Gartner

Newsroom

Egham, UK, March 12, 2009 View All Press Releases

Gartner Reveals Four Identity & Access Management Predictions for 2009 and Beyond

Analysts Discuss IAM Challenges and Opportunities at Gartner Identity & Access Management Summit 2009, 23-24 March in London

Gartner, Inc. has revealed its key predictions for identity & access management (IAM) between 2009 and 2011. Speaking ahead of the Gartner Identity & Access Management Summit 2009 in London, analysts have identified forward-looking assumptions around smart-card authentication, identity-aware networks, hosted IAM and out-of-band (OOB) authentication.

“There is a continuing need in this time of economic uncertainty and budgetary constraints for cost-effective, risk-appropriate IAM methods,” said Ant Allan, research vice president at Gartner. “This includes growing demand for identity-aware networking, host- and service-based IAM offerings and the search for protection from increasingly effective malware attacks against consumer accounts.”

By 2011, hosted IAM and IAM as a service will account for 20 per cent of IAM revenue.
Solution sets related to intelligence, administration, verification and access are evolving from software-centric platform delivery models to composite services models. These reduce the costs of implementation and use and prepare for a more-mature production-centric approach to delivering IAM as a service. Markets for first-generation hosted and managed IAM services address relatively mature implementations. They enable customers to focus their technical planning and delivery on less-mature feature sets such as access and intelligence.

A growing percentage of the revenue realised by IAM vendors and service providers will be made possible by the next step in the IAM maturity model, toward hosted IAM and IAM as a service. Gartner recommends that existing IAM solutions users evaluate service-based options for extending the solutions, rather than significantly upgrading those solutions. Those that have not deployed a significant IAM solution should include service and appliance options in their review to gauge the progress of IAM maturity and its suitability.

Through 2011, 20 per cent of smart-card authentication projects will be abandoned and 30 per cent scaled back in favour of lower-cost, lower-assurance authentication methods.
The use of smart cards with public-key credentials is generally regarded as a high-assurance authentication method. However, provisioning and managing smart cards and the necessary desktop infrastructure are relatively expensive. A risk-based approach may force some organisations to implement two or more authentication methods, which are likely to include smart cards. This will drive the adoption of versatile authentication servers (VASs), which provide a single infrastructure for multiple methods and a single integration point for the local network and heterogeneous downstream applications.

Gartner recommends that organisations with a free choice of authentication methods for local access should take a scenario-based approach to selecting new authentication methods, based on risk, end-user needs and total cost of ownership (TCO).  

By 2011, 30 per cent of large corporate networks will become ‘identity aware’ by controlling access to some resources via user-based policies.
Most corporate networks are anonymous, because they forward packets based on internet protocol (IP) addresses, rather than users' identities. Adding identity awareness to networks to monitor user behaviour and enforce access based on a user's identity is identity-aware networking (IAN), which blocks access to resources that a user is not authorised to access. Some solutions also provide audit trails that satisfy auditors.

Gartner recommends that network managers and others responsible for IAM projects develop strategies for making networks identity aware. They must ensure that all new network infrastructure and network access control equipment purchases have the capability to support this strategy.

By 2010, approximately 15 per cent of global organisations storing or processing sensitive customer data will use OOB authentication for high-risk transactions.
The security measures that most financial institutions and other service providers have in place are proving inadequate in the face of new cyber-crime attacks against customer accounts. Man-in-the-browser (MITB) Trojan attacks in particular are rendering most installed stronger user authentication measures ineffective so organisations are turning to OOB user authentication and transaction verification for high-risk customer transactions.

Most global businesses that implement OOB authentication and transaction verification will use customer-owned landline and mobile phones as the ”something you hold” factor. Users must understand and trust OOB calls or SMS messages delivered to their phones and service providers must ensure that they have reliable working phone numbers (and backup numbers) for their customers. Another problem is that Trojan horses and other forms of malware now prevalent on PCs will become common on smartphones in the next few years, which may render OOB authentication methods that use smartphones insecure and ineffective.

“Organisations that need to safeguard customer accounts should implement a three-pronged security strategy that includes risk-appropriate user authentication, fraud detection, and transaction verification for high-risk transactions,” concluded Allan.

More information can be found in the report “Predicts 2009: Businesses Face pressure to Deliver IAM”, available on Gartner’s website.

About Gartner Identity & Access Management Summit 2009
Gartner analysts will further discuss IAM market dynamics at the annual Gartner Identity & Access Management Summit 2009 in London, 23-24 March. To register, please contact Holly Stevens, Gartner PR, on +44 (0)1784 267738 or at holly.stevens@gartner.com. For further information on the Summit, please visit www.europe.gartner.com/iam

Contacts
About Gartner

Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is a valuable partner in more than 14,000 distinct organizations. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 6,100 associates, including more than 1,460 research analysts and consultants, and clients in 85 countries. For more information, visit www.gartner.com.

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.

Gartner Insight
Gartner Webinars