Aberdeen ppt-iam integrated-db-06 20120412

© AberdeenGroup 2011

IAM Integrated

Analyzing the “Platform” versus

“Point Solution” Approach

Spring 2012

Derek E. Brink, BS, MBA, CISSP

Vice President & Research Fellow, IT Security / IT GRC

[email protected]

mailto:[email protected]

© AberdeenGroup 2011 2

Outline

Introductions

Myself

Research methodology

Benchmark study on IAM

Business context

Aberdeen’s research findings

Summary and recommendations

Additional resources


Introductions Derek E. Brink, CISSP – www.linkedin.com/in/derekbrink

VP & Research Fellow covering topics in IT Security and IT GRC

at Aberdeen Group, a Harte-Hanks Company

I help organizations to improve their security and compliance initiatives

by researching, writing about and speaking about the people, processes

and technologies that correspond most strongly with the top performers

Adjunct Professor in Graduate Professional Studies at Brandeis University

I help individuals to improve their critical thinking, leadership skills and

communication skills by teaching graduate courses in information

assurance

Senior high-tech executive experienced in strategy development and

execution, corporate / business development, product management and

product marketing

RSA Security, IBM, Gradient, Sun Microsystems, Hewlett-Packard

MBA – Harvard Business School

BS Applied Mathematics – Rochester Institute of Technology

http://www.linkedin.com/in/derekbrink


Aberdeen’s Unique Research Methodology Fact-based, “benchmarking” style

Pressures

Actions

Capabilities

Enabling Technologies

Respondents are differentiated

based on key performance

indicators

Correlation of “people, process

and technologies” with results

ave

rag

e

lag

gin

g

lea

din

g


Benchmark Study on Identity and Access Management (IAM) Business Context: Increased Complexity of the Enterprise Computing Environment

Ide

ntitie

s

End-Users

Endpoints

Applications

Data

Hosts

Ac

ce

ss

Provisioning

Intelligence

• Employees

• Temporary employees / contractors

• Mobile / remote users

• Business Partners

• Customers

• Privileged Users

#, type

#, type

Repositories

#, type

# applications

time to provision

time to ∆

time to de-provision

time to integrate apps, roles

% customization vs. % configuration

# FTE admins

# roles

unauthorized access

audit deficiencies

data loss or exposure

total annual cost

% orphans Drivers, Inhibitors for investment

Strategies

Capabilities (people, process)

Enabling Technologies

“platform” vs. “best of breed”


Outline

Introductions

Business context

End-users

Endpoints

Applications and data

The cost complexity and compliance





Business Context Evolving End-User Populations

In Aberdeen’s 2011 study on managing identities and access:

For every 100 employees there are another 27 temporary employees or contractors

Of this combined population, about 2 out of 5 (39%) are supported as mobile / remote users

Externally, support for business partners adds still another 20% to the total end-user count –

And this updated figure is then more than doubled when adding in support for the organization's external customers

Effects of changing end-user populations

Increased security- and compliance-related risks

Pressure on the necessary supporting infrastructure (e.g., including all people, process, technology, hardware, software, services, training and support)

• The days of enterprise end-users being largely synonymous with internal employees are over


Business Context Evolving Endpoint Complexity

Enterprise end-users increasingly have an expectation of access to enterprise resources from any place, at any time, from any mobile platform

94% support access to enterprise email

89% support access to enterprise contacts

89% support access to enterprise calendar

87% support access to enterprise web-based apps

45% support access to corporate network or Wi-Fi

Of particular note is the growing population of mobile endpoint devices that are not provisioned and managed by the enterprise

72% of respondents in Aberdeen’s study on enterprise mobility support corporate-owned devices

62% support employee-owned devices

Greater diversity and complexity of the enterprise IT

infrastructure creates corresponding challenges to the enterprise's ability to maintain some semblance of visibility and control

• Momentum behind greater diversity and complexity of the enterprise IT infrastructure continues to mount


Business Context Evolving Characteristics of Enterprise Applications and Data

Data volume and type

More data

Larger files

More file types

Data flow

Increased collaboration, both within and across organizational boundaries

Greater pressure to provide faster access to information, any time, any location, any device

Greater complexity for access

More users

Diverse populations

More user-managed devices

Applications / services

Currently supported: 215

Routinely accessed by typical enterprise end-users: 56 (26%)

Routinely accessed using strong authentication: 8 (14%)

• Enterprise data is generally not created to be hidden away – it is generally created to be shared

• This naturally increases the need for the means to access enterprise resources, securely and reliably


Business Context The cost of Complexity also amplifies the cost of Compliance

Attestation refers to the

periodic validation that end-

users have appropriate access

rights, i.e., as part of providing

assurance that the right end-

users have the right access to

the right resources at the right

times.

Separation of duties (or

segregation of duties) refers

to dividing tasks and

associated privileges for certain

business processes among

more than one individual, to

help prevent potential abuse or

fraud.

• In the context of their identity and access management initiatives, many organizations struggle with

implementing repeatable approaches to demonstrating compliance with regulatory requirements such as

attestation and separation of duties (SoD) … and this is consuming more and more of their IT budgets


Outline

Introductions

Business context


Vendor-integrated “platform” approach

vs. enterprise-integrated “point solution” approach

Quantification of benefits




Aberdeen’s Research Findings Approach to Selecting and Deploying IAM Solutions (all respondents)

47%

47% 53%

53%

0%

20%

40%

60%

80%

100%

Current Planned

Pe

rce

nta

ge

of R

esp

on

de

nts

(N

=1

55

)

Vendor-integrated / "Platform" approach

Enterprise-integrated / "Point Solution"

approach

• Across all respondents, a discernable shift from integration of point solutions to a “platform” approach

• Average number of individual / point solutions currently deployed: between 4 and 5


Analysis “Platform” vs. “Point Solution”

Aberdeen’s research shows a discernable shift from enterprise self-integration of point solutions for IAM toward more of a vendor-integrated approach Some solution providers refer to this as an IAM "platform“

Others emphasize vendor integration, but feel that the term "platform" implies a lack of flexibility and choice

Aberdeen’s perspective Any approach that shifts the burden of integration from the

enterprise to the solution provider is a welcome trend

Analysis of organizations adopting each approach provides additional insights

Platform approach (N=32)

Point Solution approach (N=39)


Summary of Findings Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM

Benefits Description and Derivation of Benefits Platform vs. Point

Solution

Increased

end-user

productivity

Timely provisioning and modification of end-user access to existing

applications or services can save companies hundreds of dollars per end-

user per year in terms of convenience, productivity and downtime, and

significantly enhance the overall end-user experience.

Advantage:

Platform approach




Solution

Increased

end-user

productivity




significantly enhance the overall end-user experience.

Advantage:

Platform approach

Adoption of the Platform Approach to Managing Identities and Access Translates to Tangible Business Value (average for each respective metric)

Platform (N=32)

Point Solution (N=39)

Platform Advantage

Increased

end-user

productivity

Provide emergency access (e.g., forgotten username or password)

2.0 hours 2.3 hours 11% faster

Reset a password or PIN (e.g., help desk or end-user self-service)





Solution

Reduced

risk

Rapid de-provisioning of end-user access, on the other hand, is more about

cost avoidance than it is about cost savings – e.g., by reducing the window

of vulnerability from orphaned accounts and minimizing the potential for

downstream misuse. Periodic attestation of access privileges and

enforcement for separation of duties are also critical elements of reducing

risk.

Advantage:

Platform approach




Solution

Reduced

risk






risk.

Advantage:

Platform approach


Platform (N=32)


Platform Advantage

Reduced

risk

Suspend / revoke / de-provision an existing end-user identity 4.9 hours 5.8 hours 14% faster

Suspend / revoke / de-provision end-user access to an existing app 3.7 hours 6.8 hours 46% faster

Average dormant / orphaned accounts found (as a % of total number of accounts)

3.7% 6.5% 44% faster

Average dormant / orphaned accounts found = none 13% 3% 4.3-times

higher




Solution

Increased

agility

Given the dynamic changes in enterprise end-user populations and

application portfolios, faster time to integrate a new application or integrate

a new end-user role with the enterprise's IAM infrastructure translates to

flexibility and agility to compete more effectively. Pre-integration and

workflow spanning IAM components cuts out the complexity and overhead

of synchronization.

Advantage:

Platform approach




Solution

Increased

agility






of synchronization.

Advantage:

Platform approach


Platform (N=32)


Platform Advantage

Increased

agility

Integrate a new application with the enterprise’s IAM solution 43 hours 118 hours 64% faster

Integrate a new end-user role into the enterprise’s IAM solution 19 hours 70 hours 73% faster




Solution

Enhanced

security

and

compliance

Fewer incidents of unauthorized access to enterprise resources related to

IAM translates to a huge benefit in terms of cost avoidance, particularly

given the high average cost per incident found in Aberdeen's studies.

Consistent enforcement of policies and consistent, consolidated reporting

for compliance translates to fewer audit deficiencies related to IAM, and the

liberation of IT resources for more strategic projects.

Advantage:

Platform approach




Solution

Enhanced

security

and

compliance







Advantage:

Platform approach


Platform (N=32)


Platform Advantage

Enhanced

security and

compliance

Unauthorized access to enterprise resources (per 10K users) 0.64 0.74 14% fewer

Audit deficiencies related to IAM (per 10K users) 0.56 0.87 35% fewer




Solution

Reduced

total cost

Efficiency of the vendor-integrated approach translates to support for

higher scale with fewer FTE admin resources, at lower total annual cost per

end-user per year. Common management interfaces across components

enable policies which are consistent and easier to administer. Both

"internal" and "external" end-users are managed by the same system.

Advantage:

Platform approach




Solution

Reduced

total cost





"internal" and "external" end-users are managed by the same system.

Advantage:

Platform approach


Platform (N=32)


Platform Advantage

Reduced

total cost

Total annual cost related to IAM initiatives (e.g., including all people, process, technology, hardware,

software, services, training, support)

$8.90 per end-user

per year

$17.10 per end-user

per year 48% lower

Total end-users per FTE IAM administrator 5,500 2,000 2.75-times

more




Solution

Increased

end-user

productivity




significantly enhance the overall end-user experience. Advantage:

Platform approach

Reduced

risk






risk.

Increased

agility






of synchronization.

Enhanced

security

and

compliance







Reduced

total cost






Details of Analysis Adoption of the Platform Approach to IAM Translates to Tangible Business Value


Platform (N=32)


Platform Advantage

Increased

end-user

productivity

Provide emergency access (e.g., forgotten username or password)


Reset a password or PIN (e.g., help desk or end-user self-service)


Reduced

risk

Suspend / revoke / de-provision an existing end-user identity 4.9 hours 5.8 hours 14% faster

Suspend / revoke / de-provision end-user access to an existing application


Average dormant / orphaned accounts found (as a % of total number of accounts)

3.7% 6.5% 44% faster

Average dormant / orphaned accounts found = none 13% 3% 4.3-times

higher

Increased

agility

Integrate a new application with the enterprise’s IAM solution 43 hours 118 hours 64% faster

Integrate a new end-user role into the enterprise’s IAM solution 19 hours 70 hours 73% faster

Enhanced

security and

compliance

Unauthorized access to enterprise resources (per 10K users) 0.64 0.74 14% fewer

Audit deficiencies related to IAM (per 10K users) 0.56 0.87 35% fewer

Reduced

total cost

Total annual cost related to IAM initiatives (e.g., including all people, process, technology, hardware,

software, services, training, support)

$8.90 per end-user

per year

$17.10 per end-user

per year 48% lower

Total end-users per FTE IAM administrator 5,500 2,000 2.75-times

more


Current Capabilities Knowledge Management, by Maturity Class and by Approach

67%

59% 58%

47%49%

56%

15%

24%21%

55%

59%

33%

28%

50%

49%

0%

20%

40%

60%

Workflow-based approval for

exceptions

Standardized workflow for the IAM

lifecycle

Standardized audit, analysis and

reporting

Pe

rce

nta

ge

of R

esp

on

de

nts

(N

=1

55

)

Best-in-Class (Top 20%) Industry Average (Middle 50%) Laggards (Bottom 30%)

Platform Approach (N=32) Point Solution (N=39)

• Workflow for IAM lifecycle; workflow-based approval for exceptions; standardized audit and reporting

• Platform approach is closest to Best-in-Class; Point Solution approach is between Average and Laggard


Current Capabilities Performance Management, by Maturity Class and by Approach

67%

63%

57%56%

49%

45%

35%

24% 25%

63%

56%

45%

36%

68%

50%

0%

20%

40%

60%

Audit and reporting for who approved

access privileges and when

Periodic validation that end-users

have appropriate access rights

Enforcement for separation of duties

Pe

rce

nta

ge

of R

esp

on

de

nts

(N

=1

55

)

Best-in-Class (Top 20%) Industry Average (Middle 50%) Laggards (Bottom 30%)

Platform Approach (N=32) Point Solution (N=39)

• Effective audit and reporting, attestation, and enforcement for separation of duties

• Platform approach is closest to Best-in-Class; Point Solution approach is between Average and Laggard


How IAM Capabilities Are Achieved Configuration (out-of-the-box) vs. Customization (coding)

58% 56% 53% 53%

42% 44% 47% 47%

0%

20%

40%

60%

80%

100%

Platform

Approach (N=32)

Best-in-Class

(Top 20%)

Point Solution

Approach (N=39)

All Others (Other

80%)

Pe

rce

nta

ge

of R

esp

on

de

nts

(N

=1

55

)

Customization

Configuration

• Leaders are slightly more able than all others to achieve IAM capabilities by configuration than by coding

• Adopters of the Platform approach have pushed this advantage a bit further; no impact for Point Solution

• Cost implications are obvious; vendor enhancements in this area would receive strong market welcome


Outline

Introductions

Business context





Summary

Based on more a study of more than 160 respondents, Aberdeen's

analysis of 32 enterprises which have adopted the vendor-integrated

(Platform) approach to identity and access management, and 39

organizations which have adopted the enterprise-integrated (Point

Solution) approach, showed that the vendor-integrated approach

correlates with the realization of significant advantages –

including

Increased end-user productivity

Reduced risk

Increased agility

Enhanced security and compliance

Reduced total cost.


Recommendations Crawl / Walk / Run (1 of 3)

Adopt a primary strategic focus. Which of the following strategies supports the most compelling business case for your organization's investments in IAM: convenience and productivity for end-users? Compliance and security requirements? Consistency of policies for managing identities and access to corporate resources? Cost savings and cost avoidance through greater efficiency and effectiveness? The essential first step is to identify the strategy that is most compelling for your organization to get started, and begin.

Put someone in charge. Having a responsible executive or team with primary ownership for important enterprise-wide initiatives is consistently correlated with the achievement of top results. IAM initiatives are consistent with this pattern.

Prioritize security control objectives as a function of requirements for risk, audit and compliance. Emphasizing security before compliance, rather than the other way around, reduces the probability of overlaps in controls (which waste resources) or gaps (which increase vulnerabilities).

• Aberdeen's research consistently confirms the merits of a pragmatic "Crawl, Walk, Run" approach as

the basic template for successful enterprise-wide initiatives



Establish consistent policies for end-user identities and end-user access to enterprise resources. As the expression of management's intent for the business, consistent policies are the foundation for any successful IAM initiative.

Standardize the workflow for the IAM lifecycle, including workflow-based approval for exceptions. Standardization and automation of workflow should not mean automatic approval, however – on the contrary, increased involvement and accountability for approvals puts a greater responsibility on the business owners rather than on the IT staff.

Standardize audit, analysis and reporting for IAM projects, including reporting for who approved access and when, periodic validation that end-users have appropriate access, and enforcement for separation of duties. Quarterly attestation reviews, for example, are common to address requirements for regulatory compliance.



Evaluate and select IAM solutions. Pay special attention to the level of

integration and intelligence provided by the IAM solution provider(s), versus

the degree of integration that remains to be completed by the enterprise.

Another critical consideration is the proportion of capabilities that can be

achieved by configuration (i.e., out-of-the-box) versus customization (i.e.,

coding and services). Proposals which are disproportionately heavy with

professional services from vendors or their third-party business partners do

not move a given solution from the enterprise-integrated category to the

vendor-integrated category.


Recommendations – Additional Considerations

New approaches

Organizational (vs. departmental)

Lifecycle

Vendor integrated / interoperable

Higher scale at lower total cost

New identity-enabled opportunities

Social

Mobile

Cloud SoMoClo™

Evolution Social + Mobile + Cloud = Business Transformation

CLOUD

© 2011 Aberdeen Group ALL RIGHTS RESERVED


Outline

Introductions

Business context





www.oracle.com/Identity

Aberdeen Online Identity Assessment Benchmark your own organization against those in the report