Risk
7/9/2012 02:45 AM

5 Business Trends Driving IAM Spending

Mobile, cloud, user productivity, contextual security, and compliance all drive adoption of identity and access management

As deperimeterization, data theft risks, and compliance mandates all converge to weigh on IT security shoulders at once, enterprises are looking more closely at the way they approach identity and access management (IAM). No longer content with manual processes and poor control of user accounts, enterprises will be taking out their pocketbooks in force for IAM projects in the coming years. According to analyst firm TechNavio, the global IAM market should see a steady growth rate of 8.2 percent through 2015.

This is not to say that most organizations are looking at IAM for the first time -- they're just spending more to move their deployments to the next level.

"More and more organizations are realizing that they need to move beyond phase one of identity implementations, purely relying on Active Directory and doing things manually," says Nishant Kaushik, chief architect at Identropy. "They're now moving more and more into a full-service IAM adoption to deal with the scale and agility with which they have to manage and govern things."

Dark Reading spoke with a range of IAM experts to find out what market forces are causing today's brand of "identity crisis." Here's what they named as the key drivers behind IAM spending today.

Cloud Adoption
Named by many experts as one of the biggest business driving forces behind enterprise IAM interest, cloud deployments rewrite the old model of managing user accounts and access.

"Most organizations are adopting private cloud datacenters as well as hosting services and applications in the cloud," says Eric Chiu, president and founder of HyTrust. "New technologies such as virtualization increase security and compliance risk given the 'god-like' powers of administrators. In addition, organizations lose control over their data and systems by utilizing cloud services."

The more cloud applications and sources within and outside the enterprise that need to be monitored and controlled, the faster an organization approaches entropy, warns Todd Clayton, founder of CoreBlox.

"As the number of applications and sources increases, it becomes increasingly more complex to manage the identities for those applications. User provisioning is typically a jumble of manual, error-prone processes that require the involvement of disparate teams," he says. "These teams don't own the overall process. So no one is ultimately responsible for ensuring that the user is correctly provisioned."

According to Clayton, this can lead at best to a poor user experience and at worst to unauthorized access to systems. And, says Phil Lieberman, CEO of Lieberman Software, it is not something that can be contained by simple use of Active Directory.

"Over the last few years, the slow and unstoppable adoption of Microsoft Active Directory as the core identity management system has begun to erode as companies force the adoption of cloud-based resources and applications that don't have the ability [easily or otherwise] to integrate external and internal identity management resources," he says.
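The provisioning failure Clayton describes, where no single team owns the process and accounts drift out of step with who actually works where, is something a defender can measure. The following is an added example, not code from the article or from any vendor quoted in it: it reconciles account exports from two applications against an authoritative HR feed and flags orphaned accounts, accounts still held by terminated employees, and accounts held outside the entitlement policy. The HR feed, application exports, and department policy are all constructed sample data.

```python
"""Reconcile application accounts against an authoritative identity source.

Added example, not code from the article. All data below is constructed.
"""
from dataclasses import dataclass

# Constructed authoritative source: employee id -> status and department.
HR_FEED = {
    "e100": {"status": "active", "dept": "engineering"},
    "e101": {"status": "active", "dept": "finance"},
    "e102": {"status": "terminated", "dept": "finance"},
}

# Constructed account exports, one on-premises app and one cloud app.
# Each account maps to an employee id, or None when the account is not
# linked to any known identity (a typical leftover of manual provisioning).
APP_ACCOUNTS = {
    "crm-cloud": {"alice": "e100", "bob": "e101", "carol": "e102", "svc-legacy": None},
    "erp-onprem": {"bob": "e101", "carol": "e102", "dave": "e100"},
}

# Constructed entitlement policy: which departments may hold accounts where.
ALLOWED_DEPTS = {"crm-cloud": {"engineering", "finance"}, "erp-onprem": {"finance"}}


@dataclass
class Finding:
    app: str
    account: str
    issue: str  # "orphan", "terminated" or "out_of_policy"


def reconcile(hr, apps, policy):
    """Compare every application account with the authoritative source.

    Checks run in order of severity: an account with no owner is an orphan,
    an account whose owner has left is a termination gap, and an account
    whose owner's department is not entitled to the app is out of policy.
    """
    findings = []
    for app, accounts in apps.items():
        for account, emp in sorted(accounts.items()):
            if emp is None or emp not in hr:
                findings.append(Finding(app, account, "orphan"))
            elif hr[emp]["status"] != "active":
                findings.append(Finding(app, account, "terminated"))
            elif hr[emp]["dept"] not in policy.get(app, set()):
                findings.append(Finding(app, account, "out_of_policy"))
    return findings


def summarize(findings):
    """Count findings per issue type, e.g. for a dashboard or audit report."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(HR_FEED, APP_ACCOUNTS, ALLOWED_DEPTS)
    for f in results:
        print(f"{f.app:12} {f.account:12} {f.issue}")
    print(summarize(results))
```

Run periodically against real exports, the findings list is the artifact that tells you which accounts to disable first; the "terminated" and "orphan" classes are the ones that most directly turn into the unauthorized access Clayton warns about.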

BYOD And Mobile
Even as users are connecting to increasingly more applications every day, they're doing it from a wider range of devices than ever before. According to Julian Lovelock, vice president of product marketing at ActivIdentity, mobile security concerns are driving a large number of deployments in customer environments.

"More and more users are bringing their iPhones, Android phones, and tablets to work and using them for professional purposes," Lovelock says. "This shift has hastened the need to secure at least a section of those devices through 'containerization' in most cases. A solution that ensures the identity and access for these third-party devices is playing a strong role in the move to IAM for many organizations we work with."

According to Eric Olden, CEO of Symplified, clever IAM deployments are making it possible for organizations to solve that years-long consumerization conundrum of controlling user-owned devices without installing software on the mobile endpoint.

"IAM also provides a 'follow me' experience for employees across their phone, tablet, and PC so they can enjoy the same single sign-on and access permissions regardless of the access device," Olden says.

User Productivity
This "follow-me" experience not only bolsters security, but also wins user buy-in by reducing the productivity burdens of ungainly log-in processes. According to Pierluigi Stella, CTO of Network Box USA, much of today's IAM work is centered on maintaining security while reducing user frustration.

"IT departments do not want their users to get frustrated having to log on multiple times to multiple systems," Stella says. "They aim at having one place to identify users and correctly grant access to data only on an as-needed basis."

The concern for productivity is a natural by-product of the aforementioned cloud and mobile explosion because not only do these converging trends open up increased risk, they also increase operational friction. That is why so many organizations are working to establish single sign-on and federated identities.

"Having one identity which is managed securely and works across all your business services greatly lessens the risk and inconvenience of handling multiple log-ins," says Corey Nachreiner, senior network security strategist for WatchGuard Technologies. "As more IAM solutions and Web services support globally federated identities, it will become easier for users to manage their identity everywhere."

As Clayton puts it, IAM abstracts away the authentication process from applications. Doing so helps improve user satisfaction and can preemptively combat risky user end-arounds, says Olden.

"IAM can prevent employees from going behind IT's back by providing seamless access to cloud apps and services through single sign-on, while at the same time enforcing access control policies, authentication methods, and auditing usage of cloud-based apps," he says.

Empowering Contextual Security
Whether it is for public cloud or on-premise application access through mobile devices or desk-bound PCs, today's drive toward more robust IAM is following the general course of security's move toward contextual awareness, Nachreiner says.

"[It's] the idea that you can create policies based on knowing who, what, when, and from where a user or device is doing something," he says. "If you see a TFTP connection sending an AutoCAD document to an IP address in China, it has a very different connotation than if you see an authenticated user you know, with a C-level role, uploading that same AutoCAD document."

In both cases, a sensitive AutoCAD document leaves the network, he explains. But only one of them bodes well for the company.

"The only way to know the good transfer from the bad is having security controls that understand context. IAM solutions can provide some of this context to these context aware controls," he says.

The principle behind IAM's path to contextual security is simple, even if the execution is complex, says Nick Nikols, CTO of Quest Software.

"The only way to provide appropriate security while also permitting the convenience and fluidity of movement that today’s business demands is by having a solid understanding of who it is that is trying to access your data and resources," he says.
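Nachreiner's AutoCAD scenario is the clearest statement on this page of what "context" means operationally: the same sensitive file leaving the network gets a different verdict depending on who is moving it, how, when, and to where. The block below is an added example, not code from the article or from any vendor quoted in it. It models that scenario as a small policy evaluator in which identity-derived context (is the session authenticated, and does the role permit sensitive transfers) decides between block and allow, while secondary signals (destination region, time of day) only downgrade an approved user's transfer to an alert for review. The role sets, protocol sets, home region, business hours, and the four sample events are all constructed.

```python
"""Context-aware transfer policy: same data movement, different verdicts.

Added example, not code from the article. Policy constants and events are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy inputs.
APPROVED_ROLES = {"executive", "design-lead"}   # roles entitled to move sensitive files
APPROVED_PROTOCOLS = {"https", "sftp"}          # channels with auth + transport security
HOME_COUNTRIES = {"US"}                         # destinations that need no extra scrutiny
BUSINESS_HOURS = range(7, 20)                   # UTC hours considered normal


@dataclass
class Event:
    user: Optional[str]    # None when the session was never authenticated
    role: Optional[str]
    protocol: str          # e.g. "tftp", "https"
    dest_country: str      # ISO country code of the destination address
    data_class: str        # "public" or "sensitive"
    hour_utc: int


def evaluate(event: Event) -> Tuple[str, List[str]]:
    """Return (verdict, reasons) where verdict is "allow", "alert" or "block".

    Identity context is primary: an unauthenticated or unapproved actor, or an
    unapproved channel, is blocked outright. For an approved, authenticated
    user the remaining signals only raise an alert so an analyst can look.
    """
    reasons: List[str] = []
    if event.data_class != "sensitive":
        return "allow", reasons

    if event.user is None:
        reasons.append("unauthenticated session moving sensitive data")
    if event.role not in APPROVED_ROLES:
        reasons.append("role not approved for sensitive transfers")
    if event.protocol not in APPROVED_PROTOCOLS:
        reasons.append(f"unapproved protocol {event.protocol}")
    if event.dest_country not in HOME_COUNTRIES:
        reasons.append(f"destination outside home region ({event.dest_country})")
    if event.hour_utc not in BUSINESS_HOURS:
        reasons.append("outside business hours")

    identity_or_channel_bad = (
        event.user is None
        or event.role not in APPROVED_ROLES
        or event.protocol not in APPROVED_PROTOCOLS
    )
    if identity_or_channel_bad:
        return "block", reasons
    return ("alert" if reasons else "allow"), reasons


# Constructed sample events mirroring the scenario quoted above.
SAMPLE_EVENTS = [
    Event(None, None, "tftp", "CN", "sensitive", 3),            # anonymous TFTP abroad at night
    Event("cfo", "executive", "https", "US", "sensitive", 14),  # known executive, normal context
    Event("cfo", "executive", "https", "CN", "sensitive", 14),  # same executive, unusual destination
    Event("intern", "intern", "https", "US", "sensitive", 14),  # authenticated but not entitled
]


def evaluate_all(events: List[Event]) -> List[str]:
    """Verdict per event, in input order."""
    return [evaluate(e)[0] for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict, why = evaluate(e)
        print(f"{verdict:5} user={e.user} proto={e.protocol} dest={e.dest_country} :: {'; '.join(why) or 'clean'}")
```

The point the code makes concrete is that the file-level fact ("a sensitive document is leaving") is identical in all four events; only the identity and context fields, which an IAM system is positioned to supply, separate the block from the alert from the allow.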

Governance And Compliance
Unsurprisingly, establishing that contextual whodunit aspect of security is really what the spirit of most of today's biggest regulatory mandates dictates, Nikols says.

"It really requires a sufficient identity and access management solution to cost-effectively address these compliance concerns," he says.

That is why compliance and corporate governance concerns continue to drive IAM spending considerably. Without visibility into individual user access behaviors, audits can quickly turn sour.

"Companies need to be able to quickly address information requests, attest to system access, and sign off on regulations like SOX and other compliance requirements," Clayton says. "IAM technologies simplify the process of satisfying regulation requirements and can also generate the artifacts needed to show that the organization is compliant."

Comments
RWEEKS000
User Rank: Apprentice
7/10/2012 | 7:39:57 PM
re: 5 Business Trends Driving IAM Spending
All of the points above are certainly things we are seeing as well. I would just add managing risk to the business as a key driver for IAM spending. With continued increases in data breaches by both internal and external users, we are seeing a focus on managing risk, in addition to demonstrating compliance and increasing efficiency. When addressing risk, particularly risk based on user access to sensitive information and critical applications, enterprises need a three-pronged approach to identify, quantify and manage access risk. This approach will allow business users to protect their data, determine if it has been or could be leaked and react promptly, efficiently and appropriately to prevent or minimize the effects when the leak occurs.

Rachel Weeks, Courion

SteveB
User Rank: Apprentice
7/10/2012 | 2:22:14 PM
re: 5 Business Trends Driving IAM Spending
Thanks for this! I wasn't aware that IAM could help with the BYOD issue, without installing software on endpoint devices. Now, I just have to figure out what the "clever IAM deployment" is that Eric refers to!