At Forrester Research Inc., we've heard from many of our clients that security is still the top driver behind the use of identity and access management tools. But, we've also seen an interesting shift since 2009: IT administration efficiency is now the second most common motivator, with 30% of respondents from a recent Forrester survey weighting this efficiency above regulatory compliance. Business agility is also a new factor, as business owners increasingly look to security professionals to solve business problems.
But, despite increased spending, security and risk professionals continue to face tough vendor selection decisions due to customization and user-friendliness requirements. Additionally, recent vendor acquisitions have left a wake of ongoing repercussions, such as Oracle Corp's acquisition of Sun Microsystems and its Identity Manager product, which effectively killed the Sun OpenSSO Web single sign-on project without providing an open source alternative. This has forced many enterprises to migrate to Oracle Identity Manager from Sun Identity Manger, without any usable migration tools, undoubtedly a difficult process.
Given these shifts, Forrester is predicting a few key trends that will affect identity and access management concepts in 2011, and beyond:
Prediction 1: Business agility will continue to rise in importance
Many security professionals stopped using access recertification tools -- which aid comparative analysis to determine if user access rights are valid and/or necessary -- on a periodic basis, recognizing that compliance is more than just generating a huge stack of audit records. Instead, they're providing continuous compliance to auditors by understanding how users obtain access to an application, offering the ability to perform access recertification outside of campaign cycles. Supporting this idea, access recertification has been gaining ground, even without direct provisioning. Additionally, business-friendly user interfaces, risk scoring, usage patterns highlighting and pattern recognition all point in this direction.
Prediction 2: Data security will come to depend on IAM
The recent WikiLeaks drama is a perfect example of the importance of information asset control and protection. The debacle could have been prevented, not only by tighter and more context-sensitive access control of applications, but also by preventing easy access to need-to-know information. Today, we're already seeing Web single sign-on, entitlement management, user account provisioning and access recertification adding features that support integration of data asset control with identity lifecycle management.
Prediction 3: Mobile devices will need to be managed via IAM systems
Today, mobile phones often act like portable PCs: They're being used to store sensitive data, to access business and personal applications, and to submit and approve access requests. And, on top of this, many users are opting to use thick-client applications (like a CRM application for their sales forces) from their mobile devices. Given the evolving mobile environment, security professionals will have several issues to consider, such as rethinking how to control access to corporate applications when users are signing on from a mobile browser, and applying identity access management features to mobile phones. While today's IAM tools are hardly mobile-browser friendly, expect this to change in 2011. IAM vendors will likely add email-based, fast track approvals and the ability to spawn sessions for system administration from a mobile device.
Prediction 4: IAM in the cloud will provide more than just access control
In 2011, Forrester is expecting a variety of vendors to provide trusted broker services for enterprise access to Software as a Service (SaaS) applications with single or reduced sign-on. This will likely mean access control to SaaS applications will expand into provisioning, access recertification and role management. Additionally, we're expecting organizations to increasingly pass user attributes from identity providers to service provider applications, in order to drive user entitlements. For example, verification of users through social networking sites will serve as a means to vet users to the company's external facing website for low-value, high-volume transactions.
With the increasing sophistication of fraud rings and security attacks, coupled with the rapid adoption of various mobile and post-PC devices and the changing business environment, it will be important to consider various questions when selecting your organization's next IAM product. For example, does the product recognize risk and patterns, making fraudulent activity easily identifiable? Or, more simply, does the product work from a mobile device? While mobile browser support is a minimum requirement, mechanisms for secure PKI certificate management and centralized access auditing should also be expected. But, most importantly, does the product help improve business agility and demonstrate value? By proving to budget holders that substantial savings are achievable, it will be much easier to sell the product internally.
About the author:
Andras Cser is principal analyst at Forrester Research. He will be speaking at Forrester's Security Forum EMEA, March 17-18 in London.