everett & mckinsey identity and access management 2009 survey
8/8/2019 Everett & McKinsey Identity and Access Management 2009 Survey
2009 European Identity and Access Management Survey
A survey conducted by KPMG IT Advisory together with Everett
Advisory
Supported by eema and IIR
The findings at a glance
2009 KPMG International
The value of Identity and Access Management (IAM) is still recognised
and IAM is here to stay
Almost 90% of the survey participants have initiated one or more IAM projects
in the last year;
70% of the respondents have a specifically allocated IAM budget.
Clearly the economic crisis has its impact on IAM, but IAM is still in the
spotlight
A quarter of the respondents reported budget cuts of 5%-50%, whereas 13%
reported budget cuts of more than 50%;
More than half of the respondents indicated a change of project scope;
Many organisations are quite confident that their original business case is still
applicable in this hard economic climate;
Despite budget cuts, almost three quarters of respondents entirely or partially
agreed that IAM investments should be increased instead of decreased due to
the current economic climate.
Governance, Risk and Compliance is by far the main driver of IAM
Governance, Risk and Compliance is even more important than last year's
survey indicated;
The vast majority of IAM projects are still focused on their organisation's direct
employees;
Access attestation and certification services are on the map and this is
possibly at the expense of the implementation of complete IAM solutions.
This indicates a shift from more preventive controls to a detective approach
focused on an organisation's crown jewels.
There are still significant gaps between the expected and realised benefits
of IAM
Although gaps between expectation and realisation still remain, over half of the
respondents were satisfied with the outcome of their IAM project;
Organisations face difficulties in measuring the costs, benefits and quality of
IAM services and related activities.
A lack of business buy-in is the main cause of IAM project failure
IAM projects are still mostly the responsibility of the IT department or the
Security Officer;
50% of the respondents stated that the business was not ready for the
proposed solution;
51% of the respondents indicated that there was a lack of support from
management and stakeholders.
Contents
01 Executive summary
02 Introduction
03 IAM projects status and impact of the economic crisis
04 Drivers and strategy
05 Architecture
06 Expected benefits, realisation and satisfaction
Appendix A - Reference models
Appendix B - About the authors
Appendix C - European regions
01 Executive summary
One of the most important conclusions of this survey is that, as was already
visible in the 2008 IAM Survey, IAM is here to stay. Even though the economic
circumstances are quite different for many of the organisations that participated,
the value of IAM is clearly recognised throughout all the sectors and throughout
the whole of Europe.
Almost 90% of the respondents have initiated one or more projects during the
last three years;
In 2008, one third of the respondents stated that they had no specific IAM
budget. The results of the 2009 survey show more or less a similar view as
70% of the respondents have a specific IAM budget.
The Financial Services (FS) sector continues its position as an early adopter of
IAM and in 2009 the Infrastructure, Government and Healthcare (IGH) sector
has emerged as an early adopter, whereas last year IGH was classified as a late
adopter (a so-called laggard). Despite the economic crisis, in general, the FS
sector still has the highest IAM budgets.
However, the area of IAM did not escape the impact of the economic crisis.
A quarter of the respondents reported budget cuts of 5%-50%, whereas 13%
reported budget cuts of more than 50%. Still over half of the respondents
indicate not having seen any (significant) impact on their IAM budget. However
a majority of projects encountered an impact on the project scope due to
the economic hard times. Strikingly, most are confident that the original IAM
business case still holds.
The three main drivers analysed in this survey are:
Governance, Risk and Compliance (GRC): being in control and able to prove it;
Operational excellence: cost control and user experience;
Business agility: being ready for change.
Governance, Risk and Compliance is now even more important as the main
driver of IAM than last year's survey indicated. This applies to every sector and
specifically to Financial Services, Infrastructure, Government and Healthcare and
Information, Communication and Entertainment (ICE). In the Consumer Markets
(CM) and Industrial Markets (IM) operational excellence is also of reasonable
importance. In addition, we would like to mention that investing in business
agility and operational excellence can reduce IAM costs in the mid to long term.
We expect these areas to be an opportunity when the economy recovers and
organisations have the budget to make investments in projects in which the
benefits with regard to expenses are realised within the mid to long term.
As part of GRC, access attestation and certification is now definitively on the
map of organisations. Almost 20% of the respondents indicated this to be
a means of achieving project goals. Simultaneously, the implementation of a
complete IAM solution dropped by approximately 50% towards 35%.
These facts indicate a shift from an extended preventive approach towards a
more detective approach focusing on an organisation's crown jewels. This
focused approach could also be a consequence of the economic crisis as only
focusing on the critical information will decrease the expenses.
However, when we analyse the gaps between the expected and realised
benefits of IAM projects, less than half of the respondents who expected
significant benefits from access attestation and certification realised these
benefits. This indicates that this is an evolving area which is not yet mature. In
general, there is a significant gap between the expected and realised benefits in
all areas of the main drivers. As in 2008, respondents cited the most prominent
reason for failure as being that the business was not ready for the proposed
solution and the lack of support from the business. Nevertheless, 50% of the
respondents were satisfied with their IAM project outcome.
Despite the gap between the expected and realised benefits and the negative
impact of the economic crisis, we conclude that the value of IAM is apparent to
organisations as they are still investing in IAM. The challenge for the upcoming
years is to realise the expected benefits. With limited budgets due to the economic
crisis, organisations have to make careful choices relating to the scope and
the approach. This implies a need for strong program management and a clear
roadmap for IAM.
02 Introduction
The 2009 European IAM Survey continues to explore the status of IAM projects
within European organisations. This report extends the results of KPMG's 2008
IAM Survey, and comparisons between the two are presented where applicable.
Several definitions of IAM are generally used. For the purpose of this survey,
IAM is defined as:
The policies, processes and systems for efficiently and effectively governing
and managing who has access to which resources within an organisation.
To be more precise, the processes covered by IAM are user management,
authentication management, authorisation management, access management,
provisioning and monitoring and audit. A complete overview of the KPMG
IAM reference model used for this survey is included in Appendix A.
For this survey KPMG, Everett and the media partners eema and IIR invited
a variety of European organisations to complete an online questionnaire. The
answers to the questions were subsequently analysed by a KPMG/Everett team
of IAM professionals. A detailed analysis of the results is provided in this report
in order to help the reader gain insight into:
The status of IAM projects seen across Europe;
The impact of the economic crisis on IAM budgets and project scope;
The drivers and strategy of IAM projects;
The level of benefit realisation and satisfaction with IAM projects.
A solid base of data was provided as 128 respondents from organisations located
in 23 European countries participated in the survey. Among the respondents
were a wide range of organisational representatives, from CEOs and CIOs
to Security Officers and heads of internal audit. The group also contained
participants from organisations of different sizes and from a variety of industries.
The distribution of participants with respect to European region, size and sector
was as follows:
Total number of respondents 128
Geographic region*
North (Denmark, England, Finland, Norway, Scotland) 34%
East (Belarus, Czech Republic, Latvia, Romania, Russia) 9%
South (Turkey, Cyprus, Greece, Italy, Spain) 12%
West (Austria, Benelux, France, Germany, Switzerland) 37%
Other 8%
Size (number of IT users)
Less than 1,000 20%
1,001-2,500 13%
2,501-5,000 16%
5,001-10,000 13%
10,001-25,000 13%
More than 25,000 25%
Sector
Financial Services (FS) 39%
Infrastructure, Government and Healthcare (IGH) 34%
Information, Communication and Entertainment (ICE) 13%
Industrial Markets (IM) 9%
Consumer Markets (CM) 5%
Reading aid
Chapter 3 of this report describes the current status of IAM projects and the
impact of the economic crisis. In Chapter 4 the strategy and main drivers of IAM
are elaborated. Subsequently, the IAM architecture is described in Chapter 5.
In the final chapter the expected and realised benefits of IAM are addressed;
this section also includes the participants' satisfaction with regard to the actual
benefits and their ability to measure costs and benefits of IAM.
* No significant differences were found between the four different geographical
regions as described in the table. Therefore, the results presented in this report
apply to the European region as a whole and are not divided by the four
geographical regions.
03 IAM projects status and impact of the economic crisis
Number of IAM projects initiated
Source: KPMG/Everett IAM survey, October 2009
As information is one of an organisation's most valuable assets, control of access
to this information forms an important part of an organisation's day-to-day business.
Around half (48%) of the respondent organisations had initiated one or two IAM
projects during the last three years, 87% of organisations had initiated at least
one IAM project and approximately a third (39%) had initiated more than three
IAM projects. Of these 39%, 6% had initiated more than ten projects.
Observation in comparison to the 2008 IAM Survey: In 2008, all respondent
organisations indicated that they had initiated one or more IAM projects in the
last three years, whereas 13% of 2009 respondents indicated they had not initiated
any IAM projects in the last three years.
Number of IAM projects by sector
Source: KPMG/Everett IAM survey, October 2009
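[Figure: pie chart "Number of IAM projects initiated", legend: None; 1-2; 3-5; 6-10; More than 10 projects. Segment values as extracted: 13%, 31%, 2%, 6%, 48%.]
[Figure: bar chart "Number of IAM projects by sector", same legend, x-axis 0%-100%, sectors: IM, CM, IGH, ICE, FS, OTH*.]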
Authors' note
IAM was already here to stay in 2008,
and the 2009 survey supports this
impression. IAM is clearly of concern
to all organisations, regardless of the
sector in which they operate or the
country in which they are based.
Over half of respondents indicated to
have initiated one or more projects
during the past three years. It appears
that it is often insufficient to initiate only
a single project, but that a sequence
of projects is required in order to
successfully achieve their organisation's
IAM end goals. A possible explanation
may be that previous projects have
failed, but based on our industry
experience it appears more likely that
an IAM programme, in which several
projects are contained, enhances the
chances of success. This supports
the need for a strong programme
management organisation and a clear
roadmap with clearly defined phases
and scoping.
The findings of this survey indicate that
the FS sector can still be categorised
as one of the early adopters of IAM.
Pressure to comply with banking
regulations as well as national and
international corporate governance
legislation is relatively high in this
sector, and this is assumed to be one
of the drivers of IAM projects within the
sector.
Contrary to 2008, in 2009 the IGH
sector is also adopting IAM on a regular
basis, whereas only a year ago IGH was
categorised as a late adopter.
* Other
The FS and IGH sectors both represent a significant percentage of respondents
who had initiated more than ten IAM projects over the past three years. The
IM and CM sectors, on the other hand, display less IAM project initiation with a
maximum of five initiated IAM projects.
Budgets
Size of IAM budgets
Source: KPMG/Everett IAM survey, October 2009
Out of the budgets specifically allocated to address IAM over the next three
years, 38% of the respondents plan to initiate projects with a budget up to EUR
250,000. 11% of respondents indicated that they have allocated a budget of over
EUR 1 million. Compared to the results of the 2008 IAM Survey there are no big
differences; in fact the results are almost the same.
As may be expected, smaller sized organisations (with fewer IT users) have smaller
IAM budgets and vice-versa, with EUR 10 million+ IAM budgets only occurring in
the organisations with over 5,000 employees. Overall, larger organisations appear
to have more difficulty in determining the total IAM budget, as many respondents
representing larger organisations indicated that they did not know their IAM
budget. By contrast, 80% of respondents representing smaller organisations (up
to 10,000 employees) were able to indicate the size of their IAM budget.
[Figure: pie chart "Size of IAM budgets", legend: Less than EUR 100,000; EUR 100,001 - 250,000; EUR 250,001 - 500,000; EUR 500,001 - 1,000,000; EUR 1,000,001 - 10,000,000; More than EUR 10,000,000; Unknown. Segment values as extracted: 23%, 31%, 15%, 12%, 8%, 6%, 5%.]
IAM budgets by sector
Source: KPMG/Everett IAM survey, October 2009
In 2009, budget allocations remain largely unchanged. In addition, the IM and
ICE sectors have relatively small allocated IAM budgets.
Scope
IAM Scope
Source: KPMG/Everett IAM survey, October 2009
Over 90% of the respondents indicated that IAM projects are still mainly focused
on their organisation's direct employees. This indicates that most IAM projects
are focused on controlling access to internal systems and information. However,
approximately a third of IAM projects target partner and/or supplier networks, and
approximately a third target clients via IAM projects¹.
[Figure: bar chart "IAM budgets by sector", legend: Less than EUR 100,000; EUR 100,001 - 250,000; EUR 250,001 - 500,000; EUR 500,001 - 1,000,000; EUR 1,000,001 - 10,000,000; More than EUR 10,000,000; Unknown. X-axis 0%-100%, sectors: IM, CM, IGH, ICE, FS, OTH.]
[Figure: bar chart "IAM Scope", y-axis 0%-100%: Own employees 94%; Partner and/or supplier network 37%; Clients 33%; Unknown/other 10%.]
Authors' note
It is still the FS sector that boasts the
highest number of high-end budget
ranges. This means that IAM budgets
are generally higher in the FS sector.
The IGH sector comes in a decent
second in this category. One possible
explanation is that these sectors
specifically experience a relatively high
pressure to comply with international
rules and regulations (FS) and a relatively
large number of IGH have begun over
the last year. The IM and ICE sectors
do not appear to have the IAM drivers
to justify the same level of budget
allocation. However, we note that the
obligation to comply with stringent
legislation is also becoming increasingly
important in these sectors.
¹ Multiple answers were allowed for this question and therefore the total percentage is above 100%.
This is applicable to all graphs in which the total percentage is above 100%.
Means to achieve project goals
Source: KPMG/Everett IAM survey, October 2009
With a fifth of respondents indicating attestation and certification solutions to be
a means of achieving project goals, attestation and certification solutions have
emerged to become one of the serious options on this chart. Common means
(implementation of a new policy, a complete IAM solution, a user management
and provisioning solution or enhanced authorisation) all represent a fairly similar
number of respondents, with user management and provisioning as the most
commonly used solution.
Impact of the economic crisis
Impact on IAM budget
Source: KPMG/Everett IAM survey, October 2009
Although over half of respondents indicated not to have seen any (significant)
impact on IAM budgets, over a third (37%) indicated that their IAM budget has
been cut. A quarter of the respondents reported a 5%-50% cut, whereas 13%
reported IAM budget cuts of over 50%. As might be expected, IAM budgets are
under pressure as a result of the economic crisis.
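[Figure: pie chart "Impact on IAM budget", legend: The IAM budget is increased by more than 50%; The IAM budget is increased by 5-50%; No impact, (almost) unaffected IAM budget; The IAM budget is cut by 5-50%; The IAM budget is cut by more than 50%. Segment values in legend order as extracted: 1%, 7%, 55%, 24%, 13%.]
[Figure: bar chart "Means to achieve project goals", y-axis 0%-50%, categories: New policy; Complete IAM solution; User management and provisioning; Attestation and certification; Enhanced authorisation; Other. Bar values as extracted: 35%, 37%, 44%, 20%, 31%, 11%.]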
Authors' note
As far as the respondent organisations
are concerned, attestation and
certification is now on the map. In
general the means to achieve project
goals are fairly evenly distributed over
the five IAM approaches mentioned
here, with only 11% of respondents
resorting to other means to achieve
their IAM project goals. This may be
viewed as a sign of the maturity of the
IAM market, as most respondents found
the options to achieve their project
goals readily available in today's vendor
portfolios.
The implementation of a complete
IAM solution has dropped significantly
towards 35% (a 50% drop). It is
possible that the focused approach of
targeting crown jewel components of
the information/application landscape
has reduced the popularity of the
complete solution. It is also possible that
a shift has taken place from the more
preventive complete approach to more
detective solutions such as attestation
and certification focused on the crown
jewels.
However, 73% of respondents entirely or partially agreed that the economic
crisis is another reason why their organisation should invest in IAM.
Impact on IAM budget by sector
Source: KPMG/Everett IAM survey, October 2009
Although some sectors were largely unaffected, over a third (37%) of
respondents reported cuts in their IAM budget of more than 5%, especially in the
FS, ICE and IGH sectors. CM does not appear to be impacted as of yet, however
this might be distorted as almost 50% of the CM sector respondents indicated
not knowing their IAM budget.
Impact on IAM budget by total IAM budget range
Source: KPMG/Everett IAM survey, October 2009
[Figure: bar chart "Impact on IAM budget by sector", legend: The IAM budget is increased by more than 50%; The IAM budget is increased by 5-50%; No impact, (almost) unaffected IAM budget; The IAM budget is cut by 5-50%; The IAM budget is cut by more than 50%. X-axis 0%-100%, sectors: IM, CM, IGH, ICE, FS.]
[Figure: bar chart "Impact on IAM budget by total IAM budget range", same legend, x-axis 0%-100%, budget ranges: >10M, 1M-10M, 500K-1M, 250-500K, 100-250K.]
It appears that the larger IAM budgets, and generally speaking the larger IAM
projects, faced the hardest budget cuts in absolute terms (total EUR) and
relative terms. Smaller organisations (with IAM budgets of up to EUR 10 million)
experienced a range of IAM budget cuts (anywhere between 5%-50%) and the
IAM budget increased in a relatively small number of organisations.
Impact on scope
Source: KPMG/Everett IAM survey, October 2009
Despite the fact that 55% of respondents indicated that the economic crisis
has had no impact on their IAM budget, around 60% indicated that there was
some impact on the project scope, ranging from the slowing down to complete
stopping of IAM projects. Figures clearly indicate that projects are being
impacted negatively across all sectors.
Impact on business case
The IGH sector appeared to experience little effect of the economic crisis in
this respect, as almost 90% of respondents believed that the economic crisis
does not have an impact on the business case for IAM. Overall, over 70% of
respondents indicated that there was no impact on the IAM business case. In
addition, 80% of the respondents stated that the original IAM business case
would still be accepted under the current circumstances.
[Figure: bar chart "Impact on scope" by sector, legend: No impact; Slowing down (take more time for IAM projects); Redefining the project scope focussing on the crown jewels; Selecting or choosing a different approach; Stopping IAM projects. X-axis 0%-100%, sectors: IM, CM, IGH, ICE, FS, OTH.]
Authors' note
The survey clearly indicates that IAM
budgets are under pressure from
the economic crisis. Over a third of
respondents have already experienced
budget cuts. We expect that this figure
may rise in the next year as the budget
cycle for 2010 in general is under
pressure due to the economic crisis.
Large organisations in the Financial
Services sector have been hit especially
hard in the crisis and, generally
speaking, larger IAM projects face the
hardest budget cuts in absolute terms
(total EUR). However, respondents were
generally confident that the original IAM
business case would still be accepted
under the current circumstances.
04 Drivers and strategy
Main IAM driver
Source: KPMG/Everett IAM survey, October 2009
The participants were asked to state their main IAM driver from the following
options:
Governance, Risk and Compliance;
Operational excellence;
Business agility.
Respondents indicated that Governance, Risk and Compliance is undoubtedly the
main driver of IAM projects (72%). Operational excellence comes in second at
14% and business agility comes in third at 13%. Compared to the results of the
2008 IAM Survey, GRC has become even more important.
Main IAM drivers by sector
Source: KPMG/Everett IAM survey, October 2009
[Figure: bar chart "Main IAM driver", x-axis 0%-100%: GRC 72%; Operational excellence 14%; Business agility 13%.]
[Figure: bar chart "Main IAM drivers by sector", legend: Business agility; Operational excellence; GRC. X-axis 0%-100%, sectors: IM, CM, IGH, ICE, FS.]
Authors' note
The relatively high weight of GRC as
a main driver in the FS sector may be
expected, as compliance requirements
are traditionally important within
this sector. In the IGH sector, GRC
is also the key topic with regard to
IAM. This could be due to the fact
that governmental and healthcare
organisations are facing more and more
requirements with regard to information
security and data privacy.
When we filter these results by sector, we find that FS, ICE and IGH represent
the highest scores for GRC. Although GRC is also a factor in the ICE and CM
sectors, the most important drivers in these sectors show a less pronounced
bias towards GRC as the main driver. In the CM and the IM sectors, operational
excellence turns out to be significantly more important than in the other sectors.
Business agility is a more important driver in the IGH and IM sectors than in any
other, most notably the FS sector.
IAM project approaches
Source: KPMG/Everett IAM survey, October 2009
When asked which project approaches are being used for IAM, many
respondents reported that several different approaches were in use. However,
there were also many respondents (25%) who reported that none of the project
approaches we suggested were in place.
When we filter these results by sector, the most prevalent result is that in the
CM and IM sectors around half of the respondents indicated that none of the
stated approaches were being used and that within IM none of these methods
were being used a lot. The IGH, ICE and FS sectors reported to be using all of
the listed project approaches.
[Figure: bar chart "IAM project approaches" by sector, legend: Milestones in place; Measurable milestones; Agreed across organization; Multi-year roadmap; None of the above. X-axis 0%-60%, sectors: IM, CM, IGH, ICE, FS.]
Authors' note
The FS sector appears to be the most
mature in running its IAM projects.
In this sector the lowest number of
"none of the above" was reported,
and the number of "agreed across the
organisation" was the highest. The IM
sector, on the other hand, appears to
be the least mature; displaying low
numbers for all of the above mentioned
project management elements. The
high score for FS is in line with previous
observations in this survey.
05 Architecture
IAM and IT architecture
Source: KPMG/Everett IAM survey, October 2009
Within 63% of the respondent organisations a specific IAM architecture has been
designed or IAM has been incorporated into the IT architecture. When broken
down into sectors we find that IM scores the highest and that all sectors, except
CM, score above 50%.
Architectural principles for IAM
Source: KPMG/Everett IAM survey, October 2009
According to the respondents, "Central authorisations management" is the most
important principle for defining their organisation's IAM need (39%). When
organisations are selecting their required IAM solution, a large number acquire
the solution of their preferred supplier and only 18% perform a vendor selection
in order to select a "best of breed" solution.
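[Figure: bar chart "IAM and IT architecture" by sector, y-axis 0%-90%, sectors: CM, FS, ICE, IGH, IM. Bar values as extracted: 78%, 17%, 58%, 69%, 70%.]
[Figure: bar chart "Architectural principles for IAM", y-axis 0%-50%, categories: Open standards; Preferred supplier; Best of breed; Central authorizations management; Delegated authorizations management; Loosely or tightly coupled; Other/unknown. Bar values as extracted: 20%, 34%, 18%, 39%, 24%, 9%, 11%.]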
Authors' note
The FS sector scores high here (70%),
which is to be expected, given the effort
that many of these organisations typically
have already put into information security
and risk management frameworks. A
possible reason for the IM sector's high
score could be that these organisations
have standardised production processes
and the IT architecture is therefore also
more mature and aligned with these
processes. The low score for the CM
sector may indicate that IAM is often
used for consumers facing a limited
amount of applications that pose a fairly
simple problem in terms of architecture.
In any case, IAM is often a long-term and
costly endeavour that requires strategic
planning for which, we believe,
architecture is a crucial component.
Authors' note
Many organisations appear to rely on a
preferred supplier rather than choose a
best of breed solution. This indicates
the importance of an IAM solution that
fits into an organisation's current vendor
and software landscape. Interestingly,
only 50% of the respondents from
the Government sector reported
open standards as a principle of their
organisation's IAM solution. As these
organisations tend to promote open
standards, this appears to contradict
their official policy. Nevertheless, this
figure is still around twice as high as the
overall figure.
When we asked the respondents about
the most used standards and preferred
practices, the most popular answer
was ISO 27001 (information security)
and ISO 27002 (information security
management). Based on this answer
we can conclude that there are no
specific IAM standards and industry best
practices in order to implement IAM.
Authentication mechanisms
Source: KPMG/Everett IAM survey, October 2009
Username and password is an authentication mechanism that was reported by all
respondents. Tokens are also popular with more than 50% of the respondents.
Smartcards or other certificate-based mechanisms scored 35%. RFID and
biometrics were both reported at around 12%.
Current use of identity administrations
Source: KPMG/Everett IAM survey, October 2009
An industry best practice for IAM is the connection to an authoritative source for
central identity administration. Nevertheless, 60% of the respondents reported
that their IAM solution does not use an authoritative source.
[Figure: bar chart "Authentication mechanisms", x-axis 0%-100%: Username & password 100%; Tokens 54%; Smart cards/certificates 36%; RFID 11%; Biometrics 13%; Other 1%.]
[Figure: pie chart "Current use of identity administrations", legend: No administration of core user identity data / organizational reference data; Central identity administration, not linked to authoritative sources (such as HR system); Central identity administration, directly linked to authoritative sources (every change in authoritative sources will result in change in identity administration). Segment values as extracted: 14%, 47%, 39%.]
Authors' note
Stronger authentication mechanisms
such as tokens and smartcards are well
matured, especially tokens. The fact that
the good-old username and password
authentication still prevails indicates that
these may be used for access not only
to low risk information (systems), but
also to high risk information (systems);
thus raising their vulnerabilities.
Authors' note
We believe that connecting to an
authoritative source is essential for
any long-term viable IAM solution. A
connection to an authoritative source
can be used to align the joiner/mover/
leaver process to the IAM administration
and ultimately enable the business
to determine which user accounts
need to be allocated, modified and
removed. Having a non-authoritative
source connected to IAM will make it almost impossible to manage IAM
administration and to leave it up to the
business to decide which access a
person needs to have. Fortunately over
half of the respondents indicated that
they intend to link their central identity
administration to an authoritative source.
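Added example, not part of the survey report: the joiner/mover/leaver reconciliation that a link to an authoritative source makes possible, comparing an HR extract with the account list of the identity administration. The record layouts, field names and sample data are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:                      # hypothetical layout of the HR extract
    employee_id: str
    department: str
    end_date: Optional[date] = None  # None: still employed


@dataclass(frozen=True)
class Account:                       # hypothetical layout of an IAM account
    username: str
    employee_id: Optional[str]       # None: not linked to any HR identity
    department: str
    enabled: bool = True


def is_active(rec, today):
    """An HR record is active until its end date has been reached."""
    return rec.end_date is None or rec.end_date > today


def reconcile(hr_records, accounts, today):
    """Return sorted (action, subject, reason) tuples that bring the
    identity administration in line with the authoritative HR source."""
    hr = {rec.employee_id: rec for rec in hr_records}
    actions, linked = [], set()
    for acc in accounts:
        if acc.employee_id is None:
            # Nobody in the business can be held accountable for this account.
            if acc.enabled:
                actions.append(("review", acc.username, "orphan: no HR identity"))
            continue
        linked.add(acc.employee_id)
        rec = hr.get(acc.employee_id)
        if rec is None or not is_active(rec, today):
            # Leaver: the account outlived the employment relationship.
            if acc.enabled:
                reason = "not in HR source" if rec is None else "contract ended"
                actions.append(("disable", acc.username, "leaver: " + reason))
        elif acc.enabled and acc.department != rec.department:
            # Mover: access still reflects the previous position.
            actions.append(("modify", acc.username,
                            f"mover: {acc.department} -> {rec.department}"))
    for rec in hr_records:
        # Joiner: employed according to HR, but no account exists yet.
        if is_active(rec, today) and rec.employee_id not in linked:
            actions.append(("create", rec.employee_id, "joiner: no account"))
    return sorted(actions)


# Constructed sample data, not taken from the survey.
SAMPLE_HR = [
    HrRecord("E100", "Finance"),
    HrRecord("E101", "Sales"),                  # moved from Finance
    HrRecord("E102", "IT", date(2009, 9, 30)),  # contract has ended
    HrRecord("E103", "HR"),                     # new joiner
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", "E100", "Finance"),
    Account("asmith", "E101", "Finance"),
    Account("bleaver", "E102", "IT"),
    Account("cghost", "E999", "IT"),            # unknown to HR
    Account("svc_backup", None, "IT"),          # no owner on record
]


def demo():
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, date(2009, 10, 15))


if __name__ == "__main__":
    for action in demo():
        print(*action, sep=" | ")
```

Without the HR link, only the "review" finding could be produced; the leaver and mover cases depend on data that only the authoritative source holds.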
06 Expected benefits, realisation and satisfaction
Expectations versus the realisation of IAM benefits
The participants were asked to rate their expected benefits of each driver and to
rate the realisation of the expected benefits. The survey results show significant
differences between the expected benefits and the realisation rate of the three
main drivers:
Governance, Risk and Compliance (GRC);
Operational excellence;
Business agility.
The various areas used for measuring the benefits within the main drivers are
elaborated in Appendix A.
Business agility
Realisation versus expectation
Area | Percentage that expects significant² improvements | Percentage that realised significant improvements
Adaptation to organisational structural changes | 51% | 26%
Extended enterprise | 35% | 15%
Application integration and exploitation | 52% | 25%
Source: KPMG/Everett IAM survey, October 2009
Operational excellence
Realisation versus expectation
Area | Percentage that expects significant improvements | Percentage that realised significant improvements
Cost of service delivery | 60% | 32%
Quality of service delivery | 66% | 32%
User management and provisioning | 83% | 46%
Identity administration | 68% | 48%
Role administration | 65% | 39%
Credentials management | 59% | 36%
Source: KPMG/Everett IAM survey, October 2009
2 Significant is defined as categories 4 and 5 on a scale of 1-5.
Governance, Risk and Compliance
Realisation versus expectation
Area | Percentage that expects significant improvements | Percentage that realised significant improvements
Monitoring and reporting | 67% | 35%
Attestation | 59% | 25%
Cost control | 39% | 22%
Risk reduction | 70% | 39%
Segregation of duties | 60% | 35%
Source: KPMG/Everett IAM survey, October 2009
Satisfaction with results of IAM projects
The respondents were also asked to indicate the percentage of IAM projects
which actually met with the expected improvements.
Percentage of IAM projects meeting expectations
(share of projects meeting expectations: percentage of respondents)
Less than 10%: 12%
11-25%: 8%
26-50%: 19%
51-75%: 19%
76-100%: 20%
100%: 22%
Authors' note
Generally speaking, the respondents
have high expectations of IAM, however
organisations appear to have fewer
expectations of business agility and
the realisation rate is also low in this
area. This corresponds to the fact that
business agility is perceived to be the
least important driver of IAM.
The survey results show significant
differences between the expected
benefits and the realisation rate in the
three main areas. Even in the area
of GRC, which is seen as the most
important driver of IAM, the realisation
is far below the expectation. This
may be explained by the fact that the
processes of user management and
provisioning are more mature in the
market and that the area of GRC is still evolving. This could also indicate that
there is too much focus on provisioning
as part of the project process.
Considering the hard economic climate
and the fact that GRC is one of the
most important IAM drivers for many
organisations, it makes sense to focus
on specific activities in order to realise
the benefits in the area of GRC and to
define these activities in a well-defined
roadmap as this is also lacking in a lot of
organisations. However, we would like
to mention that investing in business
agility and operational excellence can
reduce IAM costs in the mid to long
term. We expect these areas to be an
opportunity when the economy recovers
and organisations have the budget to
make investments in projects in which
the benefits with regard to expenses are
realised within the mid to long term.
Source: KPMG/Everett IAM survey, October 2009
These facts confirm the analysis of benefits versus realisation by driver. Less
than a quarter (22%) of respondents experienced IAM projects fully meeting their
expectations by 100%.
An analysis by sector shows that organisations in the FS, IGH and ICE sectors
have the highest percentage of IAM projects meeting requirements. Around 40%
of these organisations achieved their project goals for 75%-100% of their projects.
There are also big differences in the ability to measure the effectiveness of the
projects, e.g. in the IM and IGH sectors this was around 30%, or alternatively
respondents stated that it was unknown whether the project goals were met. This
was 50% in the CM sector, compared to around 10% in the FS and ICE sectors.
Percentage of IAM projects meeting requirements (per sector)
Source: KPMG/Everett IAM survey, October 2009
The participants were also asked to indicate to what extent they were satisfied
with the project outcome.
Satisfaction with IAM project outcome
Source: KPMG/Everett IAM survey, October 2009
[Chart: percentage of IAM projects meeting requirements, per sector (IM, CM, IGH, ICE, FS, OTH). Legend: Less than 10%; 11-25%; 26-50%; 51-75%; 76-100%; 100%; Unknown.]
Authors' note
Respondents' answers help to give
an indication that organisations are
apparently satisfied if the expected
benefits are realised in more than 50%
of their projects. A possible clarification
could be that the original expectations
were known to be too optimistic, or
that it is common sense to accept
that projects, in general, do not realise
all of their expected benefits. The
difference between the satisfaction
level and number of successful projects
can also be explained by the fact that
many organisations lack insight into the
benefits of IAM projects.
Satisfaction with IAM project outcome (chart data):
Very dissatisfied: 3%
Not satisfied: 13%
Neutral: 35%
Satisfied: 41%
Very satisfied: 8%
A difference with the 2008 IAM Survey results is that in this survey more
respondents were neutral (34%) than in 2008 (27%). Also this year, fewer
respondents (6% decrease) were very dissatisfied with their IAM project
outcome.
As a large number of IAM projects still do not realise all of their goals, it is
interesting to analyse why these projects fail. As in last year's survey results,
business issues are seen as the biggest hurdle, since lack of support from
management and stakeholders is also a business issue.
Causes of project failure
Source: KPMG/Everett IAM survey, October 2009
Measuring costs and quality of IAM services
In the 2009 survey several questions were included related to the measurement
of various aspects of IAM. In general, the majority of the respondent organisations
face difficulties in measuring the costs and quality of IAM:
49% did not know or measure the costs related to IAM service delivery;
48% did not know or measure the quality of IAM service delivery;
37% did not know the costs related to the review (internal/external) of access
rights as part of GRC.
The results also show that a large number of respondents want to realise cost
reductions with regard to service delivery and GRC and want to improve the
quality of service delivery. This can be difficult to realise without the necessary
insight into the quality and costs.
Causes of project failure (chart data):
Substantial excess of the allocated budget: 8%
Goals not achieved within allocated time: 27%
Business was not ready for proposed/presented solution: 50%
Lack of support from management and/or stakeholders: 51%
Unrealistic goals, given time and budget: 39%
Project result did not provide a solution for the actual problem: 17%
Proposed/presented IAM technology did not integrate with existing IT: 20%
Other: 14%
Authors' note
In our view, the aim of IAM is to resolve
business issues. The respondents
indicate that it is still difficult to gain
the commitment and involvement of
the business. This can be a big risk
for a project's success rate as the
business should be responsible for
IAM and also because it becomes
difficult to measure a project's benefits.
Surprisingly the respondents indicated
that technical issues are not a large
hurdle compared to other reasons. In
our firms' experience the technical
maturity of the IAM solution is still not
ideal and as a result can be one of the
biggest project risks. Technical issues
often impede the realisation of the user
requirements, which can cause issues
with the business as its requirements
are not met. In addition, technical issues can cause a budget overrun which is
also a project risk.
Methods to measure IAM success
Source: KPMG/Everett IAM survey, October 2009
Lacking insight into IAM benefits
Source: KPMG/Everett IAM survey, October 2009
Although a reasonable number of organisations measure their IAM effectiveness,
organisations are still struggling to gain insight into the benefits of IAM:
18% entirely agreed that they have a lack of insight into the benefits of IAM;
53% partially agreed that they have a lack of insight into the benefits of IAM;
Only 8% entirely disagreed that they have a lack of insight and therefore have
a proper insight into the benefits of IAM.
Authors' note
Organisations are facing difficulties
in measuring the costs and quality
of IAM service delivery and gaining
insight into the benefits of IAM. This
supports KPMG's experience that
a business case is often based on
qualitative drivers and that it is still
difficult to quantify the costs and also
the benefits of IAM. This can be a
risk when selling your business case
internally and staying alive as a project
in these economically turbulent times.
It is therefore recommended to include
benefits management into project and
project portfolio management. Issues
relating to measurement can also be
an indication that an individual's opinion
of realisation and satisfaction is a
subjective opinion and can also differ
internally within organisations.
Lacking insight into IAM benefits (chart data):
Legend: Entirely agree; Partially agree; Partially disagree; Entirely disagree; Neither agree nor disagree
Values as printed: 8%, 18%, 52%, 14%, 8%

Methods to measure IAM success (chart data):
Compare to industry standards and best practices: 33%
Compare with organization specific predefined key performance indicators: 29%
Through external audits and/or benchmarks: 40%
No measurement: 29%
Other: 5%
Appendix
The IAM processes supporting the business, as identified in the IAM reference
architecture, are:
User Management: Activities for the effective governance and management
of the lifecycle of identities;
Authentication Management: Activities for the effective governance and
management of the process for determining that an entity is who or what it
claims to be;
Authorisation Management: Activities for the effective governance and
management of the process for determining entitlement rights that decide
what resources an entity is permitted to access in accordance with the
organisation's policies;
Access Management: Enforcement of policies for access control in response
to a request from an entity requiring access to an IT resource within the
organisation;
Data Management and Provisioning: Propagation of identity and data for
authorisation to IT resources via automated or manual processes;
Monitoring and Audit: Monitoring, auditing and reporting compliance by
users regarding access to resources within the organisation based on the
defined policies.
Areas within the main IAM drivers
Business agility
Three areas are identified as follows:
Adaptation to organisational structure changes: Being able to quickly
adapt (bulk) user access rights when changing the organisational structure (as a
result of a reorganisation or with mergers and de-mergers);
Extended enterprise: Support for working with business partners and internal
separate organisations in an extended enterprise, e.g. through federation;
Application integration and exploitation: Fast integration of new
applications or systems and how effectively the business applications and
other services are exploiting the IAM infrastructure.
Operational excellence
Six areas are identified as follows:
Cost of service delivery: With regard to IAM, such as costs related to
authorisation, the number of deficiencies requiring remediation and the
increased productivity of end users due to quicker access to necessary
applications and systems;
Quality of service delivery: How well the IAM processes and services are
performing;
User management and provisioning: Support for all aspects of user
registration/de-registration and assigning/removing privileges and resources;
Identity administration: Administration of core user identity data as well as
organisational reference data (such as organisational tree/relationship between
manager and employee);
Role administration: Administration of access rights by using a grouping
mechanism (e.g. roles). The grouping mechanism will be used during the
access request process when requesting and approving access;
Credentials management: Managing all aspects of user credentials (e.g.
passwords, tokens) for authentication purposes.
Governance, Risk and Compliance
Five areas are identified as follows:
Monitoring and reporting: Being able to overview (in near real-time) which
users have access to what information and being able to efficiently generate
GRC-related reports;
Attestation: Being able to provide reports to be signed by: a) business
process owners to attest the appropriateness of the design of access controls;
b) line management to attest the correctness of the granted access rights;
Cost control: Costs related to the preparation and execution of internal/
external reviews of access rights;
Risk reduction: Being in control of fraud risks due to a complete insight into
end users' access rights;
Segregation of duties: Detecting and avoiding potentially conflicting roles
(responsibilities) of end users.
About KPMG
KPMG is a global network of professional firms providing Audit, Tax and Advisory
services. We operate in 144 countries and have 137,000 people working in
member firms around the world. The independent member firms of the KPMG
network are affiliated with KPMG International, a Swiss cooperative. Each KPMG
firm is a legally distinct and separate entity and describes itself as such. KPMG
International performs no professional services for clients nor, concomitantly,
generates any revenue.
KPMG firms have performed a wide range of IAM projects and have a broad
service offering, such as executing current state assessments, defining vision
statements, developing (business) architectures, creating roadmaps, performing
access attestation/certification projects and assisting in executing IAM audits.
Knowledge of IAM is embodied in our firms' professionals; to emphasize that we
pro-actively develop the knowledge of our people. Around the world we have a
number of Centers of Excellence (CoE) for IAM, for the EMEA region this center
is located in Amstelveen in the Netherlands.
As a result of our firms' IAM project experience, we have gathered much
information, identified industry best practices and have a detailed
understanding of project perils and pitfalls. In 2007, KPMG developed a
methodology for IAM projects, this methodology enables our firms to support
clients locally and on a global scale.
About Everett
Everett is a systems integrator and consultancy firm with highly skilled
professionals and unique hands-on experience. Everett has offices in Nieuwegein
(head office), London (England), Milan (Italy) and Bangalore (India). Everett also
provides 7x24 solution support services. Since its inception in 1999, Everett has
proven itself as a leading specialist on Identity Enabled Service Platforms and
middleware in general as applicable in Identity & Access management, GRC,
Portal, Secure Remote Access, and Enterprise Application Integration technology.
Since new technologies and new concepts bring uncertainty Everett has
developed ways to absorb that, while implementing. Everett's interactive
and iterative methodology EVOLVE embraces change and channels it to the
desired result. Our consultants will assist you in this process as your consultant,
architect, project manager or engineer. As a temporary addition to your team or
as a project team with a clear mission and turn-key responsibility.
B About the authors
Everett strives for thought-leadership in its competences and it wants to work as
a trusted advisor with the early adopters in any industry. Everett's commitment is
to deserve its reputation as trusted to know.
About eema and IIR
For 22 years, eema has been Europe's leading independent, non-profit e-Identity
& Security association, working with its European members, governmental
bodies, standards organisations and interoperability initiatives throughout Europe
to further e-Business and legislation.
Over the years IIR, an Informa Plc company, has constantly developed and
refined the process of producing premium business events with a threefold aim
of objectivity, timeliness and practical solutions. Featuring key industry experts,
IIR conferences provide up-to-date information direct from practitioners who have
found solutions to the challenges facing businesses today. By staying close to
each market IIR ensures that the conference takes place at exactly the right time
to provide you with the information you need, when you need it.
Austria
Michael Schirmbrand
Partner
Tel. +43 (1)3 133 2656
Baltics
Andris Brieze
Senior Manager
Tel. +371 6703
Belgium
Alain DHoe
Senior Business Development Manager
Tel. +32 (0)2 708 4391
Bulgaria
Nikola Nyagolov
Senior Manager
Tel. +359 (2) 9697 320
Czech Republic
Toms Kudelka
Senior Manager
Tel. +42 (0)23 411 2388
Denmark
Morten Klitgaard Friis
Partner
Tel. +45 3818 3445
France
Laurent Gobbi
Partner
Tel. +33 1 55687441
Finland
Panu Hrknen
Management Advisor
Tel. +35 (8)50 372 5866
Germany
Jrg Asma
Partner
Tel. +49 221 2073 6233
Germany
Marko Vogel
Manager
Tel. +49 201 455
Hungary
Tamas Gaidosch
Partner
Tel. +36 1 887 7139
Italy
Saverio Celano
Senior Manager
Tel. +39 340-9049639
Luxembourg
Michael Hofmann
Partner
Tel. +352 22 51 51 79 25
Poland
Krzysztof Radziwon
Partner
Tel. +48 (22) 528 11 37
Portugal
Tiago Reis
Senior Manager
Tel. +351 210 110 000
Romania
Gabriel Mihai Tanase
Manager
Tel. +40 (21) 201 22 22
Russia
Nikolay Legkodimov
Senior Manager
Tel. +7 (495) 9374444
Slovakia
Pavol Adamec
Director
Tel. +421 (2)
Spain
Ramon Poch
Partner
Tel. +34 914563400
Switzerland
Roman Haltinner
Senior Consultant
Tel. +41 44 249 3118
The United Kingdom
Malcolm Marshall
Partner
Tel. +44 207 311 5456
The Netherlands
John Hermans
Associate Partner
Tel. +31 (0)20 656 8394
KPMG contacts
Northern Europe: Denmark, England, Finland, Norway, Scotland
Eastern Europe: Belarus, Czech Republic, Latvia, Romania, Russia, Turkey
Southern Europe: Cyprus, Greece, Italy, Spain
Western Europe: Austria, Belgium, France, Germany, Luxembourg, Netherlands, Switzerland
C European regions
kpmg.com
The views and opinions expressed herein are those of the survey respondents and do not necessarily represent the views and opinions of KPMG International or KPMG member firms.
2009 KPMG International. KPMG International is a Swiss cooperative. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member
Contact us
KPMG
John Hermans
Associate Partner
Tel +31 (0)20 656 8394
www.kpmg.nl
Everett
Peter Valkenburg
Chief Technology Officer
Tel +31 (0)30 659 2255