IDENTITY CRISIS

How to Balance Digital Transformation and User Security

Organizations are facing the need for improved capabilities in managing identities and access as part of their journey through Digital Transformation. Managing customer identities becomes the standard, beyond traditional employee-focused IAM (Identity and Access Management). IDaaS (Identity as a Service) supports organizations in balancing new business requirements with the regulatory compliance challenges they are facing, while also being able to handle the need for rapidly and securely on-boarding cloud services and scaling to potentially millions of customers.

IDENTITY CRISIS

How to Balance Digital Transformation and User Security

Content

4. Introduction

6. Highlights

8. Business Enablement

11. Cost and Deployment

14. Control

18. Summary and Recommendations

3.

IDENTITY CRISIS

How to Balance Digital Transformation and User Security

4. Introduction

Distribution of respondents across industries[Values above 100% due to rounded values]

FIGURE 1

4. Introduction 05.

KuppingerCole and PAC Pierre Audoin Consultants conducted a survey on Identity as a Service (IDaaS) in January and February 2016. The survey was run in the US, United Kingdom, Benelux (Belgium, Netherlands, Luxemburg), the Nordics (Denmark, Sweden, Norway, Finland), and Germany. Overall, 831 responses were collected.

IDaaS embraces services for Identity & Access Management (IAM) provided either by a Managed Service provider or as a cloud service, in contrast to on-premise deployments. The market is also referred to as Cloud IAM (Cloud Identity & Access Management). Within IDaaS, we see a variety of approaches, ranging from solely enabling single sign-on of users for cloud services to fully managing identity and access of complex on-premise IT infrastructures as a service. This survey focused on the general demand for delivering various types of IDaaS services and not on a particular technical use case.

The survey was conducted across all sectors, with a good coverage of all major industries. The minimal size of responding organizations was limited to 500 managed identities, both employees and consumers. One third

of the organizations covered are in the range of 5,000 to 50,000 managed identities, while 40% have more than 50,000 identities under management and 7% are managing more than 1 million users.

The majority of respondents were from IT departments, working in either IT Services (47%) or IT Security (29%), while the other participants work in departments such as Sales & Marketing, HR, or Finance. Of the respondents, 21% have roles as architect or designer of IAM systems, with another 16% being involved in IAM projects. The remainder are either actively managing identities and access or are familiar with the business requirements of IAM and IDaaS in particular.

The survey delivers insight into the current state of IAM in organizations and their willingness to move to IDaaS solutions. Organizations are considering IDaaS solutions as a blanket replacement for existing IAM implementations whilst also investigating the possibility of migrating limited specific functionality to IDaaS solutions to address high visibility risks and issues currently facing in their IAM strategies and deployments.

Introduction

8% Telecoms, Media & Entertainment

8% Distribution & Transportation

7% Healthcare

6% Consumer Products & Retail

4% Automotive

4% Energy & Utilities

1% Aerospace & Defence

Manufacturing 21% Other 15% Financial Services 14% Public Sector 13%

6. Highlights

6. Highlights 7.

> 62% of the organizations report a very high or high priority given to enabling or extending access for consumers and customers to their IT systems in the short-medium term. However, only 26% of the organizations feel they are equipped for adequately providing access management for all types of users beyond their employees.

> 84% of the organizations report a high or very high priority given to supporting different types of access management, such as alternative authentication methods and social logins. However, only 21% of the organizations are currently equipped with such solutions for adaptive authentication.

> While 85% of US based organizations already have a solution in place for secure onboarding and consumer access management, only 70% of European organizations have such solutions deployed or are currently running a project.

> 88% of the responding organizations have a high priority for strong identity governance, audit and compliance support of their IAM solutions. Only 2% have low or no priority.

> 85% of the organizations claim that it is critical or very critical to be able to onboard new cloud services quickly, including mechanisms and processes for user management and access.

> 88% of the organizations rate efficient IAM processes as very important or critical. 79% of the organizations rate it as very important or mandatory that their IT service providers deliver such standardized best practice processes.

> 68% of the responding organizations report an increase in their IAM budgets, with 28% of the organizations reporting a strong increase.

> Customers both from the US and Europe expect IDaaS data centers to be located in their country/region. Close to 90% of the respondents in both regions prefer or mandate data centers in their country or region.

Highlights

9.8. Business Enablement

Business Enablement

The cloud is already a reality for most organizations and user management in the hybrid IT environment is commonplace. Seamless Identity and Access Management for hybrid IT environments is critical as User Access Management is the only security mechanism still in the hands of the organization, with traditional physical and application security controls outsourced to cloud service providers. IDaaS can help to unify, centralize and simplify the management of user identities and access across all types of service and application deployment models.

Identity and Access Management is no longer just about employees. Managing consumers and customers is a key capability, as is the management of partners and joint ventures. The scalability of IDaaS helps in managing large numbers of customers, consumers and other stakeholders.

9.8. Business Enablement

In this age of Digital Transformation, organizations have to be more agile than ever before. Changing business models and processes, new business partnerships, and ever-changing relationships with customers lead to changing business requirements for IAM. As such, IAM must be able to support the agility business needs to succeed. This includes support for the cloud and for seamlessly managing all types of internal and external users.

Simplifying access for all users, extending the network to the cloud and new groups of users, and a deep understanding in particular of customer access must become cornerstones of an IAM strategy in the age of Digital Transformation. IDaaS has strong potential for helping organizations put in place IAM controls that support new and increasing business demand.

Most organizations today describe the state of their IT infrastructure as hybrid, with 55% of the respondents opting for that term, indicating a mix of on-premise and cloud services. Some 30% consider themselves as traditional with all or most of their IT still internally hosted. A further 15% claim that they have a “cloud IT” platform, relying primarily on cloud services and managed applications. These numbers show that managing the access of cloud services users is a very real challenge for at least 70% of the organizations surveyed.

This strong demand for cloud services also shows up in the rating for the criticality of on-boarding new cloud services rapidly and efficiently with well managed identities and access. 85% of the organizations rate this as critical or very critical for their success. That figure varies only slightly between various countries. While European countries are all in the 80% to 85% range, 95% of the US organizations rate this capability as critical or very critical.

Organizations need to provide controlled access to cloud services rapidly. IDaaS provides an efficient interface for onboarding new cloud services rapidly, utilizing industry standard connectors instead of complex manual setup and configuration of connectors in on-premise IAM systems.

70% of the organizations state that consumers currently have access to at least some of their systems. However, 88% of the participants stated that it is important, critical,

or very critical for their organizations to enable or extend access for consumers in the short to medium term. Thus managing identities and access of consumers becomes more and more important to organizations.

However, while only 63% of people from IT Services and IT Security indicated such access being critical or very critical to their organization, 79% of the respondents from Sales & Marketing stated this as being critical or very critical. These numbers indicate that a gap still exists between the IT and the business view. IT people remain more focused on the traditional area of employee and business partner access, while consumer-facing departments have a higher demand for managing all types of users.

State of IT Infrastructure FIGURE 2

55% Hybrid

30% Traditional

15% Cloud

The majority of organizations describe the state of their IT infrastructure as “hybrid”.

Our IT strategy is to move to “cloud only” IAM lead of a leading European logistics company

a convenient and secure manner. A little more than 50% of the European organizations are still struck in the deployment phase for such solutions.

Part of this growing demand for supporting customers, beyond the traditional employee IAM, is the need to flexibly scale with the growing number of business partners, consumers and ‘things’ accessing on-premise or cloud-based IT systems. 81% of all organizations consider this capability as critical. There is little variation between different countries. Obviously, scalability is easier to achieve with cloud-based IDaaS, with elasticity being one of the main characteristics of cloud services.

11.10. Business Enablement

When organizations are asked if they feel they are already equipped to adequately manage access for all types of users, beyond their employees and including consumers, only 26% of the organizations state that they have such solutions in place. The majority of organizations have started a project for improving their IAM capabilities, while still roughly a quarter of the responding organizations do not even have a project in place.

Interestingly, while 49% of the US-based organizations claim that they are already equipped with such solutions, only 15% to 17% of the organizations surveyed in Germany, UK, Benelux, and the Nordics state that they are ready to support all types of users in both

FIGURE 3Organizations that are already equipped to support secure and convenient access for all types of users (per country)

US 49%

France 25%

Germany 17%

Benelux & Nordics 15%

UK 15%

We need to support all types of identities, beyond the employees – consumers must be managed by our IAM as well CISO of world-leading consumer goods company

11.10. Business Enablement

Organizations understand the need for best practice, well thought-out IAM processes and expect them to be delivered by their IAM suppliers. Most on-premise solutions today lack such support. IDaaS makes it easier to deliver such processes and, due to the cloud deployment model, to easily customize such processes.

IAM is increasingly understood as a cornerstone of Information Security. Budgets are growing. IDaaS supports organizations in achieving more with their budgets.

Cost and Deployment

12. Cost and Deployment

IAM is typically considered from a cost perspective only, despite the potential for improving business processes and interaction with customers. Complex, long-running projects that miss the targets for both cost and time are said to be common for on-premise IAM deployments.

IDaaS offers strong potential for rapid deployments of IAM solutions to a broader range of users, reducing the challenges involved with on-premise implementations of IAM. However, customers have clear expectations of IDaaS solutions, such as well-defined standard processes being delivered as part of the service.

88% of the organizations rate efficient IAM processes as very important or critical. 79% of the organizations rate it as very important or mandatory that their IT service providers deliver such standardized best practice processes.

IAM suppliers are expected to provide best practice standard processes as part of the solution, according to the vast majority of organizations. This is indicated by 79% of all responding organizations expecting their IAM suppliers to deliver best practice standard processes as part of the solution. In Germany and France, the value is slightly higher with 82% and 84% respectively. In the US, 93% of the organizations expect such standard processes. Unfortunately, the majority of traditional on-premise IAM products do not include such standard processes and implementation of processes commonly is cumbersome and costly. IDaaS can support customers by providing both a better experience and simpler tools – configuration instead of coding – for adaptation and implementation of processes.

When looking at the perception that most IAM projects are long-running and do not meet their targets (regarding implementation time, project costs and benefits delivered), the numbers collected at first glance show a different picture. Only a small portion of projects are rated as being poor or very poor on delivery. Interestingly, while 76% of respondents not in implementer, architect, or designer roles have a positive opinion of projects being on time and on budget, only 65% of the architects and designers share that opinion. Also, only 51% of the architects or designers believe that the current initiatives meet the organizational cost reduction targets of the current IAM initiatives, compared to an overall rating of 66%. When analyzing the job titles of attendees, the numbers show that IT Security people have the most critical view of the current projects, compared in particular to people from non-IT departments.

When looking at the budget situation behind these initiatives, only 58% of the organizations state having a separate IAM budget. In many organizations, IAM budgets are either specifically approved projects or part of Information Security or IT Security budgets, or sometimes even IT Infrastructure.

On the other hand, budgets have increased significantly for 2016 in contrast to 2015. 68% of the organizations report an increase, with only 1% reporting a decrease. 28% of all organizations report a strong increase of at least 10%, with 4% indicating that their budgets have grown by more than 50% compared to last year. These numbers prove both the overall growing awareness of the need for investments in Information Security and the specific understanding that IAM is a core capability for any organization.

Aside from cost, the location of data centers becomes an important aspect of the move to IDaaS. Security, privacy, and data protection concerns, as well as regional and industry regulation, cause organizations to favor local data centers.

13.

FIGURE 4Rating of the quality of project delivery and cost reduction of current IAM initiatives

Very poor 1% 3%

Poor 6% 6%

Acceptable 23% 25%

Good 42% 38%

Very good 28% 28%

Deploying on-premise IAM has proven being a cumbersome and costly process for our organization IT Infrastructure lead of a large German insurance company

PROJECT DELIVERY COST REDUCTION

12. Cost and Deployment

Customers from both the US and Europe expect IDaaS data centers to be located in their country or region (e.g. the region of the European Union). Close to 90% of the respondents in both regions prefer or mandate data centers in their country or region.

Interestingly, there are no clear preferences for the provider of IDaaS services. While 70% of the organizations prefer managed services provided by partners they are already working with, 68% are also comfortable with leading software vendors providing such services and 56% would even accept a start-up to provide such services. Apparently, the capabilities of the services, such as strong process support, are more important than the type of service provider itself.

13.

Budget changes for IAM 2015 to 2016 FIGURE 5

Decreased 1%

Stable 28%

Slightly increased (up to 10%) 40%

Significantly increased (10-50%) 24%

Increased by more than 50% 4%

Don’t Know 3%

14. Control

Control

Identity and Access Management is a cornerstone of implementing IT Governance and fulfilling the regulatory compliance requirements. IDaaS platforms must support this demand.

The days of username/password or one single One Time Password (OTP) token approach are past. Modern solutions must support a variety of authentication methods, including social logins. IDaaS services are ideally suited to support a multitude of different authentication mechanisms due to their service approach, wide range of support for protocols and standards, economies of scale when adding capability, and the rapid deployment approach they enable.

14. Control 15.

Moving from on-premise IT services to cloud-based services further increases the challenge of enforcing IT Governance and fulfilling regulatory compliance requirements. This demand exists for all types of IAM solutions and is considered a major requirement for the vast majority of companies.

On the other hand, despite ever-tightening regulations, organizations are facing the need to deal with access from more types of devices than ever before, in particular mobile users and their own devices – just think about how customer and consumer access differs from how employees access applications and services. Thus organizations have to implement solutions that support a variety of authentication schemes, in particular from the broad range of mobile devices with an increasing number of built-in authentication technologies. Balancing the demand for flexibility in access with the need for security and governance is a growing challenge for most organizations.

This change is due in part to the growing demand for supporting social logins, i.e. an authentication dependant on a third party identity verification such as Facebook, Twitter or LinkedIn. Support for social logins for employees is considered as highly important or mandatory by 53% of organizations. For customers, the corresponding value is 63%. It is clear that social login is of importance for all users, but in particular for customer access.

Beyond social logins as one specific approach for authenticating users, organizations are showing a strong demand for solutions that allow them to support the increasing number of methods and devices people can use to access the organization’s IT systems. 84% of the survey respondents consider such support being of high or very high priority. There are some differences between countries, with Germany showing the lowest rating and Benelux & Nordics indicating the highest priority for this type of solutions. The trend for Benelux & Nordics is most likely based on the extensive deployment and use of public and banking ID cards in these regions – support for flexible authentication is already a more common requirement.

On the other hand, only 21% of organizations state that they are already equipped with solutions for adaptive authentication that can deal with various types of authentication mechanisms and the varying security level of the authenticators. One third of the organizations are not even running a project in this area.

Another element of adaptive authentication is risk awareness. When asked how critical it is for the organization to have the means to authenticate users and control their access in a way that adapts to the actual level of risk and the context of the user (e.g. location or device), 94% state this as being critical or very critical for employee access. In the US, that value is up to 99%. For customer access, the overall value is 86%, with the US again showing a bigger demand with a value of 97%.

Organizations’ demand for the flexible support of different authentication methods is significant

FIGURE 6

Benelux & Nordics 96%

US 93%

UK 90%

France 83%

Germany 74%

We only are able to manage the risk of mobile users, external partners, and customers accessing our systems when we have comprehensive support for adaptive authentication Enterprise IT Security Architect of a pharmaceutical company

FIGURE 7

Adaptive authentication, supporting a variety of authentication mechanisms, and risk-based authentication mechanisms are a must for IAM. Organizations rate this capability as critical. Again, while this capability is well-understood as being critical, the majority of organizations are not yet there. While 53% of US organizations claim to have such solutions in place, the other extreme is Germany with only 17% of organizations stating that they have already deployed such solutions. Nonetheless close to half of the organizations surveyed report that they are currently running projects in this area, underlying a clear trend to increase capability for adaptive authentication controls.

FIGURE 8

Another area the survey analyzed is the demand for better analytics of identities, user access and overall user behavior based on so-called “Big Data” technologies that allow for the collection and advanced analysis of large amounts of data. 57% of the organizations indicate that such capability is critical or very critical to them already today, with a lower rate in some European regions. When asked whether they would rate this capability as critical or very critical in two years from now, the value rises to 71%. Despite all concerns regarding data protection and privacy, organizations are increasingly looking at ways to better analyze the behavior of their users. This is driven by both security and marketing requirements. Understanding anomalous behavior is an important element of cyber defense, while a better understanding of the behavior of customers facilitates the delivery of tailored services.

While this capability is considered as critical, the reality is that only 21% of the responding organizations already have such solutions in place, while another 39% claim to have a project running in this area. When looking at the 11% of organizations that haven’t done anything yet and which have nothing planned, 41% state that they believe their organization must be equipped with such solutions.

Another important area is managing access for users. This includes the need to have adequate tools and processes in place that support account creation,

entitlement management, and access approvals. While 64% of organizations rate their maturity in this area as good or very good for employees, 45% of the organizations see significant weaknesses when it comes to managing customer access. This can be explained by the fact that most organizations have invested in their employee IAM for years, while managing customer identities with IAM tools is still a relatively new requirement for many organizations.

It is clear that managing access of both customers and employees in a simple and fast manner is considered critical or very critical by most organizations. For employees, 94% of the organizations rate this at the level of critical or very critical; for customers, 83% of organizations apply this rating. This indicates that customer IAM is already perceived as a critical IAM capability, even while it is not yet implemented well in many organizations.

FIGURE 9

Certain aspects of identity and access management are delivered through self-service that allows users to manage their accounts and request their own attributes. The demand for such IAM self-service capability is significant for all types of users.

88% of the responding organizations also indicate a high priority afforded to strong audit and compliance support of their IAM solutions. Only 2% have low or no priority for this. However, strong support for such requirements is still relatively low when compared to other IAM capabilities.

FIGURE 10

While 46% of the organizations indicate that they are well-equipped with solutions for managing access and approvals and another 31% indicate that they have projects running, only 17% state that they have a mature solution for audit and compliance around identities and their access entitlements in place. Another 54% have projects running in this area. This high number of projects is due to the ever-increasing requirements for achieving regulatory compliance and the audit pressure many organizations are experiencing in that area.

16. Control

16. Control 17.

Deployment rate for Adaptive Authentication and currently running projects

FIGURE 7 State of deployment of Big Data Analytics tools for analyzing the user behavior

FIGURE 8

Demand for IAM self- service capability is significant for all types of users

FIGURE 9 Current state of deployments and projects for critical IAM capabilities

FIGURE 10

11% Nothing done yet and nothing planned

29% Nothing done but we’re thinking about it

39% We’re doing a project on that

21% We’re already equipped

Internal Users 82%

Partners 75%

Customer Accounts 73%

Contractors 68%

Joint Ventures 65%

CURRENT PROJECT IN PLACE

Social Login 64%

Guest Users 63%CURRENT PROJECT IN PLACE

Access request and approval

Self-service IAM

Audit and compliance

Overall

Germany

US

54% 17%

46% 29%

31% 46%

31% 53%

49% 17%

40% 22%

18. Summary and Recommendations

18. Summary and Recommendations 19.

IDaaS (Identity as a Service) helps organizations balance new business requirements with the regulatory compliance challenges they are facing, while also supporting the need for rapidly and securely on-boarding cloud services and scaling to potentially millions of customers.

Organizations are facing the need for improving their IAM infrastructure due to the changing business demand. Managing not only employees but also customers is a key emerging business requirement. Another is the need for supporting adaptive authentication.

The ability to rapidly and securely on-board new cloud services is also a common requirement to most organizations. While most organizations, regardless of their location, share the same view on traditional and new business requirements, the current state of IAM in the majority of organizations proves that there still are significant gaps in their current deployments.

IDaaS is a promising approach for addressing the challenges and business demand more rapidly at lower cost. At the same time, IDaaS helps organizations achieve more flexibility in supporting cloud services and adaptive authentication requirements, as well as improved scalability. Clearly, IDaaS is not the only way to respond to the ever-increasing demand for new IAM capabilities – but it is a logical and efficient way to overcome some of the common challenges and pitfalls of IAM.

Organizations considering moving to IDaaS, either to augment or replace their existing IAM infrastructure, should carefully consider the capabilities of these services. Support for standardized IAM processes is high on the requirements list of organizations. Local data centers are another important requirement. Good support for the leading cloud services and excellent capabilities in the area of adaptive authentication are also sought-after by most customers. Furthermore, support for existing on-premise applications and strong support of governance features are important requirements.

In summary, we strongly recommend organizations to evaluate the potential of today’s IDaaS offerings in addition to, or as replacement of, existing on-premise IAM. However, organizations should always keep in mind that these solutions must support all of their IT – all users, all types of devices and access, all deployment models for IT services, with particular attention to in-house developments and legacy applications. Thus, hybrid approaches where IDaaS complements existing on-premise IAM infrastructure present a valid deployment option. This hybrid model provides strong support for existing on-premise environments, potentially leveraging existing IAM investment whilst still benefiting from the many benefits offered by emerging IDaaS services.

At the same time, there is no doubt that native IDaaS implementations are gaining ground due to the ever increasing adoption of hybrid and cloud-only IT infrastructure to support scalability and flexibility requirements arising from Digital Transformation.

Summary andRecommendations

CapgeminiWith more than 180,000 people in over 40 countries, Capgemini is one of the world’s foremost providers of consulting, technology and outsourcing services. The Group reported 2015 global revenues of EUR 11.9 billion. Together with its clients, Capgemini creates and delivers business, technology and digital solutions that fit their needs, enabling them to achieve innovation and competitiveness. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business ExperienceTM, and draws on Rightshore®, its worldwide delivery model.Learn more about us at www.capgemini.com

KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision making processes. As a leading analyst company KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.KuppingerCole, founded in 2004, is a global Analyst Company headquartered in Europe focusing on Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise, thought leadership, outstanding practical relevance, and a vendor-neutral view on the information security market segments, covering all relevant aspects like: Identity and Access Management (IAM), Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting, Governance, and Organization & Policies.For further information, please visit www.kuppingercole.com or contact clients@kuppingercole.com

CXP GroupFounded in 1976, Pierre Audoin Consultants (CXP Group) is part of the CXP Group, the leading independent European research and consulting firm for the software, IT services and digital transformation industry. The CXP Group offers its customers comprehensive support services for the evaluation, selection and optimization of their software solutions and of IT services providers, and accompanies them in optimizing their sourcing and investment strategies. As such, the CXP Group supports ICT decision makers in their digital transformation journey. Further, the CXP Group assists software and IT services providers in optimizing their strategies and go-to-market approaches with quantitative and qualitative analyses as well as consulting services. Public organizations and institutions equally base the development of their IT policies on our reports.The CXP Group consists of three branches: Le CXP, BARC (Business Application Research Center) and Pierre Audoin Consultants (CXP Group).For more information, please visit: www.CXP Group-online.com - http://cxpgroup.com

Rightshore® is a trademark belonging to Capgemini.

© 2016 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole’s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

Graphic design: Avant Midi. Photographies: Thinkstock.