2009 European Identity and Access Management Survey · 6 2009 European Identity & Access Management...

2009 European Identity and Access Management Survey

A survey conducted by KPMG IT Advisory together with Everett

Advisory

Supported by eema and IIR

2 2009 European Identity & Access Management Survey

The findings at a glance

© 2009 KPMG International

3 Management Survey

2009 European Identity & Access


The value of Identity and Access Management (IAM) is still recognised and IAM is here to stay• Almost 90% of the survey participants have initiated one or more IAM projects

in the last year;• 70% of the respondents have a specifically allocated IAM budget.

Clearly the economic crisis has its impact on IAM, but IAM is still in the spotlight• A quarter of the respondents reported budget cuts of 5%-50%, whereas 13%

reported budget cuts of more than 50%;• More than half of the respondents indicated a change of project scope;• Many organisations are quite confident that their original business case is still

applicable in this hard economic climate;• Despite budget cuts, almost three quarters of respondents entirely or partially

agreed that IAM investments should be increased instead of decreased due to the current economic climate.

Governance, Risk and Compliance is by far the main driver of IAM • Governance, Risk and Compliance is even more important than last year’s

survey indicated;• The vast majority of IAM projects are still focused on their organisation’s direct

employees;• Access attestation and certification services are ‘on the map’ and this is

possibly at the expense of the implementation of complete IAM solutions. This indicates a shift from more preventive controls to a detective approach focused on an organisation’s ‘crown jewels’.

There are still significant gaps between the expected and realised benefits of IAM• Although gaps between expectation and realisation still remain, over half of the

respondents were satisfied with the outcome of their IAM project;• Organisations face difficulties in measuring the costs, benefits and quality of

IAM services and related activities.

A lack of business buy-in is the main cause of IAM project failure• IAM projects are still mostly the responsibility of the IT department or the

Security Officer;• 50% of the respondents stated that the business was not ready for the

proposed solution;• 51% of the respondents indicated that there was a lack of support from

management and stakeholders.



Contents

01 Executive summary 5

02 Introduction 9

03 IAM projects – status and 12

impact of the economic crisis

04 Drivers and strategy 19

05 Architecture 22

06 Expected benefits, realisation 26

and satisfaction

Appendix A - Reference models 33

Appendix B - About the authors 36

Appendix C - European regions 39

5 Management Survey


01 Executive summary



KPMG IT Advisory and Everett, in cooperation with eema and IIR, are pleased to launch the report outlining the results of our 2009 European Identity and Access Management (IAM) Survey.

In order to contribute to the decision making process of organisations with regard to whether they should engage in IAM and with what type of initiative, we conducted the 2009 European IAM Survey as a follow-up to the IAM survey that KPMG conducted in 2008.

Combining insights and trends from over 125 organisations from various sectors and countries, in combination with analysis and our experience in conducting IAM projects and programmes, we believe our survey makes a significant contribution to IAM research. This survey also provides insight into recent developments in the area of IAM and the impact of the economic crisis as the results are compared against the results from the 2008 IAM Survey (where applicable).

John HermansAssociate partner, KPMG IT Advisory in the NetherlandsGlobal lead on Identity and Access Management

Peter ValkenburgMember of the Board of Everett GroupChief Technical Officer

Authors Survey

KPMG:John Hermans

Joris ter HartWillem Guensberg

Arjan van Vliet

Everett:Peter Valkenburg

Erik Frambach


7 Management Survey



One of the most important conclusions of this survey is that, as was already visible in the 2008 IAM Survey, IAM is here to stay. Even though the economic circumstances are quite different for many of the organisations that participated, the value of IAM is clearly recognised throughout all the sectors and throughout the whole of Europe.

• Almost 90% of the respondents have initiated one or more projects during the last three years;

• In 2008, one third of the respondents stated that they had no specific IAM budget. The results of the 2009 survey show more or less a similar view as 70% of the respondents have a specific IAM budget.

The Financial Services (FS) sector continues its position as an early adopter of IAM and in 2009 the Infrastructure, Government and Healthcare (IGH) sector has emerged as an early adopter, whereas last year IGH was classified as a late adopter (a so-called ‘laggard’). Despite the economic crisis, in general, the FS sector still has the highest IAM budgets.

However, the area of IAM did not escape the impact of the economic crisis. A quarter of the respondents reported budget cuts of 5%-50%, whereas 13% reported budget cuts of more than 50%. Still over half of the respondents indicate not having seen any (significant) impact on their IAM budget. However a majority of projects encountered an impact on the project scope due to the economic hard times. Strikingly, most are confident that the original IAM business case still holds.

The three main drivers analysed in this survey are:

• Governance, Risk and Compliance (GRC) – Being ‘in control’ and able to prove it;

• Operational excellence – Cost control and user experience;

• Business agility – Being ready for change.

Governance, Risk and Compliance is now even more important as the main driver of IAM than last year’s survey indicated. This applies to every sector and specifically to Financial Services, Infrastructure, Government and Healthcare and Information, Communication and Entertainment (ICE). In the Consumer Markets (CM) and Industrial Markets (IM) operational excellence is also of reasonable importance. In addition, we would like to mention that investing in business agility and operational excellence can reduce IAM costs in the mid to long term.



We expect these areas to be an opportunity when the economy recovers and organisations have the budget to make investments in projects in which the benefits with regard to expenses are realised within the mid to long term.

As part of GRC, access attestation and certification is now definitively ‘on the map’ of organisations. Almost 20% of the respondents indicated this to be a means of achieving project goals. Simultaneously, the implementation of a complete IAM solution dropped by approximately 50% towards 35%. These facts indicate a shift from an extended preventive approach towards a more detective approach focusing on an organisation’s ‘crown jewels’. This focused approach could also be a consequence of the economic crisis as only focusing on the critical information will decrease the expenses.

However, when we analyse the gaps between the expected and realised benefits of IAM projects, less than half of the respondents who expected significant benefits from access attestation and certification realised these benefits. This indicates that this is an evolving area which is not yet mature. In general, there is a significant gap between the expected and realised benefits in all areas of the main drivers. As in 2008, respondents cited the most prominent reason for failure as being that the business was not ready for the proposed solution and the lack of support from the business. Nevertheless, 50% of the respondents were satisfied with their IAM project outcome.

Despite the gap between the expected and realised benefits and the negative impact of the economic crisis, we conclude that the value of IAM is apparent to organisations as they are still investing in IAM. The challenge for the upcoming years is to realise the expected benefits. With limited budgets due the economic crisis, organisations have to make careful choices relating to the scope and the approach. This implies a need for strong program management and a clear roadmap for IAM.

9 Management Survey


02 Introduction




The 2009 European IAM Survey continues to explore the status of IAM projects within European organisations. This report extends the results of KPMG’s 2008 IAM Survey, and comparisons between the two are presented where applicable.

Several definitions of IAM are generally used. For the purpose of this survey, IAM is defined as:

To be more precise, the processes covered by IAM are user management, authentication management, authorisation management, access management, provisioning and monitoring and audit. A complete overview of the KPMG IAM reference model used for this survey is included in Appendix A.For this survey KPMG, Everett and the media partners eema and IIR invited a variety of European organisations to complete an online questionnaire. The answers to the questions were subsequently analysed by a KPMG/Everett team of IAM professionals. A detailed analysis of the results is provided in this report in order to help the reader gain insight into:

• The status of IAM projects seen across Europe;• The impact of the economic crisis on IAM budgets and project scope;• The drivers and strategy of IAM projects;• The level of benefit realisation and satisfaction with IAM projects.

A solid base of data was provided as 128 respondents from organisations located in 23 European countries participated in the survey. Among the respondents were a wide range of organisational representatives, from CEOs and CIOs to Security Officers and heads of internal audit. The group also contained participants from organisations of different sizes and from a variety of industries.

“The policies, processes and systems for efficiently and effectively governing and managing who has access to which resources within an organisation.”

11 Management Survey



The distribution of participants with respect to European region, size and sector was as follows:

Total number of respondents 128

Geographic region*

North (Denmark, England, Finland, Norway, Scotland) 34 %

East (Belarus, Czech Republic, Latvia, Romania, Russia) 9 %

South (Turkey, Cyprus, Greece, Italy, Spain) 12 %

West (Austria, Benelux, France, Germany, Switzerland) 37 %

Other 8 %

Size (number of IT users)

Less than 1,000 20 %

1,001-2,500 13 %

2,501-5,000 16 %

5,001-10,000 13 %

10,001-25,000 13 %

More than 25,000 25 %

Sector

Financial Services (FS) 39 %

Infrastructure, Government and Healthcare (IGH) 34 %

Information, Communication and Entertainment (ICE) 13 %

Industrial Markets (IM) 9 %

Consumer Markets (CM) 5 %

Reading aidChapter 3 of this report describes the current status of IAM projects and the impact of the economic crisis. In Chapter 4 the strategy and main drivers of IAM are elaborated. Subsequently, the IAM architecture is described in Chapter 5. In the final chapter the expected and realised benefits of IAM are addressed; this section also includes the participants’ ‘satisfaction’ with regard to the actual benefits and their ability to measure costs and benefits of IAM.

“The policies, processes and systems for efficiently and effectively governing and managing who has access to which resources within an organisation.”

* No significant differences were found between the four different geographical regions as described in the table. Therefore, the results presented in this report apply to the European region as a whole and are not divided by the four geographical regions.


03

IAM projects – status and impact of the economic crisis





Number of IAM projects initiated

Source: KPMG/Everett IAM survey, October 2009

As information is one of an organisation’s most valuable assets, control of access to this information forms an important part of an organisation’s day-to-day business.Around half (48%) of the respondent organisations had initiated one or two IAM projects during the last three years, 87% of organisations had initiated at least one IAM project and approximately a third (39%) had initiated more than three IAM projects. Of these 39%, 6% had initiated more than ten projects.

Observation in comparison to the 2008 IAM Survey: In 2008, all respondent organisations indicated that they had initiated one or more IAM projects in the last three years, whereas 13% of 2009 respondents indicated they had not initiated any IAM projects in the last three years.

Number of IAM projects by sector


13%

31%

2%6%

48%

None1 – 23 – 56 – 10More than 10 projects

None1 – 23 – 5

6 – 10More than 10 projects

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

IM

CM

IGH

ICE

FS

OTH*

Sect

or

Authors’ note

IAM was already ‘here to stay’ in 2008, and the 2009 survey supports this impression. IAM is clearly of concern to all organisations, regardless of the sector in which they operate or the country in which they are based.

Over half of respondents indicated to have initiated one or more projects during the past three years. It appears that it is often insufficient to initiate only a single project, but that a sequence of projects is required in order to successfully achieve their organisation’s IAM end goals. A possible explanation may be that previous projects have failed, but based on our industry experience it appears more likely that an IAM programme, in which several projects are contained, enhances the chances of success. This supports the need for a strong programme management organisation and a clear roadmap with clearly defined phases and scoping.

The findings of this survey indicate that the FS sector can still be categorised as one of the ‘early adopters’ of IAM. Pressure to comply with banking regulations as well as national and international corporate governance legislation is relatively high in this sector, and this is assumed to be one of the drivers of IAM projects within the sector.

Contrary to 2008, in 2009 the IGH sector is also adopting IAM on a regular basis, whereas only a year ago IGH was categorised as a ‘late adopter’.

* Other



The FS and IGH sectors both represent a significant percentage of respondents who had initiated more than ten IAM projects over the past three years. The IM and CM sectors, on the other hand, display less IAM project initiation with a maximum of five initiated IAM projects.

Budgets Size of IAM budgets


Out of the budgets specifically allocated to address IAM over the next three years, 38% of the respondents plan to initiate projects with a budget up to EUR 250,000. 11% of respondents indicated that they have allocated a budget of over EUR 1 million. Compared to the results of the 2008 IAM Survey there are no big differences; in fact the results are almost the same.

As may be expected, smaller sized organisations (with less IT users) have smaller IAM budgets and vice-versa, with EUR 10 million+ IAM budgets only occurring in the organisations with over 5,000 employees. Overall, larger organisations appear to have more difficulty in determining the total IAM budget, as many respondents representing larger organisations indicated that they did not know its IAM budget. By contrast, 80% of respondents representing smaller organisations (up to 10,000 employees) were able to indicate the size of its IAM budget.

23%

31%

15%

12%8%6%

5%

Less than EUR 100,000EUR 100,001 – 250,000EUR 250,001 – EUR 500,000EUR 500,001 – EUR 1,000,000EUR 1,000,001 – EUR 10,000,000More than EUR 10,000,000Unknown




IAM budgets by sector


In 2009, budget allocations remain largely unchanged. In addition, the IM and ICE sectors have relatively small allocated IAM budgets.

Scope IAM Scope


Over 90% of the respondents indicated that IAM projects are still mainly focused on their organisation’s direct employees. This indicates that most IAM projects are focused on controlling access to internal systems and information. However, approximately a third of IAM projects target partner and/or supplier networks, and approximately a third target clients via IAM projects1.

Less than EUR 100,000EUR 100,001 – 250,000EUR 250,001 – EUR 500,000EUR 500,001 – EUR 1,000,000

EUR 1,000,001 – EUR 10,000,000More than EUR 10,000,000Unknown

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

IM

CM

IGH

ICE

FS

OTH

Sect

or

Own employees Partner and/orsupplier network

Clients Unknown/other

100%

80%

60%

40%

20%

0%

94%

37% 33%

10%

Authors’ noteIt is still the FS sector that boasts the highest number of high-end budget ranges. This means that IAM budgets are generally higher in the FS sector. The IGH sector comes in a decent second in this category. One possible explanation is that these sectors specifically experience a relatively high pressure to comply with international rules and regulations (FS) and a relatively large number of IGH have begun over the last year. The IM and ICE sectors do not appear to have the IAM drivers to justify the same level of budget allocation. However, we note that the obligation to comply with stringent legislation is also becoming increasingly important in these sectors.

1Multiple answers were allowed for this question and therefore the total percentage is above 100%. This is applicable to all graphs in which the total percentage is above 100%.



Means to achieve project goals


With a fifth of respondents indicating attestation and certification solutions to be a means of achieving project goals, attestation and certification solutions have emerged to become one of the serious options on this chart. Common means (implementation of a new policy, a complete IAM solution, a user management and provisioning solution or enhanced authorisation) all represent a fairly similar number of respondents, with user management and provisioning as the most commonly used solution.

Impact of the economic crisis Impact on IAM budget


Although over half of respondents indicated not to have seen any (significant) impact on IAM budgets, over a third (37%) indicated that their IAM budget has been cut. A quarter of the respondents reported a 5%-50% cut, whereas 13% reported IAM budget cuts of over 50%. As might be expected, IAM budgets are under pressure as a result of the economic crisis.

The IAM budget is increased by more than 50%The IAM budget is increased by 5 – 50%No impact, (almost) unaffected IAM budgetThe IAM budget is cut by 5 – 50%EUR The IAM budget is cut by 5 – 50%

1% 7%

55%

24%

13%

New policy Complete IAM solution

Attestation and certification

Enhanced authorisation

Other

50%

40%

30%

20%

10%

0%

35%37%

44%

20%

31%

User managementand provisioning

11%

Authors’ note

As far as the respondent organisations are concerned, attestation and certification is now ‘on the map’. In general the means to achieve project goals are fairly evenly distributed over the five IAM approaches mentioned here, with only 11% of respondents resorting to other means to achieve their IAM project goals. This may be viewed as a sign of the maturity of the IAM market, as most respondents found the options to achieve their project goals readily available in today’s vendor portfolios.

The implementation of a complete IAM solution has dropped significantly towards 35% (a 50% drop). It is possible that the focused approach of targeting ‘crown jewel’ components of the information/application landscape has reduced the popularity of the complete solution. It is also possible that a shift has taken place from the more preventive complete approach to more detective solutions such as attestation and certification focused on the ‘crown jewels’.




However, 73% of respondents entirely or partially agreed that the economic crisis is another reason why their organisation should invest in IAM.

Impact on IAM budget by sector


Although some sectors were largely unaffected, over a third (37%) of respondents reported cuts in their IAM budget of more than 5%, especially in the FS, ICE and IGH sectors. CM does not appear to be impacted as of yet, however this might be distorted as almost 50% of the CM sector respondents indicated not knowing their IAM budget.

Impact on IAM budget by total IAM budget range


The IAM budget is increased by more than 50%The IAM budget is increased by 5 – 50%No impact, (almost) unaffected IAM budget

The IAM budget is cut by 5 – 50%The IAM budget is cut by more than 50%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

IM

CM

IGH

ICE

FS

Sect

or

The IAM budget is increased by more than 50%The IAM budget is increased by 5 – 50%No impact, (almost) unaffected IAM budget

The IAM budget is cut by 5 – 50%The IAM budget is cut by more than 50%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

>10M

1M-10M

500K-1M

250-500K

100-250K

<100K

tota

l IAM

bud

get



It appears that the larger IAM budgets, and generally speaking the larger IAM projects, faced the hardest budget cuts in absolute terms (total EUR) and relative terms. Smaller organisations (with IAM budgets of up to EUR 10 million) experienced a range of IAM budget cuts (anywhere between 5%-50%) and the IAM budget increased in a relatively small number of organisations.

Impact on scope


Despite the fact that 55% of respondents indicated that the economic crisis has had no impact on their IAM budget, around 60% indicated that there was some impact on the project scope, ranging from the slowing down to complete stopping of IAM projects. Figures clearly indicate that projects are being impacted negatively across all sectors.

Impact on business caseThe IGH sector appeared to experience little effect of the economic crisis in this respect, as almost 90% of respondents believed that the economic crisis does not have an impact on the business case for IAM. Overall, over 70% of respondents indicated that there was no impact on the IAM business case. In addition, 80% of the respondents stated that the original IAM business case would still be accepted under the current circumstances.

No impactSlowing down (take more time for IAM projects)Redefining the project scope focussing on the crown jewels

Selecting or choosing a different approach

Stopping IAM projects

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

IM

CM

IGH

ICE

FS

OTH

Sect

or

Authors’ note

The survey clearly indicates that IAM budgets are under pressure from the economic crisis. Over a third of respondents have already experienced budget cuts. We expect that this figure may rise in the next year as the budget cycle for 2010 in general is under pressure due to the economic crisis. Large organisations in the Financial Services sector have been hit especially hard in the crisis and, generally speaking, larger IAM projects face the hardest budget cuts in absolute terms (total EUR). However, respondents were generally confident that the original IAM business case would still be accepted under the current circumstances.


04Drivers and

strategy




Main IAM driver


The participants were asked to state their main IAM driver from the following options:

• Governance, Risk and Compliance; • Operational excellence; • Business agility.

Respondents indicated that Governance, Risk and Compliance is undoubtedly the main driver of IAM projects (72%). Operational excellence comes in second at 14% and business agility comes in third at 13%. Compared to the results of the 2008 IAM Survey, GRC has become even more important.

Main IAM drivers by sector


0% 20% 40% 60% 80% 100%

GRC

Operational excellence

Business agility

Dri

ver

72%

14%

13%

Business agilityOperational excellenceGRC

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

IM

CM

IGH

ICE

FS

Sect

or

Authors’ noteThe relatively high weight of GRC as a main driver in the FS sector may be expected, as compliance requirements are traditionally important within this sector. In the IGH sector, GRC is also the key topic with regard to IAM. This could be due to the fact that governmental and healthcare organisations are facing more and more requirements with regard to information security and data privacy.




When we filter these results by sector, we find that FS, ICE and IGH represent the highest scores for GRC. Although GRC is also a factor in the ICE and CM sectors, the most important drivers in these sectors show a less pronounced bias towards GRC as the main driver. In the CM and the IM sectors, operational excellence turns out to be significantly more important than in the other sectors. Business agility is a more important driver in the IGH and IM sectors than in any other, most notably the FS sector.

IAM project approaches


When asked which project approaches are being used for IAM, many respondents reported that several different approaches were in use. However, there were also many respondents (25%) who reported that none of the project approaches we suggested were in place.

When we filter these results by sector, the most prevalent result is that in the CM and IM sectors around half of the respondents indicated that none of the stated approaches were being used and that within IM none of these methods were being used a lot. The IGH, ICE and FS sectors reported to be using all of the listed project approaches.

0% 20%10% 30% 40% 50% 60%

IM

CM

IGH

ICE

FS

Milestones in placeMeasurable milestonesAgreed across organization

Multi-year roadmapNone of the above

Sect

or

Authors’ noteThe FS sector appears to be the most mature in running its IAM projects. In this sector the lowest number of ‘none of the above’ was reported, and the number of ‘agreed across the organisation’ was the highest. The IM sector, on the other hand, appears to be the least mature; displaying low numbers for all of the above mentioned project management elements. The high score for FS is in line with previous observations in this survey.



Responsibility for IAM strategy


The IT department is still responsible for IAM strategy in 24% of the respondent organisations. The (Chief) Security Officer and the IT Manager form the majority of the positions responsible for IAM strategy. The position of (Chief) Risk Officer comes in third.

(Chief) Security OfficerIT manager(Chief) Risk Officer(Chief) Information OfficerIT architect(Chief) Financial OfficerProject managerSystem AdministratorOther

33%

24%

12%

10%

4%

3%3%

3%8%

Authors’ noteBased on the responsibilities for IAM strategy one can conclude that IAM projects are still often IT-driven and much less business-driven, which is a risk as the business may not be sufficiently involved in order to guarantee success. This may still be true if a (Chief) Security Officer initiates an IAM project, because security as such is still often not seen as a business objective, but rather an IT-based method of protecting the business. We believe a Business Manager, a CFO, a CIO, or perhaps the (Chief) Risk/Business Officer/Manager, who has direct responsibility for primary business processes, should take charge. With the growing importance of GRC the involvement of the business becomes even more important as GRC is a business issue.



05

Architecture



IAM and IT architecture


Within 63% of the respondent organisations a specific IAM architecture has been designed or IAM has been incorporated into the IT architecture. When broken down into sectors we find that IM scores the highest and that all sectors, except CM, score above 50%.

Architectural principles for IAM


According to the respondents, Central authorisations management is the most important principle for defining their organisation’s IAM need (39%). When organisations are selecting their required IAM solution, a large amount acquire the solution of their preferred supplier and only 18% perform a vendor selection in order to select a ‘best of breed’ solution.

90%

80%

70%

60%

50%

40%

30%

20%

10%

0%CM FSICEIGHIM

78%

17%

58%

69% 70%

Open standards

Preferred supplier

Best of breed

50%

45%

40%

35%

30%

25%

20%

15%

10%

5%

0% Central authorizations management

Delegated authorizations management

Loosely or tightly coupled

Other/unknown

20%

34%

18%

39%

24%

9%11%

Authors’ noteThe FS sector scores high here (70%), which is to be expected, given the effort that many of these organisations typically have already put into information security and risk management frameworks. A possible reason for the IM sector’s high score could be that these organisations have standardised production processes and the IT architecture is therefore also more mature and aligned with these processes. The low score for the CM sector may indicate that IAM is often used for consumers facing a limited amount of applications that pose a fairly simple problem in terms of architecture. In any case, IAM is often a long-term and costly endeavour that requires strategic planning for which, we believe, architecture is a crucial component.

Authors’ noteMany organisations appear to rely on a preferred supplier rather than choose a ‘best of breed’ solution. This indicates the importance of an IAM solution that fits into an organisation’s current vendor and software landscape. Interestingly, only 50% of the respondents from the Government sector reported open standards as a principle of their organisation’s IAM solution. As these organisations tend to promote open standards, this appears to contradict their official policy. Nevertheless, this figure is still around twice as high as the overall figure.

When we asked the respondents about the most used standards and preferred practices, the most popular answer was ISO 27001 (information security) and ISO 27002 (information security management). Based on this answer we can conclude that there are no specific IAM standards and industry best practices in order to implement IAM.





Authentication mechanisms


Username and password is an authentication mechanism that was reported by all respondents. Tokens are also popular with more than 50% of the respondents. Smartcards or other certificate-based mechanisms scored 35%. RFID and biometrics were both reported at around 12%.

Current use of identity administrations


An industry best practice for IAM is the connection to an authoritative source for central identity administration. Nevertheless, 60% of the respondents reported that their IAM solution does not use an authoritative source.

0% 20% 40% 60% 80% 100%

Username & password

Tokens

Smart cards/certificates

RFID

Biometrics

Other

100%

54%

36%

11%

13%

1%

No administration of core user identity data / organizational reference data

Central identity administration, not linked to authoritative sources (such as HR system)

Central identity administration, directly linked to authoritative sources (every change in authoritative sources will result in change in identity administration)

14%

47%

39%

Authors’ noteStronger authentication mechanisms such as tokens and smartcards are well matured, especially tokens. The fact that the good-old username and password authentication still prevails indicates that these may be used for access not only to low risk information (systems), but also to high risk information (systems); thus raising their vulnerabilities.

Authors’ noteWe believe that connecting to an authoritative source is essential for any long-term viable IAM solution. A connection to an authoritative source can be used to align the joiner/mover/leaver process to the IAM administration and ultimately enable the business to determine which user accounts need to be allocated, modified and removed. Having a non-authoritative source connected to IAM will make it almost impossible to manage IAM administration and to leave it up to the business to decide which access a person needs to have. Fortunately over half of the respondents indicated that they intend to link their central identity administration to an authoritative source.



Expected benefits, realisation and

satisfaction

06




Expectations versus the realisation of IAM benefits

The participants were asked to rate their expected benefits of each driver and to rate the realisation of the expected benefits. The survey results show significant differences between the expected benefits and the realisation rate of the three main drivers:

• Governance,RiskandCompliance(GRC);• Operationalexcellence;• Businessagility.

The various areas used for measuring the benefits within the main drivers are elaborated in Appendix A.

Business agility

Realisation versus expectation

Area Percentage that expects significant2 improvements

Percentage that realised significant improvements

Adaptation to organisational structural changes

51% 26%

Extended enterprise 35% 15%

Application integration and exploitation

52% 25%




Area Percentage that expects significant improvements


Cost of service delivery 60% 32%

Quality of service delivery 66% 32%

User management and provisioning 83% 46%

Identity administration 68% 48%

Role administration 65% 39%

Credentials management 59% 36%


2 Significant is defined as categories 4 and 5 on a scale of 1-5.

06






User management and provisioning 83% 46%

Identity administration 68% 48%

Role administration 65% 39%

Credentials management 59% 36%


Governance, Risk and Compliance




Monitoring and reporting 67% 35%

Attestation 59% 25%

Cost control 39% 22%

Risk reduction 70% 39%

Segregation of duties 60% 35%


Satisfaction with results of IAM projects

The respondents were also asked to indicate the percentage of IAM projects which actually met with the expected improvements.

Percentage of IAM projects meeting expectations

Less than 10%11 – 25%26 – 50%51 – 75%76 – 100%100%

12%

8%

19%

19%

20%

22%

Authors’ noteGenerally speaking, the respondents have high expectations of IAM, however organisations appear to have fewer expectations of business agility and the realisation rate is also low in this area. This corresponds to the fact that business agility is perceived to be the least important driver of IAM.

The survey results show significant differences between the expected benefits and the realisation rate in the three main areas. Even in the area of GRC, which is seen as the most important driver of IAM, the realisation is far below the expectation. This may be explained by the fact that the processes of user management and provisioning are more mature in the market and that the area of GRC is still evolving. This could also indicate that there is too much focus on provisioning as part of the project process.

Considering the hard economic climate and the fact that GRC is one of the most important IAM driver for many organisations, it makes sense to focus on specific activities in order to realise the benefits in the area of GRC and to define these activities in a well-defined roadmap as this is also lacking in a lot of organisations. However, we would like to mention that investing in business agility and operational excellence can reduce IAM costs in the mid to long term. We expect these areas to be an opportunity when the economy recovers and organisations have the budget to make investments in projects in which the benefits with regard to expenses are realised within the mid to long term.





These facts confirm the analysis of benefits versus realisation by driver. Less than a quarter (22%) of respondents experienced IAM projects fully meeting their expectations by 100%. An analysis by sector shows that organisations in the FS, IGH and ICE sectors have the highest percentage of IAM projects meeting requirements. Around 40% of these organisations achieved their project goals for 75%-100% of their projects. There are also big differences in the ability to measure the effectiveness of the projects, e.g. in the IM and IGH sectors this was around 30%, or alternatively respondents stated that it was unknown whether the project goals were met. This was 50% in the CM sector, compared to around 10% in the FS and ICE sectors.

Percentage of IAM projects meeting requirements (per sector)

Source: KPMG/Everett IAM survey, October 2009 The participants were also asked to indicate to what extent they were satisfied with the project outcome.

Satisfaction with IAM project outcome


Less than 10%11 – 25%26 – 50%

51 – 75%76 – 100%100%

Unknown

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

IM

CM

IGH

ICE

FS

OTH

Sect

or

Authors’ noteRespondents’ answers help to give an indication that organisations are apparently satisfied if the expected benefits are realised in more than 50% of their projects. A possible clarification could be that the original expectations were known to be too optimistic, or that it is common sense to accept that projects, in general, do not realise all of their expected benefits. The difference between the satisfaction level and number of successful projects can also be explained by the fact that many organisations lack insight into the benefits of IAM projects.

Very dissatisfiedNot satisfiedNeutralSatisfiedVery satisfied

3%

13%

35%41%

8%



A difference with the 2008 IAM Survey results is that in this survey more respondents were neutral (34%) than in 2008 (27%). Also this year, less respondents (6% decrease) were very dissatisfied with their IAM project outcome.

As a large amount of IAM projects still do not realise all of their goals, it is interesting to analyse why these projects fail. As in last year’s survey results, the business issues are seen as the biggest hurdle as lack of support from management and stakeholders is also a business issue.

Causes of project failure


Measuring costs and quality of IAM services

In the 2009 survey several questions were included related to the measurement of various aspects of IAM. In general, the majority of the respondent organisations face difficulties in measuring the costs and quality of IAM:

• 49% did not know or measure the costs related to IAM service delivery;

• 48% did not know or measure the quality of IAM service delivery;

• 37% did not know the costs related to the review (internal/external) of access rights as part of GRC.

The results also show that a large number of respondents want to realise cost reductions with regard to service delivery and GRC and want to improve the quality of service delivery. This can be difficult to realise without the necessary insight into the quality and costs.

0% 20%10% 30% 40% 50% 60%

Substantial excess ofthe allocated budget

Goals not achieved withinallocated time

Business was not ready for proposed/presented solution

Lack of support from management and/or stakeholders

Unrealistic goals,given time and budget

Project result did not provide a solution for the actual problem

Proposed/presented IAM technology did not integrate with existing IT

Other

8%

27%

50%

51%

39%

17%

20%

14%

Authors’ noteIn our view, the aim of IAM is to resolve business issues. The respondents indicate that it is still difficult to gain the commitment and involvement of the business. This can be a big risk for a project’s success rate as the business should be responsible for IAM and also because it becomes difficult to measure a projects benefits. Surprisingly the respondents indicated that technical issues are not a large hurdle compared to other reasons. In our firms’ experience the technical maturity of the IAM solution is still not ideal and as a result can be one of the biggest project risks. Technical issues often impede the realisation of the user requirements, which can cause issues with the business as its requirements are not met. In addition, technical issues can cause a budget overrun which is also a project risk.




Methods to measure IAM success


Lacking insight into IAM benefits


Although a reasonable number of organisations measure their IAM effectiveness, organisations are still struggling to gain insight into the benefits of IAM:

• 18% entirely agreed that they have a lack of insight into the benefits of IAM;

• 53% partially agreed that they have a lack of insight into the benefits of IAM;

• Only 8% entirely disagreed that they have a lack of insight and therefore have a proper insight into the benefits of IAM.

Authors’ noteOrganisations are facing difficulties in measuring the costs and quality of IAM service delivery and gaining insight into the benefits of IAM. This supports KPMG’s experience that a business case is often based on qualitative drivers and that it is still difficult to quantify the costs and also the benefits of IAM. This can be a risk when selling your business case internally and staying alive as a project in these economically turbulent times. It is therefore recommended to include benefits management into project and project portfolio management. Issues relating to measurement can also be an indication that an individual’s opinion of ‘realisation’ and ‘satisfaction’ is a subjective opinion and can also differ internally within organisations.

Entirely agreePartially agreePartially disagreeEntirely disagreeNeither agree nor disagree

8% 18%

52%

14%

8%

0% 20%10% 30% 40% 50% 60%

Compare to industry standards and best practices

Compare with organization specific predefined key performance indicators

Through external auditsand/or benchmarks

No measurement

Other

33%

29%

40%

29%

5%


Appendix





Definition of IAM

Several definitions of IAM are generally used. For the purpose of this survey, IAM is defined as:

“The policies, processes and systems forefficiently and effectively governing and managingwho has access to which resources within an organisation.”

To be more precise, IAM is the process of creating value and addressing IT governance and compliance through effective and efficient:

• Managementofusers;• Authenticationoftheidentityofusers;• ManagementofuseraccesstoITresources;• Monitoringwhatusersdowiththataccess.

KPMG IAM reference model KPMG’s experience with IAM has led to the development of an envisioned end-state; the KPMG IAM reference model:

A Reference models



The IAM processes supporting the business, as identified in the IAM reference architecture, are:

• User Management – Activities for the effective governance and management of the lifecycle of identities;

• Authentication Management – Activities for the effective governance and management of the process for determining that an entity is who or what it claims to be;

• Authorisation Management – Activities for the effective governance and management of the process for determining entitlement rights that decide what resources an entity is permitted to access in accordance with the organisation’s policies;

• Access Management – Enforcement of policies for access control in response to a request from an entity requiring access an IT resource within the organisation;

• Data Management and Provisioning – Propagation of identity and data for authorisation to IT resources via automated or manual processes;

• Monitoring and Audit – Monitoring, auditing and reporting compliance by users regarding access to resources within the organisation based on the defined policies.

Areas within the main IAM drivers

Business agility

Three areas are identified as follows:

• Adaptationtoorganisationalstructurechanges – Being able to quickly adapt (bulk) user access rights when changing the organisational structure (as a result of a reorganisation or with mergers and de-mergers);

• Extendedenterprise – Support for working with business partners and internal separate organisations in an extended enterprise, e.g. through federation;

• Applicationintegrationandexploitation – Fast integration of new applications or systems and how effectively the business applications and other services are exploiting the IAM infrastructure.





Six areas are identified as follows:

• Cost of service delivery – With regard to IAM, such as costs related to authorisation, the number of deficiencies requiring remediation and the increased productivity of end users due to quicker access to necessary applications and systems;

• Qualityofservicedelivery – How well the IAM processes and services are performing;

• User management and provisioning – Support for all aspects of user registration/de-registration and assigning/removing privileges and resources;

• Identity administration – Administration of core user identity data as well as organisational reference data (such as organisational tree/relationship between manager and employee);

• Role administration – Administration of access rights by using a grouping mechanism (e.g. roles). The grouping mechanism will be used during the access request process when requesting and approving access;

• Credentialsmanagement – Managing all aspects of user credentials (e.g. passwords, tokens) for authentication purposes.

Governance, Risk and Compliance

Five areas are identified as follows:

• Monitoringandreporting – Being able to overview (in near real-time) which users have access to what information and being able to efficiently generate GRC-related reports;

• Attestation – Being able to provide reports to be signed by: a) business process owners to attest the appropriateness of the design of access controls; b) line management to attest the correctness of the granted access rights;

• Costcontrol – Costs related to the preparation and execution of internal/external reviews of access rights;

• Riskreduction – Being in control of fraud risks due to a complete insight into end users’ access rights;

• Segregationofduties – Detecting and avoiding potentially conflicting roles (responsibilities) of end users.



About KPMG

KPMG is a global network of professional firms providing Audit, Tax and Advisory services. We operate in 144 countries and have 137,000 people working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International, a Swiss cooperative. Each KPMG firm is a legally distinct and separate entity and describes itself as such. KPMG International performs no professional services for clients nor, concomitantly, generates any revenue.

KPMG firms have performed a wide range of IAM projects and have a broad service offering, such as executing current state assessments, defining vision statements, developing (business) architectures, creating roadmaps, perform access attestation/certification projects and assisting in executing IAM audits.

Knowledge of IAM is embodied in our firms’ professionals; to emphasize that we pro-actively develop the knowledge of our people. Around the world we have a number of Centers of Excellence (CoE) for IAM, for the EMEA region this center is located in Amstelveen in the Netherlands.

As a result of our firms’ IAM project experience, we have gathered much information, identified “industry best practices” and have a detailed understanding of project perils and pitfalls. In 2007, KPMG developed a methodology for IAM projects, this methodology enables our firms to support clients locally and on a global scale.

About Everett

Everett is a systems integrator and consultancy firm with highly skilled professionals and unique hands-on experience. Everett has offices in Nieuwegein (head office), London (England), Milan (Italy) and Bangalore (India). Everett also provides 7x24 solution support services. Since its inception in 1999, Everett has proven itself as a leading specialist on Identity Enabled Service Platforms and middleware in general as applicable in Identity & Access management, GRC, Portal, Secure Remote Access, and Enterprise Application Integration technology.

Since new technologies and new concepts bring uncertainty Everett has developed ways to absorb that, while implementing. Everett’s interactive and iterative methodology EVOLVE embraces change and channels it to the desired result. Our consultants will assist you in this process as your consultant, architect, project manager or engineer. As a temporary addition to your team or as a project team with a clear mission and turn-key responsibility.

B About the authors




Everett strives for thought-leadership in its competences and it wants to work as a trusted advisor with the early adopters in any industry. Everett’s commitment is to deserve its reputation as ‘trusted to know’.

About eema and IIR

For 22 years, eema has been Europe’s leading independent, non-profit e-Identity & Security association, working with its European members, governmental bodies, standards organisations and interoperability initiatives throughout Europe to further e-Business and legislation.

Over the years IIR, an Informa Plc company, has constantly developed and refined the process of producing premium business events with a threefold aim of objectivity, timeliness and practical solutions. Featuring key industry experts, IIR conferences provide up-to-date information direct from practitioners who have found solutions to the challenges facing businesses today. By staying close to each market IIR ensures that the conference takes place at exactly the right time to provide you with the information you need, when you need it.



AustriaMichael SchirmbrandPartnerTel. +43 (1)3 133 [email protected]

BalticsAndris BriezeSenior ManagerTel. +371 6703 [email protected]

BelgiumAlain D’HoeSenoir Business Development ManagerTel. +32 (0)2 708 [email protected]

BulgariaNikola NyagolovSenior ManagerTel. +359 (2) 9697 [email protected]

Czech RepublicTomás KudelkaSenior ManagerTel. +42 (0)23 411 [email protected]

DenmarkMorten Klitgaard FriisPartnerTel. +45 3818 [email protected]

FranceLaurent GobbiPartnerTel. +33 1 [email protected]

FinlandPanu HärkönenManagement AdvisorTel. +35 (8)50 372 [email protected]

GermanyJörg AsmaPartnerTel. +49 221 2073 [email protected]

GermanyMarko VogelManagerTel. +49 201 455 [email protected]

HungaryTamas GaidoschPartnerTel. +36 1 887 [email protected]

ItalySaverio CelanoSenior ManagerTel. +39 [email protected]

LuxembourgMichael HofmannPartnerTel. +352 22 51 51 79 [email protected]

PolandKrzysztof RadziwonPartnerTel. +48 (22) 528 11 [email protected]

PortugalTiago ReisSenior ManagerTel. +351 210 110 [email protected]

RomaniaGabriel Mihai TanaseManagerTel. +40 (21) 201 22 [email protected]

RussiaNikolay LegkodimovSenior ManagerTel. +7 (495) [email protected]

SlovakiaPavol AdamecDirectorTel. +421 (2) [email protected]

SpainRamon PochPartnerTel. +34 [email protected]

SwitzerlandRoman HaltinnerSenior ConsultantTel. +41 44 249 [email protected]

The United KingdomMalcolm MarshallPartnerTel. +44 207 311 [email protected]

The NetherlandsJohn HermansAssociate PartnerTel. +31 (0)20 656 [email protected]

KPMG contacts




Northern Europe• Denmark• England• Finland• Norway• Scotland

Eastern Europe • Belarus• CzechRepublic• Latvia• Romania• Russia• Turkey

Southern Europe • Cyprus• Greece• Italy• Spain

Western Europe • Austria• Belgium• France• Germany• Luxembourg• Netherlands• Switzerland

C European regions

kpmg.com

Disclaimer information © Copyright information and publication details

Contact subhead: Univers 65 Bold 9pt; 12pt leading

Contact body: Univers 45 Light 9pt; 12pt leadingFirstname LastnameStreet addressCity/CountryTel +86 (10) 6505 6300Fax +86 (10) 6505 6301

Firstname LastnameStreet addressCity/CountryTel +86 (10) 6505 6300Fax +86 (10) 6505 6301



















The views and opinions expressed herein are those of the survey respondents and do not necessarily represent the views and opinions of KPMG International or KPMG member firms.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2009 KPMG International. KPMG International is a Swiss cooperative. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Printed in the Netherlands. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.158_1009

Contact us

KPMGJohn HermansAssociate Partner Tel +31 (0)20 656 [email protected]

EverettPeter Valkenburg Chief Technology OfficerTel +31 (0)30 659 [email protected]

2009 European Identity and Access Management Survey · 6 2009 European Identity & Access Management...

Documents

Transcript of 2009 European Identity and Access Management Survey · 6 2009 European Identity & Access Management...