everett & mckinsey identity and access management 2009 survey

8/8/2019 Everett & McKinsey Identity and Access Management 2009 Survey

1/40

2009 European Identity and AccessManagement Survey

A survey conducted by KPMG IT Advisory together with Everett

Advisory

Supported by eema and IIR


2/40

2 2009 European Identity & AccessManagement Survey

The findingsat a glance

2009 KPMG International


3/40

3Management Survey

2009 European Identity & Access


The value o Identity and Access Management (IAM) is still recognised

and IAM is here to stay

Almost 90% of the survey participants have initiated one or more IAM projects

in the last year;

70% of the respondents have a specifically allocated IAM budget.

Clearly the economic crisis has its impact on IAM, but IAM is still in the

spotlight

A quarter of the respondents reported budget cuts of 5%-50%, whereas 13%

reported budget cuts of more than 50%;

More than half of the respondents indicated a change of project scope;

Many organisations are quite confident that their original business case is still

applicable in this hard economic climate;

Despite budget cuts, almost three quarters of respondents entirely or partially

agreed that IAM investments should be increased instead of decreased due to

the current economic climate.

Governance, Risk and Compliance is by ar the main driver o IAM

Governance, Risk and Compliance is even more important than last years

survey indicated; The vast majority of IAM projects are still focused on their organisations direct

employees;

Access attestation and certification services are on the map and this is

possibly at the expense of the implementation of complete IAM solutions.

This indicates a shift from more preventive controls to a detective approach

focused on an organisations crown jewels.

There are still signiicant gaps between the expected and realised beneits

o IAM

Although gaps between expectation and realisation still remain, over half of the

respondents were satisfied with the outcome of their IAM project;

Organisations face difficulties in measuring the costs, benefits and quality of

IAM services and related activities.

A lack o business buy-in is the main cause o IAM project ailure

IAM projects are still mostly the responsibility of the IT department or the

Security Officer;

50% of the respondents stated that the business was not ready for the

proposed solution;

51% of the respondents indicated that there was a lack of support from

management and stakeholders.


4/40



Contents

01 Executive summary 5

02 Introduction 9

03 IAM projects status and 12impact of the economic crisis

04 Drivers and strategy 19

05 Architecture 22

06 Expected benefits, realisation 26and satisfaction

Appendix A - Reference models 33

Appendix B - About the authors 36

Appendix C - European regions 39


5/40

5Management Survey


01Executivesummary 2009 KPMG International


6/40


7/40

7Management Survey



One of the most important conclusions of this survey is that, as was already

visible in the 2008 IAM Survey, IAM is here to stay. Even though the economic

circumstances are quite different for many of the organisations that participated,

the value of IAM is clearly recognised throughout all the sectors and throughout

the whole of Europe.

Almost 90% of the respondents have initiated one or more projects during the

last three years;

In 2008, one third of the respondents stated that they had no specific IAM

budget. The results of the 2009 survey show more or less a similar view as

70% of the respondents have a specific IAM budget.

The Financial Services (FS) sector continues its position as an early adopter of

IAM and in 2009 the Infrastructure, Government and Healthcare (IGH) sector

has emerged as an early adopter, whereas last year IGH was classified as a late

adopter (a so-called laggard). Despite the economic crisis, in general, the FS

sector still has the highest IAM budgets.

However, the area of IAM did not escape the impact of the economic crisis.

A quarter of the respondents reported budget cuts of 5%-50%, whereas 13%reported budget cuts of more than 50%. Still over half of the respondents

indicate not having seen any (significant) impact on their IAM budget. However

a majority of projects encountered an impact on the project scope due to

the economic hard times. Strikingly, most are confident that the original IAM

business case still holds.

The three main drivers analysed in this survey are:

Governance, Risk and Compliance (GRC)

Being in control and able to prove it;

Operational excellence Cost control and user experience;

Business agility Being ready for change.

Governance, Risk and Compliance is now even more important as the main

driver of IAM than last years survey indicated. This applies to every sector and

specifically to Financial Services, Infrastructure, Government and Healthcare and

Information, Communication and Entertainment (ICE). In the Consumer Markets

(CM) and Industrial Markets (IM) operational excellence is also of reasonable

importance. In addition, we would like to mention that investing in business

agility and operational excellence can reduce IAM costs in the mid to long term.


8/40



We expect these areas to be an opportunity when the economy recovers and

organisations have the budget to make investments in projects in which the

benefits with regard to expenses are realised within the mid to long term.

As part of GRC, access attestation and certification is now definitively on the

map of organisations. Almost 20% of the respondents indicated this to be

a means of achieving project goals. Simultaneously, the implementation of a

complete IAM solution dropped by approximately 50% towards 35%.

These facts indicate a shift from an extended preventive approach towards a

more detective approach focusing on an organisations crown jewels. This

focused approach could also be a consequence of the economic crisis as only

focusing on the critical information will decrease the expenses.

However, when we analyse the gaps between the expected and realised

benefits of IAM projects, less than half of the respondents who expected

significant benefits from access attestation and certification realised these

benefits. This indicates that this is an evolving area which is not yet mature. In

general, there is a significant gap between the expected and realised benefits in

all areas of the main drivers. As in 2008, respondents cited the most prominent

reason for failure as being that the business was not ready for the proposed

solution and the lack of support from the business. Nevertheless, 50% of therespondents were satisfied with their IAM project outcome.

Despite the gap between the expected and realised benefits and the negative

impact of the economic crisis, we conclude that the value of IAM is apparent to

organisations as they are still investing in IAM. The challenge for the upcoming

years is to realise the expected benefits. With limited budgets due the economic

crisis, organisations have to make careful choices relating to the scope and

the approach. This implies a need for strong program management and a clear

roadmap for IAM.


9/40

9Management Survey


02Introduction



10/40



The 2009 European IAM Survey continues to explore the status of IAM projects

within European organisations. This report extends the results of KPMGs 2008

IAM Survey, and comparisons between the two are presented where applicable.

Several definitions of IAM are generally used. For the purpose of this survey,

IAM is defined as:

To be more precise, the processes covered by IAM are user management,

authentication management, authorisation management, access management,

provisioning and monitoring and audit. A complete overview of the KPMG

IAM reference model used for this survey is included in Appendix A.

For this survey KPMG, Everett and the media partners eema and IIR invited

a variety of European organisations to complete an online questionnaire. The

answers to the questions were subsequently analysed by a KPMG/Everett team

of IAM professionals. A detailed analysis of the results is provided in this report

in order to help the reader gain insight into:

The status of IAM projects seen across Europe;

The impact of the economic crisis on IAM budgets and project scope;

The drivers and strategy of IAM projects;

The level of benefit realisation and satisfaction with IAM projects.

A solid base of data was provided as 128 respondents from organisations located

in 23 European countries participated in the survey. Among the respondents

were a wide range of organisational representatives, from CEOs and CIOs

to Security Officers and heads of internal audit. The group also contained

participants from organisations of different sizes and from a variety of industries.

The policies, processes and systems for efficiently

and effectively governing and managing who has accessto which resources within an organisation.


11/40

11Management Survey



The distribution of participants with respect to European region, size and sector

was as follows:

Total number o respondents 128

Geographic region*

North (Denmark, England, Finland, Norway, Scotland) 34%

East (Belarus, Czech Republic, Latvia, Romania, Russia) 9%

South (Turkey, Cyprus, Greece, Italy, Spain) 12%

West (Austria, Benelux, France, Germany, Switzerland) 37%

Other 8%

Size (number o IT users)

Less than 1,000 20%

1,001-2,500 13%

2,501-5,000 16%

5,001-10,000 13%

10,001-25,000 13%

More than 25,000 25%

Sector

Financial Services (FS) 39%

Infrastructure, Government and Healthcare (IGH) 34%

Information, Communication and Entertainment (ICE) 13%

Industrial Markets (IM) 9%

Consumer Markets (CM) 5%

Reading aid

Chapter 3 of this report describes the current status of IAM projects and the

impact of the economic crisis. In Chapter 4 the strategy and main drivers of IAM

are elaborated. Subsequently, the IAM architecture is described in Chapter 5.

In the final chapter the expected and realised benefits of IAM are addressed;

this section also includes the participants satisfaction with regard to the actual

benefits and their ability to measure costs and benefits of IAM.

* No significant differences

were found between the four

different geographical regions as

described in the table. Therefore,

the results presented in this

report apply to the European

region as a whole and are not

divided by the four geographical

regions.


12/40


03IAM projects status and impact of

the economic crisis 2009 KPMG International


13/40

13Management Survey



Number o IAM projects initiated

Source: KPMG/Everett IAM survey, October 2009

As information is one of an organisations most valuable assets, control of access

to this information forms an important part of an organisations day-to-day business.

Around half (48%) of the respondent organisations had initiated one or two IAM

projects during the last three years, 87% of organisations had initiated at least

one IAM project and approximately a third (39%) had initiated more than threeIAM projects. Of these 39%, 6% had initiated more than ten projects.

Observation in comparison to the 2008 IAM Survey: In 2008, all respondent

organisations indicated that they had initiated one or more IAM projects in the

last three years, whereas 13% of 2009 respondents indicated they had not initiated

any IAM projects in the last three years.

Number o IAM projects by sector


13%

31%

2%6%

48%

None

1 2

3 5

6 10

More than 10 projects

None

1 2

3 5

6 10

More than 10 projects

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 1 00%

IM

CM

IGH

ICE

FS

OTH*

Sector

Authors note

IAM was already here to stay in 2008,

and the 2009 survey supports this

impression. IAM is clearly of concern

to all organisations, regardless of the

sector in which they operate or the

country in which they are based.

Over half of respondents indicated to

have initiated one or more projects

during the past three years. It appears

that it is often insufficient to initiate only

a single project, but that a sequence

of projects is required in order to

successfully achieve their organisations

IAM end goals. A possible explanation

may be that previous projects have

failed, but based on our industry

experience it appears more likely that

an IAM programme, in which several

projects are contained, enhances thechances of success. This supports

the need for a strong programme

management organisation and a clear

roadmap with clearly defined phases

and scoping.

The findings of this survey indicate that

the FS sector can still be categorised

as one of the early adopters of IAM.

Pressure to comply with banking

regulations as well as national and

international corporate governance

legislation is relatively high in this

sector, and this is assumed to be one

of the drivers of IAM projects within the

sector.

Contrary to 2008, in 2009 the IGH

sector is also adopting IAM on a regular

basis, whereas only a year ago IGH was

categorised as a late adopter.

* Other


14/40



The FS and IGH sectors both represent a significant percentage of respondents

who had initiated more than ten IAM projects over the past three years. The

IM and CM sectors, on the other hand, display less IAM project initiation with a

maximum of five initiated IAM projects.

Budgets

Size o IAM budgets


Out of the budgets specifically allocated to address IAM over the next three

years, 38% of the respondents plan to initiate projects with a budget up to EUR

250,000. 11% of respondents indicated that they have allocated a budget of over

EUR 1 million. Compared to the results of the 2008 IAM Survey there are no big

differences; in fact the results are almost the same.

As may be expected, smaller sized organisations (with less IT users) have smaller

IAM budgets and vice-versa, with EUR 10 million+ IAM budgets only occurring in

the organisations with over 5,000 employees. Overall, larger organisations appear

to have more difficulty in determining the total IAM budget, as many respondents

representing larger organisations indicated that they did not know its IAM

budget. By contrast, 80% of respondents representing smaller organisations (up

to 10,000 employees) were able to indicate the size of its IAM budget.

23%

31%

15%

12%8%

6%

5%

Less than EUR 100,000

EUR 100,001 250,000

EUR 250,001 EUR 500,000

EUR 500,001 EUR 1,000,000

EUR 1,000,001 EUR 10,000,000

More than EUR 10,000,000

Unknown


15/40

15Management Survey



IAM budgets by sector


In 2009, budget allocations remain largely unchanged. In addition, the IM and

ICE sectors have relatively small allocated IAM budgets.

Scope

IAM Scope


Over 90% of the respondents indicated that IAM projects are still mainly focused

on their organisations direct employees. This indicates that most IAM projects

are focused on controlling access to internal systems and information. However,approximately a third of IAM projects target partner and/or supplier networks, and

approximately a third target clients via IAM projects1.

Less than EUR 100,000

EUR 100,001 250,000

EUR 250,001 EUR 500,000

EUR 500,001 EUR 1,000,000

EUR 1,000,001 EUR 10,000,000

More than EUR 10,000,000

Unknown

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

IM

CM

IGH

ICE

FS

OTH

Sector

Own employees Partner and/orsupplier network

Clients Unknown/other

100%

80%

60%

40%

20%

0%

94%

37%33%

10%

Authors note

It is still the FS sector that boasts the

highest number of high-end budget

ranges. This means that IAM budgets

are generally higher in the FS sector.

The IGH sector comes in a decent

second in this category. One possible

explanation is that these sectors

specifically experience a relatively high

pressure to comply with international

rules and regulations (FS) and a relatively

large number of IGH have begun over

the last year. The IM and ICE sectors

do not appear to have the IAM drivers

to justify the same level of budget

allocation. However, we note that the

obligation to comply with stringent

legislation is also becoming increasingly

important in these sectors.

1Multiple answers were allowed for this question and therefore the total percentage is above 100%.

This is applicable to all graphs in which the total percentage is above 100%.


16/40



Means to achieve project goals


With a fifth of respondents indicating attestation and certification solutions to be

a means of achieving project goals, attestation and certification solutions have

emerged to become one of the serious options on this chart. Common means

(implementation of a new policy, a complete IAM solution, a user management

and provisioning solution or enhanced authorisation) all represent a fairly similar

number of respondents, with user management and provisioning as the most

commonly used solution.

Impact of the economic crisis

Impact on IAM budget


Although over half of respondents indicated not to have seen any (significant)

impact on IAM budgets, over a third (37%) indicated that their IAM budget has

been cut. A quarter of the respondents reported a 5%-50% cut, whereas 13%

reported IAM budget cuts of over 50%. As might be expected, IAM budgets are

under pressure as a result of the economic crisis.

The IAM budget is increased by more than 50%

The IAM budget is increased by 5 50%

No impact, (almost) unaffected IAM budget

The IAM budget is cut by 5 50%EUR

The IAM budget is cut by 5 50%

1% 7%

55%

24%

13%

New policy CompleteIAM solution

Attestationand certification

Enhancedauthorisation

Other

50%

40%

30%

20%

10%

0%

35%37%

44%

20%

31%

User managementand provisioning

11%

Authors note

As far as the respondent organisations

are concerned, attestation and

certification is now on the map. In

general the means to achieve project

goals are fairly evenly distributed over

the five IAM approaches mentioned

here, with only 11% of respondents

resorting to other means to achieve

their IAM project goals. This may be

viewed as a sign of the maturity of the

IAM market, as most respondents found

the options to achieve their project

goals readily available in todays vendor

portfolios.

The implementation of a complete

IAM solution has dropped significantly

towards 35% (a 50% drop). It is

possible that the focused approach of

targeting crown jewel components ofthe information/application landscape

has reduced the popularity of the

complete solution. It is also possible that

a shift has taken place from the more

preventive complete approach to more

detective solutions such as attestation

and certification focused on the crown

jewels.


17/40

17Management Survey



However, 73% of respondents entirely or partially agreed that the economic

crisis is another reason why their organisation should invest in IAM.

Impact on IAM budget by sector


Although some sectors were largely unaffected, over a third (37%) of

respondents reported cuts in their IAM budget of more than 5%, especially in the

FS, ICE and IGH sectors. CM does not appear to be impacted as of yet, however

this might be distorted as almost 50% of the CM sector respondents indicated

not knowing their IAM budget.

Impact on IAM budget by total IAM budget range






The IAM budget is cut by more than 50%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 1 00%

IM

CM

IGH

ICE

FS

Sec

tor





The IAM budget is cut by more than 50%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 1 00%

>10M

1M-10M

500K-1M

250-500K

100-250K


18/40



It appears that the larger IAM budgets, and generally speaking the larger IAM

projects, faced the hardest budget cuts in absolute terms (total EUR) and

relative terms. Smaller organisations (with IAM budgets of up to EUR 10 million)

experienced a range of IAM budget cuts (anywhere between 5%-50%) and the

IAM budget increased in a relatively small number of organisations.

Impact on scope


Despite the fact that 55% of respondents indicated that the economic crisis

has had no impact on their IAM budget, around 60% indicated that there was

some impact on the project scope, ranging from the slowing down to complete

stopping of IAM projects. Figures clearly indicate that projects are being

impacted negatively across all sectors.

Impact on business case

The IGH sector appeared to experience little effect of the economic crisis inthis respect, as almost 90% of respondents believed that the economic crisis

does not have an impact on the business case for IAM. Overall, over 70% of

respondents indicated that there was no impact on the IAM business case. In

addition, 80% of the respondents stated that the original IAM business case

would still be accepted under the current circumstances.

No impact

Slowing down (take more time for IAM projects)

Redefining the project scope focussing on

the crown jewels

Selecting or choosing a differentapproach

Stopping IAM projects

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 1 00%

IM

CM

IGH

ICE

FS

OTH

Sector

Authors note

The survey clearly indicates that IAM

budgets are under pressure from

the economic crisis. Over a third of

respondents have already experienced

budget cuts. We expect that this figure

may rise in the next year as the budget

cycle for 2010 in general is under

pressure due to the economic crisis.

Large organisations in the Financial

Services sector have been hit especially

hard in the crisis and, generally

speaking, larger IAM projects face the

hardest budget cuts in absolute terms

(total EUR). However, respondents were

generally confident that the original IAM

business case would still be accepted

under the current circumstances.


19/40


04Drivers and

strategy



20/40



Main IAM driver


The participants were asked to state their main IAM driver from the following

options:

Governance, Risk and Compliance;

Operational excellence;

Business agility.

Respondents indicated that Governance, Risk and Compliance is undoubtedly the

main driver of IAM projects (72%). Operational excellence comes in second at

14% and business agility comes in third at 13%. Compared to the results of the

2008 IAM Survey, GRC has become even more important.

Main IAM drivers by sector


0% 20% 40% 60% 80% 100%

GRC

Operational excellence

Business agility

Driver

72%

14%

13%

Business agility


GRC

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 1 00%

IM

CM

IGH

ICE

FS

S

ector

Authors note

The relatively high weight of GRC as

a main driver in the FS sector may be

expected, as compliance requirements

are traditionally important within

this sector. In the IGH sector, GRC

is also the key topic with regard to

IAM. This could be due to the fact

that governmental and healthcare

organisations are facing more and more

requirements with regard to information

security and data privacy.


21/40

21Management Survey



When we filter these results by sector, we find that FS, ICE and IGH represent

the highest scores for GRC. Although GRC is also a factor in the ICE and CM

sectors, the most important drivers in these sectors show a less pronounced

bias towards GRC as the main driver. In the CM and the IM sectors, operational

excellence turns out to be significantly more important than in the other sectors.

Business agility is a more important driver in the IGH and IM sectors than in any

other, most notably the FS sector.

IAM project approaches


When asked which project approaches are being used for IAM, many

respondents reported that several different approaches were in use. However,

there were also many respondents (25%) who reported that none of the project

approaches we suggested were in place.

When we filter these results by sector, the most prevalent result is that in the

CM and IM sectors around half of the respondents indicated that none of the

stated approaches were being used and that within IM none of these methods

were being used a lot. The IGH, ICE and FS sectors reported to be using all of

the listed project approaches.

0% 20%10% 30% 40% 50% 60%

IM

CM

IGH

ICE

FS

Milestones in place

Measurable milestones

Agreed across organization

Multi-year roadmap

None of the above

Sector

Authors note

The FS sector appears to be the most

mature in running its IAM projects.

In this sector the lowest number of

none of the above was reported,

and the number of agreed across the

organisation was the highest. The IM

sector, on the other hand, appears to

be the least mature; displaying low

numbers for all of the above mentioned

project management elements. The

high score for FS is in line with previous

observations in this survey.


22/40


23/40

23Management Survey


05Architecture



24/40 2009 KPMG International

IAM and IT architecture


Within 63% of the respondent organisations a specific IAM architecture has been

designed or IAM has been incorporated into the IT architecture. When broken

down into sectors we find that IM scores the highest and that all sectors, except

CM, score above 50%.

Architectural principles or IAM


According to the respondents, Central authorisations management is the most

important principle for defining their organisations IAM need (39%). When

organisations are selecting their required IAM solution, a large amount acquire

the solution of their preferred supplier and only 18% perform a vendor selection

in order to select a best of breed solution.

90%

80%

70%

60%

50%

40%

30%

20%

10%

0%

CM FSICEIGHIM

78%

17%

58%

69% 70%

Openstandards

Preferredsupplier

Best ofbreed

50%

45%

40%

35%

30%

25%

20%

15%

10%

5%

0%Central

authorizationsmanagement

Delegatedauthorizationsmanagement

Loosely ortightly coupled

Other/unknown

20%

34%

18%

39%

24%

9%11%

Authors note

The FS sector scores high here (70%),

which is to be expected, given the effort

that many of these organisations typically

have already put into information security

and risk management frameworks. A

possible reason for the IM sectors high

score could be that these organisations

have standardised production processes

and the IT architecture is therefore also

more mature and aligned with these

processes. The low score for the CM

sector may indicate that IAM is often

used for consumers facing a limited

amount of applications that pose a fairly

simple problem in terms of architecture.

In any case, IAM is often a long-term and

costly endeavour that requires strategic

planning for which, we believe,

architecture is a crucial component.

Authors note

Many organisations appear to rely on a

preferred supplier rather than choose a

best of breed solution. This indicates

the importance of an IAM solution that

fits into an organisations current vendor

and software landscape. Interestingly,

only 50% of the respondents from

the Government sector reported

open standards as a principle of their

organisations IAM solution. As these

organisations tend to promote open

standards, this appears to contradict

their official policy. Nevertheless, this

figure is still around twice as high as the

overall figure.

When we asked the respondents about

the most used standards and preferred

practices, the most popular answer

was ISO 27001 (information security)

and ISO 27002 (information securitymanagement). Based on this answer

we can conclude that there are no

specific IAM standards and industry best

practices in order to implement IAM.



25/40

25Management Survey



Authentication mechanisms


Username and password is an authentication mechanism that was reported by all

respondents. Tokens are also popular with more than 50% of the respondents.

Smartcards or other certificate-based mechanisms scored 35%. RFID and

biometrics were both reported at around 12%.

Current use o identity administrations


An industry best practice for IAM is the connection to an authoritative source for

central identity administration. Nevertheless, 60% of the respondents reported

that their IAM solution does not use an authoritative source.

0% 20% 40% 60% 80% 100%

Username & password

Tokens

Smart cards/certificates

RFID

Biometrics

Other

100%

54%

36%

11%

13%

1%

No administration of core user identity data /organizational reference data

Central identity administration,not linked to authoritative sources(such as HR system)

Central identity administration, directly linkedto authoritative sources (every change inauthoritative sources will result in change inidentity administration)

14%

47%

39%

Authors note

Stronger authentication mechanisms

such as tokens and smartcards are well

matured, especially tokens. The fact that

the good-old username and password

authentication still prevails indicates that

these may be used for access not only

to low risk information (systems), but

also to high risk information (systems);

thus raising their vulnerabilities.

Authors note

We believe that connecting to an

authoritative source is essential for

any long-term viable IAM solution. A

connection to an authoritative source

can be used to align the joiner/mover/

leaver process to the IAM administration

and ultimately enable the business

to determine which user accounts

need to be allocated, modified and

removed. Having a non-authoritative

source connected to IAM will makeit almost impossible to manage IAM

administration and to leave it up to the

business to decide which access a

person needs to have. Fortunately over

half of the respondents indicated that

they intend to link their central identity

administration to an authoritative source.


26/40



Expected benefits,realisation and

satisfaction

06


27/40

27Management Survey



Expectations versus the realisation of IAM benefits

The participants were asked to rate their expected benefits of each driver and to

rate the realisation of the expected benefits. The survey results show significant

differences between the expected benefits and the realisation rate of the three

main drivers:

Governance,RiskandCompliance(GRC);

Operationalexcellence;

Businessagility.

The various areas used for measuring the benefits within the main drivers are

elaborated in Appendix A.

Business agility

Realisation versus expectation

Area Percentage that

expects signiicant2improvements

Percentage that

realised signiicantimprovements

Adaptation to organisational

structural changes51% 26%

Extended enterprise 35% 15%

Application integration and

exploitation52% 25%





expects signiicant

improvements

Percentage that

realised signiicant

improvements

Cost of service delivery 60% 32%

Quality of service delivery 66% 32%

User management andprovisioning

83% 46%

Identity administration 68% 48%

Role administration 65% 39%

Credentials management 59% 36%


2 Significant is defined as categories 4 and 5 on a scale of 1-5.


28/40





expects signiicant

improvements

Percentage that

realised signiicant

improvements

User management and provisioning 83% 46%

Identity administration 68% 48%

Role administration 65% 39%

Credentials management 59% 36%


Governance, Risk and Compliance


Area Percentage thatexpects signifcantimprovements

Percentage thatrealised signifcantimprovements

Monitoring and reporting 67% 35%

Attestation 59% 25%

Cost control 39% 22%

Risk reduction 70% 39%

Segregation of duties 60% 35%


Satisfaction with results of IAM projects

The respondents were also asked to indicate the percentage of IAM projects

which actually met with the expected improvements.

Percentage o IAM projects meeting expectations

Less than 10%

11 25%

26 50%

51 75%

76 100%

100%

12%

8%

19%

19%

20%

22%

Authors note

Generally speaking, the respondents

have high expectations of IAM, however

organisations appear to have fewer

expectations of business agility and

the realisation rate is also low in this

area. This corresponds to the fact that

business agility is perceived to be the

least important driver of IAM.

The survey results show significant

differences between the expected

benefits and the realisation rate in the

three main areas. Even in the area

of GRC, which is seen as the most

important driver of IAM, the realisation

is far below the expectation. This

may be explained by the fact that the

processes of user management and

provisioning are more mature in the

market and that the area of GRC is stillevolving. This could also indicate that

there is too much focus on provisioning

as part of the project process.

Considering the hard economic climate

and the fact that GRC is one of the

most important IAM driver for many

organisations, it makes sense to focus

on specific activities in order to realise

the benefits in the area of GRC and to

define these activities in a well-defined

roadmap as this is also lacking in a lot of

organisations. However, we would like

to mention that investing in business

agility and operational excellence can

reduce IAM costs in the mid to long

term. We expect these areas to be an

opportunity when the economy recovers

and organisations have the budget to

make investments in projects in which

the benefits with regard to expenses are

realised within the mid to long term.



29/40

29Management Survey



These facts confirm the analysis of benefits versus realisation by driver. Less

than a quarter (22%) of respondents experienced IAM projects fully meeting their

expectations by 100%.

An analysis by sector shows that organisations in the FS, IGH and ICE sectors

have the highest percentage of IAM projects meeting requirements. Around 40%

of these organisations achieved their project goals for 75%-100% of their projects.

There are also big differences in the ability to measure the effectiveness of the

projects, e.g. in the IM and IGH sectors this was around 30%, or alternatively

respondents stated that it was unknown whether the project goals were met. This

was 50% in the CM sector, compared to around 10% in the FS and ICE sectors.

Percentage o IAM projects meeting requirements (per sector)


The participants were also asked to indicate to what extent they were satisfied

with the project outcome.

Satisaction with IAM project outcome


Less than 10%

11 25%

26 50%

51 75%

76 100%

100%

Unknown

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 1 00%

IM

CM

IGH

ICE

FS

OTH

Sector

Authors note

Respondents answers help to give

an indication that organisations are

apparently satisfied if the expected

benefits are realised in more than 50%

of their projects. A possible clarification

could be that the original expectations

were known to be too optimistic, or

that it is common sense to accept

that projects, in general, do not realise

all of their expected benefits. The

difference between the satisfaction

level and number of successful projects

can also be explained by the fact that

many organisations lack insight into the

benefits of IAM projects.

Very dissatisfied

Not satisfied

Neutral

Satisfied

Very satisfied

3%

13%

35%

41%

8%


30/40



A difference with the 2008 IAM Survey results is that in this survey more

respondents were neutral (34%) than in 2008 (27%). Also this year, less

respondents (6% decrease) were very dissatisfied with their IAM project

outcome.

As a large amount of IAM projects still do not realise all of their goals, it is

interesting to analyse why these projects fail. As in last years survey results,

the business issues are seen as the biggest hurdle as lack of support from

management and stakeholders is also a business issue.

Causes o project ailure


Measuring costs and quality of IAM services

In the 2009 survey several questions were included related to the measurement

of various aspects of IAM. In general, the majority of the respondent organisations

face difficulties in measuring the costs and quality of IAM:

49% did not know or measure the costs related to IAM service delivery;

48% did not know or measure the quality of IAM service delivery;

37% did not know the costs related to the review (internal/external) of access

rights as part of GRC.

The results also show that a large number of respondents want to realise costreductions with regard to service delivery and GRC and want to improve the

quality of service delivery. This can be difficult to realise without the necessary

insight into the quality and costs.

0% 20%10% 30% 40% 50% 60%

Substantial excess ofthe allocated budget

Goals not achieved withinallocated time

Business was not ready forproposed/presented solution

Lack of support from managementand/or stakeholders

Unrealistic goals,given time and budget

Project result did not provide a

solution for the actual problem

Proposed/presented IAM technologydid not integrate with existing IT

Other

8%

27%

50%

51%

39%

17%

20%

14%

Authors note

In our view, the aim of IAM is to resolve

business issues. The respondents

indicate that it is still difficult to gain

the commitment and involvement of

the business. This can be a big risk

for a projects success rate as the

business should be responsible for

IAM and also because it becomes

difficult to measure a projects benefits.

Surprisingly the respondents indicated

that technical issues are not a large

hurdle compared to other reasons. In

our firms experience the technical

maturity of the IAM solution is still not

ideal and as a result can be one of the

biggest project risks. Technical issues

often impede the realisation of the user

requirements, which can cause issues

with the business as its requirements

are not met. In addition, technical issuescan cause a budget overrun which is

also a project risk.


31/40

31Management Survey



Methods to measure IAM success


Lacking insight into IAM beneits


Although a reasonable number of organisations measure their IAM effectiveness,

organisations are still struggling to gain insight into the benefits of IAM:

18% entirely agreed that they have a lack of insight into the benefits of IAM;

53% partially agreed that they have a lack of insight into the benefits of IAM;

Only 8% entirely disagreed that they have a lack of insight and therefore have

a proper insight into the benefits of IAM.

Authors note

Organisations are facing difficulties

in measuring the costs and quality

of IAM service delivery and gaining

insight into the benefits of IAM. This

supports KPMGs experience that

a business case is often based on

qualitative drivers and that it is still

difficult to quantify the costs and also

the benefits of IAM. This can be a

risk when selling your business case

internally and staying alive as a project

in these economically turbulent times.

It is therefore recommended to include

benefits management into project and

project portfolio management. Issues

relating to measurement can also be

an indication that an individuals opinion

of realisation and satisfaction is a

subjective opinion and can also differ

internally within organisations.

Entirely agree

Partially agree

Partially disagree

Entirely disagree

Neither agree nor disagree

8%18%

52%

14%

8%

0% 20%10% 30% 40% 50% 60%

Compare to industry standardsand best practices

Compare with organization specificpredefined key performance indicators

Through external auditsand/or benchmarks

No measurement

Other

33%

29%

40%

29%

5%


32/40


Appendix



33/40


34/40



The IAM processes supporting the business, as identified in the IAM reference

architecture, are:

User Management Activities for the effective governance and management

of the lifecycle of identities;

Authentication Management Activities for the effective governance and

management of the process for determining that an entity is who or what it

claims to be;

Authorisation Management Activities for the effective governance and

management of the process for determining entitlement rights that decide

what resources an entity is permitted to access in accordance with the

organisations policies;

Access Management Enforcement of policies for access control in response

to a request from an entity requiring access an IT resource within the

organisation;

Data Management and Provisioning Propagation of identity and data for

authorisation to IT resources via automated or manual processes;

Monitoring and Audit Monitoring, auditing and reporting compliance by

users regarding access to resources within the organisation based on the

defined policies.

Areas within the main IAM drivers

Business agility

Three areas are identified as follows:

Adaptationtoorganisationalstructurechanges Being able to quickly

adapt (bulk) user access rights when changing the organisational structure (as a

result of a reorganisation or with mergers and de-mergers);

Extendedenterprise Support for working with business partners and internal

separate organisations in an extended enterprise, e.g. through federation;

Applicationintegrationandexploitation Fast integration of new

applications or systems and how effectively the business applications and

other services are exploiting the IAM infrastructure.


35/40

35Management Survey




Six areas are identified as follows:

Cost o service delivery With regard to IAM, such as costs related to

authorisation, the number of deficiencies requiring remediation and the

increased productivity of end users due to quicker access to necessary

applications and systems;

Qualityofservicedelivery How well the IAM processes and services are

performing;

User management and provisioning Support for all aspects of user

registration/de-registration and assigning/removing privileges and resources;

Identity administration Administration of core user identity data as well as

organisational reference data (such as organisational tree/relationship between

manager and employee);

Role administration Administration of access rights by using a grouping

mechanism (e.g. roles). The grouping mechanism will be used during theaccess request process when requesting and approving access;

Credentialsmanagement Managing all aspects of user credentials (e.g.

passwords, tokens) for authentication purposes.

Governance, Risk and Compliance

Five areas are identified as follows:

Monitoringandreporting Being able to overview (in near real-time) which

users have access to what information and being able to efficiently generate

GRC-related reports;

Attestation Being able to provide reports to be signed by: a) business

process owners to attest the appropriateness of the design of access controls;

b) line management to attest the correctness of the granted access rights;

Costcontrol Costs related to the preparation and execution of internal/

external reviews of access rights;

Riskreduction Being in control of fraud risks due to a complete insight into

end users access rights;

Segregationofduties Detecting and avoiding potentially conflicting roles

(responsibilities) of end users.


36/40



About KPMG

KPMG is a global network of professional firms providing Audit, Tax and Advisory

services. We operate in 144 countries and have 137,000 people working in

member firms around the world. The independent member firms of the KPMG

network are affiliated with KPMG International, a Swiss cooperative. Each KPMG

firm is a legally distinct and separate entity and describes itself as such. KPMG

International performs no professional services for clients nor, concomitantly,

generates any revenue.

KPMG firms have performed a wide range of IAM projects and have a broad

service offering, such as executing current state assessments, defining vision

statements, developing (business) architectures, creating roadmaps, perform

access attestation/certification projects and assisting in executing IAM audits.

Knowledge of IAM is embodied in our firms professionals; to emphasize that we

pro-actively develop the knowledge of our people. Around the world we have a

number of Centers of Excellence (CoE) for IAM, for the EMEA region this center

is located in Amstelveen in the Netherlands.

As a result of our firms IAM project experience, we have gathered much

information, identified industry best practices and have a detailed

understanding of project perils and pitfalls. In 2007, KPMG developed a

methodology for IAM projects, this methodology enables our firms to support

clients locally and on a global scale.

About Everett

Everett is a systems integrator and consultancy firm with highly skilled

professionals and unique hands-on experience. Everett has offices in Nieuwegein

(head office), London (England), Milan (Italy) and Bangalore (India). Everett also

provides 7x24 solution support services. Since its inception in 1999, Everett has

proven itself as a leading specialist on Identity Enabled Service Platforms and

middleware in general as applicable in Identity & Access management, GRC,

Portal, Secure Remote Access, and Enterprise Application Integration technology.

Since new technologies and new concepts bring uncertainty Everett has

developed ways to absorb that, while implementing. Everetts interactive

and iterative methodology EVOLVE embraces change and channels it to the

desired result. Our consultants will assist you in this process as your consultant,

architect, project manager or engineer. As a temporary addition to your team oras a project team with a clear mission and turn-key responsibility.

B About the authors


37/40

37Management Survey



Everett strives for thought-leadership in its competences and it wants to work as

a trusted advisor with the early adopters in any industry. Everetts commitment is

to deserve its reputation as trusted to know.

About eema and IIR

For 22 years, eema has been Europes leading independent, non-profit e-Identity& Security association, working with its European members, governmental

bodies, standards organisations and interoperability initiatives throughout Europe

to further e-Business and legislation.

Over the years IIR, an Informa Plc company, has constantly developed and

refined the process of producing premium business events with a threefold aim

of objectivity, timeliness and practical solutions. Featuring key industry experts,

IIR conferences provide up-to-date information direct from practitioners who have

found solutions to the challenges facing businesses today. By staying close to

each market IIR ensures that the conference takes place at exactly the right time

to provide you with the information you need, when you need it.


38/40



Austria

Michael Schirmbrand

Partner

Tel. +43 (1)3 133 2656

[email protected]

Baltics

Andris Brieze

Senior Manager

Tel. +371 6703 [email protected]

Belgium

Alain DHoe

Senoir Business Development Manager

Tel. +32 (0)2 708 4391

[email protected]

Bulgaria

Nikola Nyagolov

Senior Manager

Tel. +359 (2) 9697 320

[email protected]

Czech Republic

Toms Kudelka

Senior Manager

Tel. +42 (0)23 411 2388

[email protected]

Denmark

Morten Klitgaard Friis

PartnerTel. +45 3818 3445

[email protected]

France

Laurent Gobbi

Partner

Tel. +33 1 55687441

[email protected]

Finland

Panu Hrknen

Management Advisor

Tel. +35 (8)50 372 5866

[email protected]

Germany

Jrg Asma

Partner

Tel. +49 221 2073 6233

[email protected]

Germany

Marko Vogel

Manager

Tel. +49 201 455 [email protected]

Hungary

Tamas Gaidosch

Partner

Tel. +36 1 887 7139

[email protected]

Italy

Saverio Celano

Senior Manager

Tel. +39 340-9049639

[email protected]

Luxembourg

Michael Hofmann

Partner

Tel. +352 22 51 51 79 25

[email protected]

Poland

Krzysztof Radziwon

PartnerTel. +48 (22) 528 11 37

[email protected]

Portugal

Tiago Reis

Senior Manager

Tel. +351 210 110 000

[email protected]

Romania

Gabriel Mihai Tanase

Manager

Tel. +40 (21) 201 22 22

[email protected]

Russia

Nikolay Legkodimov

Senior Manager

Tel. +7 (495) 9374444

[email protected]

Slovakia

Pavol Adamec

Director

Tel. +421 (2) [email protected]

Spain

Ramon Poch

Partner

Tel. +34 914563400

[email protected]

Switzerland

Roman Haltinner

Senior Consultant

Tel. +41 44 249 3118

[email protected]

The United Kingdom

Malcolm Marshall

Partner

Tel. +44 207 311 5456

[email protected]

The Netherlands

John Hermans

Associate PartnerTel. +31 (0)20 656 8394

[email protected]

KPMG contacts


39/40

39Management Survey



Northern Europe Denmark

England

Finland

Norway

Scotland

Eastern Europe Belarus

CzechRepublic

Latvia Romania

Russia

Turkey

Southern Europe Cyprus

Greece

Italy

Spain

Western Europe Austria

Belgium

France

Germany Luxembourg

Netherlands

Switzerland

C European regions


40/40

kpmg.com

Disclaimer information Copyright information and publicationdetails

Contact subhead: Univers 65 Bold

9pt; 12pt leading

Contact body: Univers 45 Light

9pt; 12pt leading

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

Firstname Lastname

Street address

City/Country

Tel +86 (10) 6505 6300

Fax +86 (10) 6505 6301

The views and opinions expressed herein are those of the survey respondentsand do not necessarily represent the views and opinions of KPMG International orKPMG member firms.

2009 KPMG International. KPMG International is a Swisscooperative. Member firms of the KPMG network ofindependent firms are affiliated with KPMG International.KPMG International provides no client services. No member

Contact us

KPMGJohn Hermans

Associate Partner

Tel +31 (0)20 656 8394

[email protected]

www.kpmg.nl

Everett

Peter Valkenburg

Chief Technology Officer

Tel +31 (0)30 659 2255

[email protected]

everett & mckinsey identity and access management 2009 survey

Documents