Forrester’s Security & Risk Research Spotlight – The IAM Playbook For 2015

When I first became research director of Forrester's S&R team more than five years ago, I was amazed to discover that 30% to 35% of the thousands of client questions the team fielded each year were related to Identity and Access Management (IAM).


And it’s still true today. Even though no individual technology within IAM has reached the dizzying heights of other buzz-inducing trends (e.g. DLP circa 2010 and actionable threat intelligence circa 2014), IAM has remained a consistent problem/opportunity within security. Why? I think it’s because:

  • Business and tech leaders are afraid to confront IAM. Like all the random boxes in my basement that seem to accumulate on their own, IAM is such a mess that most leaders don't know where or how to start. Large enterprises in particular often have multiple repositories of employee identities that they’ve amassed through global expansions, mergers, and acquisitions, plus they struggle with the complexities of employee joiner/mover/leaver processes.
  • No single team owns identity. IAM is a cornerstone of security, but it’s also critical to onboarding and managing access rights in applications and data for employees, streamlining business operations with partners, and it can make the difference between a customer experience that makes consumers feel confident sharing sensitive data with you or hating your guts because they can’t remember a password of special characters, capital letters, and numbers plus the name of their favorite pet and a teacher from the second grade. Most IAM initiatives require a cross-functional team with a strong enough leader to actually get something done. Forrester clients tell us their enterprise IAM projects can resemble the complexity of an ERP implementation from the late 1990s (having got my start in technology working insane hours for a large consultancy on ERP implementations, this description never fails to send waves of sympathy and shivers down my spine).
  • Too many firms have homegrown solutions and lack a compelling IAM strategy & vision. If you want to successfully manage the identities and access controls of thousands of employees, contractors, and other user populations, you’re going to need a mature commercial solution, especially if you want IAM to support business enablement and not just operational cost savings and meeting compliance mandates. And it can be more than that: it can help enable business agility while improving security.
  • New IAM requirements emerge all the time. The rapid adoption of mobile apps and cloud services, together with a multitude of new partnerships and new channels of customer engagement, has "extended" the identity boundary of today's digital business. Today, IAM involves far more than just provisioning employees with corporate resources and enforcing the appropriate access. IAM for the digital business means the ability to oversee access by a variety of populations. And it means your work is never done. You must continuously stay on top of new multifactor authentication methods, keep an eye on and implement the alphabet soup of identity standards, and explore new capabilities.

That’s why I’m focusing on The Identity And Access Management Playbook For 2015. Recently updated, the playbook consists of 13 integrated reports and tools that help you understand where IAM is today and where it's heading in the future, and then plan, implement, and optimize all of your IAM-related initiatives. Here are a few key reports that I want to highlight

We update every report in the playbook while researching new trends and solutions throughout the year. Right now, our subteam of IAM analysts and researchers (Andras Cser, Merritt Maxim, and Jennie Duong) are examining the zombie of the IAM technology ecosystem: the password. If you want to be a part of it, read Merritt’s blog post about it and take the survey!

Posted by Stephanie Balaouras
