© AberdeenGroup 2011
IAM Integrated: Analyzing the “Platform” versus “Point Solution” Approach
Spring 2012
Derek E. Brink, BS, MBA, CISSP
Vice President & Research Fellow, IT Security / IT GRC
Outline
Introductions
Myself
Research methodology
Benchmark study on IAM
Business context
Aberdeen’s research findings
Summary and recommendations
Additional resources
Introductions: Derek E. Brink, CISSP – www.linkedin.com/in/derekbrink
VP & Research Fellow covering topics in IT Security and IT GRC at Aberdeen Group, a Harte-Hanks Company
I help organizations to improve their security and compliance initiatives by researching, writing about and speaking about the people, processes and technologies that correspond most strongly with the top performers
Adjunct Professor in Graduate Professional Studies at Brandeis University
I help individuals to improve their critical thinking, leadership skills and communication skills by teaching graduate courses in information assurance
Senior high-tech executive experienced in strategy development and execution, corporate / business development, product management and product marketing
RSA Security, IBM, Gradient, Sun Microsystems, Hewlett-Packard
MBA – Harvard Business School
BS Applied Mathematics – Rochester Institute of Technology
Aberdeen’s Unique Research Methodology: Fact-based, “benchmarking” style
Pressures
Actions
Capabilities
Enabling Technologies
Respondents are differentiated based on key performance indicators
Correlation of “people, process and technologies” with results
[Chart: respondents grouped into leading, average and lagging performers]
Benchmark Study on Identity and Access Management (IAM)
Business Context: Increased Complexity of the Enterprise Computing Environment
[Diagram: Identities → Access → Provisioning → Intelligence]
Identities (#, type): End-Users, Endpoints, Applications (# applications), Data, Hosts, Repositories
End-user populations:
• Employees
• Temporary employees / contractors
• Mobile / remote users
• Business Partners
• Customers
• Privileged Users
Provisioning metrics: time to provision; time to ∆; time to de-provision; time to integrate apps, roles; % customization vs. % configuration; # FTE admins; # roles
Intelligence / outcome metrics: unauthorized access; audit deficiencies; data loss or exposure; total annual cost; % orphans
Study scope: Drivers, Inhibitors for investment; Strategies; Capabilities (people, process); Enabling Technologies (“platform” vs. “best of breed”)
Outline
Introductions
Business context
End-users
Endpoints
Applications and data
The cost of complexity and compliance
Aberdeen’s research findings
Summary and recommendations
Additional resources
Business Context: Evolving End-User Populations
In Aberdeen’s 2011 study on managing identities and access:
For every 100 employees there are another 27 temporary employees or contractors
Of this combined population, about 2 out of 5 (39%) are supported as mobile / remote users
Externally, support for business partners adds still another 20% to the total end-user count
And this updated figure is then more than doubled when adding in support for the organization's external customers
Effects of changing end-user populations:
Increased security- and compliance-related risks
Pressure on the necessary supporting infrastructure (e.g., including all people, process, technology, hardware, software, services, training and support)
• The days of enterprise end-users being largely synonymous with internal employees are over
Business Context: Evolving Endpoint Complexity
Enterprise end-users increasingly have an expectation of access to enterprise resources from any place, at any time, from any mobile platform:
94% support access to enterprise email
89% support access to enterprise contacts
89% support access to enterprise calendar
87% support access to enterprise web-based apps
45% support access to corporate network or Wi-Fi
Of particular note is the growing population of mobile endpoint devices that are not provisioned and managed by the enterprise:
72% of respondents in Aberdeen’s study on enterprise mobility support corporate-owned devices
62% support employee-owned devices
Greater diversity and complexity of the enterprise IT infrastructure creates corresponding challenges to the enterprise's ability to maintain some semblance of visibility and control
• Momentum behind greater diversity and complexity of the enterprise IT infrastructure continues to mount
Business Context: Evolving Characteristics of Enterprise Applications and Data
Data volume and type: more data, larger files, more file types
Data flow: increased collaboration, both within and across organizational boundaries; greater pressure to provide faster access to information, any time, any location, any device
Greater complexity for access: more users, diverse populations, more user-managed devices
Applications / services:
Currently supported: 215
Routinely accessed by typical enterprise end-users: 56 (26%)
Routinely accessed using strong authentication: 8 (14%)
• Enterprise data is generally not created to be hidden away – it is generally created to be shared
• This naturally increases the need for the means to access enterprise resources, securely and reliably
Business Context: The cost of Complexity also amplifies the cost of Compliance
Attestation refers to the periodic validation that end-users have appropriate access rights, i.e., as part of providing assurance that the right end-users have the right access to the right resources at the right times.
Separation of duties (or segregation of duties) refers to dividing tasks and associated privileges for certain business processes among more than one individual, to help prevent potential abuse or fraud.
• In the context of their identity and access management initiatives, many organizations struggle with implementing repeatable approaches to demonstrating compliance with regulatory requirements such as attestation and separation of duties (SoD) … and this is consuming more and more of their IT budgets
Outline
Introductions
Business context
Aberdeen’s research findings
Vendor-integrated “platform” approach
vs. enterprise-integrated “point solution” approach
Quantification of benefits
Summary and recommendations
Additional resources
Aberdeen’s Research Findings: Approach to Selecting and Deploying IAM Solutions (all respondents)
[Chart: Percentage of respondents (N=155), Current vs. Planned. Vendor-integrated / "Platform" approach: 47% current, 53% planned. Enterprise-integrated / "Point Solution" approach: 53% current, 47% planned.]
• Across all respondents, a discernable shift from integration of point solutions to a “platform” approach
• Average number of individual / point solutions currently deployed: between 4 and 5
Analysis: “Platform” vs. “Point Solution”
Aberdeen’s research shows a discernable shift from enterprise self-integration of point solutions for IAM toward more of a vendor-integrated approach
Some solution providers refer to this as an IAM “platform”
Others emphasize vendor integration, but feel that the term “platform” implies a lack of flexibility and choice
Aberdeen’s perspective: Any approach that shifts the burden of integration from the enterprise to the solution provider is a welcome trend
Analysis of organizations adopting each approach provides additional insights
Platform approach (N=32)
Point Solution approach (N=39)
Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefit: Increased end-user productivity
Description and derivation of benefits: Timely provisioning and modification of end-user access to existing applications or services can save companies hundreds of dollars per end-user per year in terms of convenience, productivity and downtime, and significantly enhance the overall end-user experience.
Platform vs. Point Solution – Advantage: Platform approach
Adoption of the Platform Approach to Managing Identities and Access Translates to Tangible Business Value (average for each respective metric)
Metric                                                               Platform (N=32)   Point Solution (N=39)   Platform Advantage
Provide emergency access (e.g., forgotten username or password)      2.0 hours         2.3 hours               11% faster
Reset a password or PIN (e.g., help desk or end-user self-service)   1.1 hours         1.6 hours               30% faster
Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefit: Reduced risk
Description and derivation of benefits: Rapid de-provisioning of end-user access, on the other hand, is more about cost avoidance than it is about cost savings – e.g., by reducing the window of vulnerability from orphaned accounts and minimizing the potential for downstream misuse. Periodic attestation of access privileges and enforcement for separation of duties are also critical elements of reducing risk.
Platform vs. Point Solution – Advantage: Platform approach
Adoption of the Platform Approach to Managing Identities and Access Translates to Tangible Business Value (average for each respective metric)
Metric                                                                           Platform (N=32)   Point Solution (N=39)   Platform Advantage
Suspend / revoke / de-provision an existing end-user identity                    4.9 hours         5.8 hours               14% faster
Suspend / revoke / de-provision end-user access to an existing application       3.7 hours         6.8 hours               46% faster
Average dormant / orphaned accounts found (as a % of total number of accounts)   3.7%              6.5%                    44% lower
Average dormant / orphaned accounts found = none                                 13%               3%                      4.3-times higher
Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefit: Increased agility
Description and derivation of benefits: Given the dynamic changes in enterprise end-user populations and application portfolios, faster time to integrate a new application or integrate a new end-user role with the enterprise's IAM infrastructure translates to flexibility and agility to compete more effectively. Pre-integration and workflow spanning IAM components cuts out the complexity and overhead of synchronization.
Platform vs. Point Solution – Advantage: Platform approach
Adoption of the Platform Approach to Managing Identities and Access Translates to Tangible Business Value (average for each respective metric)
Metric                                                             Platform (N=32)   Point Solution (N=39)   Platform Advantage
Integrate a new application with the enterprise’s IAM solution     43 hours          118 hours               64% faster
Integrate a new end-user role into the enterprise’s IAM solution   19 hours          70 hours                73% faster
Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefit: Enhanced security and compliance
Description and derivation of benefits: Fewer incidents of unauthorized access to enterprise resources related to IAM translates to a huge benefit in terms of cost avoidance, particularly given the high average cost per incident found in Aberdeen's studies. Consistent enforcement of policies and consistent, consolidated reporting for compliance translates to fewer audit deficiencies related to IAM, and the liberation of IT resources for more strategic projects.
Platform vs. Point Solution – Advantage: Platform approach
Adoption of the Platform Approach to Managing Identities and Access Translates to Tangible Business Value (average for each respective metric)
Metric                                                         Platform (N=32)   Point Solution (N=39)   Platform Advantage
Unauthorized access to enterprise resources (per 10K users)    0.64              0.74                    14% fewer
Audit deficiencies related to IAM (per 10K users)              0.56              0.87                    35% fewer
Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefit: Reduced total cost
Description and derivation of benefits: Efficiency of the vendor-integrated approach translates to support for higher scale with fewer FTE admin resources, at lower total annual cost per end-user per year. Common management interfaces across components enable policies which are consistent and easier to administer. Both "internal" and "external" end-users are managed by the same system.
Platform vs. Point Solution – Advantage: Platform approach
Adoption of the Platform Approach to Managing Identities and Access Translates to Tangible Business Value (average for each respective metric)
Metric                                                                                                                                          Platform (N=32)               Point Solution (N=39)          Platform Advantage
Total annual cost related to IAM initiatives (e.g., including all people, process, technology, hardware, software, services, training, support)   $8.90 per end-user per year   $17.10 per end-user per year   48% lower
Total end-users per FTE IAM administrator                                                                                                       5,500                         2,000                          2.75-times more
Current Capabilities: Knowledge Management, by Maturity Class and by Approach
[Chart: Percentage of respondents (N=155) with each capability – workflow-based approval for exceptions; standardized workflow for the IAM lifecycle; standardized audit, analysis and reporting – by maturity class (Best-in-Class, Top 20%; Industry Average, Middle 50%; Laggards, Bottom 30%) and by approach (Platform Approach, N=32; Point Solution, N=39). Values range from 15% to 67%.]
• Workflow for IAM lifecycle; workflow-based approval for exceptions; standardized audit and reporting
• Platform approach is closest to Best-in-Class; Point Solution approach is between Average and Laggard
Current Capabilities: Performance Management, by Maturity Class and by Approach
[Chart: Percentage of respondents (N=155) with each capability – audit and reporting for who approved access privileges and when; periodic validation that end-users have appropriate access rights; enforcement for separation of duties – by maturity class (Best-in-Class, Top 20%; Industry Average, Middle 50%; Laggards, Bottom 30%) and by approach (Platform Approach, N=32; Point Solution, N=39). Values range from 24% to 68%.]
• Effective audit and reporting, attestation, and enforcement for separation of duties
• Platform approach is closest to Best-in-Class; Point Solution approach is between Average and Laggard
How IAM Capabilities Are Achieved: Configuration (out-of-the-box) vs. Customization (coding)
[Chart: Percentage of respondents (N=155), configuration vs. customization. Platform Approach (N=32): 58% / 42%. Best-in-Class (Top 20%): 56% / 44%. Point Solution Approach (N=39): 53% / 47%. All Others (Other 80%): 53% / 47%.]
• Leaders are slightly more able than all others to achieve IAM capabilities by configuration than by coding
• Adopters of the Platform approach have pushed this advantage a bit further; no impact for Point Solution
• Cost implications are obvious; vendor enhancements in this area would receive strong market welcome
Summary
Based on a study of more than 160 respondents, Aberdeen's analysis of 32 enterprises which have adopted the vendor-integrated (Platform) approach to identity and access management, and 39 organizations which have adopted the enterprise-integrated (Point Solution) approach, showed that the vendor-integrated approach correlates with the realization of significant advantages – including:
Increased end-user productivity
Reduced risk
Increased agility
Enhanced security and compliance
Reduced total cost
Recommendations: Crawl / Walk / Run (1 of 3)
Adopt a primary strategic focus. Which of the following strategies supports the most compelling business case for your organization's investments in IAM: convenience and productivity for end-users? Compliance and security requirements? Consistency of policies for managing identities and access to corporate resources? Cost savings and cost avoidance through greater efficiency and effectiveness? The essential first step is to identify the strategy that is most compelling for your organization to get started, and begin.
Put someone in charge. Having a responsible executive or team with primary ownership for important enterprise-wide initiatives is consistently correlated with the achievement of top results. IAM initiatives are consistent with this pattern.
Prioritize security control objectives as a function of requirements for risk, audit and compliance. Emphasizing security before compliance, rather than the other way around, reduces the probability of overlaps in controls (which waste resources) or gaps (which increase vulnerabilities).
• Aberdeen's research consistently confirms the merits of a pragmatic "Crawl, Walk, Run" approach as the basic template for successful enterprise-wide initiatives
Recommendations: Crawl / Walk / Run (2 of 3)
Establish consistent policies for end-user identities and end-user access to enterprise resources. As the expression of management's intent for the business, consistent policies are the foundation for any successful IAM initiative.
Standardize the workflow for the IAM lifecycle, including workflow-based approval for exceptions. Standardization and automation of workflow should not mean automatic approval, however – on the contrary, increased involvement and accountability for approvals puts a greater responsibility on the business owners rather than on the IT staff.
Standardize audit, analysis and reporting for IAM projects, including reporting for who approved access and when, periodic validation that end-users have appropriate access, and enforcement for separation of duties. Quarterly attestation reviews, for example, are common to address requirements for regulatory compliance.
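The checks behind these recommendations (the orphaned-account and de-provisioning metrics, periodic attestation, and enforcement for separation of duties) reduce to a small report that can be run against a directory extract before each attestation review. The following Python is an added example, not part of Aberdeen's deck or of any IAM product: the HR roster, the directory accounts and the conflicting-role pairs are constructed sample data, and the 90-day dormancy window is an assumed threshold the deck does not specify.

```python
"""Attestation-support checks over a constructed directory extract:
orphaned accounts, dormant accounts, and separation-of-duties (SoD) conflicts.

Added example, not from the Aberdeen deck or any IAM product; all data is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed HR roster: identifiers of workers who are currently active.
ACTIVE_WORKERS: Set[str] = {"alice", "bob", "carol", "dave"}

# Constructed SoD policy: role pairs that no single person may hold together.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"payroll_edit", "payroll_approve"}),
}

# Assumed dormancy threshold (the deck gives no figure).
MAX_IDLE_DAYS = 90


@dataclass
class Account:
    username: str                       # login id in the directory
    owner: Optional[str]                # HR worker id; None if never linked to a person
    roles: Set[str] = field(default_factory=set)
    last_login: Optional[date] = None   # None = never logged in
    enabled: bool = True


def orphaned_accounts(accounts: List[Account], active_workers: Set[str]) -> List[str]:
    """Enabled accounts whose owner has left the roster or was never recorded."""
    return sorted(a.username for a in accounts
                  if a.enabled and (a.owner is None or a.owner not in active_workers))


def dormant_accounts(accounts: List[Account], as_of: date,
                     max_idle_days: int = MAX_IDLE_DAYS) -> List[str]:
    """Enabled accounts with no login inside the idle window ending at as_of."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a.username for a in accounts
                  if a.enabled and (a.last_login is None or a.last_login < cutoff))


def sod_violations(accounts: List[Account],
                   conflicts: Set[FrozenSet[str]]) -> List[Tuple[str, str, str]]:
    """(username, role_a, role_b) for each conflicting pair an enabled account holds."""
    found = []
    for a in accounts:
        if not a.enabled:
            continue
        for pair in conflicts:
            if pair <= a.roles:                 # both roles of the pair are assigned
                role_a, role_b = sorted(pair)
                found.append((a.username, role_a, role_b))
    return sorted(found)


def orphan_rate(accounts: List[Account], active_workers: Set[str]) -> float:
    """Orphaned accounts as a percentage of all accounts, the metric the deck reports."""
    if not accounts:
        return 0.0
    return round(100.0 * len(orphaned_accounts(accounts, active_workers)) / len(accounts), 1)


def attestation_report(accounts, active_workers, conflicts, as_of) -> dict:
    """Everything a quarterly attestation reviewer needs to act on, in one structure."""
    return {
        "orphaned": orphaned_accounts(accounts, active_workers),
        "dormant": dormant_accounts(accounts, as_of),
        "sod_violations": sod_violations(accounts, conflicts),
        "orphan_rate_pct": orphan_rate(accounts, active_workers),
    }


# Constructed directory extract, reviewed as of the end of Q1 2012.
AS_OF = date(2012, 3, 31)
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", {"vendor_create"}, date(2012, 3, 30)),
    Account("bob", "bob", {"vendor_create", "payment_approve"}, date(2012, 3, 29)),  # SoD conflict
    Account("carol", "carol", {"payroll_edit"}, date(2011, 11, 1)),                  # dormant
    Account("erin", "erin", {"payment_approve"}, date(2012, 2, 1)),                  # owner has left: orphan
    Account("svc_backup", None, {"payroll_approve"}, None),                          # unowned, never used
    Account("frank", "frank", {"payroll_edit", "payroll_approve"},
            date(2012, 1, 5), enabled=False),                                        # disabled: skipped
]

if __name__ == "__main__":
    for key, value in attestation_report(SAMPLE_ACCOUNTS, ACTIVE_WORKERS, SOD_CONFLICTS, AS_OF).items():
        print(f"{key}: {value}")
```

Disabled accounts are excluded from every check so that a completed de-provisioning does not keep showing up as a finding, while the orphan rate is computed over all accounts to match the way the deck expresses the metric (orphans as a percentage of the total number of accounts). Running this on the constructed extract flags erin and svc_backup as orphaned, carol and svc_backup as dormant, and bob as an SoD violation.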
Recommendations: Crawl / Walk / Run (3 of 3)
Evaluate and select IAM solutions. Pay special attention to the level of integration and intelligence provided by the IAM solution provider(s), versus the degree of integration that remains to be completed by the enterprise. Another critical consideration is the proportion of capabilities that can be achieved by configuration (i.e., out-of-the-box) versus customization (i.e., coding and services). Proposals which are disproportionately heavy with professional services from vendors or their third-party business partners do not move a given solution from the enterprise-integrated category to the vendor-integrated category.
Recommendations – Additional Considerations
New approaches: organizational (vs. departmental); lifecycle; vendor integrated / interoperable; higher scale at lower total cost
New identity-enabled opportunities: Social, Mobile, Cloud (SoMoClo™)
[Figure: Evolution – Social + Mobile + Cloud = Business Transformation]
Additional resources
www.oracle.com/Identity
Aberdeen Online Identity Assessment: Benchmark your own organization against those in the report