Digital identities and the open business

download Digital identities and the open business

of 21

Transcript of Digital identities and the open business

  • 8/22/2019 Digital identities and the open business

    1/21

    Copyright Quocirca 2013

    Bob TarzeyQuocirca Ltd

    Tel : +44 7900 275517

    Email: [email protected]

    Rob BamforthQuocirca Ltd

    Tel: +44 7802 175796

    Email: [email protected]

    Digital identities and the open business

    Identity and access management as a driver for business growth

    February 2013

    Identity and access management (IAM) systems are today used by the majority of

    European enterprises. Many of these are still installed on-premise but increasingly they

    are being supplemented by the use of on-demand IAM services (IAMaaS). The overall

    uptake represents a big increase from when Quocirca last surveyed the market in

    20091.

    Whilst IAM is important for managing the access rights of increasingly mobile

    employees, three other major drivers have encouraged businesses to invest despite the

    tight economic conditions: the opening up of more and more applications to external

    users, the growing use of cloud based services and the rise of social media. The ultimate

    aim with all three is to nurture new business processes, thereby finding and exploiting

    new opportunities.

    This report presents new research into the use and benefits of IAM and the relationship

    it has with these three drivers. The research is based on over three hundred interviews

    with senior IT managers in medium sized to large organisations in a range of business

    sectors across Europe. The report should be of interest to anyone wanting to better

    serve all types of users, whilst still keeping control over applications and data.

  • 8/22/2019 Digital identities and the open business

    2/21

    Digital identities and the open business

    Quocirca 2013 - 2 -

    Digital identities and the open businessIdentity and access management as a driver for business growth

    Effective identity and access management (IAM) is seen as an essential tool for enabling open interaction between a business

    and its users, be they consumers, employees or users that are employees of other businesses, such as partners or customers.

    Many businesses now have

    more external users than

    internal ones

    The majority of businesses now open up at least some of their applications to external users,

    with 58% saying they transact directly with users from other businesses and/or consumers.

    The scale of the business processes they are running that require this will often mean the

    number of external users exceeds internal ones. This has led to a rise in the uptake of IAM

    systems with advanced capabilities to handle multiple types of users.

    Advanced IAM also helps

    organisations embrace

    cloud services and social

    media

    97% of organisations that are enthusiastic about cloud-based services have deployed IAM in

    general and 65% are using IAM-as-a-service (IAMaaS); only 26% of cloud avoiders use any

    form of IAM. The single-sign-on (SSO) capability of such services acts as a broker and a

    central place to enforce usage policy between users and both on-premise and on-demand

    applications. Many businesses also recognise the value of social media, with the top

    motivation being to identify and communicate with potential customers.

    Deployment of IAM has

    increased markedly in the

    last three years

    When Quocirca last researched the IAM market in 20091, 25% had some form of IAM in

    place, with 52% saying it was planned although, for many, those plans were delayed.

    However, regardless of the ensuing tight economic conditions, 70% have now deployed IAM.

    For 27% this is a totally on-premise system, however, 22% have already chosen to use a pure

    on-demand system, whilst 21% have a hybrid deployment.

    The number of sources of

    identity is extending well

    beyond in-house directories

    Active Directory is the most widely used primary source of identity for employees (68% of

    respondents). For users from customer and partner organisations the most common sources

    of identity are their own directories (1112%). Secondary sources include the membership

    lists of professional bodies, for example legal and medical practitioners (78%) and

    government databases (23%). 12% use social media as a primary source of identity for

    consumers, 9% say it is secondary. These fairly low use rates of alternative sources suggest

    an untapped business opportunity, perhaps because currently deployed IAM tools do not

    facilitate it.

    IAM eases a number of

    management challenges

    The top IT management challenge eased by IAM is the enforcement and management of

    access policy. However, it is also about improving the user experience by providing easy

    federated access to multiple applications and enabling user self-service. Whilst there are

    many benefits for businesses to be gained from effective IAM it seems likely that IT

    departments are under-selling these benefits.

    The benefits of IAMaaS, in

    particular, are widely

    recognised

    The potential of IAMaaS is widely recognised even by those with pure on-premise IAM

    deployments. Lower management and ownership costs along with improved employee

    productivity top the list, with ease of integrating external users not far behind. Those who

    make extensive use of cloud-based services are especially likely to recognise the benefits of

    IAM in general and select IAMaaS in particular.

    Conclusions

    Having an identity and access management system in place is now seen as an imperative by many businesses to achieving a wide

    range of IT and business goals. Those organisations that lack effective IAM are likely to lag behind their competitors in many areas

    as more and more business-to-business (B2B) and business-to-consumer (B2C) transactions move online, cloud services become

    the mainstream source of IT applications and services for many businesses and social media takes centre stage as a source ofidentity.

  • 8/22/2019 Digital identities and the open business

    3/21

    Digital identities and the open business

    Quocirca 2013 - 3 -

    Introduction identity as the new perimeter

    Identity and access management (IAM) is all about a

    business authenticating and understanding its users.

    This includes its employees, but also the growing

    number of external users that a given business allows to

    access its applications (Figure 1), both those installed

    on-premise and those that are subscribed to as on-

    demand services. Identity and access management

    (IAM) systems are increasingly being seen as the bridge

    between users and applications; either of which can be

    inside or outside of the firewall that has traditionally

    been the boundary of a given organisations IT systems.

    This has led to the concept ofthe identity perimeter2.

    Some organisations say they no longer even have office-

    based employees, with all employees being consideredas mobile (just 8% said they had only office-based

    users). However, the biggest change is the degree to

    which consumers and the employees of customer

    organisations are being given access; 58% of the

    businesses surveyed have now opened up applications

    to users from customer organisations, consumers or

    both (the figure of 58% is derived by adding together

    the numbers for those who interact with consumers and

    those that interact with users of customer organisations

    and subtracting from the total those who say they

    interact with both). The main motivator is to transact

    directly with these external users online (Figure 2).

    IAM is also about making sure all users have convenient

    access to the resources they require, whilst maintaining

    appropriate levels of security and privacy and ensuring

    compliance requirements can be met. It is not about the

    creation and storage of identities per se. As this report

    will go on to show, effective IAM enables the federated

    use of a wide range of existing sources of identity. It also

    provides the balance between opening applications up

    to mobile and external users whilst making sure those

    applications, and the data to which they provide access,

    is appropriately protected.

    The degree of transaction with external users varies by

    sector. With growth in use of online banking, financial

    services organisations are the most likely to be

    interacting with consumers, with 54% already doing so,

    along with government organisations, 49% of which are

    already transacting online with citizens. Telcos (as

    service providers) lead when it comes to direct

    interaction with users in business customer

    organisations with 48% doing so already, with

    manufacturers coming in second at 42% with their

  • 8/22/2019 Digital identities and the open business

    4/21

    Digital identities and the open business

    Quocirca 2013 - 4 -

    complex supply chains. The profile of interaction is

    likely to change over time as the benefit of direct

    interaction is increasingly recognised and more and

    more products and services are sold directly.

    Beyond the opening up of applications to externalusers, there are two other major drivers for IAM.

    First, there is the increasing acceptance and take up

    of cloud services (Figure 3). The research

    unambiguously shows that those organisations that

    are making wide use of cloud services have also

    invested in IAM (see later section on IAMaaS). The

    main reasons for this are that IAM eases the way

    access to cloud-based services is granted and revoked

    and once a user has logged on once they can be given

    immediate access to multiple cloud services.

    Second is the rising use of social media (Figure 4), which can help businesses to better understand customer

    preferences and improve the overall customer experience. Many think there is huge business potential here;

    however, the number one reason for working with social media highlighted by this research is being able to identify

    and communicate with potential customers. Advanced IAM systems enable this by allowing users to make use of

    their own existing identities, which in turn enables easier interaction and should lead to faster business growth.

    Businesses need to recognise that the return on investment in IAM is not just improved security but an open ended

    business opportunity knowing your users through their digital identities and then being able to maximise their

    potential is the cornerstone for controlling interaction between a given business and the outside world.

    You and your digital identity, the rise of social media

    The age of bring-your-own-identity (BYOID)

    For one group in particular consumers social

    media is emerging as a key source of identity

    (Figure 5). Real world examples of this include

    organisations that have internet-centric business

    models, for example music download sites such

    as Spotify and charity giving sites such as

    JustGiving, that allow users to login using their

    Facebook identities; this makes it far easier for

    users to sign up and for donors to part with their

    money.

    However, usage looks set to expand into more

    conservative areas; for example, the UK

    government is also evaluating Facebook as part of

    the Identity Assurance (IDA) programme3, a way

    of better enabling secure transactions between

    public sector bodies and citizens. Is it even

    possible in the future that Facebook or Google identities could be the basis for access to online banking? This would

    not be such a huge step, according to a recent report from Virgin Media4, two thirds of UK banks have already

    speeded up customer service through use of Twitter.

  • 8/22/2019 Digital identities and the open business

    5/21

    Digital identities and the open business

    Quocirca 2013 - 5 -

    This has led to the emergence of the concept BYOID

    (bring-your-own-identity), something that may well

    extend beyond consumers all the way to employees in

    the fullness of time. Before too long employees may take

    their identities with them from one job to the next in asimilar way that many already do with their smartphones

    and other access devices (BYOD bring-your-own-device

    another industry trend that has already taken hold5).

    Many may consider that an identity taken from a social

    media site cannot be trusted. However, there are an

    increasing number of services that can be used to

    calculate the trust of such identities and set thresholds

    for when they are accepted. Such sites calculate that, if a

    user has been using the same Facebook identity for five

    years and has accumulated a long back history of

    communications, it is unlikely to be a fake. In fact,

    because of the controls many social media organisations

    place around creating accounts, using them to create fake

    identities is more difficult than doing so through a

    registration process that involves a new unique account

    being created specific to a given service.

    However, if social media sites are to be used as a source

    of identity, businesses need to be savvy about how they

    go about it. Marketing departments cannot expect to

    convert users of third party social media sites directly

    across to their own applications; neither can they expect

    users to login multiple times or fill out several forms with

    the same information. To truly embrace social media

    requires it to be fully integrated with IAM systems and

    used as a means of single-sign-on (SSO) to multiple

    resources. Any company not using this effectively may be

    losing sales.

    The increasing use of IAM

    Patterns of use for IAM

    The three trends outlined earlier the opening up of applications, the rising use of cloud and growing importance of

    social media added to an increasingly complex mix of identity sources, are all drivers behind the growing use of

    IAM. Figure 6 shows that there seems to have been considerable investment in IAM since Quocirca last published

    research in this area in 20091

    (which was focussed on privileged user management). 70% of organisations now have

    some sort of a system in place compared with around 25% just four years ago. Interestingly, around 50% said they

    had plans for IAM investment in 2009; plans which seem to have come to fruition despite the ensuing tight

    economic conditions. In a later section; The IAM empowered business, the report looks at the reasons IAM

    systems are seen as important for achieving a range of IT objectives.

    The use of on-demand IAM-as-a-service (IAMaaS) is on the rise; 22% say this is their primary way of implementing

    IAM with a further 21% saying they have a hybrid on-premise/on-demand deployment.

  • 8/22/2019 Digital identities and the open business

    6/21

    Digital identities and the open business

    Quocirca 2013 - 6 -

    This leaves 30% of companies with no IAM system at all, with smaller companies being the least likely (Figure 7).

    They will find it hard to open up access to applications in the way that that their competitors have. In the past small

    businesses may have considered that such systems were only affordable by large enterprises, however with the

    increasing availability of IAMaaS, where payment is by use, cost should no longer be a blocker.

    Authenticating users

    The data shown in Figure 8 examines the attitude the respondents had to various aspects of authenticating users. It

    is widely accepted that clearly establishing identities is essential. Overall, 84% of all respondents say the need to

    do so is true for their organisation.

    When it comes to checking identities,

    77% are likely to use strong

    authentication (this is especially true of

    telcos and financial services). However,

    only a small number of respondents say

    they use hardware token providers (as a

    primary source of identity), probablybecause of the cost. The main reason that

    businesses will have turned to hardware

    token providers as a source of identity in

    the first place is because they are also a

    source of strong authentication. Given

    the importance attached to strong

    authentication, many are probably

    seeking lower cost software-based

    alternatives that make use of spatial

    and/or temporal co-ordinates or making

    use of mobile phones (unsurprisingly,

    telcos take a lead here too).

    70% say they no longer rely entirely on

    usernames and passwords to authenticate users (again, this is especially true of telcos). IP addresses are used for

    authentication by 82%; if used alone this would be a concern because IP addresses can be spoofed by hackers who

    want to make their attacks appear to come from legitimate locations. However, it is unlikely that IP addresses are

    being used as a primary means of identity; they are probably just an additional attribute that may be used as part of

    a strong authentication process.

    As many as 54% say they sometimes transact without first establishing the identity of users. This was especially true

    of telcos (83%) and financial services (77%). There may be good reasons for this, for example when asking for a

    quote for insurance or mobile phone service plan many do not want to give all their details before seeing the cost.

    However, it is likely that, in other cases, collecting such information is simply seen as too arduous, which it need not

    be if the supporting IAM tools were in place. In many cases the customer experience could be improved.

  • 8/22/2019 Digital identities and the open business

    7/21

    Digital identities and the open business

    Quocirca 2013 - 7 -

    Multiple sources of identity

    Obviously, all organisations have some existing source of

    identity for their own employees. For 68% of the

    respondents to the current survey the main one is

    Microsoft Active Directory (Figure 9). When it comes to the

    broader community of users, Active Directory is less widely

    used. For mobile users and contractors it is still likely to be

    the main source, but less so.

    Whilst Active Directory is widely used, it, and most other

    directories, has not been designed to scale up for the

    emerging use cases where some organisations are now

    engaging with tens or hundreds of thousands of users from

    other businesses maybe millions of consumers.

    There are other challenges that are tricky to resolve with a

    policy that relies on a single organisational user directory.

    Many IT departments have to cope with mergers andacquisitions at some point; this may mean merging two

    different directories. With federated IAM, both can be

    maintained, at least in the short term, with both being use

    as identity sources. Many cloud-based applications also

    have their own directory of users, which can be integrated

    as part of single overall user identity in a federated IAM

    system and access provided via SSO.

    A growing minority of organisations are already exploiting

    other sources, either as a primary or secondary means of

    identifying and authenticating external users (Figures 10

    and 11). These include: The external directories of partner and customer

    organisations are the most widely used primary source

    of identity for users from customer and partner

    organisations.

    Professional body membership listings, for examplelegal and medical practitioners, are most commonly

    used as a secondary source of identity for users from

    customer and partner organisations.

    Government databases are used to a limited extent, anopportunity that could be exploited further.

    Social media, as pointed out in the introduction,

    currently is most likely to be used for consumers butwith huge future potential for all types of user as the

    age of BYOID dawns. As Figure 4 showed, identifying

    and communicating with potential new customers is

    currently a leading use case for social media, but there

    is a range of others, including analysis of customer likes

    and dislikes.

    Of course, this still leaves many organisations with no source of identity for external users, either because they are

    not engaging with them effectively through IT or because their current IAM capabilities do not allow them to, which

    may mean they are missing out on potential rich seams of user information to help attract new business.

  • 8/22/2019 Digital identities and the open business

    8/21

    Digital identities and the open business

    Quocirca 2013 - 8 -

    The IAM empowered business

    The growing diversity of users and the

    consequent range of sources of identity

    underlines why so many organisations have

    seen the need to invest in IAM tools that can

    link multiple identity sources and provide

    federated access based on policy.

    Figure 12 shows how respondents rated IAM as

    a means of enabling various IT management

    requirements. Top of the list was the

    enforcement of access policy for users; beyond

    this it was about improving the user experience

    through providing self-service and federated

    access as well as ease of provisioning.

    Scalability to cope with unknown numbers of

    users was low on the list; for some this may be

    because they do not understand the limitations

    of existing directories, or because they do not

    know there are tools that can help with this;

    others may simply take it for granted as they have such tools in place already. The perception of IAM as an enabler

    for access to cloud-based applications (software-as-a-service/SaaS) is also low, but the evidence of this research is

    that it can be a key enabler for those that are making extensive use of cloud services.

    Policy enforcement is generally achieved using advanced single-sign-on (SSO). Once a user is authenticated, all

    relevant resources are opened up and their use audited. There is a benefit to customers in doing this; from the

    earliest stages of interaction each individual can be assigned a unique internal identifier linked to a range of otherattributes, including their existing social and/or business identities, which, as far as they are concerned, is their

    primary identity.

    A new user can be provisioned once via SSO and have immediate access to both on-premise and cloud-based

    resources from any device (dependent on policy). Perhaps more importantly, their access to all resources can be de-

    provisioned in an instant when the need arises and there are no legacy passwords held in cookies etc. on their

    devices.

    SSO simplifies things for both the user and the access provider. It is about much more than a one-time validation of

    an identity. An SSO system acts as a hub and, based on the parameters associated with a given identity, it can

    control access to applications and data and enact policies about what a given user or class of users are entitled to

    with that access. Those actions can also be readily audited. Because such policies can be based on the results ofanalysis of content, it is still possible to deny access to certain classes of information even when documents are

    misclassified or stored in the wrong place.

    To engage with external users it is often necessary to be able to extend the metadata that describes a user. When

    this is the case, parameters can be added and used to decide what resources to allow or deny access to and, where

    needed, additional criteria required by different applications associated with a given identity. Flexibility is important

    as these parameters may change over time and new ones may need to be added.

    Most recognise that to deploy advanced IAM and to make use of federated services requires standards (Figure 13).

    LDAP, a general IAM standard for exchanging identity information between systems, topped the list, being seen as

  • 8/22/2019 Digital identities and the open business

    9/21

    Digital identities and the open business

    Quocirca 2013 - 9 -

    essential or useful by 88% of respondents. However, 60% recognised the growing importance of SCIM, a standard

    for simplifying identity management in the cloud.

    Although IAM has many potential business benefits making it easier to attract new customers, increasing business

    with existing customers, improved user experience and making business processes more efficient, all of which can

    provide an overall competitive edge IT departments seem to be underselling IAM. Many seem more aware of theIT operational benefits than the business ones (Figure 14). Although just under half felt it was true that the business

    is not interested in our IAM systems, it seems there are board members ready to listen.

    Those that have not persuaded their bosses to take an interest may fail to get the go ahead for enhanced or new

    investments. They should learn from the more insightful that are focussed on the business benefits and presenting

    these as an opportunity. And there is good news for all; the task of securing investment has been made easier by

    the increasing availability of IAM-as-a-service (IAMaaS).

  • 8/22/2019 Digital identities and the open business

    10/21

    Digital identities and the open business

    Quocirca 2013 - 10 -

    The emergence of IAM-as-a-service (IAMaaS)

    IAM-as-a-service (IAMaaS) is the provision of IAM capabilities on-demand over the internet; many such services

    provide all the capabilities of an on-premise system with additional benefits unique to IAMaaS, which are

    summarised in the next section (Table 2). Provision of IAMaaS may be direct from an IAM vendor or from a service

    provider using a vendors product. The number of vendors offering IAMaaS has risen in the last 45 years and many

    more buyers reviewing options for IAM will now be evaluating IAMaaS.

    The recognition of the benefits of IAMaaS is widespread (Figure 15), more so than its actual use, which, as reported

    earlier (Figure 6), was 22% for pure IAMaaS deployment and 21% for hybrid use, where IAMaaS is integrated with

    on-premise IAM. This combination has its own set of benefits, also outlined in the next section (Table 3). This

    understanding of the benefit of IAMaaS, even by those currently using a purely on-premise system or having no

    current IAM system, suggests plenty of opportunity for the providers of such services or those considering deploying

    them.

    Just as with IAM in general, respondents to the current survey were more likely to recognise the IT rather than the

    business benefits of IAMaaS, especially the operational cost savings (Figure 16). Many will also like the fact that, aswith most on-demand services, payment is out of operational expenditure (OPEX) rather than requiring upfront

    capital expenditure (CAPEX). There was also widespread recognition that IAMaaS can lead to improved employee

  • 8/22/2019 Digital identities and the open business

    11/21

    Digital identities and the open business

    Quocirca 2013 - 11 -

    productivity; for example access to a wide range of resources can be more easily made to an increasingly mobile

    workforce.

    All the business benefits of IAM in general making it easier to attract new customers, increasing business with

    existing customers, improved user experience and making business processes more efficient also apply to IAMaaS.

    Other benefits beyond the cost savings that apply to IAMaaS in particular include the ease of providing access to allusers, especially external ones.

    As was pointed out in the introduction (Figure 3), the acceptance of cloud-based services in general is now

    widespread. 22% of respondents can be considered to be cloud enthusiasts whilst another 23% can be considered

    to be cloud avoiders. Contrasting these two groups and their views on certain issues has proved to be interesting

    and will be the subject of a forthcoming Quocirca report6; for now, the current report will look at views on IAM in

    particular.

    First, respondents were asked about the importance of certain security technologies for providing access to cloud-

    based services (Figure 17). Even cloud avoiders accept they have to use at least some cloud services and see the

    need for audit trails and content filtering. Whilst cloud enthusiasts also recognise the same needs, they also widely

    acknowledge the benefits of IAM, SSO and linking identity and content through policy. These are all integral

    capabilities of most advanced IAM systems. In other words, cloud enthusiasts see IAM as essential for enabling their

    use of cloud.

    Also, as Figure 18 shows, the enthusiasts were far more likely to have deployed IAM, with 97% having something in

    place compared to just 26% of avoiders. Not surprisingly, the majority of enthusiasts (65%) are choosing IAMaaS

    either as their sole IAM capability or as part of a hybrid system. Of course, cause and effect may be debatable, we

    use cloud therefore we need IAM or because we have IAM we can use cloud, but the linkage is clear. Cloud-based

    services are going to continue to be seen as an effective way of delivering many IT services and IAM enables this. If

    you are using cloud-based services in general, why not use them for IAM too? Why not IAMaaS?

  • 8/22/2019 Digital identities and the open business

    12/21

    Digital identities and the open business

    Quocirca 2013 - 12 -

    The benefits of IAM

    Deployed effectively, IAM benefits both the business and the IT department. IAM is the key to the opening up of

    applications to external users, the exploitation of social media and the adoption of cloud services. The business and

    operational benefits are listed in the three tables that follow; first for IAM in general, then IAMaaS in particular and

    finally for hybrid deployments.

    Table 1: Benefits of advanced identity and access management

    BUSINESS BENEFITS OPERATIONAL BENEFITS

    Transacting directly with customers is the number one

    motivator for opening up applications to external

    users, with 87% of respondents saying it was a primary

    or secondary motivator. Advanced IAM enables

    businesses to transact securely and efficiently with a

    wide range of users.

    Enabling federated access to existing and new

    applications for both external users and employees is

    seen as one of the top IT management benefits of

    advanced IAM by around 80% of respondents.

    Advanced IAM enables business growth and innovation

    through supporting the simple creation of new online

    revenue streams and increased customer satisfaction.

    46% of respondents already recognised IAM as essential

    to achieving certain business goals.

    84% of respondents believe that clearly establishing

    identities is essential in ALL cases before commencing a

    transaction. Advanced IAM enables access to both

    cloud-based and on-premise applications to be

    controlled via a single identity.

    The process of mergers and acquisitions can be eased

    by the rapid sharing of resources, enabling the

    federating of two different directories of users from

    each organisation via IAM.

    82% of respondents believe IAM is essential to

    achieving IT security goals. Advanced IAM enables the

    rapid provisioning of all types of new users and, as

    important, their immediate and comprehensive de-

    provisioning when the relationship with a given user

    ends.

    User self-service was seen at the number two

    management benefit of IAM, selected by 81% of

    respondents. Allowing users to reset their own

    passwords and be automatically granted access to new

    applications based on policy is good for user experience

    and makes for more efficient IT operations. This

    increases customer satisfaction and reduces operational

    costs.

    The opening up of a wide range of alternative sources of

    identity via the use of open standards is essential to

    achieving federated IAM. 88% say LDAP is essential or

    useful and there is increasing awareness of SCIM, with

    60% saying it is essential or useful.

  • 8/22/2019 Digital identities and the open business

    13/21

    Digital identities and the open business

    Quocirca 2013 - 13 -

    Table 2: Benefits specific to IAM-as-a-service

    BUSINESS BENEFITS OPERATIONAL BENEFITS

    58% of businesses already provide direct access for

    consumers, business partner users or both to their

    applications. IAMaaS eases the provision of access as

    such systems are designed for remote access from the

    bottom-up.

    Lower cost of management was the top benefit cited

    for IAMaaS (52% of all respondents). As with any on-

    demand service, IAMaaS systems do not require

    installation and configuration, they can be rapidly

    deployed and do not require specialist in-house skills.

    As it is itself a cloud-based service, IAMaaS, in particular,

    enables the easy federation of applications from

    different cloud service providers for all types of user,

    easing the creation of new partnerships. 59% of

    respondents already recognised the benefit of this.

    Lower cost of ownership was cited by 50% of all

    respondents as a benefit of IAMaaS, which costs less to

    implement than an on-premise system due to

    economies of scale (shared infrastructure costs).

    As the use of IAMaaS is easily scalable, it can be

    expanded or contracted based on needs. For example,if a new consumer service is launched it may take off or

    flop; either way an under or over investment will not

    have been made.

    As with most on-demand services, payment is out of

    operational expenditure (OPEX) rather than requiringupfront capital expenditure (CAPEX). Costs are

    therefore on a more predictable pay-as-you-grow

    basis. This allows organisations to experiment with the

    benefits of advanced IAM and prove the value without

    major upfront investment, often by tackling a few

    tactical projects in the early days

    Identifying and communicating with potential new

    customers is one of the top reasons for business use of

    social media. Certain IAMaaS systems have pre-

    configured links to many social media sites, enabling

    easy integration into business processes and the

    growing use ofbring-your-own-identity (BYOID).

    IAMaaS improves IT productivity with no identity

    infrastructure to manage; IT staff are freed up to focus

    on other tasks and innovation.

    52% of all respondents saw improved employee

    productivity as a benefit of IAMaaS. It provides easy

    access to a wide range of resources for all employees,

    including those working remotely.

    IAMaaS, like all on-demand software services, provides

    immediate access to new features without the need to

    install updates and the down time that can entail.

    Table 3: Benefits specific to hybrid on-premise plus IAMaaS

    BUSINESS BENEFITS OPERATIONAL BENEFITS

    More sensitive applications can remain internalised,

    with access rights restricted to those listed on theinternal directory only, whilst transactional

    applications can be opened up to all via the IAMaaS

    system. This is an aid to the 81% who see IAM as

    necessary to achieving IT security goals.

    Continued use can be made of existing legacy IAM and

    directory deployments whilst advanced capabilities canbe integrated from an IAMaaS system.

    IAMaaS systems are already integrated with many cloud

    applications (e.g. Google Apps, Office 365 and WebEx).

    They are, therefore, ready-to-go for the business

    without have to rely on IT to configure or write

    interfaces. Adding IAMaaS to an existing on-premise

    deployment adds such capabilities at a click.

    Many cloud-based applications also have their own

    directory of users, which can be integrated as part of a

    single overall user identity in a federated IAM system

    with access provided via SSO, linked to on-premise

    applications via existing internal IAM.

  • 8/22/2019 Digital identities and the open business

    14/21

    Digital identities and the open business

    Quocirca 2013 - 14 -

    Conclusion

    Having an IAM system in place is now seen by many businesses as essential to achieving a wide range of IT and

    business goals. Primary amongst these are the opening up of more and more applications to external users, the

    growing use of cloud-based services and the rise of social media. The ultimate aim is to nurture new business

    processes, thereby finding and exploiting new opportunities. The number of businesses that have deployed IAM has

    increased dramatically over the last four years.

    Those organisations that lack effective IAM are likely to lag behind their competitors in these areas as more and

    more business-to-business and business-to-consumer transactions move online, cloud services become the

    mainstream source of IT applications and services for many businesses and social media takes centre stage as a

    source of identity. IAM has moved from a security tool to become a business enabler.

    The availability of IAMaaS has brought access to enterprise IAM capabilities within reach of smaller organisations

    and, for larger organisations with legacy IAM and directory systems, IAMaaS can provide them with the agility to

    embrace all these opportunities through integrating them into a hybrid system. This has led to a rapid growth in the

    use of IAMaaS either as the sole way a business deploys IAM or as part of an on-premise/on-demand hybriddeployment.

    However identity management is achieved, the majority of businesses now see it as essential. The statement made

    at the start of this report, that identity is the new perimeter, is already a reality and will become more so as IT users

    and applications disperse ever more and traditional IT security boundaries look more and more dated.

  • 8/22/2019 Digital identities and the open business

    15/21

    Digital identities and the open business

    Quocirca 2013 - 15 -

    Appendix 1 country level data

    Certain observations regarding the variation between organisations in different industry sectors have been made

    throughout the report. Some comment has also been made on the variations between organisations of different

    sizes, especially with reference to the deployment of IAM. These observations are made across all 337 surveys.

    Appendix 1 shows some of the variations between countries, although it should be pointed out that for some

    countries the samples are too small for significant conclusions to be drawn (see Appendix 2, Figure 31).

    Open up applications, attitude to cloud and adoption of social media

    Organisations in the Nordic and Benelux regions were more likely to be opening up their applications to consumers

    than those from further south; Iberia and Italy (Figure 19). However, a strong motivator for all to do so was to

    transact directly with customers (Figure 20). Conversely, Italian and Iberian organisations were the least likely to be

    cloud avoiders (Figure 21), so all have good reason to look at IAM, albeit with the reasons for doing so varying. The

    Nordics are leading the way with use of social media for identifying and communicating with potential customers

    (Figure 22), which ties in well with their enthusiasm for opening up applications to consumers.

  • 8/22/2019 Digital identities and the open business

    16/21

    Digital identities and the open business

    Quocirca 2013 - 16 -

    Deployment and use of IAM

    The Nordics may find it easier to embrace open applications and social media if more of them put IAM systems in

    place; they were some of the least likely to have done so. Overall, Iberian organisations were the most likely to have

    done so and the most likely to have deployed IAM-as-a-service (Figure 23). UK-based organisations are hot on

    strong authentication, with those in the Benelux region taking little interest (Figure 24).

    Italians were the least likely to see IAM an important for providing federated access to external users, whilst, in line

    with other findings, Nordics were keen. However, Italians were the most likely to extol the virtues of IAM for

    simplifying access to SaaS-delivered applications (Figure 25). The need for scalability of IAM for unknown numbers

    of users was most recognised amongst the countries with the largest populations (Figure 26), which makes sense,

    whilst only in the Nordics and Israel did the majority think IAM was very important for access policy

    management/enforcementalthough most saw it as at least fairly important.

  • 8/22/2019 Digital identities and the open business

    17/21

    Digital identities and the open business

    Quocirca 2013 - 17 -

    Benefits of IAMaaS

    Italians and Iberians were the most optimistic that the business was interested in their IAM systems (Figure 27) and

    in all areas but the UK the majority felt there were benefits to be had from IAMaaS (Figure 28). When it came to the

    benefits of IAMaaS, those from the Benelux region were again focussed on integrating external users, whilst Italians

    were the most interested in saving a bit of money, although this was important to all (Figure 29).

    Benelux, Israeli, Nordic and UK based organisations were the most likely to recognise the power of IAMaaS to open

    up new revenue streams, whilst the French and Italians were focussed on new business processes. The Iberians took

    little or no interest in either of these issues (Figure 30). That said, awareness of these business benefits needs to

    increase across the board to bring them more in line with the operational IT benefits.

  • 8/22/2019 Digital identities and the open business

    18/21

    Digital identities and the open business

    Quocirca 2013 - 18 -

    Appendix 2 demographics

    The following figures show the distribution of the research respondents by country, size, sector and job role:

  • 8/22/2019 Digital identities and the open business

    19/21

    Digital identities and the open business

    Quocirca 2013 - 19 -

    Appendix 3 references

    1 Privileged user Management Quocirca 2009

    http://www.quocirca.com/reports/430/privileged-user-management--its-time-to-take-control

    2 The identity perimeter Quocirca 2012

    http://www.quocirca.com/reports/791/the-identity-perimeter

    3 UK Cabinet Office web site

    http://www.cabinetoffice.gov.uk/resource-library/identity-assurance-enabling-trusted-transactions

    4 - Social media continues to rise in popularity among high street banks Virgin Media study

    http://www.virginmediabusiness.co.uk/News-and-events/News/News-archives/2012/Social-media-continues-to-

    rise-in-popularity-among-high-street-banks/

    5 Quocirca The data sharing paradox 2011

    http://www.quocirca.com/reports/620/the-data-sharing-paradox

    6 Forthcoming cloud report 2013

    Quocirca will be publishing a follow-on report on the use of cloud-based services

  • 8/22/2019 Digital identities and the open business

    20/21

    About CA Technologies

    CA Technologies (NASDAQ: CA) provides IT management solutions that help customers manage and secure complex

    IT environments to support agile business services. Organisations leverage CA Technologies software and SaaS

    solutions to accelerate innovation, transform infrastructure and secure data and identities, from the data center to

    the cloud.

    IT Security solutions from CA Technologies can help you enable and protect your business, while leveraging key

    technologies such as cloud, mobile, and virtualisation securely to provide the agility that you need to respond

    quickly to market and competitive events. Our identity and access management (IAM) solutions can help you

    enhance the security of your information systems so that you can improve customer loyalty and growth, while

    protecting your critical applications and data, whether located on-premise or in the cloud. With more than 3,000

    security customers and over 30 years experience in security management, CA offers pragmatic solutions that help

    reduce security risks, enable greater efficiencies and cost savings, and support delivering quick business value.

    CA CloudMinderTM

    provides enterprise-grade identity and access management capabilities as a hosted cloud service

    supporting both on-premise and cloud-based applications. Deployed as a service, CA CloudMinder drives

    operational efficiencies and cost efficiencies through speed of deployment, predictability of expense and reduced

    infrastructure and management needs.

    www.ca.com/mindyourcloud

  • 8/22/2019 Digital identities and the open business

    21/21

    Digital identities and the open business

    About Quocirca

    Quocirca is a primary research and analysis company specialising in the

    business impact of information technology and communications (ITC).

    With world-wide, native language reach, Quocirca provides in-depth

    insights into the views of buyers and influencers in large, mid-sized and

    small organisations. Its analyst team is made up of real-world

    practitioners with first-hand experience of ITC delivery who continuously

    research and track the industry and its real usage in the markets.

    Through researching perceptions, Quocirca uncovers the real hurdles to

    technology adoption the personal and political aspects of an

    organisations environment and the pressures of the need for

    demonstrable business value in any implementation. This capability to

    uncover and report back on the end-user perceptions in the market

    enables Quocirca to provide advice on the realities of technology

    adoption, not the promises.

    Quocirca research is always pragmatic, business orientated and

    conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that

    drive them, but often fails to do so. Quocircas mission is to help organisations improve their success rate in process

    enablement through better levels of understanding and the adoption of the correct technologies at the correct

    time.

    Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC

    products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of

    long term investment trends, providing invaluable information for the whole of the ITC community.

    Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that

    ITC holds for business. Quocircas clients include Oracle, IBM, CA, O2, T-Mobile, HP, Xerox, Ricoh and Symantec,

    along with other large and medium sized vendors, service providers and more specialist firms.

    Details of Quocircas work and the services it offers can be found at http://www.quocirca.com

    Disclaimer:

    This report has been written independently by Quocirca Ltd. During the preparation of this report, Quocirca may

    have used a number of sources for the information and views provided. Although Quocirca has attempted wherever

    possible to validate the information received from each vendor, Quocirca cannot be held responsible for any errors

    in information received in this manner.

    Although Quocirca has taken what steps it can to ensure that the information provided in this report is true and

    reflects real market conditions, Quocirca cannot take any responsibility for the ultimate reliability of the details

    presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of the data presented

    here, including any and all consequential losses incurred by any organisation or individual taking any action based

    on such data and advice.

    All brand and product names are recognised and acknowledged as trademarks or service marks of their respective

    holders.

    REPORT NOTE:This report has been writtenindependently by Quocirca Ltdto provide an overview of theissues facing organisationswith regard to IAM.

    The report draws on Quocircasresearch and knowledge of thetechnology and businessarenas, and provides advice onthe approach that organisationsshould take to create a moreeffective and efficient

    environment for future growth.