
Making Leaders Successful Every Day

April 1, 2011

Introducing The Forrester Identity And Access Management Maturity Model
by Andras Cser
for Security & Risk Professionals


© 2011 Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, RoleView, Technographics, TechRankings, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective owners. Reproduction or sharing of this content in any form without prior written permission is strictly prohibited. To purchase reprints of this document, please email [email protected]. For additional reproduction and usage information, see Forrester’s Citation Policy located at www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

For Security & Risk Professionals

EXECUTIVE SUMMARY

An identity and access management (IAM) maturity model is necessary for assessing your current state against industry best practices, understanding your performance relative to that of your peers, and creating a long-term strategy and road map. We based the Forrester IAM maturity model on our extensive research, the 100 client inquiries that we field each quarter, and the more than 20 maturity assessments that we have conducted during the past two years. It is a nonlinear, versatile model that provides direct help for IAM strategy creation. It provides comprehensive coverage of three key IAM domains: 1) governance and value; 2) access management; and 3) identity management. While other models treat technology and processes separately, we infuse technology with processes. You can evaluate each increasingly difficult area in each module and score yourself objectively based on simple yes/no criteria, leading to a composite IAM maturity score for your organization.

TABLE OF CONTENTS

Maturity Models Guide IAM Assessments And Strategy Creation . . .

. . . But Conventional Linear Maturity Models Are Not Much Help For Execution

The Forrester IAM Maturity Model Is Modular, Easy To Use, And Effective

Use The Forrester IAM Maturity Model To Measure And Improve IAM

RECOMMENDATIONS: Prioritize Governance And Easy-To-Implement Areas First

NOTES & RESOURCES

This report is based on more than 20 IAM assessments that Forrester produced with our clients; it also includes feedback and conversations with many major IAM vendors.

Related Research Documents

“Introducing The Forrester Information Security Maturity Model,” July 27, 2010

“Best Practices: Enterprise Role Management,” September 30, 2008

“User Account Provisioning For The Midmarket,” August 20, 2007

April 1, 2011

Introducing The Forrester Identity And Access Management Maturity Model
Defining Strategy, Proving Value, And Increasing Automation
by Andras Cser
with Stephanie Balaouras and Nicholas M. Hayes


MATURITY MODELS GUIDE IAM ASSESSMENTS AND STRATEGY CREATION . . .

Two of the most common inquiries we answer at Forrester are “How are we as an organization doing compared with our peers?” and “What is the next step for us as we build out our IAM infrastructure and strategy?” Answers to both questions are critical when you want to recruit or maintain support from executive sponsors such as the CISO or CIO for your IAM processes and projects. Both questions are hard to answer in a vacuum. To answer the first question, you have to standardize the data collection and evaluation from other organizations and present this data in a sanitized but still meaningful manner to your executives. Of course, obtaining this information to begin with is very difficult. Finding the answer to the second question is even more difficult: You must identify the areas that need improvement and the order in which you have to fight fires. The above are the reasons why many organizations look to maturity models. Maturity models help you:

· Set your own baseline. You can clearly see in a structured manner where you are in terms of progress on a comprehensive map. This map can open your eyes to technology areas or issues that you may not have even been aware of before you started using the maturity model. You can’t build a credible IAM strategy without understanding where you are while continuing to serve your customers — the patient’s heart has to pump blood even during triple bypass surgery.

· Focus on your progress. If you re-evaluate the assessment model every six to 12 months, you will be able to see how you’re progressing. This is especially useful for creating executive presentations that highlight the elevation gain and progress that the organization has made since the last evaluation and help make IAM what it should be: an iterative process.

· Build a comprehensive IAM strategy. Once you understand the total picture of your IAM landscape, you can start to balance your immediate requirements and mid-term and long-term goals and bring them together in a solid strategy plan.

· Set achievable goals. As with any other IT project, one of the biggest issues is executive enthusiasm. People get excited about IAM and want it to solve the most complex role management and user account provisioning issues for them in six months. This is obviously not a realistic requirement. You will have to understand where you are in maturity and plan realistic projects that you will be able to complete successfully before the budgeted deadline.

· Calibrate your spending on IAM. Although we’d like to believe that everyone wants to build a solid strategy, we realize that most organizations don’t want to be IAM heroes; they just want to spend the minimum on managing access and identities and be on par with their competitors and peer organizations.


. . . BUT CONVENTIONAL LINEAR MATURITY MODELS ARE NOT MUCH HELP FOR EXECUTION

Conventional linear models expect you to implement one area or process after another. Forrester has worked with clients attempting to use this type of model, and they always have challenges and serious concerns. What are the issues with these linear models? They:

· Don’t account for differing IAM maturity levels. Most organizations are more mature in either identity or access. For example, a company may have a solid access recertification program but not a web single sign-on program. Alternatively, a university may have a good password reset program but no way of performing access recertifications. A linear maturity model can’t appropriately evaluate such organizations, because it works on the assumption that the organization will implement one technology area or process after the other — something that’s not a reality for most organizations.

· Lack specific evaluation criteria and prescriptive advice. Many maturity models lack a well-defined, detailed set of criteria to help clients determine what is required for each level of maturity. Without detailed criteria, there can be huge discrepancies and misunderstandings between how the authors have defined the evaluation criteria and how security and risk professionals interpret the criteria. In addition, if evaluation criteria are too vague or too subjective, it’s not clear what’s required to achieve the next higher level of maturity for each domain or function.

· Don’t provide a holistic view of IAM. Conventional maturity models skew their focus mainly on processes and people. While these are extremely important, identity and access management is the automation of these processes and controls. If the maturity model covers 80% people and process aspects, then automation is too much of an afterthought — and this is where people struggle most. We all have our process manuals nicely stacked in our drawers.

THE FORRESTER IAM MATURITY MODEL IS MODULAR, EASY TO USE, AND EFFECTIVE

Our maturity model is different from other maturity models. We divide aspects of IAM into three major domains: governance and value, access management, and identity management (see Figure 1).

Within each domain are evaluation categories encompassing people, process, and technology (but with a strong focus on technology or automation). The model automatically scores each category by evaluating a list of your “Yes” and “No” responses to specific criteria. Each scored category rolls up into a score for the entire domain (see Figure 2).


Figure 1 Domains In The Forrester Composite IAM Maturity Model

Source: Forrester Research, Inc.

Governance and value: how to have sound ownership and business justification for IAM

Access management: how to keep the bad guys out and allow controlled access to the good guys

Identity management: how to manage the workforce joiner, mover, leaver, and recertification processes

Figure 2 Forrester’s Composite IAM Maturity Model

Source: Forrester Research, Inc.

[Figure: evaluation categories plotted along a maturity curve within each of the three domains. Category labels recovered from the figure, grouped by domain:]

Governance and value: Governance and strategy; Demonstrated value

Access management: Desktop single sign-on; Privileged identity management; Web single sign-on; Entitlement management; Federation and cloud IAM

Identity management: Directory infrastructure; Password management; Access recertification; Provisioning and delegated administration; Job role management


Governance And Value Focuses On The Organizational Aspects And Strategy Of IAM

There is no working IAM process without appropriate executive support, governance, and business value that was demonstrated in the recent past. In the governance and value domain, we look at the following evaluation categories:

· Governance and strategy — keeps the IAM program on track. This category seeks to demonstrate if there is executive sponsorship, a well-defined IAM strategy that is up-to-date, and effective marketing of the IAM strategy and the process/program itself. This category also demonstrates if appropriate IAM training plans exist. Without a well-defined IAM strategy that has the support of executive management, you run the risk that IAM projects are never-ending, there is lost momentum for IAM, and there is rework, confusion, and battles between departments as to who should own IAM.

· Demonstrated value — helps convince naysayers of the value of IAM. Every IAM project needs a business justification. We have seen too many senior executives shoot down projects because of a perceived lack of value. In this category, we evaluate how the organization is tracking call center metrics, IAM project costing, IAM-related employee and business partner satisfaction, and formal definitions of IAM value. The risks of failing to demonstrate IAM value are: 1) losing the attention of executive stakeholders; 2) lack of focus on IAM; and 3) inability to secure funding for subsequent IAM project phases.

Access Management Keeps Your Assets Secure

Security remains one of the biggest motivating factors for IAM projects. Security and risk professionals want to ensure that current employees, former employees, business partners, and consumers don’t have access to — and don’t walk away with — sensitive information. The access management domain includes the following categories:

· Desktop single sign-on — provides an easy entry point into IAM implementation. Since desktop single sign-on (desktop SSO) requires no application customization and often provides support for password reset self-service, many organizations start with this category.1 In this category, we look at criteria such as: 1) whether desktop SSO is integrated with password reset; 2) how many applications desktop SSO covers; 3) how it integrates with multifactor authentication and other IAM technologies; and 4) how its logs are monitored. Without desktop SSO, you run the risk of users spending extensive time on finding passwords, diminished levels of customer services, and excessive costs of integrating multifactor authentication with applications.

· Privileged identity management — controls how administrators gain access to systems. Do you remember when a disgruntled system administrator held the servers at the city of San Francisco hostage?2 High-privileged users can bypass all application-enforced access controls. You need to manage their access to routers, domain controllers, servers, and other critical infrastructure components carefully. In this category, we look at the following: 1) how well you have defined firecall procedures and systems covered by privileged identity management (PIM), and 2) if there is integration of host access control and help desk systems with PIM. If you don’t implement proper controls for privileged users, you run the risk of service-level degradation, audit remediation costs, developers accessing (sensitive) production data, and disgruntled employees taking down your infrastructure or holding you hostage.

· Web single sign-on — relieves application developers from security implementation. Sure, one benefit of using web SSO is the ability for end users to access applications without having to log in repeatedly, but the biggest benefit comes from the ability for application developers to avoid having to maintain security and login/authentication code in their applications. This greatly reduces application maintenance costs and improves application security. In this category, we look at the following: 1) application coverage of web SSO; 2) procedures for web SSO implementation; 3) integration of multifactor and risk-based authentication; and 4) self-service password reset with web SSO. If you don’t implement web SSO, you run the risk of spending too much on application development, users spending too much time logging in to applications, increased cross-site scripting attack surface in applications, and the cost and complexity of managing too many passwords for users.

· Entitlement management — clears the way to check for segregation of duties violations. Are your users giving away too much data through their SharePoint portals? Entitlement management (EM) can help here. Compliance regulations require most organizations to not only check for segregation of duties (SoD) violations but also to enforce them in and among applications. Many companies use EM to create a standard framework for defining and enforcing entitlement in applications — especially in-house developed applications. In this category, we look at the following: 1) application coverage of EM; 2) how SharePoint sites are protected; and 3) how you protect unstructured data and databases. If you don’t implement EM, you run the risk of being unable to detect SoD violations and having high application development costs due to the need to recode applications when business policies change.

· Federation and cloud IAM — allow the owner organization to manage its users. Do you manage your partners’ end user data on their own internal infrastructure? In traditional IAM, the application owner usually manages the user name, password, and login for all users of the application. Moving to federation allows the application owner to let go of managing user names and passwords of users that they do not directly control (business partners, consumers, etc.) and allows those users to use their home login and password management facilities. IAM to cloud applications is still in its nascent phase, but the proliferation of SaaS applications (and sensitive data in them) demands extending enterprise IAM to these applications. In this category, we look at the following: 1) how SAML is used to access SaaS applications; 2) how users’ access is recertified in SaaS applications; 3) how the organization can onboard and troubleshoot a new SaaS application; and 4) the extent to which the company is using cloud-based IAM services. The risks of not implementing federation and cloud-based IAM include excessive costs of managing other organizations’ users’ passwords and identities, unauthorized access to SaaS applications after users terminate, and users having to remember too many passwords for SaaS applications.

Identity Management Helps With Regulatory Compliance And Improves Service Delivery

Managing access recertifications and processes for employees who are joining, moving, or leaving (joiners, movers, leavers) is important not only from a security perspective but also from a compliance perspective. We regularly speak to companies that can’t support their growth or M&A activity without the right blend of identity management services such as provisioning, access recertification, and job role management. This domain includes the following categories:

· Directory infrastructure — the foundation of IAM. Are you struggling to consolidate your Active Directory instances? This is the most common finding of our assessments: companies invariably struggle with the right ownership, maintenance, and cleanup of user repositories. Having the right set of processes and governance around directories is a must for any organization that wants to manage users’ identities effectively. In this category, we evaluate the following: 1) centralized ownership for directories; 2) user ID naming conventions; 3) attribute authority; 4) the number of authentication repositories; and 5) processes for schema updates. The risks of not having a solid process for managing directory infrastructures are excessive downtimes, lack of reliable deprovisioning for ex-users, and low user data quality.

· Password management — helps eliminate users having to remember too many passwords. Users often complain about the number of passwords they have to remember, the excessive number and different cycles of password changes for different applications, and time wasted calling the help desk to reset passwords. In this category, we look at the following: 1) how uniformly you enforce password policies across the organization, and 2) the percentage of applications you cover with self-service password reset. The risks of not having a robust password management infrastructure include too many and not enforceable password policies, too many password change cycles, and compromised passwords being very hard to detect.

· Access recertification — brings the biggest gains in compliance and automation. Knowing and certifying who should have access to what rights in applications is the most important aspect of identity and access management — even if this process doesn’t include fulfillment of access rights granting and revocation. In this category we look at: 1) how automated the process is; 2) how users are impacted by it; 3) how the recertification campaigns are monitored and kept on track by compliance oversight folks; and 4) how users’ activities (and not just entitlements) are monitored for making recertification decisions. The risks of not automating access recertification include spending too much on unreliable manual processes, having SoD violations expose the company to financial risk, and credential-sharing among users.


· Provisioning and delegated administration — streamline the identity life-cycle process. Do your users complain that they have to wait weeks before they get all their access because certain managers delay an access request approval decision? It’s critical that reliable human resources information drive at least some part of the joiner, mover, and leaver processes for freeing up your IT administrators to do more value-add tasks and having a better security and compliance stature. In this category we examine: 1) how many systems are covered by automatic user account provisioning; 2) how well orphan accounts are detected and eliminated; 3) how business partners are provided with a delegated system administrator interface to manage their own access to the company’s IT systems; and 4) how user accounts are locked after a certain period of user inactivity. The risks of not automating the provisioning and deprovisioning process are audit findings and fines, users waiting excessive periods of time to get all their access, and spending too much on IT staff.

· Job role management — helps deprovisioning and approvals and eliminates SoD violations. If you have high-traffic, high-attrition, task-oriented roles (e.g., call center, branch staff, retail associates) where you need to grant and revoke access for many people, job role management can help by providing prescriptive, template-based ways of determining what access rights someone should have in that position — without managers needing to approve every single provisioning request. In this category we look at: 1) how roles are defined and recertified; 2) how SoD checks are performed; and 3) what processes are in place for assigning and revoking movers to and from job roles. The risks of not having a job role system include copying/modeling users’ access rights for joiner and mover processes resulting in too much privilege, SoD violations going undetected between applications, and deprovisioning of users being ineffective and error-prone.

USE THE FORRESTER IAM MATURITY MODEL TO MEASURE AND IMPROVE IAM

We recommend that before evaluating your IAM maturity, you use the Forrester Information Security Maturity Model to understand the maturity of identity and access management compared with other security functions at your organization.3 It’s possible that there are other categories in information security that require your attention and prioritization first. If you have determined that IAM is a priority, then this model will help you set your IAM maturity baseline, target specific categories for remediation, and track your progress over time.

Self-Assessment: Defining Levels Of IAM Maturity

For the maturity model to work, it must measure each component in the same way. Forrester used the same maturity levels as seen in the Forrester Security Maturity Model, which are based on the evaluation scale from the COBIT maturity level definitions. They are: 0 — nonexistent; 1 — ad hoc; 2 — repeatable; 3 — defined; 4 — measured; and 5 — optimized (see Figure 3).


Figure 3 Forrester Maturity Level Definitions

Source: Forrester Research, Inc.

Level             Characteristics
0 — Nonexistent   Not understood, not formalized, need is not recognized
1 — Ad hoc        Occasional, not consistent, not planned, disorganized
2 — Repeatable    Intuitive, not documented, occurs only when necessary
3 — Defined       Documented, predictable, evaluated occasionally, understood
4 — Measured      Well-managed, formal, often automated, evaluated frequently
5 — Optimized     Continuous and effective, integrated, proactive, usually automated

Self-Assessment: Scoring And Assessing Your IAM Maturity Level

Begin by scoring your security program by answering “Yes” or “No” to the 60 evaluation criteria questions in the Self-Assessment worksheet of the tool. As you do so, the Scoring Summary and Maturity Stage Results worksheets will update automatically. When you look at your Maturity Stage Results, you’ll be able to quickly identify domains that need attention (see Figure 4-1). Then when you look at your Scoring Summary worksheet, categories within domains that are particularly problematic (categories that scored less than 2.00) will be highlighted in red (see Figure 4-2).


Figure 4 The Maturity Model Shows Users Where They Need To Improve The Most

Source: Forrester Research, Inc.

[Figure: 4-1 Sample IAM Maturity Stage Results; 4-2 Sample IAM Maturity Scoring Summary]


RECOMMENDATIONS

PRIORITIZE GOVERNANCE AND EASY-TO-IMPLEMENT AREAS FIRST

The goal of taking the IAM self-assessment is not just to benchmark and understand where you are but also to gain objective input into which categories you have to focus on in your IAM strategy. Creating and maintaining an effective IAM strategy from the Forrester Identity And Access Management Maturity Model is relatively easy if you follow the steps below:

· Pay special attention to the domains that score less than 2.00. If you have a domain that scored less than 2.00 (highlighted in red in the Scoring Summary worksheet and summarized on the Maturity Stage Results), focus on that domain first. If you have more than one red domain, we recommend focusing on getting the governance and value domain in decent shape. Having the right ownership and stakeholder commitment is the foundation of a solid IAM strategy and program.

· Within each domain, focus on the easiest-to-implement areas first. We designed our IAM model such that categories to the left of the maturity curve are easier to implement than categories to the right (refer again to Figure 2). For example, in the access management domain, desktop SSO and PIM are easier to implement than enterprise SSO. So if you have multiple categories that scored less than 2.00 (highlighted in red on the Scoring Summary worksheet) in a particular domain, you should focus on the categories that come first. This ensures that you learn how to crawl before you run.

· Keep the number of your immediate, short-term projects to three. This is the maximum number of projects that you can realistically undertake and demonstrate results for within three to four months — the typical attention span of a CIO or CISO. Keep in mind that your primary bottleneck is likely to be communication to business partners and application developers in the categories you’re trying to improve. If you spread yourself too thin, you won’t be able to show tangible results.

· Evaluate and track your IAM maturity every year. You’ll have to show progress against your baseline at least once a year to maintain the momentum of your IAM projects. Reassessing your maturity annually and demonstrating progress will keep your stakeholders confident that there is both a cohesive IAM strategy that’s on the right track and a clear focus for future improvements.
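The scoring roll-up described in the self-assessment section and the prioritization rules above, as an added worked example; this is illustration code, not Forrester's worksheet. It assumes a scoring rule the report does not spell out (a category's score is its share of "Yes" answers scaled onto the 0 to 5 range, a domain's score is the mean of its categories), uses the order in which the report discusses the categories to stand in for Figure 2's left-to-right ordering, and fills any spare project slots from non-red domains; the sample answers are constructed.

```python
from __future__ import annotations

RED_THRESHOLD = 2.00   # report: anything scoring below 2.00 is highlighted red
MAX_PROJECTS = 3       # report: keep immediate, short-term projects to three
GOVERNANCE = "Governance and value"

# Domains and their categories, in the order the report discusses them.
# ASSUMPTION: this order stands in for Figure 2's "easier first" ordering.
MODEL: dict[str, list[str]] = {
    GOVERNANCE: ["Governance and strategy", "Demonstrated value"],
    "Access management": [
        "Desktop single sign-on",
        "Privileged identity management",
        "Web single sign-on",
        "Entitlement management",
        "Federation and cloud IAM",
    ],
    "Identity management": [
        "Directory infrastructure",
        "Password management",
        "Access recertification",
        "Provisioning and delegated administration",
        "Job role management",
    ],
}


def category_score(answers: list[bool]) -> float:
    """ASSUMED rule: share of 'Yes' answers scaled onto the 0-5 maturity range."""
    if not answers:
        raise ValueError("a category needs at least one yes/no criterion")
    return round(5.0 * sum(answers) / len(answers), 2)


def score_model(responses: dict[str, list[bool]]) -> tuple[dict[str, float], dict[str, float]]:
    """Roll category scores up into domain scores (domain = mean of categories, assumed)."""
    cat_scores: dict[str, float] = {}
    dom_scores: dict[str, float] = {}
    for domain, cats in MODEL.items():
        for cat in cats:
            cat_scores[cat] = category_score(responses[cat])
        dom_scores[domain] = round(sum(cat_scores[c] for c in cats) / len(cats), 2)
    return cat_scores, dom_scores


def is_red(score: float) -> bool:
    """The worksheet highlights scores strictly below 2.00; 2.00 itself is not red."""
    return score < RED_THRESHOLD


def prioritise(responses: dict[str, list[bool]]) -> list[tuple[str, str, float]]:
    """Return at most three (domain, category, score) projects.

    Report rules: red domains first, governance and value ahead of any other
    red domain, easier (earlier-listed) red categories first, three projects max.
    ASSUMPTION: spare slots are filled from the non-red domains in model order.
    """
    cat_scores, dom_scores = score_model(responses)
    red_domains = [d for d in MODEL if is_red(dom_scores[d])]
    if GOVERNANCE in red_domains:          # governance is always the first red domain
        red_domains.remove(GOVERNANCE)
        red_domains.insert(0, GOVERNANCE)
    others = [d for d in MODEL if d not in red_domains]
    projects: list[tuple[str, str, float]] = []
    for domain in red_domains + others:
        for cat in MODEL[domain]:
            if is_red(cat_scores[cat]):
                projects.append((domain, cat, cat_scores[cat]))
            if len(projects) == MAX_PROJECTS:
                return projects
    return projects


# Constructed sample: four yes/no criteria per category (the real tool has 60 in total).
SAMPLE_RESPONSES: dict[str, list[bool]] = {
    "Governance and strategy": [False, False, False, False],
    "Demonstrated value": [True, True, False, False],
    "Desktop single sign-on": [True, True, True, True],
    "Privileged identity management": [False, False, False, True],
    "Web single sign-on": [False, False, True, True],
    "Entitlement management": [False, False, False, False],
    "Federation and cloud IAM": [True, False, False, False],
    "Directory infrastructure": [True, True, True, False],
    "Password management": [True, True, True, True],
    "Access recertification": [False, True, True, False],
    "Provisioning and delegated administration": [True, True, False, False],
    "Job role management": [False, False, False, False],
}

if __name__ == "__main__":
    cats, doms = score_model(SAMPLE_RESPONSES)
    for domain, score in doms.items():
        print(f"{domain}: {score:.2f}{'  <-- red' if is_red(score) else ''}")
    for domain, cat, score in prioritise(SAMPLE_RESPONSES):
        print(f"project: {cat} ({domain}, {score:.2f})")
```

With the sample answers, access management lands exactly on 2.00 and is therefore not red, so the third project slot is filled from it only after the red governance domain has been handled.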

ENDNOTES

1 Desktop or enterprise single sign-on (E-SSO) is a relatively easy way to provide end user convenience and to get started in identity and access management (IAM). The end user benefits of E-SSO are obvious. Because E-SSO automatically logs end users in to their applications, they no longer have to remember multiple IDs and passwords and they no longer waste time contacting the help desk when they forget their credentials. However, few security professionals are aware of the security benefits of E-SSO — of which there are many. It: 1) allows system administrators to hide passwords from users and revoke user access quickly when necessary; 2) enables multifactor authentication of any application; and 3) paves the way for a broader IAM initiative. Forrester expects that in the future, E-SSO will allow security professionals to perform more effective entitlement enforcement in legacy applications and support less expensive employee fraud prevention. We recommend that you use E-SSO as the first point of entry into IAM and use its benefits to build the business case for implementing more complex technologies such as provisioning, access recertifications, and role management. See the November 9, 2010, “Enterprise Single Sign-On: The Fast Lane To Identity And Access Management” report.

2 Source: Angela Moscaritolo, “Disgruntled San Francisco admin sentenced to four years,” SC Magazine, August 9, 2010 (http://www.scmagazineus.com/disgruntled-san-francisco-admin-sentenced-to-four-years/article/176596/).

3 If you need guidance with determining which areas of your overall security program you should focus on, Forrester recommends that you begin by completing Forrester’s own Security Maturity Model. See the July 27, 2010, “Introducing The Forrester Information Security Maturity Model” report.
