
G00271424

Predicts 2016: Identity and Access Management

Published: 7 December 2015

    Analyst(s): Ray Wagner, Ant Allan, Felix Gaehtgens, Gregg Kreizman, Anmol Singh, Earl Perkins

The evolving significance of IAM in security strategy is driving advancements in recognition technologies, session monitoring, IDaaS and risk management of privileged activity. IAM leaders should monitor these near-term events to adapt buying and management processes and engage IAM best practices.

Key Findings

Over the next few years, off-the-shelf analytics tools will make a greater contribution to the level of trust across mainstream use cases.

Though identity and access management as a service (IDaaS) offerings provide rapidly deployable user provisioning and solid Web access management functions, they lack deep identity governance and administration functionality.

Because privileged access remains risky, more vendor privileged access management (PAM) offerings will feature capabilities to review privileged activity, such as advanced session recording, intelligent playback, and user and entity behavior analytics (UEBA).

Most user authentication methods applied for enterprise use cases do not provide the desired identity assurance for privileged operations on key business systems.

Recommendations

Identify use cases that demand the combination of medium levels of trust and exceptional user experience provided by recognition technologies.

Request that incumbent user authentication vendors provide their roadmaps regarding analytics and various biometric modes, including passive modes.

Evaluate IDaaS adoption by analyzing the total cost of ownership of current on-premises IAM implementations and support to determine whether to keep IAM in place or move all or part of IAM to IDaaS.

Review privileged activity on a regular basis by using advanced session recording and replay features for manual review based on risk scores. Utilize maturing UEBA technology to further drive risk scoring and automatic responses to undesired activity.

Table of Contents

Strategic Planning Assumptions
Analysis
    What You Need to Know
    Strategic Planning Assumptions
    A Look Back
Gartner Recommended Reading

Strategic Planning Assumptions

By 2019, use of passwords and tokens in medium-risk use cases will drop 55% due to the introduction of recognition technologies.

By 2019, 40% of IDaaS implementations will replace on-premises IAM implementations, up from 10% today.

By 2018, 25% of organizations (up from less than 5% today) will reduce data leakage incidents by 33% by reviewing privileged session activity.

By 2019, more than 50% of organizations will implement risk-appropriate contextual authentication for privileged access management, up more than 30% from today.

Analysis

Every year, Gartner analysts offer their predictions on what they see as the key issues facing the markets they cover. Gartner's identity and access management (IAM) analysts have developed a set of predictions in this space for 2016 and beyond. IAM leaders should consider these forward-looking Strategic Planning Assumptions when allocating resources and selecting products and services.

What You Need to Know

In this research, Gartner's IAM analysts are looking ahead of present-day markets for notable trends in recognition technologies, session monitoring, IDaaS and risk-based authentication. In addition to the Strategic Planning Assumptions in this research, several Gartner analysts use near-term flags to help clients track and closely monitor trends as they occur, before the year of predicted full impact.


Strategic Planning Assumptions

Strategic Planning Assumption: By 2019, use of passwords and tokens in medium-risk use cases will drop 55% due to the introduction of recognition technologies.

    Analysis by: Ant Allan

    Key Findings:

Recognition technologies combine big data analytics, passive biometric modes and device-embedded public-key credentials to provide trust in a claimed digital identity without the need for any active authentication act by the user. IAM leaders should be aware of the following observations:

Rather than providing a desired level of trust at login, recognition technologies can quickly ramp up to and sustain the desired level of trust throughout a session.

The use of analytics techniques is already well-established in some authentication contexts and, in limited use cases, can eliminate the need for initial login passwords or even tokens.

Greater range and variety of identity-relevant data and increased power of analytic techniques will enable off-the-shelf analytics to make a greater contribution across mainstream use cases.

Passive biometric modes exploit the user's presence or normal activity when logging in and throughout a session, making use of inputs already available on phones, tablets and many PCs.

Use of such modes remains niche. However, these modes can be implemented in software on most devices, yielding multiple benefits over embedded fingerprint sensors, which have limited penetration and whose performance is constrained by device and OS vendors' engineering decisions.

The apps or software development kits (SDKs) that handle the biometric capture can also embed public-key credentials for message integrity and proof of origin, adding to the level of trust.

    Market Implications:

Recognition technologies will add value across a wide range of use cases that demand medium levels of trust coupled with exceptional user experience (UX).

Needs for recognition technologies arise in many consumer use cases, such as online banking, and also within organizations, particularly those that are pursuing digital workplace strategies.

These needs are felt most keenly in smartphone use cases, such as mobile banking. Gartner expects to see early adoption here.

Recognition technologies also add value in tablet, laptop and desktop use cases. While use of phone-as-a-token methods is now well-established, if users can do without an ancillary device when using their phones, they will expect the same UX with other endpoint devices.


Very few vendors combine analytics with passive biometric modes. Gartner projects that partnerships and acquisitions will broaden availability of recognition technologies within the next two to three years.

Organizations may struggle to convince regulators and auditors that recognition technologies provide an appropriate level of trust, especially where existing and forthcoming regulations (potentially including European Banking Authority specifications for Internet payments) demand the use of hardware tokens.

Established technologies, especially out-of-band push modes, will likely continue to satisfy the needs of many organizations through 2019, but more and more will be augmented by analytics and biometric modes, even if not superseded by full-blown recognition technologies.

    Recommendations:

    IAM and security leaders should:

Identify use cases requiring a combination of medium levels of trust and UX, a combination that recognition technologies will offer.

Plan to orchestrate different tools from multiple vendors, at least in the midterm.

Press incumbent user authentication vendors regarding their investments in analytic capabilities beyond current-generation contextual, adaptive techniques, as well as in passive biometric modes.

Evaluate alternative vendors that will be able to provide recognition technologies alone or in combination. These might include online fraud detection (OFD), UEBA and other analytics-savvy vendors, as well as biometric platform vendors and individual biometric authentication vendors.

    Related Research:

    "Maverick* Research: The Death of Authentication"

    "Market Guide for Online Fraud Detection"

    "Magic Quadrant for User Authentication"

    "Technology Overview: Adaptive Access Control"

    "Enterprise Adaptive Access: Are We There Yet?"

Strategic Planning Assumption: By 2019, 40% of IDaaS implementations will replace on-premises IAM implementations, up from 10% today.

    Analysis by: Gregg Kreizman

    Key Findings:

IDaaS has proven its value to buyers; the technology is useful for user provisioning and Web access management. The spread of cloud and mobile architectures also has led businesses to engage IDaaS. Adoption has been sluggish, though, where enterprises choose to integrate identity governance and administration (IGA) functionality with legacy applications, and the customization requirements deter companies from engaging the cloud for IGA. IAM leaders should be aware of the following observations:

Based on data collected from Gartner client interactions and vendor-supplied customer data, 90% or more of IDaaS purchases are for Web-centric, shallow-functionality IDaaS offerings. These offerings provide excellent connectivity for SaaS and provide basic user provisioning and good Web access management functions to support workforce, B2C and B2B use cases. They also deploy rapidly. They lack deep IGA functionality.

Deep-function IDaaS offerings, which deliver IGA functionality and provide connectors to legacy applications that are equivalent to traditional on-premises IGA tools, have been more difficult to sell. On-premises deployments of IGA tools are often heavily customized, and moving customized implementations to the cloud is not a scalable, high-volume proposition for vendors. There is also some correlation between the use of IGA tools and organizational size and cloud risk aversion.

    Market Implications:

Web-centric IDaaS vendors have had the most success selling to small and midsize businesses, although deal and implementation sizes have grown over time. Web-centric IDaaS vendors experiencing difficulties penetrating larger enterprises are developing deeper IGA functionality and use partnerships to develop connectors for legacy applications. However, these Web-centric IDaaS vendors will rightly resist requests for customization. There will continue to be a chasm between the IAM needs of larger, more complex, risk-averse organizations and what Web-centric IDaaS can deliver.

This will leave a significant portion of the available market with software that is self-managed or outsourced to a managed service provider. An IDaaS vendor also might be willing to put up customized hosted instances for each customer. Customers of these customized offerings lose the economies of SaaS-based offerings and therefore have many of the same costs associated with traditional on-premises deployments.

Gartner, though, has advised clients to avoid customization as much as possible. IGA tools have become more configurable, and vendors have even admonished customers to avoid customization in favor of configuration. Another macro trend that will shape the nature of IDaaS adoption is the steady movement of applications to cloud and mobile architectures. The need for legacy application support doesn't go away but diminishes somewhat over time. This combination of deeper functional offerings that are configured rather than customized and the macro trend of more modern application architectures will lead to a greater portion of the market being willing to adopt IDaaS. Enhanced IAM features will offer sufficient quality in IDaaS to support a greater portion of organizational IAM workloads.


Recommendations:

Investigate the total cost of ownership of current on-premises IAM implementations and support. Identify the business drivers for keeping IAM in place or moving all or part of IAM to IDaaS. This investigation will provide a solid foundation for the decision to move to the cloud. The most common benefits cited for a move to IDaaS are fast time to value, agility for bringing on new applications, and relief from the staffing concerns of traditional IAM deployments.

Evaluate vendors that provide deep functionality and legacy application support when reluctant to adopt IDaaS because of the apparent lack of functional depth in the market.

Monitor advancements in IGA from Web-centric providers, and consider IDaaS once functional needs can be met and the organizational benefits of IDaaS can be realized.

Related Research:

"Magic Quadrant for Identity and Access Management as a Service, Worldwide"

"Use Business Drivers and Cost Analysis to Make IDaaS Versus On-Premises Software Delivery Model Choices"

Strategic Planning Assumption: By 2018, 25% of organizations (up from less than 5% today) will reduce data leakage incidents by 33% by reviewing privileged session activity.

    Analysis by: Felix Gaehtgens

    Key Findings:

Privileged activity in the administration of systems, networks, databases or applications is inherently risky and requires a high level of trust and confidence. Much of this activity is performed by third parties: consultants, contractors or outsourcing partners. Unless organizations track and review privileged activity, they risk being blindsided by insider threats, malicious users or errors that cause significant outages. To engage new options in this administration, IT, security and IAM leaders should be aware of the following trends:

Session recording has become a common feature of many privileged session management (PSM) tools and virtual desktop infrastructure (VDI) servers. Several vendors in this space have developed advanced features that streamline playback of session activity through intelligent fast-forward or time lapse, timelining with events or generation of searchable metadata.

Manually reviewing all privileged activity is unrealistic. Organizations with more mature IT security are using risk scores derived from contextual information to decide which privileged sessions need to be scrutinized.

Privileged activity generates a stream of distinct logged events from multiple sources that can be correlated back to this activity by such tools as SIEM. The next phase of evolution utilizes UEBA to focus.


As UEBA technology evolves, dynamic risk scoring based on UEBA technology will in near real time identify privileged access that is suspicious or risky for further analysis. UEBA will also be designed to stop undesired activity as it happens by triggering an autoresponse, thereby reducing breaches, data leakage and outages.

Near-Term Flag: More than 50% of PSM vendors will feature intelligent playback capabilities in their offering by 2017, up from 25% in 2015.

Near-Term Flag: By 2016, at least five PAM vendors will offer specialized UEBA tools for privileged access or provide a significant integration between PAM tools and SIEM or UEBA.

Market Implications:

Advanced playback capabilities will become a standard feature of PSM tools. Vendors that have these features in 2015 will find it increasingly difficult to charge premiums for these features beyond 2017.

Expert services for reviewing privileged activity will be outsourced to specialist security service providers.

The synergies between UEBA and PAM will provide differentiation and drive integration through partnerships, developments and, ultimately, acquisitions by 2017.

    Recommendations:

Classify systems by criticality and data by sensitivity or confidentiality. Calculate risk scores for privileged access from these factors. Use additional factors, such as an inherent trust level for an administrator, which may be lower when the administrator works for an outsourcing organization and has only recently started activity. Determine a threshold above which privileged activity must be manually reviewed.

Use UEBA technology as it matures to automatically review privileged activity and assign risk scores to determine when privileged activity must be manually reviewed or an automated response (such as locking out privileged users) must happen.

Leverage time spent reviewing privileged activity by highlighting good and bad practices, and use this to improve your standard practices. Use the information to learn and document complex techniques.
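The scoring workflow in the recommendations above (classify systems and data, lower the inherent trust of a recently onboarded third-party administrator, let a UEBA-style signal raise the score, then apply one threshold for manual replay and a higher one for an automated response) is shown below as an added Python example. It is not from the report and not any PSM or UEBA vendor's product: the point weights, both thresholds, the per-administrator command baseline and the four session records are all assumptions constructed here for illustration.

```python
"""Risk-scored triage of recorded privileged sessions (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed scoring tables and thresholds (illustrative, not from the report).
CRITICALITY_POINTS = {"low": 1, "medium": 2, "high": 4}
SENSITIVITY_POINTS = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}
REVIEW_THRESHOLD = 8         # at or above: queue the recording for manual replay
AUTORESPONSE_THRESHOLD = 13  # at or above: e.g. terminate session / lock the account
MAX_DEVIATION_POINTS = 5     # cap so one noisy session cannot dominate the score


@dataclass(frozen=True)
class Session:
    session_id: str
    admin: str
    system: str
    criticality: str           # key into CRITICALITY_POINTS
    sensitivity: str           # key into SENSITIVITY_POINTS
    third_party: bool          # contractor / outsourcer rather than employee
    days_since_onboarding: int
    commands: List[str]        # commands extracted from the session recording


def inherent_trust_penalty(session: Session) -> int:
    """Lower inherent trust for third parties, lowest when they are new."""
    if not session.third_party:
        return 0
    return 3 if session.days_since_onboarding < 30 else 1


def behavior_deviation(session: Session, baseline: Dict[str, Counter]) -> int:
    """UEBA stand-in: number of commands this admin has never been seen to run.
    A real UEBA product models far more than command names; this is a toy."""
    seen = baseline.get(session.admin, Counter())
    novel = sum(1 for cmd in session.commands if seen[cmd] == 0)
    return min(novel, MAX_DEVIATION_POINTS)


def risk_score(session: Session, baseline: Dict[str, Counter]) -> int:
    return (CRITICALITY_POINTS[session.criticality]
            + SENSITIVITY_POINTS[session.sensitivity]
            + inherent_trust_penalty(session)
            + behavior_deviation(session, baseline))


def triage(sessions: List[Session], baseline: Dict[str, Counter]
           ) -> Tuple[List[Tuple[str, int]], List[Tuple[str, int]]]:
    """Return (manual_review_queue, autoresponse_list), each sorted by score."""
    review, auto = [], []
    for s in sessions:
        score = risk_score(s, baseline)
        if score >= REVIEW_THRESHOLD:
            review.append((s.session_id, score))
        if score >= AUTORESPONSE_THRESHOLD:
            auto.append((s.session_id, score))
    return (sorted(review, key=lambda item: -item[1]),
            sorted(auto, key=lambda item: -item[1]))


# Constructed baseline: command counts per admin from earlier recorded sessions.
BASELINE: Dict[str, Counter] = {
    "alice": Counter({"ls": 40, "systemctl status": 20, "tail": 15}),
    "bob": Counter({"ls": 5, "cat": 5}),
}

# Constructed session records (not real data).
SESSIONS = [
    Session("s1", "alice", "web-frontend", "medium", "internal", False, 900,
            ["ls", "tail"]),
    Session("s2", "bob", "hr-db", "high", "restricted", True, 10,
            ["ls", "mysqldump hr", "scp"]),
    Session("s3", "alice", "payments-core", "high", "confidential", False, 900,
            ["ls", "useradd svc-tmp", "visudo"]),
    Session("s4", "bob", "build-server", "low", "internal", True, 400,
            ["ls", "cat"]),
]

if __name__ == "__main__":
    review_queue, autoresponse = triage(SESSIONS, BASELINE)
    print("manual review:", review_queue)   # [('s2', 14), ('s3', 9)]
    print("autoresponse:", autoresponse)    # [('s2', 14)]
```

Only s2 (a contractor ten days into the engagement dumping a restricted database) crosses the autoresponse line; s3 is queued for replay because an employee ran two never-before-seen commands on a critical system, while the two routine sessions are never looked at by a human. The thresholds are where the tuning work lives: set them from the review capacity you actually have, not from the scale of the weights.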

    Related Research:

    "Market Guide for Privileged Access Management"

    "How to Secure Remote Privileged Access for Third Parties"

    "Market Guide for User and Entity Behavior Analytics"


Strategic Planning Assumption: By 2019, more than 50% of organizations will implement risk-appropriate contextual authentication for privileged access management, up more than 30% from today.

    Analysis by: Anmol Singh

    Key Findings:

Organizations remain challenged when balancing security risks associated with privileged access to sensitive and critical systems and applications against the requirements for operational efficiencies. Many organizations extend incumbent user authentication methods to IT administrators for gaining secured access to privileged accounts and systems. IT security and IAM leaders should take note of these developing trends:

Weak authentication methods used for privileged access could greatly dilute the efficacy and effectiveness of well-established PAM controls for managing privileged access.

Higher-trust methods such as one-time password (OTP) hardware tokens or X.509 smart tokens aren't practical authentication form factors for granting privileged access to vendors and other third-party users, who only require sporadic access on a temporary basis.

Traditional authentication methods focus on initial authentication and therefore aren't well-suited for use cases requiring maintenance of trust over the entire course of a privileged user session.

Use of adaptive authentication for privileged access not only provides a better user experience, and therefore enhances administrator engagement and operational efficiency, but also identifies high-risk authentication requests in real time.

Contextual authentication techniques significantly increase the levels of trust and accountability by means of context evaluation throughout a user's privileged session, and not just at the time of session establishment.

Near-Term Flag: By 2018, more than 40% of organizations will move away from rule-based access controls and plan to invest in adaptive access controls for securing privileged access to critical IT systems, up more than 20% from today.

Near-Term Flag: By 2018, more than 50% of PAM vendors will invest heavily in incorporating contextual and adaptive techniques for authentication of privileged users, either through organic development or in partnership with user authentication vendors, up from less than 20% today.

    Market Implications:

The growing need for organizations to maintain operational efficiencies in the face of security risks associated with privileged access will have several implications:

More organizations will use contexts to determine high-risk authentication requests and to detect anomalous privileged activity.


As more and more organizations begin to implement a risk-based model leveraging context awareness and analysis for privileged access, the market will continue to see a growing demand for better accuracy in real-time authentication decisions.

Organizations will elevate the level of trust by initially layering adaptive authentication techniques with higher-trust methods such as one-time password (OTP) hardware tokens or X.509 smart tokens for step-up authentication. This will occur while the risk-appropriate adaptive capabilities are in the early phases of learning and activity profile baselining.

More PAM vendors will invest in exploring contextual data points derived from user activity and entity behavior analytics approaches. These efforts will strive for a more accurate determination of the risks implied by certain types of administrator behavior.

As the demand for adaptive authentication grows for privileged access use cases, we will see more partnerships and collaboration opportunities between PAM and user authentication vendors to offer seamless integration of adaptive authentication capabilities into PAM systems.

    Recommendations:

Assess using context-aware access controls that make use of certain predefined inputs to dynamically determine the privileged access decision: allow access, deny access or elevate trust via step-up authentication.

Consider using additional contexts that can be applied at a more granular level to implement a risk-appropriate model for authorizing access to privileged systems and accounts based on the evaluated risk score.

Utilize system attributes (host name, host ID, Internet Protocol (IP) and Media Access Control (MAC) addresses, and application identifiers) as initial contexts for automated authentication in application-to-application password management (AAPM). Some PAM vendors, such as Hitachi ID Systems, offer several contexts to choose from in order to authenticate the application to the password vault for credential retrieval (see "Market Guide for Privileged Access Management" for more details).

Integrate adaptive access controls for user authentication into PSM tools in order to establish privileged sessions to target systems and provide single sign-on capability to administrators.

Identify and utilize contexts that can be applied at regular intervals throughout a privileged session in progress to enable continuous authentication by maintaining trust over the entire course of a privileged user session.
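The allow/deny/step-up decision, the re-evaluation of contexts at intervals during a session, and the AAPM host-attribute check from the recommendations above, as one added Python example. It is not Gartner's code and not any PAM vendor's implementation (Hitachi ID Systems or otherwise): the corporate network ranges, the change window, the risk weights and thresholds, the credit granted for a completed step-up, and the single registered application are all assumptions made here for illustration.

```python
"""Context-aware decisions for privileged access (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

ALLOW, STEP_UP, DENY = "ALLOW", "STEP_UP", "DENY"

# Assumed environment and weights (illustrative, not from the report).
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
CHANGE_WINDOW_HOURS = range(7, 20)      # local hours when admin work is expected
CRITICALITY_RISK = {"low": 0, "medium": 1, "high": 3}
STEP_UP_CREDIT = 4                      # risk bought back by a completed OTP/smart-token step-up
DENY_AT, STEP_UP_AT = 8, 4              # risk thresholds


@dataclass(frozen=True)
class Context:
    admin: str
    source_ip: str
    device_known: bool        # endpoint enrolled with PAM/MDM (assumed flag)
    hour: int                 # local hour, 0-23
    target_criticality: str   # "low" | "medium" | "high"
    step_up_done: bool = False


def context_risk(ctx: Context) -> int:
    """Each predefined context contributes independently to the risk total."""
    risk = 0
    if not any(ip_address(ctx.source_ip) in net for net in CORPORATE_NETS):
        risk += 3
    if not ctx.device_known:
        risk += 3
    if ctx.hour not in CHANGE_WINDOW_HOURS:
        risk += 2
    risk += CRITICALITY_RISK[ctx.target_criticality]
    return risk


def decide(ctx: Context) -> str:
    """Allow, deny, or elevate trust via step-up, from the evaluated risk score."""
    risk = context_risk(ctx) - (STEP_UP_CREDIT if ctx.step_up_done else 0)
    if risk >= DENY_AT:
        return DENY
    if risk >= STEP_UP_AT:
        return STEP_UP
    return ALLOW


def run_session(initial: Context, samples: List[Context]) -> List[str]:
    """Continuous authentication: the first decision governs session
    establishment; each later interval sample is re-evaluated and can demand
    step-up again or terminate the session (the trace stops at DENY)."""
    trace = [decide(initial)]
    if trace[0] == DENY:
        return trace
    for sample in samples:
        decision = decide(sample)
        trace.append(decision)
        if decision == DENY:
            break
    return trace


@dataclass(frozen=True)
class AppFingerprint:
    host_name: str
    host_id: str
    ip: str
    mac: str


# Assumed AAPM registry: application identifier -> attributes captured at onboarding.
APP_REGISTRY: Dict[str, AppFingerprint] = {
    "billing-batch": AppFingerprint("app01.corp.example", "HID-7f3a",
                                    "10.1.2.3", "00:1a:2b:3c:4d:5e"),
}


def aapm_release(app_id: str, presented: AppFingerprint) -> bool:
    """Release a vaulted credential only if every registered context matches."""
    registered = APP_REGISTRY.get(app_id)
    return registered is not None and registered == presented


if __name__ == "__main__":
    office = Context("alice", "10.1.5.9", True, 10, "medium")
    remote_high = Context("alice", "203.0.113.7", True, 10, "high")
    off_hours_unknown = Context("alice", "203.0.113.7", False, 2, "high")
    print(decide(office), decide(remote_high))              # ALLOW STEP_UP
    print(run_session(office, [office, remote_high, off_hours_unknown]))
    # ['ALLOW', 'ALLOW', 'STEP_UP', 'DENY']
```

The session trace is the part the report is pointing at: the same administrator who was allowed in from the office is challenged again when a later interval sample shows the session reaching a critical target from outside the corporate network, and is cut off when the device is no longer recognised at 02:00. The AAPM check is deliberately an exact match on every attribute; a vault that accepts "most" of the registered contexts has reintroduced the shared-secret problem it was meant to remove.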

Related Research:

"Market Guide for Privileged Access Management"

"Twelve Best Practices for Privileged Access Management"

"Technology Overview: Adaptive Access Control"


A Look Back

In response to your requests, we are taking a look back at some key predictions from previous years. We have intentionally selected predictions from opposite ends of the scale: one where we were wholly or largely on target, as well as one we missed.

On Target: 2011 Prediction: By the end of 2015, more than 50% of cloud-based IAM offerings will be hybrid solutions. (Original analysis by Gregg Kreizman.)

In 2011, Gartner defined a "hybrid" cloud-based IAM solution as using enterprise-based IAM software and scalable service-based technologies integrated for cloud computing. Since then, a market for IDaaS has steadily grown to support several use cases, including workforce access to SaaS and on-premises applications, B2C and B2B. Workforce use cases lead to IDaaS adoption. In almost all workforce use cases, and in some other use cases, the IDaaS is "bridged" to enterprise user repositories for identity synchronization and to support single sign-on following an initial authentication to on-premises directories and access products. IDaaS vendors also provide federation and proxy functionality to serve on-premises applications and SaaS. These vendors have demonstrated high scalability, particularly with consumer-facing implementations.

Missed: 2012 Prediction: Pressured by IDaaS alternatives, average IAM product licensing will fall an average of 25% by 2015. (Original analysis by Earl Perkins.)

As of October 2015, the introduction of effective IDaaS solutions has not resulted in a 25% reduction in traditional IAM product licensing. While the IDaaS market itself has grown aggressively, the overall impact on traditional IAM markets is still not substantial. This is due to several reasons:

IDaaS-to-IDaaS competitiveness: While IDaaS has made significant progress in the general IAM market and continues to grow in use and function, most price savings created by this growth have occurred within the IDaaS market itself. IDaaS remains a competitive opportunity for both smaller companies and early entrants from major platform as a service (PaaS) providers. This trend will continue.

Different buyers: Most IDaaS sales are driven largely by Web-architected application targets, employee-to-SaaS and consumer-facing needs.

Feature comparison with traditional IAM: While IDaaS solutions continue to improve yearly, functionality has not advanced at the pace predicted in 2012.

Gartner still believes that by 2019, 25% of IAM purchases will use the IDaaS delivery model, up from less than 10% in 2014. Whether these purchases will supplant existing enterprise-based IAM solutions is uncertain. Traditional IAM has experienced minor price decreases in some areas, particularly in access management. IAM costs continue to be nontrivial for most organizations because of the continued complexity of the identity environment, the expansion of responsibilities in operational technology (OT) and the Internet of Things (IoT), and the nature and sophistication of threats to identity (see "Magic Quadrant for Identity and Access Management as a Service, Worldwide" for more information).


Gartner Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

    "Cool Vendors in Education, 2014"

    "Managing Identities, Access and Trust for Digital Workplace Success"

    "Market Guide for User and Entity Behavior Analytics"

    "Technology Overview: Phone-as-a-Token Authentication Methods"

    Evidence

Gartner sees a variety of passive mode solutions in commercial use: face; iris and scleral vein recognition; keyboard dynamics (typing rhythm/cadence); gesture dynamics (pointer and touchscreen movements); and handling dynamics (motion-based mode using device accelerometers and gyros).

© 2015 Gartner, Inc. and/or its affiliates. All rights reserved.