Forrester TechRadar - Identity and Access Management - Q2 2008


June 18, 2008


Forrester TechRadar: Identity And Access Management, Q2 2008
by Andras Cser with Jonathan Penn and Allison Herald
For Security & Risk Professionals

Market Seeks Solutions That Support Business And IT Flexibility And Compliance

EXECUTIVE SUMMARY

Identity and access management (IAM) continues to be a fragmented field of disjointed technologies with difficult and expensive implementation cycles and even more costly efforts in the wake of bad technology decisions. Products that give quick answers to immediate security and audit problems (privileged user and password management, identity audit, enterprise single sign-on) continue to excel and move fast along our adoption curves. While these products deliver demonstrable value, they oftentimes complicate the CISO's plan to establish a unified IAM portfolio. More established IAM products (Web single sign-on, provisioning, and directories) continue providing security and efficiency benefits for organizations that can afford their adoption. Standalone password management and metadirectories continue their decline, being subsumed by provisioning and virtual directories.

TABLE OF CONTENTS
The State Of Plans For Identity And Access Management
Why The Future Of Identity And Access Management Matters
Overview: Forrester's TechRadar For Identity And Access Management
IAM TechRadar: Business Benefits Of IAM Are Eclipsing Compliance Needs
WHAT IT MEANS

NOTES & RESOURCES
Forrester interviewed 15 vendors and users, including: Autonomic Networks, Bayshore Networks, BHOLD COMPANY, CA, Eurekify, IBM, Novell, Oracle, Passlogix, Rohati Systems, and Sun Microsystems, for this report.

Related Research Documents
Identity-Management-As-A-Service, April 2, 2008
The Forrester Wave: Identity And Access Management, Q1 2008, March 14, 2008
Identity Management Market Forecast: 2007 To 2014, February 6, 2008

Major Centers Of Gravity Will Form In Identity And Access Management
Supplemental Material

© 2008, Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, RoleView, Technographics, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Forrester clients may make one attributed copy or slide of each figure contained herein. Additional reproduction is strictly prohibited. For additional reproduction rights and usage information, go to www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. To purchase reprints of this document, please email [email protected].


THE STATE OF PLANS FOR IDENTITY AND ACCESS MANAGEMENT

Pressures continue to mount on organizations to keep up with compliance, cost savings, and IT administration efficiency improvement initiatives. As a result, they still lack a strategic vision of IAM and view it as a collection of disjointed technologies and tools to pass audits or remediate audit findings. Leading organizations realize its value in improving efficiency, and they spend time analyzing business and IT processes, selecting an array of smoothly interoperating products, and understanding the long-term implications and potential IT and business benefits of IAM solutions. Organizations that have already implemented IAM piecemeal to address tactical issues (privileged user and password management, identity audit point solutions, or enterprise single sign-on) are increasingly looking toward adopting user account provisioning, comprehensive enterprise role management, and Web single sign-on (SSO) solutions to enable them to realize the ease-of-use and business benefits of IAM.

WHY THE FUTURE OF IDENTITY AND ACCESS MANAGEMENT MATTERS

Identity and access management plays a large role in an organization's IT portfolio because:

IAM addresses key regulatory compliance concerns. Whenever CISOs need to show evidence of compliance in identity life-cycle management and application access, IAM solutions provide a great array of centralized auditing and trending features (often providing templates for an integrated reporting solution). These audit trails give relatively easy and readily available answers to who got access to what application, who approved it, and when. Segregation of duties (SoD) ensures that no conflicts of interest exist between access rights for a user within one application and across multiple applications. Centralized policy management and enforcement of SoD needs capable IAM solutions for entitlement management and role management.

IAM reduces the cost of IT administration. Automating workflow for approvals, making automatic (and often rule-based) changes to administered endpoint systems, creating sets of pre-approved access roles, and automating password resets are all examples of IT administration cycle time reduction. Organizations striving for proficiency in using integrated IAM solutions are extending IAM Web services for use by line-of-business applications in a reusable manner, thus creating an identity fabric.1

All applications have identity and related security and risk implications. Identities for legacy and new applications will need to be managed securely within the frameworks of information risk management and compliance. Automating creation, modification, and removal of user identities in applications yields significant IT administration efficiencies and cycle time reductions.


Business relationships continue to evolve, and identity issues grow increasingly complex. With outsourcing, rightsourcing, innovation networks, and mergers and acquisitions on the rise, traditional IAM models will cease to be sufficient for managing these new relationships. Companies adopting a suitable model early for managing these relationships will enjoy competitive advantages.

OVERVIEW: FORRESTER'S TECHRADAR FOR IDENTITY AND ACCESS MANAGEMENT

Forrester Research gives guidance as to what technologies organizations need to track in the next 10 years to remain on top of effective identity management and help solve significant risk, compliance, and business value challenges. To help security and risk management professionals plan their next decade of investments in IAM, Forrester investigated the current state of 14 of the most important technologies (see Figure 1). We examined past research, interviewed experts in the field, and conducted detailed research with multiple current or potential users of each of the technologies. We used the data collected to assess four things: 1) the current state of the technology; 2) the technology's potential impact on customers' businesses; 3) the time experts think the technology will need to reach the next stage of maturity; and 4) the technology's overall trajectory, from minimal success to significant success.2 In this TechRadar, we also highlight integration points, synergies, and development dynamics between IAM products. This overview helps security practitioners make the right decisions concerning which technologies to invest in and how to preserve the value of IAM investments during a time of economic recession.

Why Do These 14 Technologies Appear In The TechRadar?

We included technologies with a significant installed base and about which we routinely answer our IT clients' and vendors' inquiries. Some products we consider cornerstones of current IAM offerings; others we see playing an important role in shaping the future landscape of IAM. We left out certain solution areas which are not core technologies or which we view as features rather than standalone products (e.g., identity proofing, help desk solutions that perform password resets, risk-based authentication). We also focused on enterprise identity management and thus excluded IAM solutions that are specific to a particular application (enterprise resource planning, email) or platform (e.g., Windows, the mainframe).


Figure 1 Forrester TechRadar: Identity And Access Management, Q2 '08 Technologies Evaluated

Directories
Definition: Directories, or LDAP directories, store identity and security information (user names, passwords, security question/answer pairs, etc.) and can be accessed using the LDAP protocol. Some organizations use LDAP directories as an authoritative source of information about their employees and partners.
Usage scenario: LDAP services provide centralized authentication and authorization information about users to LDAP-enabled applications. Address books and white pages aggregate user information stored in a hierarchical format and provide fast access to applications.
Vendors: CA, IBM, Microsoft, Novell, Oracle, Siemens AG, Sun Microsystems
Estimated cost to implement: $31,000 to $200,000. Implementation costs depend on the number of identities stored in the directory.

Enterprise single sign-on (E-SSO)
Definition: E-SSO desktop applications recognize the layout of various Web-based and thick-client applications. Upon invocation of the application, the E-SSO application automatically logs the user in without the user having to enter their credentials.
Usage scenario: Healthcare workstations, retail and banking shared desktop workspaces, multi-factor desktop authentication before starting proprietary or closed legacy applications, and mining roles and account linkage information.
Vendors: ActivIdentity, BMC Software, CA, Citrix Systems, Evidian, IBM/Encentuate, Imprivata, Novell, Oracle, Passlogix, Sentillion
Estimated cost to implement: $214,000; depends on the number of users.

Entitlement management
Definition: Entitlement management is a centralized way of managing fine-grained access based on user, resource, and context.
Usage scenario: Centralized access policy management for Microsoft SharePoint and other portals, relational database management system (RDBMS) systems, and document management systems.
Vendors: BEA AquaLogic Enterprise Security/Oracle, CA, IBM, Oracle, Cisco Systems/Securent, Vanguard Integrity Professionals
Estimated cost to implement: $150,000 and up; depends on the number and availability of plug-ins into applications and the number of users.


Figure 1 Forrester TechRadar: Identity And Access Management, Q2 '08 Technologies Evaluated (Cont.)

Federation
Definition: Federation (or identity federation) allows two or more organizations to trust each other's identities and authentication decisions. Identity providers authenticate users and send assertions to service providers who trust those assertions. This way, service providers do not have to manage user names and passwords.
Usage scenario: Outsourced services, portal environments, and healthcare providers all deal with users whose identities are maintained in a different place from where the identities are used. Financial services and mobile carriers who fold third-party applications into their customer portals.
Vendors: BMC Software, CA, IBM, Microsoft, Novell, Oracle, Ping Identity, Sun Microsystems, Symlabs
Estimated cost to implement: $211,000; heavily depends on the number of partners in federated relationships.

Identity audit
Definition: Identity audit products answer the following questions: who has access to what resources, and how can I prove my knowledge to auditors? The identity audit products typically provide read-only access to application repositories, discover segregation of duty issues, and help remediate these issues through integration with a provisioning system.
Usage scenario: Identity audit is used most often when organizations have to map out who has access to what applications, mostly due to an audit finding or a security breach.
Vendors: Aveksa, NetVision, SailPoint Technologies
Estimated cost to implement: $50,000 to $100,000 for initial implementation, depending on the number of applications reviewed.

Metadirectories
Definition: Metadirectories provide identity data synchronization and aggregation services. An entry in a metadirectory is a composited image from many different data sources, using data synchronization. Metadirectories typically use LDAP to represent their data.
Usage scenario: Holding companies with many lines of business typically use metadirectories to create a unified white pages service. Most large organizations have users with accounts in multiple repositories; metadirectories help maintain consistency of identity data stored redundantly across these accounts.
Vendors: IBM, Microsoft, Novell, Oracle, Siemens AG, Sun Microsystems
Estimated cost to implement: $146,000; depends on the number of users in the metadirectory and the number of connected systems.


Figure 1 Forrester TechRadar: Identity And Access Management, Q2 '08 Technologies Evaluated (Cont.)

Multi-factor authentication
Definition: Multi-factor authentication allows organizations to supplement user name/password authentication with a second, and if needed, a third factor credential. The second or third factors can be based on something you know (out-of-band authentication, second password, static and dynamic security questions and answers); have (one-time password tokens, grids, USB tokens, smartcards); are (biometrics); or do (keystroke dynamics, motion analysis).
Usage scenario: High-risk and confidential data, applications, and transactions need to be protected by more than a password.
Vendors: Partial list: ActivIdentity, Aladdin Knowledge Systems, AdminOne, Arcot Systems, Authentify Technology, Entrust, Gemalto, iMagic Software, PassMark Software, PortWise, Secure Computing (Secure SafeWord), TriCipher, RSA Security, VASCO Data Security, Valimo Wireless, VeriSign
Estimated cost to implement: $50,000 to $75,000 depending on the number of users. It is also important to distinguish between the cost of the tokens and the cost of the software solution providing the infrastructure for accepting the tokens.

Password management
Definition: Password management allows users to reset their passwords without having to call a help desk. When the password is reset, it is also propagated automatically to all connected systems, and thus all endpoint passwords are kept in sync. This results in a client using multiple user names but a single password to access applications.
Usage scenario: Forgotten password recovery self-service and password synchronization.
Vendors: Avatier, Courion, Hitachi ID Systems, Passlogix, Proginet
Estimated cost to implement: $50,000 to $100,000 depending on the number of connected systems and the number of users.

Privileged user and password management (PUPM)
Definition: PUPM solutions perform the management, change, verification, checkout, and check-in of sensitive and administrative user IDs and passwords for both human administrators and applications.
Usage scenario: Managing shared-account (administrator) passwords, managing temporary and workflow granting of administrative and root access to system administrators, application-to-application sensitive password management, workflow approvals for granting passwords. The solutions are available as appliances or in software-only formats.
Vendors: CA, Cyber-Ark, Cloakware, e-DMZ Security, IBM, Lieberman Software, Symark
Estimated cost to implement: $127,000; depends on the number of administrators using the PUPM solution and the number of connected systems.


Figure 1 Forrester TechRadar: Identity And Access Management, Q2 '08 Technologies Evaluated (Cont.)

Provisioning
Definition: User account provisioning solutions manage identity life cycles (onboarding, offboarding, and status changes), submission and approval of user access rights, and auditing of the above processes.
Usage scenario: Provisioning solutions are used to automatically make changes to target systems based on HR feed-based provisioning, access request submission and approval workflows, provisioning role maintenance, and auditing.
Vendors: Avatier, Beta Systems Software AG, BMC Software, CA, Courion, Evidian, Fischer International, IBM, Microsoft, Hitachi ID Systems, Novell, Oracle, SAP, Siemens AG, Sun Microsystems
Estimated cost to implement: $630,000; depends on the number and kind of connected systems (whether they require a custom connector to be developed), depth of workflow customization, and the number of users.

Role management
Definition: Role management allows creation and life-cycle management of enterprise job roles. These enterprise job roles contain logical groups of application entitlements. Enterprise job roles are then assigned (either by rule-based provisioning or by request-approval workflows) to people in real and virtual organizations.
Usage scenario: Financial services, energy, healthcare, manufacturing, higher education, and government.
Vendors: Although provisioning vendors also provide support for enterprise IT role management, the following vendors extend roles to business roles to be managed by the business: BHOLD COMPANY, Eurekify, Oracle, Prodigen, Sun Microsystems.
Estimated cost to implement: Largely depends on the organization's size and activity type. SMBs can implement role mining and design projects for around $300,000 to $500,000, while large, complex organizations will face $500,000 to $1 million price tags.

User-centric identity
Definition: User-centric identity allows users to authenticate at an identity provider, then select which user profile attributes will be relayed to the service provider with the authentication token obtained at the identity provider.
Usage scenario: Online marketplaces, online retailers, and software-as-a-service providers.
Vendors: IBM (Higgins framework), Microsoft CardSpace, Novell Bandit, OpenID
Estimated cost to implement: N/A


Figure 1 Forrester TechRadar: Identity And Access Management, Q2 '08 Technologies Evaluated (Cont.)

Virtual directories
Definition: Virtual directories are data services and virtualization engines. Instead of synchronizing data (as metadirectories do), they provide dynamic, customizable, and virtual LDAP views overlaid on many data sources (LDAP, RDBMS, flat files, etc.).
Usage scenario: Use cases include hiding sensitive record attributes from unauthorized applications, protocol translation, LDAP directory joins, and schema transformations; they also include avoiding data recertification.
Vendors: Oracle, Radiant Logic, SAP, Sun Microsystems, Symlabs
Estimated cost to implement: $115,000

Web single sign-on (SSO)
Definition: Web SSO allows a user to log in to a Web application and then move to another application without being prompted again for authentication.
Usage scenario: Integration of disparate Web applications into one unified framework. Portals, financial services applications consisting of several, and badly developed, modules.
Vendors: BMC Software, CA, Entrust, Evidian, IBM, Novell, Oracle, RSA Security, Symlabs, Sun Microsystems
Estimated cost to implement: $187,000; heavily depends on the number of onboarded applications, applications' support for externalizing authentication, and the number of users.

Source: Forrester Research, Inc.

IAM TECHRADAR: BUSINESS BENEFITS OF IAM ARE ECLIPSING COMPLIANCE NEEDS

In mapping the futures of IAM technologies, we found that (see Figure 2):

Business users demand direct use of products and business abstractions. Many implementations faced grim realities of IAM: By the time the solution is designed and implemented, the business environment has changed, forcing IT to change roles and policies in the solution. Because of this, IT is increasingly trying to delegate the management of IAM policies to those business units using them. This is prompting IAM vendors to support abstractions in their products to express business terms, using easily understood and customizable labels and descriptions in access management, role management, and provisioning products. For example, in access recertification, the provisioning application indicates to the manager that his/her employee belongs to a role called Branch Teller, instead of indicating that the employee is a member of an LDAP group with a cryptic name.

Fragmentation of identity data remains a challenging reality. Few companies have consolidated their identity repositories; internal employee information is typically stored separately from vendor and partner information, and even within each user group identities may reside in multiple stores. This data fragmentation and siloed ownership causes difficulties with management of policies for role assignments, provisioning, access control, and entitlements.

Consumers' needs play a minor role compared to enterprises' needs. Many consumers have expressed privacy concerns about the dissemination of personally identifiable information and called for better user controls as to what attributes of their personal information they want to submit to an online retailer or other service provider. Although user-centric identity management technologies would make this possible, their deployment is not financially justified for the majority of service providers.

Figure 2 Forrester TechRadar: Identity And Access Management, Q2 '08

[Chart: the 14 technologies plotted by ecosystem phase (Creation, Survival, Growth, Equilibrium, Decline) against business value-add, adjusted for uncertainty (Negative, Low, Medium, High). The legend keys each technology by trajectory (significant success, moderate success, minimal success) and by time to reach the next phase (< 1 year, 1 to 3 years, 3 to 5 years, 5 to 10 years, > 10 years). Technologies plotted: Directories, Web SSO, Provisioning, Virtual directories, Multi-factor authN, E-SSO, Entitlement mgmt., Role mgmt., PUPM, Password mgmt., Federation, Metadirectories, User-centric identity, Identity audit.]

Source: Forrester Research, Inc.

Creation: Identity Audit And Entitlement Management Show Promise

These relatively new technologies today generate comparatively little revenue and are being adopted by leading-edge companies only. While identity audit and entitlements show promise, user-centric identity fails to gain support. Forrester sees entitlement management as a game-changing technology altering the future of access management. Forrester assessed game-changing technologies and found that products leading to tangible business benefits will find greater adoption in (see Figure 3):

Entitlement management. This technology is focused on a centralized definition, management, and enforcement of externalized, application-level, fine-grained authorizations and entitlements. Two forms of entitlement management are competing for IT users' attention. The first is software-based entitlement management, which requires opening up the application and integrating it with the policy enforcement point of the entitlement management system. This type of solution is currently inhibited by the lack of support from enterprise application vendors. The other form of entitlement management is based on inspecting the payload of network packets, which requires minimal to no involvement of application developers or opening up applications.

Identity audit. These solutions provide a systematic view into the organization's resources and answer the following questions: who has access to what, and why? Companies that suffered a security or data breach or that were hit with poor audit reports are the most likely to use these solutions, constituting the first phase of a more comprehensive IAM project consisting of role management and provisioning deployment.

User-centric identity management. Used primarily in a federated business-to-consumer (B2C) context, this technology allows users to take direct control of their personally identifiable information and limit how their profiles' attributes are being sent to service providers from identity providers. Enterprises are not yet displaying significant interest in adopting user-centric identity management, as they believe they can control internal exchange of personal information reliably. North American consumers have not asked service providers and online retailers loudly enough to support this technology, and European government-issued IDs have not provided enough pull-through for this technology.


Figure 3 Forrester TechRadar: Creation Phase Technologies

Entitlement management
Why the Creation phase? The XML Access Control Markup Language (XACML) on which most entitlement products' policy repositories are based is a relatively new technology in its infancy of adoption.
Business value-add, adjusted for uncertainty: Negative. The primary value of entitlement management will be in enterprises centrally managing and enforcing segregation of duties among fine-grained access in and across various applications, allowing them to avoid audit findings and remediation costs.
Time to reach next phase: 1 to 3 years. Although capable of addressing immediate concerns of centrally managing and enforcing access to portals, collaboration sites, databases, and document management systems, Forrester expects this technology to mature rapidly and to converge with Web SSO in the long term.
Trajectory (known or prospective): Significant success. In its current implementation form, entitlement management deployment requires some application modification (externalizing authorization from the application). Current independent software vendor (ISV) support for entitlement management is none to minimal but is expected to grow with the adoption of XACML and federation. The appearance of network-based entitlement management solutions (Autonomic Networks, Bayshore Networks, PacketMotion, Rohati Systems) will allow companies to keep their legacy applications intact and enforce centralized entitlement policies at the network layer by performing deep, packet-level inspection.

Identity audit
Why the Creation phase? Especially among organizations hit with an audit finding, standalone deployment of identity audit solutions is rapidly gaining acceptance. However, users are quickly realizing the need to expand to and integrate with other areas of IAM to provide preventive enforcement of segregation of duties: access management, identity management, and user account provisioning.
Business value-add, adjusted for uncertainty: Negative. The long-term business value-add of identity audits alone is limited, as the question any organization needs to answer after identifying segregation of duty issues is how to fix the problem. Although remediation of these issues can happen manually, systemic and closed-loop management usually requires deployment of a provisioning system.
Time to reach next phase: 1 to 3 years. Identity audit products will probably converge with enterprise role-management solutions and, to some degree, both entitlement management and user account provisioning solutions, to provide the full circle of preventive and corrective enforcement of segregation of duties.
Trajectory (known or prospective): Moderate success. Inability to fix noncompliance issues easily with pure-play identity auditing products limits this technology's applicability.


Figure 3 Forrester TechRadar: Creation Phase Technologies (Cont.)

User-centric identity management
Why the Creation phase? User-centric identity solutions are starting to emerge as users grow concerned about dissemination of their personally identifiable information. Lack of technology standardization, perceived value in enterprises, and interoperable universal acceptance frameworks hinder adoption.
Business value-add, adjusted for uncertainty: Negative. Businesses can benefit from collecting user information (tracking user behaviors, segmenting users, reselling customer information). These benefits will eclipse concerns and liabilities related to lost user records. Enterprises will have a hard time justifying building internal user-centric identity solutions for their employees.
Time to reach next phase: 1 to 3 years. Adoption of user-centric identity will depend on software-as-a-service companies' adoption of federated technologies.
Trajectory (known or prospective): Minimal success. Real growth of user-centric identities will be fueled by wide adoption in B2C and C2C federated relationships, social networks, software-as-a-service, and the emergence of trusted identity providers. Partnership and circle of trust creation concerns that exist with current federation implementations remain valid with user-centric identities. Forrester expects well-adopted federation technologies to incorporate user-centricity.

Source: Forrester Research, Inc.

Survival: Federation, Virtual Directory, Role Management Offer Flexibility And Efficiency

These technologies have found some adoption and are deployed in production at several organizations, varying in size. All these technologies offer a promise for the long term. These technologies have a limited customer base and have not yet garnered wide adoption but are on their way to doing so (see Figure 4). These technologies are:

Privileged user and password management (PUPM). PUPM solutions allow passwords to sensitive accounts (system administrator, root, etc.) to be centrally stored and divulged only temporarily to system administrators or applications. All password releases are audited, and passwords can also be automatically updated on managed systems once the system administrator checks in the password. Most organizations deploy PUPM to reduce the risk of managing sensitive passwords, increase operational stability, and address audit findings. PUPM solutions have also started to provide more fine-grained auditing information as to what the administrator did after checking out the administrator password. In the future, PUPM solutions will combine dissemination of administrative passwords, auditing of administrative access, and fine-grained policy definition of what administrators can and cannot do; they will also aid in determining minimal privilege levels for system administrators.

Virtual directories. Virtual directories provide a dynamic, reconciled, and aggregated view into multiple data sources containing user identity information. Typical use cases for virtual directories are temporary data consolidation projects, avoidance of data recertification, and allowing decoupling of the provisioning process from application development. Virtual directories can also prevent certain data fields from being exposed to certain callers.
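The two properties the report singles out, a live reconciled view across sources of different kinds and per-caller suppression of sensitive fields, are easiest to see in a tiny virtual directory. The following is an added example, not code from the report or from any virtual directory product. The LDAP container, the HR table (built in an in-memory SQLite database to stand in for an RDBMS source), and the caller policy are all constructed sample data.

```python
import sqlite3

# Constructed sample: an LDAP-style people container, entries keyed by DN.
LDAP_PEOPLE = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice", "cn": "Alice Adams", "employeeNumber": "1001", "mail": "alice@example.com"},
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": "bob", "cn": "Bob Brown", "employeeNumber": "1002", "mail": "bob@example.com"},
}


def build_hr_database() -> sqlite3.Connection:
    """Constructed sample: an HR system's RDBMS table, i.e. a non-LDAP source."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (emp_no TEXT PRIMARY KEY, department TEXT, "
                 "manager TEXT, national_id TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", [
        ("1001", "Finance", "carol", "ID-111-22-3333"),
        ("1002", "IT", "dave", "ID-444-55-6666"),
    ])
    return conn


class VirtualDirectory:
    """Joins the sources at query time (nothing is copied) and filters attributes per caller."""

    def __init__(self, ldap_entries: dict, hr_conn: sqlite3.Connection, caller_policy: dict):
        self.ldap = ldap_entries
        self.hr = hr_conn
        # caller_policy: caller identity -> set of attribute names it may receive
        self.caller_policy = caller_policy

    def _ldap_by_uid(self, uid: str):
        for dn, attrs in self.ldap.items():
            if attrs.get("uid") == uid:
                return dn, attrs
        return None, None

    def search(self, caller: str, uid: str):
        """Return the reconciled view of one user, restricted to what `caller` may see."""
        allowed = self.caller_policy.get(caller)
        if allowed is None:
            raise PermissionError(f"unknown caller {caller}")  # fail closed for unregistered callers
        dn, attrs = self._ldap_by_uid(uid)
        if dn is None:
            return None
        merged = {"dn": dn, **attrs}
        # Live query against the RDBMS source; schema mapping (emp_no -> employeeNumber) happens here
        row = self.hr.execute(
            "SELECT department, manager, national_id FROM employee WHERE emp_no = ?",
            (attrs["employeeNumber"],)).fetchone()
        if row:
            merged.update({"department": row[0], "manager": row[1], "nationalId": row[2]})
        # Data transformation: synthesize an attribute that no single source holds
        merged["displayName"] = f"{attrs['cn']} ({merged.get('department', 'n/a')})"
        return {k: v for k, v in merged.items() if k in allowed}


# Constructed caller policy: the help desk never receives the national ID; payroll does.
CALLER_POLICY = {
    "helpdesk-app": {"dn", "uid", "cn", "mail", "department", "manager", "displayName"},
    "payroll-app": {"dn", "uid", "cn", "employeeNumber", "department", "nationalId"},
}


def build_directory() -> VirtualDirectory:
    return VirtualDirectory(LDAP_PEOPLE, build_hr_database(), CALLER_POLICY)
```

Because the HR row is read on every search rather than copied into a consolidated store, a change in HR is visible immediately and there is no second copy of the data to recertify, which is the contrast with metadirectories drawn later in the report.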

Role management. These products allow discovery and grouping of application-level, fine-grained authorizations and entitlements into enterprise roles. These roles can then be assigned based on an authoritative feed from an HR system or on requests from managers and employees. Emerging key differentiators for role management solutions include integration with leading ERP systems' role structures (SAP, Oracle), management of versioning and temporality of roles, and integration with legacy provisioning and newer identity audit products.
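Role discovery ("role mining") and the segregation-of-duties checks that Figure 4 ties to role management can be demonstrated on a handful of discovered entitlements. The following is an added example, not code from the report or from any role management product; the entitlement names, the HR department feed and the single SoD rule are constructed sample data, and the two mining heuristics (exact-match bottom-up, department-intersection top-down) are deliberately simple versions of what commercial products do.

```python
from collections import defaultdict

# Constructed: fine-grained entitlements discovered from three applications, per user.
DISCOVERED_ENTITLEMENTS = {
    "alice": {"sap:AP_INVOICE_CREATE", "sap:AP_VENDOR_MAINTAIN", "ad:grp-finance"},
    "bob":   {"sap:AP_INVOICE_CREATE", "sap:AP_VENDOR_MAINTAIN", "ad:grp-finance"},
    "carol": {"sap:AP_PAYMENT_APPROVE", "ad:grp-finance"},
    "dave":  {"sap:AP_PAYMENT_APPROVE", "sap:AP_VENDOR_MAINTAIN", "ad:grp-finance"},
    "erin":  {"ad:grp-it", "oracle:DBA"},
    "frank": {"ad:grp-it", "oracle:DBA"},
}

# Constructed authoritative HR feed: department per user.
HR_FEED = {"alice": "Finance", "bob": "Finance", "carol": "Finance", "dave": "Finance",
           "erin": "IT", "frank": "IT"}

# Constructed segregation-of-duties rules: entitlement sets one person must never hold together.
SOD_RULES = [
    ({"sap:AP_VENDOR_MAINTAIN", "sap:AP_PAYMENT_APPROVE"}, "maintain vendors and approve payments"),
]


def mine_roles_bottom_up(entitlements: dict, min_members: int = 2) -> list:
    """Bottom-up mining: users holding identical entitlement sets form a candidate role."""
    by_set = defaultdict(list)
    for user, ents in entitlements.items():
        by_set[frozenset(ents)].append(user)
    roles = [{"entitlements": set(ents), "members": sorted(members)}
             for ents, members in by_set.items() if len(members) >= min_members]
    return sorted(roles, key=lambda r: r["members"])


def mine_roles_top_down(entitlements: dict, hr_feed: dict) -> dict:
    """Top-down mining: what every member of an HR department holds becomes the department role."""
    members = defaultdict(list)
    for user, dept in hr_feed.items():
        members[dept].append(user)
    return {dept: set.intersection(*(set(entitlements.get(u, set())) for u in users))
            for dept, users in members.items()}


def sod_violations(entitlements: dict, rules: list) -> list:
    """Report every user whose combined entitlements contain a toxic combination."""
    found = []
    for user in sorted(entitlements):
        for conflict, label in rules:
            if conflict <= entitlements[user]:
                found.append((user, label))
    return found


def role_sod_violations(roles: list, rules: list) -> list:
    """A candidate role that bundles a toxic pair would hand the violation to every future member."""
    return [(idx, label) for idx, role in enumerate(roles)
            for conflict, label in rules if conflict <= role["entitlements"]]
```

Checking the mined roles themselves, not just users, matters because a role is a multiplier: once a conflicting pair is baked into a role, each assignment from the HR feed reproduces the violation the identity audit was meant to remove.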

Federation. Federated identity and access management enables organizations to form circles of trust with their partners and accept security tokens and assertions for authentication; in the future it will allow for federated user account provisioning and enterprise role management. Federation's adoption is hampered by: 1) lack of legal templates that can be used to create circles of trust; 2) lack of technical ability to create dynamic federation agreements; 3) different technology maturity levels of partners; and 4) lack of scalability in extending federated relationships to a large number of partners. Vendors will continue to simplify deployment of federated access management products, creating lightweight, standalone solutions that don't require deployment of a full-blown Web SSO solution. SAML, OpenID, WS-Federation, and CardSpace will be supported not only for producing and accepting tokens, but also for protocol translation, finally making Project Concordia a reality.
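The "circle of trust" in the paragraph above is, on the relying party's side, a list of issuers whose assertions it will accept plus the checks every accepted assertion must pass. The following is an added example of that exchange with both parties, not code from the report or from any federation product. It assumes an HMAC-SHA256 signature over a JSON payload with a per-partner shared key as a stand-in for the XML signatures and metadata a real SAML or WS-Federation deployment uses; the entity IDs and key values are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Asserting party: signs statements about an authenticated user for one named audience."""

    def __init__(self, entity_id: str, signing_key: bytes):
        self.entity_id = entity_id
        self.key = signing_key

    def issue(self, subject: str, audience: str, now: int, ttl: int = 300, attributes=None) -> str:
        payload = {"id": secrets.token_hex(8), "iss": self.entity_id, "sub": subject,
                   "aud": audience, "iat": now, "exp": now + ttl, "attrs": attributes or {}}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class ServiceProvider:
    """Relying party: accepts assertions only from issuers listed in its circle-of-trust metadata."""

    def __init__(self, entity_id: str, circle_of_trust: dict):
        self.entity_id = entity_id
        self.circle_of_trust = circle_of_trust  # issuer entity ID -> verification key
        self.seen_assertion_ids = set()          # replay cache (bounded by ttl in a real deployment)

    def accept(self, token: str, now: int):
        try:
            body, sig = token.split(".")
            payload = json.loads(_unb64(body))
        except ValueError as exc:
            raise ValueError("malformed assertion") from exc
        # The issuer field is only used to pick a key; nothing is trusted until the signature checks
        key = self.circle_of_trust.get(payload.get("iss"))
        if key is None:
            raise ValueError("issuer is not in the circle of trust")
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            raise ValueError("signature check failed")
        if payload.get("aud") != self.entity_id:
            raise ValueError("assertion was issued for a different audience")
        if not payload["iat"] <= now < payload["exp"]:
            raise ValueError("assertion is outside its validity window")
        if payload["id"] in self.seen_assertion_ids:
            raise ValueError("assertion replayed")
        self.seen_assertion_ids.add(payload["id"])
        return payload["sub"], payload["attrs"]
```

Adding a partner means adding one entry to `circle_of_trust`, which is exactly the per-partner onboarding step the report says does not scale to thousands of partners without a trusted broker in the middle.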


Figure 4 Forrester TechRadar: Survival Phase Technologies

Privileged user and password management (PUPM)
Why the Survival phase? PUPM vendors have experienced double- and triple-digit growth due to organizations needing to close audit findings around managing administrative access.
Business value-add, adjusted for uncertainty: Low. Business value comes from: 1) fewer audit findings and reduced cost to remediate those audit findings associated with management of administrative passwords; 2) clear accountability and auditing of the use of administrative passwords; and 3) increased password strength and automatic and periodic changing of administrative passwords.
Time to reach next phase: 1 to 3 years. PUPM solutions will integrate more tightly with user account provisioning, entitlement management, identity auditing, and role management solutions. PUPM solutions are increasingly called for in managing application-to-application passwords, granularly enforcing and auditing system administrator activity, and limiting access to system administrators.
Trajectory (known or prospective): Moderate success. Its being a standalone, often appliance-based solution with relatively low implementation costs and integration to a provisioning system helps with easy business justification of the solution.

Virtual directories
Why the Survival phase? Most vendors (with the exception of Radiant Logic and Symlabs) have been acquired by IAM vendors. Forrester expects a broader adoption of virtual directories, especially in large companies with many business lines where there is a need for an integrated, corporate-wide directory but where organizational silos in data ownership prevent directory and identity services consolidation.
Business value-add, adjusted for uncertainty: Medium. In addition to providing virtual and real-time views into non-LDAP technologies (RDBMS, flat files) and extensive data and schema transformation capabilities, virtual directories create an up-to-date and mashed-up information representation from multiple data sources. Virtual directories also allow account provisioning and application development to be completely decoupled from each other. The provisioning solution can use a virtual directory front end to provision users to the business application's user repository. Data stewardship and some performance issues still remain with the use of virtual directories.
Time to reach next phase: 1 to 3 years. Adoption of virtual directories is accelerated by the adoption of user account provisioning solutions. Adoption of role-based access control in application development and the need to avoid data recertification (which is a mandate when using metadirectories) also help businesses quickly realize value with virtual directories.
Trajectory (known or prospective): Significant success. Virtual directories require no modification of back-end user repositories, add extensive and customizable logging of data access and data transformation services, and present minimal overhead in low to medium volume data access scenarios. These features allow organizations to reach data compliance relatively inexpensively.
Source: Forrester Research, Inc.


Figure 4 Forrester TechRadar: Survival Phase Technologies (Cont.)

Role management
Why the Survival phase? Role management is growing as businesses realize that business and IT role definitions need to be unified and increasingly managed by the business.
Business value-add, adjusted for uncertainty: Low. Organizations can define provisioning and segregation of duties rules, and enforce identity auditing processes, much more quickly when they use enterprise role management.
Time to reach next phase: 1 to 3 years. Today, role design has a significant element of services cost associated with role mining and definition. Business process differences and organizational challenges require highly sophisticated role management features (role mining, definition, auditing, versioning, certification), which will take time to be developed and shrink-wrapped to reduce implementation service costs and to be fully usable by the business. Many organizations are looking to resolve identity audit findings before starting to implement enterprise roles.
Trajectory (known or prospective): Significant success. Forrester continues to see segregation of duties and compliance requirements take the front seat among business drivers behind IAM. Role management provides a very powerful abstraction and enforcement paradigm for effective user account provisioning, access control, and identity auditing.

Federation
Why the Survival phase? Federation has been struggling to find acceptance. Lack of legal frameworks for creating circles of trust, no trusted identity providers, abundance of incompatible protocols, and varying maturity of IAM across partners all contributed to lower-than-expected adoption.
Business value-add, adjusted for uncertainty: Low. Organizations today often undertake the risk of exchanging user information over unreliable channels. Scaling the currently bilateral federation model to many (potentially thousands of) partners raises questions around hidden implementation costs. Federation today lacks mechanisms for trusting digital signatures or provisioning, which are increasingly important use cases. Current technology does not address the effort of adding new partners into the federated ecosystem, hampering scalability.
Time to reach next phase: 1 to 3 years. Adoption of software-as-a-service will help proliferation of federation, albeit in a different form. Risks and liabilities associated with losing identity information and passwords will have to outweigh benefits that organizations can reap from maintaining user marketing and security information. Emergence of trusted identity providers, trusted broker networks, and vendors providing interoperability between disparate protocols (SAML, OpenID, CardSpace, WS-Federation) will be the cornerstone of success for federation technologies.
Trajectory (known or prospective): Moderate success. Federation will mature, but creating circles of trust will remain a legal problem that a technology solution cannot answer. Trusted broker networks and workspaces will provide federation technologies required to connect organizations reliably and in a scalable way.
Source: Forrester Research, Inc.


Growth: Security Administration And Identity Assurance Address Key Market Concerns

Security administration through provisioning is gaining acceptance due to maturity of solutions available, improved product quality, and decreased need for extensive customizations (see Figure 5). Forrester found that the following technologies are fueling IAM's market growth:3

Provisioning. User account provisioning has been the workhorse of IAM growth. It has been integrating enterprise role management and identity audit for a long time, even though its abstractions were too IT-based, providing very little support for business users. Newer provisioning products have come a long way in improvements for automatically discovering endpoint schemas, managing workflows, providing unified access-request interfaces to users, and automating endpoint connector development. System integrators have accumulated a sizeable body of business-process reengineering and implementation expertise and are now able to offer their customers significantly reduced implementation times of provisioning systems. Vendors are working with traditional physical access management systems to provide a one-stop shopping experience for their customers for employee onboarding and offboarding.
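The core of a provisioning engine is a reconciliation pass: compare the authoritative HR feed against what the endpoint connectors actually found and derive the create, disable, orphan and excess-access work lists (Figure 5 names orphaned-account removal and job-role-based access as the value drivers). The following is an added example, not code from the report or from any provisioning product. The HR feed, the discovered account listings, the job-role model and the service-account allowlist are constructed sample data standing in for connector output.

```python
# Constructed authoritative HR feed (the source of truth for who should have accounts).
HR_FEED = [
    {"login": "alice", "status": "active", "job": "accountant"},
    {"login": "bob", "status": "active", "job": "accountant"},
    {"login": "carol", "status": "terminated", "job": "dba"},
]

# Constructed account listings pulled by endpoint connectors: system -> logins present.
ENDPOINT_ACCOUNTS = {
    "ad": {"alice", "carol", "svc-backup", "zed"},
    "sap": {"alice", "bob"},
    "oracle": {"bob", "carol"},
}

# Constructed job-role model: systems on which an active holder of each job must have an account.
JOB_ROLES = {"accountant": {"ad", "sap"}, "dba": {"ad", "oracle"}}

# Non-person accounts that are owned and reviewed separately, so they are never flagged as orphans.
SERVICE_ACCOUNTS = {"svc-backup"}


def reconcile(hr_feed, endpoint_accounts, job_roles, service_accounts) -> dict:
    """Compare the authoritative feed with discovered accounts and derive the provisioning work list."""
    active = {p["login"]: p for p in hr_feed if p["status"] == "active"}
    known = {p["login"] for p in hr_feed}
    create, disable, orphans, excess = [], [], [], []

    # Joiners and missing access: every active person must hold each account the job role requires.
    for login, person in sorted(active.items()):
        for system in sorted(job_roles.get(person["job"], set())):
            if login not in endpoint_accounts.get(system, set()):
                create.append((login, system))

    # Walk every discovered account and classify it against the feed.
    for system, accounts in sorted(endpoint_accounts.items()):
        for login in sorted(accounts):
            if login in service_accounts:
                continue
            if login not in known:
                orphans.append((login, system))   # nobody in HR owns this account
            elif login not in active:
                disable.append((login, system))   # leaver still has access
            elif system not in job_roles.get(active[login]["job"], set()):
                excess.append((login, system))    # active user, but access outside the job role

    return {"create": create, "disable": disable, "orphans": orphans, "excess": excess}
```

In practice the "orphans" list feeds a review workflow rather than an automatic delete, since an account unknown to HR may be a contractor or an unregistered service account; the "disable" list, by contrast, is the leaver case that auditors expect to be closed automatically.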

Multi-factor authentication. Strong authentication solutions, one-time password hardware and software tokens, public key certificate-based digital signatures and encryption, smartcards, out-of-band authentication, and biometrics all fall into the fragmented domain of multi-factor authentication products. These solutions add strength and security to passwords, and are also used for authentication and in risk-based authorization. These solutions require significant integration efforts when deployed with enterprise single sign-on (E-SSO) or Web SSO systems and when they are provisioned. Manufacturing, energy, oil, and gas verticals (where smartcards are already well-adopted) are the easiest areas for adoption, while healthcare struggles with unique, almost real-time login and session management requirements and lack of adoption by physicians.
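The risk-based pattern that Figure 5 describes for this market (use implicit signals such as a known device fingerprint and expected geolocation first, and only fall back to prompting for a one-time password when the risk is elevated) can be shown with a standard TOTP verifier behind a small risk score. The following is an added example, not code from the report or from any authentication vendor. The HOTP/TOTP functions follow RFC 4226 and RFC 6238; the user profile, the device fingerprint values and the scoring weights are constructed assumptions.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


def risk_score(profile: dict, context: dict) -> int:
    """Implicit signals: an unknown device fingerprint or unexpected IP geolocation raises the score."""
    score = 0
    if context["device_fingerprint"] not in profile["known_devices"]:
        score += 2
    if context["ip_country"] != profile["home_country"]:
        score += 2
    return score


def authenticate(profile: dict, context: dict, password_ok: bool,
                 otp: str = None, at: int = 0, step_up_threshold: int = 2) -> str:
    """Return 'allow', 'deny' or 'step-up'. Low-risk logins skip the explicit second factor."""
    if not password_ok:
        return "deny"
    if risk_score(profile, context) < step_up_threshold:
        return "allow"      # implicit second factor (known device, expected location) was enough
    if otp is None:
        return "step-up"    # caller must now challenge the user for a token code
    return "allow" if verify_totp(profile["totp_secret"], otp, at) else "deny"
```

The drift window is the usual trade-off: each extra step accepted on either side widens the set of valid codes at any moment, so keep `window` at 1 and rely on NTP on the verifier rather than widening it to paper over clock skew.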

E-SSO. Enterprise single sign-on systems allow users to enjoy a reduced sign-on experience. E-SSO solutions require no application modification, provide simple password reset self-services, and enable organizations to easily protect a large number of legacy, thick-client applications with multi-factor authentication. Thus, E-SSO is regarded as a forerunner of IAM: clients report easy implementations that bring immediate end user benefits. Most traditional IAM vendors have partnerships with E-SSO vendors or provide OEM E-SSO solutions themselves.


Figure 5 Forrester TechRadar: Growth Phase Technologies

Provisioning
Why the Growth phase? Extensive out-of-the-box capabilities for supporting regulatory compliance, simplifying access request and approval workflows, reducing IT administration cycle time, enforcing segregation of duties with job-role-based access control, and improving security by detection and removal of orphaned accounts are the factors behind the rapid growth of provisioning.
Business value-add, adjusted for uncertainty: High. Although the barriers to entry into provisioning are relatively high (business process definition, development of customized connectors, and workflows), small to medium-size enterprises are opting to implement it. The greatest value of provisioning is seen in easier IT administration, accountability of account and privilege assignments, streamlined business processes, reduced IT administration cycle times, reduced help desk call volumes, and minimized remediation cost for audit findings.
Time to reach next phase: 3 to 5 years. As solutions become easier to architect and implement and support more requirements out-of-the-box, they will find increased adoption with small and medium-size businesses.
Trajectory (known or prospective): Significant success. Convergence of IT and business role management, password management, user self-service, and eventually privileged user and password management will all contribute to the success of provisioning.

Multi-factor authentication
Why the Growth phase? Multi-factor authentication has grown significantly during the past five years and has added exciting new technologies that allow implicit second-factor authentication such as IP geolocation, machine fingerprint, and out-of-band authentication to be used before or instead of asking the user to enter a one-time password from a hardware token.
Business value-add, adjusted for uncertainty: Low. Businesses have realized that passwords are insecure. Some verticals are forced to adopt multi-factor authentication due to a security exposure/breach or audit finding. As such, multi-factor authentication is considered a pure cost item required to prevent future breaches.
Time to reach next phase: 3 to 5 years. Forrester foresees adaptive and risk-based authorization to be subsumed into generic Web access management (early signs of this are the acquisition of Bharosa by Oracle and CA's partnership with Arcot Systems). Multi-factor authentication will continue to exist as a separate and fragmented market.
Trajectory (known or prospective): Moderate success. This market is currently too fragmented, and integration with existing E-SSO and Web SSO solutions poses significant challenges.
Source: Forrester Research, Inc.


Figure 5 Forrester TechRadar: Growth Phase Technologies (Cont.)

Enterprise single sign-on (E-SSO)
Why the Growth phase? E-SSO's relative ease of implementation makes it an ideal candidate for the first phases of IAM. IBM's recent acquisition of Encentuate will lead to extended growth for E-SSO.
Business value-add, adjusted for uncertainty: Medium. Implementing E-SSO does not require extensive application modification efforts and provides enterprises with: 1) reduced sign-on time and improved user experience; 2) access pattern auditing information, which can lead to savings in license costs and better enterprise job role definitions; 3) basic password reset functionality (reducing help desk call volumes); 4) user-established and reliable linkage information between accounts across various user repositories; and 5) ability to protect closed, legacy applications with strong authentication. However, centralized administration of E-SSO clients can be costly at large organizations, offsetting E-SSO's value. Since E-SSO requires a desktop client component to be installed, it does not scale well for B2C solutions.
Time to reach next phase: 1 to 3 years. E-SSO vendors are building vertical-specific solutions (healthcare, manufacturing), and are moving into privileged user and password management and shared accounts management. Customers asking for biometrics, strong and adaptive authentication, and authorization will also fuel growth of E-SSO.
Trajectory (known or prospective): Moderate success. E-SSO will continue to help growth of IAM due to its ease of implementation and ability to produce quick wins and benefits in IAM, which is notorious for its long project timelines.
Source: Forrester Research, Inc.

Equilibrium: Directories Remain Core; Web SSO Supports Expansion Of Digital Business

Transaction processing performance requirements and mission-critical infrastructure build-out in IAM propelled these technologies to become very mature offerings with advanced high-availability, disaster recovery, and operations support. Once deployed, these technologies become part of the backbone of the organization's IT infrastructure, making them rather difficult to replace or phase out (see Figure 6):

Web SSO. After user account provisioning, Web SSO provides the second-largest revenue stream for IAM suite vendors. Web SSO continues to expand in both B2C and B2B relationships, providing improved end user experience and security to users. Future growth of Web SSO will come from: 1) integration of risk-based and adaptive authorization technologies; 2) better policy management integration with XACML policy stores and entitlement management solutions; 3) finer granularity of policy definition; and 4) exposing policy objects in more business-friendly terms to non-IT users.

Directories. Lightweight directory access protocol (LDAP) directories represent the largest deployments in IAM today. Hundreds of millions of objects are routinely stored in LDAP user stores; with the expansion of mobile carriers in Asia, Forrester expects capacities to reach the one billion mark by 2009 to 2010. LDAP functionality will continue to evolve with replication capabilities extended to federated user information exchange. Virtual directory and directory router/load balancer functionality will be subsumed eventually into LDAP directory products.

Figure 6 Forrester TechRadar: Equilibrium Phase Technologies

Web single sign-on (SSO)
Why the Equilibrium phase? Web SSO is a well-understood and mature technology. Its integration with most commercial Web applications is supported by application and/or IAM vendors.
Business value-add, adjusted for uncertainty: High. Web SSO improves end user experience and allows for centralized authentication and authorization policy definition and management. Externalizing authentication (and in some cases authorization) also yields significant business benefits in increased security, code reuse, and reduced application development cycle times.
Time to reach next phase: >10 years. Once applications are integrated into a Web SSO environment, change will happen only infrequently. As more and more thick-client applications are converted to be Web-based, Web SSO will need to support these Web-based applications. Forrester expects Web SSO to subsume adaptive authentication in three to five years.
Trajectory (known or prospective): Significant success. Substantially improved application security, convergence with adaptive and strong authentication, entitlement management, user self-service, and distributed Web SSO solutions will continue to underpin Web SSO's importance in any IAM suite vendor's product portfolio.

Directories
Why the Equilibrium phase? Enterprises have mostly implemented some kind of directory service to store internal and external user authentication and authorization information. Oftentimes, this service holds only a certain user group (e.g., employees), or an enterprise may have many directories of separate and/or overlapping user populations.
Business value-add, adjusted for uncertainty: High. A safe and centralized repository for passwords and other identity data significantly reduces the need for IT administration. Most commercially available modern business applications support LDAP authentication. This means that users existing in the LDAP directory will automatically have access to applications that use the directory for their user repository and can use the password in the directory for all applications. This reduces the need for users to remember multiple user names and passwords and thus reduces password reset calls.
Time to reach next phase: 5 to 10 years. Adoption of directory technology and associated centralizing projects will eventually become less relevant as federation and other information/identity services make this information more available to applications regardless of where it is stored.
Trajectory (known or prospective): Significant success. Directories provide a very good revenue model for vendors as they are typically priced based on the number of user entities in the directory. With the growth of mobile carriers, government e-initiatives, and online services in general, a large number of consumers need to be represented in these LDAP services.
Source: Forrester Research, Inc.


Decline: Metadirectories And Password Management Are Reaching Obsolescence

Point solutions are on the decline as organizations cannot realize the same value for their investment as they can from implementing virtual directories or user account provisioning. The following technologies are related to fairly basic administrative functions (see Figure 7):

Metadirectories. Metadirectories were popular before virtual directories could meet performance requirements of enterprises. Metadirectories will continue to decline due to the cost of moving and recertifying data, weak workflow capabilities during data transformations, and growth of user account provisioning.

Password management. Password reset and synchronization solves only a small piece of the identity life-cycle management problem. It can rarely be used to address audit findings and continues to decline due to user account provisioning taking center stage. Pure password management requirements can be met with E-SSO or provisioning solutions.

Figure 7 Forrester TechRadar: Decline Phase Technologies

Metadirectories
Why the Decline phase? The emergence of feed-based user account provisioning, workflow-based data synchronization, and request approvals has made metadirectories obsolete.
Business value-add, adjusted for uncertainty: Negative. As metadirectories store user information pulled from many data sources, their business value is reduced by the need to recertify data in the metadirectory any time a new back-end information source is added to the metadirectory ecosystem.
Time to reach next phase: 3 to 5 years. Metadirectories are phased out by the emergence of virtual directories and advanced data reconciliation features of provisioning systems.
Trajectory (known or prospective): Minimal success. Value for money, performance and stability issues, and data recertification cost account for metadirectories not reaching their full potential.

Password management
Why the Decline phase? Password management (self-service password reset and password synchronization) is continuing to decline due to organizations looking to solve the more systemic problems of identity management and identity life-cycle management using provisioning and identity audit solutions.
Business value-add, adjusted for uncertainty: Low. Password management's main business value is the reduction of password-related help desk call volumes, representing a subset of provisioning's business value.
Time to reach next phase: 5 to 10 years. Password management will be subsumed into user account provisioning and privileged user and password management (PUPM).
Trajectory (known or prospective): Moderate success. Password management has often served and will continue to serve as the initial project for organizations implementing identity management.
Source: Forrester Research, Inc.


WHAT IT MEANS

MAJOR CENTERS OF GRAVITY WILL FORM IN IDENTITY AND ACCESS MANAGEMENT

IAM will present fewer implementation challenges and IAM stacks will coalesce around four centers of gravity. Forrester expects products within these centers of gravity to be standalone and integrated offerings built on a common and in many cases shared identity backbone.

User account provisioning will continue to improve in ease of implementation. In addition to continuing to provide user self-service and delegated administration functionality, provisioning will integrate enterprise IT and business role management, identity audit and access certification, and parts of PUPM that allow temporary elevation of users' permissions to make them short-term system administrators.

Access management will expand. Access management will eventually comprise Web SSO, fine-grained authorization and entitlement management, E-SSO, risk-based and adaptive authorization, and parts of PUPM which allow fine-grained definition and enforcement of policies that determine what systems administrators can do.

Directories will incorporate virtualization services. Directory evolution will focus on performance improvements and will incorporate features of virtual directories. Directories will continue to serve as trusted user repository technology, especially for B2C deployments.

Federation will remain separate, but integrated into IAM stacks. Identity federation solutions will continue to develop into lightweight standalone products (though they will also integrate cleanly with Web access management solutions), providing user-centric features, expanded federated provisioning, and protocol translation for easier integration.

SUPPLEMENTAL MATERIAL

Online Resource

The underlying spreadsheet that exposes all of Forrester's analysis of each of the 14 technologies in the TechRadar (Figure 2) is available online.

Data Sources Used In This Forrester TechRadar

Forrester used a combination of two data sources to analyze each technology's current ecosystem phase, business value adjusted for uncertainty, time to reach next phase, and trajectory:

Expert interviews. Forrester interviewed experts on each technology, including scientists in labs, academics, developers, and evangelists. Forrester interviewed a total of 15 experts.

Current and prospective customer and user interviews. Forrester interviewed current and potential customers and users for each technology to understand current and prospective uses for the technologies and their impact on the customers' businesses and the users' work. Forrester performed a total of four of these detailed interviews.


The Forrester TechRadar Methodology

Forrester uses the TechRadar methodology to make projections for more than a decade into the future of the use of technologies in a given category. We make these predictions based on the best information available at a given point in time. Forrester intends to update its TechRadar assessments on a regular schedule to assess the impact of future technical innovation, changing customer and end user demand, and the emergence of new complementary organizations and business models. Here's the detailed explanation of how the TechRadar works:

The x axis: We divide technology ecosystem maturity into five sequential phases. Technologies move naturally through five distinct stages: 1) creation in labs and early pilot projects; 2) survival in the market; 3) growth as adoption starts to take off; 4) equilibrium from the installed base; and 5) decline into obsolescence as other technologies take their place. Forrester placed each of the 14 identity and access management technologies in the appropriate phase based on the level of development of its technology ecosystem, which includes customers, end users, vendors, complementary services organizations, and evangelists.4

The y axis: We measure customer success with business value-add, adjusted for uncertainty. Seven factors define a technology's business value-add: 1) evidence and feedback from implementations; 2) the investment required; 3) the potential to deliver business transformation; 4) criticality to business operations; 5) change management or integration problems; 6) network effects; and 7) market reputation. Forrester then discounts potential customer business value-add for uncertainty. If the technology and its ecosystem are at an early stage of development, we have to assume that its potential for damage and disruption is higher than that of a better-known technology.5

The z axis: We predict the time the technology's ecosystem will take to reach the next phase. Enterprise architects need to know when a technology and its supporting constellation of investors, developers, vendors, and services firms will be ready to move to the next phase; this allows them to plan not just for the next year but for the next decade. Of course, hardware moves more slowly than software because of its physical production requirements, but all technologies will fall into one of five windows for the time to reach the next technology ecosystem phase: 1) less than one year; 2) between one and three years; 3) between three and five years; 4) between five and 10 years; and 5) more than 10 years.6

The curves: We plot technologies along one of three possible trajectories. All technologies will broadly follow one of three paths as they progress from creation in the labs through to decline: 1) significant success and a long lifespan; 2) moderate success and a medium to long lifespan; and 3) minimal success and a medium to long lifespan. We plot each of the 14 most important technologies for IAM on one of the three trajectories to help enterprise architects allocate their budgets and technology research time more efficiently.7 The highest point of all three of the curves occurs in the middle of the Equilibrium phase; this is the peak of business value-add for each of the trajectories and at this point, the adjustment for uncertainty is relatively minimal because the technology is mature and well-understood.

Position on curve: Where possible, we use this to fine-tune the z axis. We represent the time a technology and its ecosystem will take to reach the next phase of ecosystem development with the five windows above. Thus, technologies with more than 10 years until they reach the next phase will appear close to the beginning of their ecosystem phase; those with less than one year will appear close to the end. However, let's say we have two technologies that will both follow the moderate success trajectory, are both in the Survival phase, and will both take between one and three years to reach the next phase. If technology A is likely to only take 1.5 years and technology B is likely to take 2.5 years, technology A will appear further along on the curve in the Survival phase. In contrast, if technologies A and B are truly at equal positions along the x, y, and z axes, we'll represent them side by side.

Experts Interviewed For This Document Aveksa CA Courion Covisint Deloitte Energy East Eurekify ENDNOTES1

Fischer International IBM KPN International Novell Oracle Radiant Logic Sun Microsystems

Redesigning the enterprise architecture for identity and access management (IAM) is an important task. As organizations requirements become more complex, and to keep administrative costs down, IAM functionality needs to be increasingly externalized from business applications. When this task is completed successfully, IT and business benets are clearly in evidence. Business benets include deeper insight into the eectiveness of policy management, reduced operational risk, and higher compliance. IT benets are easier administration and outsourcing of IAM functions, reduced application development cycle times through code reuse, and architectural exibility to support mergers and acquisitions and other organizational changes. Although there are early examples of organizations gaining such benets by adopting an identity-as-a-service (IDaaS) framework, organizations should look at IDaaS as a long-term strategic eort and proceed incrementally, not only with the technical implementation, but in maturing their identity related policy and management processes and strengthening interdepartmental relationships. See the April 2, 2008, Identity-Management-As-A-Service report.


2. Identity and access management (IAM) is the entire aspect of maintaining a person's complete set of information, spanning multiple identities and establishing the relationship among these various identities with the goal of improving data consistency, data accuracy, and data systems security in an efficient manner. IAM helps extend business services, improve efficiency and effectiveness, and allow for better governance and accountability. See the April 14, 2008, "Topic Overview: Identity And Access Management" report.

3. The identity management or identity and access management (IAM) market will grow from nearly $2.6 billion in 2006 to more than $12.3 billion in 2014 (including revenues from both products and implementation services). Provisioning accounts for half of IAM market revenues today, but it will account for nearly two-thirds of all IAM revenues by 2014. Even after years of healthy adoption rates, the IAM market is actually just beginning its trajectory toward broad adoption and deep penetration. Moreover, during the next seven years, we will also see buying behavior migrating from point products to identity suites and, to a lesser extent, from products to managed services. Meanwhile, vendors will decompose products into service-oriented architecture (SOA)-enabled functions, repackaged in the form of identity-as-a-service (IDaaS). See the February 2, 2008, "Identity Management Market Forecast: 2007 To 2014" report.

4. Note that the five phases are not of any prescribed length of time. For the typical technology ecosystem profiles for each of the five phases, see Figure 3 in the introductory report. See the August 1, 2007, "Introducing Forrester's TechRadar Research" report.

5. We outline the detailed questions we ask to determine business value adjusted for uncertainty in Figure 4 of the introductory report. See the August 1, 2007, "Introducing Forrester's TechRadar Research" report.

6. Forrester will include relatively few technologies that we predict will take more than 10 years to reach the next ecosystem phase. Expect to see these 10-year-plus technologies only in the Creation phase for fundamental hardware innovations and in the Equilibrium and Decline phases for hardware and software on the great success trajectory. We provide details on how we predict the amount of time that a given technology will take to reach the next phase of technology ecosystem evolution in the introductory report. See the August 1, 2007, "Introducing Forrester's TechRadar Research" report.

7. We provide detailed information and examples of how we predict the amount of time that a technology will take to reach the next phase of ecosystem development (alternatively called velocity or velocity rating) in the introductory report. See the August 1, 2007, "Introducing Forrester's TechRadar Research" report.


Headquarters
Forrester Research, Inc.
400 Technology Square
Cambridge, MA 02139 USA
Tel: +1 617.613.6000
Fax: +1 617.613.5000
Email: [email protected]
Nasdaq symbol: FORR
www.forrester.com

Research and Sales Offices
Australia, Brazil, Canada, Denmark, France, Germany, Hong Kong, India, Israel, Japan, Korea, The Netherlands, Switzerland, United Kingdom, United States

For a complete list of worldwide locations, visit www.forrester.com/about.

For information on hard-copy or electronic reprints, please contact the Client Resource Center at +1 866.367.7378, +1 617.617.5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.

Forrester Research, Inc. (Nasdaq: FORR) is an independent technology and market research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. For more than 24 years, Forrester has been making leaders successful every day through its proprietary research, consulting, events, and peer-to-peer executive programs. For more information, visit www.forrester.com.
