identity Management IAM solutions solve two main functions: administration and real-time enforcement. Identity management solutions address enterprises' need to administer (create, modify and delete) user accounts, user profiles and corporate policies across the heterogeneous IT environment via a combination of user roles and business rules. Also included as part of administration activities is the capability to abstract and automatically correlate data from HR, customer relationship Publication Date: 4 November 2003/ID Number: SPA-21-3430 Page 3 of 6

management and e-mail systems (and other "identity stores"), and from the managed systems. Fulfillment is accomplished in a variety of ways: In response to a self-service request for example, self-registration A line management request for example, the manager has a new employee who starts work on a certain date or a user needs access to an application A change in an HR system for example, employee termination A bulk load for purposes of a new application or merger/acquisition These activities must be monitored for regulatory and investigative purposes. The markets and associated functionalities within identity management are: Password management includes simplified help desk password reset, self-service password reset and password synchronization, including bidirectional synchronization. Password synchronization can be a problem for the information security organization because if the single password is guessed by a hacker, then he or she has access to many more applications than if there was a unique password for each application. This could cause more harm. However, the information security organization's resistance to password synchronization can be overcome if the password formation, history and retention capability of the password management product can provide a stronger password management position enterprisewide. User provisioning encompasses user account management (create, modify and delete user accounts and privileges) for access to the heterogeneous IT resources. Enterprises typically use user provisioning to manage internal user access. User provisioning products act as the single point of administration for legacy and client/server application environments, as well as corporate utilities such as e-mail. Most user provisioning products offer password management functionality, delegated administration, a role-based access control model, workflow (a distinguishing feature from earlier consolidated security administration products) and automated fulfillment of the access request. Some products offer synchronization of user profile information among authoritative sources of user identity information. Metadirectories include user account management (create, modify and delete user accounts and privileges) for access to the authoritative sources of user identity information. Metadirectories also provide data accuracy and precedence for those user identity repositories, as well as synchronizing the user profile information. Historically, metadirectory products have lacked functionality such as password management, role management and workflow, which are standard functions of user provisioning products. Starting in 2001, metadirectory vendors have rounded out their offerings and are starting to look like user provisioning vendors. By 2005, the capabilities of metadirectories will have merged into user provisioning products and there will be only one market for user provisioning products (0.8 probability). Real-Time Enforcement Via Access Management Real-time enforcement is addressed by access management solutions that can enforce, in real time, an access control policy (or policies) for each user of enterprise IT resources. The two information security activities involved in the real-time enforcement process are authentication and authorization. Users must be identified, their identities must be validated, and a decision must be made whether they are authorized to access the requested resource. Some enterprises must perform dynamic authorization to resources based on the status of the user at the time of the access request. For example, if a customer has purchased more than $500,000 worth of merchandise within the past 12 months, he or she gets access to platinum-level services (for Publication Date: 4 November 2003/ID Number: SPA-21-3430 Page 4 of 6

example, free shipping or financing options). The customer who has purchased only $200 worth of merchandise within the past 12 months must pay for shipping and must use a credit card. The markets and associated functionality within access management are: Authentication services help identify users and validate their identities. This area contains multiple markets: Directory services store user identity information, include technologies such as LDAP, X.500, relational databases and others. Virtual directory technologies can be used to ease the administration and real-time authentication problems of user identity information that is being stored in many repositories, each with its own schema and owner. User authentication products, such as public-key infrastructure, tokens and biometrics, provide multifactor identity validation. SSO products enable a user to access multiple computer platforms or applications after being authenticated with a single password. SSO products support interenterprise and intraenterprise SSO for non-web applications (complex because of the need to manage multiple authentication protocols) and Web applications (simple because of the common authentication token known as a "cookie"). Federated identity services, which are best defined by the Liberty Alliance and Microsoft Passport, provide a "trusted" authentication environment. The enterprise that is being asked to grant access to the user (the "consumer") can trust the user identity information provided by the user's initial authentication service (the "producer"). Authentication management infrastructure products offer a single "authentication gateway" to target systems. The gateway supports a variety of authentication technologies. It requests the user to provide the appropriate authentication method based on the requirement of the application being accessed. Enterprise access management is the real-time enforcement for authorization to an IT resource based on an access policy. Enterprise access management also comprises multiple markets: Operating-system access enforcement is delivered through products such as RACF, CA-ACF2 and CA-Top Secret for the mainframe, native platform access control services and third-party products for AS/400, Unix, NT and others. Database row and column access is provided by products such as Oracle's Label Security. EAM, also known as Web access management, offers integrated IAM for Web-based applications. Initial implementations focused on external user access. However, the growing use of portals for employee access is also driving demand for EAM solutions. Most products offer self-service password reset, delegated administration (including user self-service), a role-based access control model, workflow and automated fulfillment of the access request. Functional Overlaps There is functional overlap in the area of administration for IAM products. IAM products need an interface to manage the product and to add, modify and delete users, as well as some level of Publication Date: 4 November 2003/ID Number: SPA-21-3430 Page 5 of 6

delegated administration. User provisioning and EAM products have further overlap in the areas of workflow, role management, delegated administration and password management. Enterprises are looking for one interface to manage all user access to legacy and client/server applications and Web-enabled applications regardless of the user's relationship to the enterprise. Thus, vendors in the user provisioning and EAM markets are providing such functionality at an abstracted level that Gartner calls identity administration. Identity administration functionality is provided through a common console that can direct the user provisioning and EAM products to fulfill on the access request. By 2005, where user provisioning and extranet access management products are both implemented, identity administration will be performed by a common administration console (0.8 probability). The Future of IAM Markets More vendors are offering more components in the overall IAM solution stack because the activities of the IAM markets are related to the management of user access, and enterprises want to manage user access from a common, integrated facility. Vendors such as IBM/Tivoli, Computer Associates International, Novell, RSA Security, Entrust and Netegrity offer integrated products in the two main areas of IAM: user provisioning and EAM. Through 2005, more vendors are expected to do the same at the risk of being shut out of the IAM space altogether. Key Issues How will enterprises manage the complexity of authentication and access control in a highly distributed world? Acronym Key EAM extranet access management IAM SSO identity and access management single sign-on This research is part of a set of related research pieces. See "The Growing Need for Identity and Access Management" for an overview. REGIONAL HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT 06902-7700 U.S.A. +1 203 964 0096 European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM +44 1784 431611 Asia/Pacific Headquarters Level 7, 40 Miller Street North Sydney New South Wales 2060 AUSTRALIA +61 2 9459 4600 Latin America Headquarters Av. das Nações Unidas 12.551 9 andar WTC 04578-903 São Paulo SP BRAZIL +55 11 3443 1509 Publication Date: 4 November 2003/ID Number: SPA-21-3430 Page 6 of 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information