Press Release

Egham, UK, March 12, 2009 View All Press Releases

Gartner Reveals Four Identity & Access Management Predictions for 2009 and Beyond

Analysts Discuss IAM Challenges and Opportunities at Gartner Identity & Access Management Summit 2009, 23-24 March in London

Gartner, Inc. has revealed its key predictions for identity & access management (IAM) between 2009 and 2011. Speaking ahead of the Gartner Identity & Access Management Summit 2009 in London, analysts have identified forward-looking assumptions around smart-card authentication, identity-aware networks, hosted IAM and out-of-band (OOB) authentication.

“There is a continuing need in this time of economic uncertainty and budgetary constraints for cost-effective, risk-appropriate IAM methods,” said Ant Allan, research vice president at Gartner. “This includes growing demand for identity-aware networking, host- and service-based IAM offerings and the search for protection from increasingly effective malware attacks against consumer accounts.”

By 2011, hosted IAM and IAM as a service will account for 20 per cent of IAM revenue.
Solution sets related to intelligence, administration, verification and access are evolving from software-centric platform delivery models to composite services models. These reduce the costs of implementation and use and prepare for a more-mature production-centric approach to delivering IAM as a service. Markets for first-generation hosted and managed IAM services address relatively mature implementations. They enable customers to focus their technical planning and delivery on less-mature feature sets such as access and intelligence.

A growing percentage of the revenue realised by IAM vendors and service providers will be made possible by the next step in the IAM maturity model, toward hosted IAM and IAM as a service. Gartner recommends that existing IAM solutions users evaluate service-based options for extending the solutions, rather than significantly upgrading those solutions. Those that have not deployed a significant IAM solution should include service and appliance options in their review to gauge the progress of IAM maturity and its suitability.

Through 2011, 20 per cent of smart-card authentication projects will be abandoned and 30 per cent scaled back in favour of lower-cost, lower-assurance authentication methods.
The use of smart cards with public-key credentials is generally regarded as a high-assurance authentication method. However, provisioning and managing smart cards and the necessary desktop infrastructure are relatively expensive. A risk-based approach may force some organisations to implement two or more authentication methods, which are likely to include smart cards. This will drive the adoption of versatile authentication servers (VASs), which provide a single infrastructure for multiple methods and a single integration point for the local network and heterogeneous downstream applications.

Gartner recommends that organisations with a free choice of authentication methods for local access should take a scenario-based approach to selecting new authentication methods, based on risk, end-user needs and total cost of ownership (TCO).  

By 2011, 30 per cent of large corporate networks will become ‘identity aware’ by controlling access to some resources via user-based policies.
Most corporate networks are anonymous, because they forward packets based on internet protocol (IP) addresses, rather than users' identities. Adding identity awareness to networks to monitor user behaviour and enforce access based on a user's identity is identity-aware networking (IAN), which blocks access to resources that a user is not authorised to access. Some solutions also provide audit trails that satisfy auditors.

Gartner recommends that network managers and others responsible for IAM projects develop strategies for making networks identity aware. They must ensure that all new network infrastructure and network access control equipment purchases have the capability to support this strategy.

By 2010, approximately 15 per cent of global organisations storing or processing sensitive customer data will use OOB authentication for high-risk transactions.
The security measures that most financial institutions and other service providers have in place are proving inadequate in the face of new cyber-crime attacks against customer accounts. Man-in-the-browser (MITB) Trojan attacks in particular are rendering most installed stronger user authentication measures ineffective so organisations are turning to OOB user authentication and transaction verification for high-risk customer transactions.

Most global businesses that implement OOB authentication and transaction verification will use customer-owned landline and mobile phones as the ”something you hold” factor. Users must understand and trust OOB calls or SMS messages delivered to their phones and service providers must ensure that they have reliable working phone numbers (and backup numbers) for their customers. Another problem is that Trojan horses and other forms of malware now prevalent on PCs will become common on smartphones in the next few years, which may render OOB authentication methods that use smartphones insecure and ineffective.

“Organisations that need to safeguard customer accounts should implement a three-pronged security strategy that includes risk-appropriate user authentication, fraud detection, and transaction verification for high-risk transactions,” concluded Allan.

More information can be found in the report “Predicts 2009: Businesses Face pressure to Deliver IAM”, available on Gartner’s website.

About Gartner Identity & Access Management Summit 2009
Gartner analysts will further discuss IAM market dynamics at the annual Gartner Identity & Access Management Summit 2009 in London, 23-24 March. To register, please contact Holly Stevens, Gartner PR, on +44 (0)1784 267738 or at For further information on the Summit, please visit

About Gartner

Gartner, Inc. (NYSE: IT), is the world's leading research and advisory company and a member of the S&P 500. We equip business leaders with indispensable insights, advice and tools to achieve their mission-critical priorities and build the successful organizations of tomorrow.

Our unmatched combination of expert-led, practitioner-sourced and data-driven research steers clients toward the right decisions on the issues that matter most. We're trusted as an objective resource and critical partner by more than 15,000 organizations in more than 100 countries—across all major functions, in every industry and enterprise size.

To learn more about how we help decision makers fuel the future of business, visit

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.