
Identity Management Market Trends

by James G. Barr
Copyright 2015, Faulkner Information Services. All Rights Reserved.
Docid: 00018887

Publication Date: 1507


Report Type: MARKET

Preview
Identity management, also called identity and access management (IAM), is an unavoidable part of doing
business in an age that is both digital and highly regulated. Regulatory and compliance rulings in both the public
and private sectors, to say nothing of normal risk management practices, are driving companies to devote extra
diligence to monitoring, measuring, auditing, and controlling the ways in which employees (and even applications)
interface with electronic systems. Accordingly, identity management has emerged as a central component of
access management and security strategies.
Report Contents:
Executive Summary
Market Dynamics
Market Leaders
Market Trends
Strategic Planning Implications
References
Web Links

Executive Summary
Identity management refers to the control and automation of processes that regulate which users have access to
which resources. In this context, a user could be a person, server, host, or application. Rather than requiring IT
administrators to separately manage security for each resource, identity management solutions provide a single
point of administration for performing these functions.

Identity Management
According to the Control Objectives for Information and Related Technology (COBIT) - an information technology
(IT) governance standard widely adopted by US corporations to achieve Sarbanes-Oxley compliance - there are
five basic tenets of identity management [1]:
1. Uniqueness of Individuals - All users (internal, external and temporary) and their activity on IT systems
(business application, system operation, development and maintenance) should be uniquely identifiable.
2. "Need to Know" - User access rights to systems and data should be in line with defined and documented
business needs and job requirements.
3. Data Ownership - User access rights are requested by user management, approved by [the] system
owner, and implemented by the security-responsible person.
4. Central Administration - User identities and access rights are maintained in a central repository.
5. Management Infrastructure - Cost-effective technical and procedural measures are deployed and kept
current to establish user identification, implement authentication, and enforce access rights.

Identity Management Solution


A complete identity management solution not only automates the provisioning of accounts, it also provides a user
self-service password management tool, delegated administration that allows IT staff members to offload the
responsibility of user management to those who know the users best, and full auditing and reporting capabilities to
provide visibility into system access activity.
The central functions of an identity management solution include the following:
Consolidated User Administration - Provides a single platform to manage user accounts and profiles.
User Provisioning - Creates and deletes user accounts from systems throughout the user life cycle.
Single Sign-on - Authenticates the user for multiple applications requiring only one log on.
Password Management - Updates and synchronizes user profiles and passwords across multiple
applications.
Strong Authentication - Validates the user leveraging a mix of protection measures, including password,
digital token, and PIN.
Directory Management - Manages user accounts within a central setting, in many cases a Lightweight
Directory Access Protocol (LDAP) directory.
Web Access Control - Provides user account authorization within Web-based applications.

Market Dynamics
Demand for identity management solutions is based primarily on external pressures in the form of government
regulations and internal pressures from enterprise officials who are trying to efficiently and cost-effectively
administer access to increasingly complex IT environments.

Government Regulations
The most notable of the recent US privacy regulations are HIPAA, Sarbanes-Oxley, Payment Card Industry Data
Security Standard (PCI DSS), and the Gramm-Leach-Bliley Act.
Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires organizations in the healthcare
sector to meet defined standards for the storage and transmission of data. Among other goals, the act intends to
ensure the security of confidential patient information when it is transmitted from one entity, such as a doctor's
office, to another, such as an insurance company or another doctor.
Sarbanes-Oxley (SOX) Act. The Sarbanes-Oxley Act establishes strict financial reporting requirements for
US-based public companies and holds corporate executives accountable for ensuring that their companies follow
these rules.
Payment Card Industry Data Security Standard (PCI DSS). PCI regulations are designed to protect credit card
users from fraud and other abuses. PCI compliance requires companies to have provisions in place for physical
and electronic data protection, including two-factor authentication, password management, and others.
Gramm-Leach-Bliley Act (GLBA). This act restricts how and when financial institutions may share information
about their customers.
Globally, many other nations have enacted their own privacy legislation that affects corporations doing business in
their markets. For example, the European Union Privacy Act, Canada's Personal Information Protection and
Electronic Documents Act (PIPEDA), and the Japanese Personal Information Protection Act (JPIPA) all place
restrictions on the collection of and access to personal information that require, in turn, identity management
solutions to ensure that the data is not accessible to unauthorized individuals.

IT Administration Costs
Organizations are increasingly using their enterprise networks to provide resources and services to external
parties such as customers, suppliers, and business partners. This development complicates identity management
and creates the need for solutions to make such management easier and more affordable.
Internal and external password policies carry support and enforcement costs that drive up help desk expenses.
Some observers estimate that 30 percent of help desk calls are for simple password reset requests, at a cost of
$10 to $30 per event. As organizations continue to implement new enterprise applications, these costs will
continue to mount. By implementing a secure single sign-on solution, many of these costs can be reduced, if not
eliminated.
The enterprise user base is constantly in flux as new employees are hired, current employees change
assignments, other employees leave, contractors come and go, and customers, business partners, and suppliers
change. While these issues may seem disconnected, upon close examination it becomes clear that the common
thread they share is identity. Every decision that is made about granting access to resources causes a potential
security conflict. Identity management solutions ease the managerial burden of granting access and provide much
needed security along the way.
The market for identity management products continues to rise as enterprises attempt to cope with the growth of
users on their networks from both inside and outside their firewalls.

Privileged Identity Management


Owing to their higher level of access - and, thus, higher level of risk - privileged users (and user accounts) often
require a more demanding level of identity management. Privileged Identity Management solutions are widely
employed to secure, manage, and monitor all activities associated with privileged accounts. TechNavio predicts
that the Global Privileged Identity Management market, a subset of the overall Global Identity and Access
Management market, will expand at a compound annual growth rate (CAGR) of 26.82 percent over the period from
2014 to 2019.
According to TechNavio, "One of the major drivers in the market is the increased use of mobile devices. Increased
usage of mobile devices and tablets has given rise to many identification issues. Employees can access
confidential information such as corporate emails and critical business information using these devices. To
overcome this, companies need a security solution to restrict employees from misusing confidential data through
fraudulent activities. Hence, companies are adopting privileged identity management solutions to secure their
network and provide safe access."
Prominent Privileged Identity Management providers include BeyondTrust Software, CA Technologies, CyberArk
Software, IBM, and Lieberman Software. [2]

Market Leaders
The leading providers of identity management solutions include CA Technologies, Dell, EMC, IBM, Microsoft,
Novell, Oracle, and Symantec - not surprising since these firms are well established within the systems
management market space.
Each vendor offers a comprehensive solution, or set of solutions as befits a complex, multi-faceted function like
identity management. Consider, for example, Oracle Identity Manager 11g.

Oracle Identity Manager 11g


Oracle Identity Manager (OIM) is a highly flexible and scalable enterprise identity administration system that
provides operational and business efficiency by providing centralized administration and complete automation of
identity and user provisioning events across enterprise as well as extranet applications. It manages the entire
identity and role lifecycle to meet changing business and regulatory requirements and provides essential reporting
and compliance functionalities:
Account Reconciliation - OIM allows administrators to detect changes in access privileges originating outside
the identity management system. These account changes are potentially rogue activities and, therefore, trigger
various remediation activities through OIM including exception approvals, certification cycles, and de-provisioning
of entitlements or disabling accounts. Accounts can be linked in OIM either manually or by defining correlation
rules. By combining denial access policies, workflows, and reconciliation, an enterprise can execute the requisite
corrective actions when such orphan accounts are discovered in accordance with security and governance
policies.
Policy Enforcement & Compliance - OIM ensures that all provisioning triggered from it complies with various
enterprise IT audit policies. It also integrates with ERP IT audit policy engines such as Oracle Application Access
Controls Governor and SAP BusinessObjects GRC Access Control for ERP-level IT audit policy enforcement.
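The reconciliation pass described under Account Reconciliation can be sketched as follows. This is an added example, not Oracle's code and not the OIM API; the record types, the correlation rule (login first, then e-mail) and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:            # record held by the identity management system
    uid: str
    email: str
    active: bool
    granted: frozenset     # entitlements approved through the identity system

@dataclass(frozen=True)
class TargetAccount:       # account as found on a managed target system
    login: str
    email: str
    enabled: bool
    entitlements: frozenset

def correlate(account, identities):
    """Assumed correlation rule: login equals uid, else e-mail matches (case-insensitive)."""
    by_uid = {i.uid.lower(): i for i in identities}
    by_mail = {i.email.lower(): i for i in identities if i.email}
    owner = by_uid.get(account.login.lower())
    if owner is None and account.email:
        owner = by_mail.get(account.email.lower())
    return owner

def reconcile(identities, accounts):
    """Return (login, finding, remediation) for every deviation found on the target."""
    findings = []
    for acct in accounts:
        owner = correlate(acct, identities)
        if owner is None:
            # No identity owns this account: the orphan case from the text.
            findings.append((acct.login, "orphan account", "disable; exception approval"))
            continue
        if acct.enabled and not owner.active:
            findings.append((acct.login, "enabled account, inactive identity", "disable"))
        # Privileges present on the target that were never granted centrally.
        extra = sorted(acct.entitlements - owner.granted)
        if extra:
            findings.append((acct.login, "out-of-band entitlement: " + ", ".join(extra),
                             "de-provision or certify"))
    return findings

# Constructed sample data.
IDENTITIES = [
    Identity("alice", "alice@example.com", True, frozenset({"crm:read"})),
    Identity("bob", "bob@example.com", False, frozenset({"erp:read"})),
]
ACCOUNTS = [
    TargetAccount("ALICE", "", True, frozenset({"crm:read", "crm:admin"})),
    TargetAccount("bsmith", "Bob@Example.com", True, frozenset({"erp:read"})),
    TargetAccount("svc_backup", "", True, frozenset({"backup:all"})),
]

if __name__ == "__main__":
    for login, finding, action in reconcile(IDENTITIES, ACCOUNTS):
        print(f"{login:12} {finding:45} -> {action}")
```

Accounts with an empty e-mail are never matched on e-mail, so a blank attribute cannot silently attach a service account to a person.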

Market Trends

Market Growth
According to TechNavio, the Global Identity and Access Management Market should grow at a CAGR of 12.90
percent over the period from 2014 to 2019.
Among the major market trends are:
The availability of SaaS-based IAM Solutions
An increased demand from small-to-medium-sized enterprises (SMEs)
The emergence of IDaaS (IAM as a Service)
The integration of IAM systems with other security components [3]

Market Consolidation
In the past, the identity management market was an open field with specialty developers such as Oblix and RSA
competing directly against giants such as IBM and CA Technologies. Recently, however, large entrants in the
market have used a combination of acquisitions and internal development to enhance their positions and put
pressure on mid-sized competitors.

Federated Identity Management Identity Management in the Cloud


Companies have become increasingly concerned about security and identity management as they transition more
and more of their applications to the cloud. As a result, businesses are turning to federated identity management
solutions, which allow users to maintain their identities across Web services and e-commerce transactions and
between disparate organizations. Using federated management, a manufacturer could link its purchasing system
with the applications used by its various suppliers. The manufacturer could then check inventory and conduct
transactions through a supplier's system. A user's identity would be established on the manufacturer's side and
then that person's assigned network rights would be carried over as he or she accesses the supplier's
applications. The services would interact regardless of whether the organizations were using different applications
or platforms. Each Web service in use would be governed by a set of policies to be enforced and administered
through the identity management system.
Federated identity management strategies are particularly applicable to the latest applications being rolled out in
social media, and this need for security does not just apply to users needing to be careful about their own identity.
People should not be posting confidential information on their Facebook profiles, but if they do and one of their
friends has his or her identity stolen, that information could be read by the wrong people. In the consumer space,
companies are taking additional steps to authenticate their users, moving beyond the simple username and
password. Today, businesses, particularly financial services institutions, are requiring more customers to validate
their identity at login by answering security questions or acknowledging the correctness of a site key - a
designated image assigned to them that appears on screen.

Bring Your Own Device


Identity management will become an even more prominent element of enterprise security as more and more
organizations accept - or, in some cases, succumb to - the reality of the "bring your own device" movement. Bring
your own device (BYOD) describes when employees use their personally-owned devices for work purposes in
preference to or in addition to those supplied to them by the organization. Statistics regarding the extent of BYOD
vary widely, but all agree that it is growing fast. According to the Gartner Group, 90 percent of organizations will
support corporate applications of some sort on personal devices by 2014. Many believe that there are compelling
benefits for organizations that allow personal devices onto their network, including increased productivity, improved
user satisfaction, and greater flexibility.
A new generation of identity management solutions capable of accommodating a diverse and disparate set of
consumer-grade devices will quickly gain favor with enterprise officials.

Identity and Access Governance


In some circles, "identity management," or "identity and access management" (IAM), is in the process of evolving
into a new concept called "identity and access governance" (IAG). More than administering access to enterprise
systems and applications, IAG is concerned with "[mapping] the business role of end users (employees, partners,
citizens, or consumers) to the level and type of access they [require] to applications and data." [4] The goal is to
better align identity management functions with enterprise business objectives.

IDaaS
According to analyst Linda Musthaler, "There is a small but growing market for IAM offered as a service, or
IDaaS. Interest in IDaaS comes from midsize to large enterprises that need to manage access to applications in
the cloud as well as to legacy on-premises applications. These organizations want a single IAM solution that can
provide secure account provisioning across both environments. They also want a solution that doesn't require a big
investment in outside expertise to develop or customize all the application connectors." [5]

The Obamacare Factor


According to CA Technologies, "The Obamacare rollout demonstrated [at least initially] the logistical challenges of
validating online identities in an accurate and scalable manner. As more and more users enroll in online services,
demand for identity proofing services will increase significantly." [6]

Marketing Considerations Will Influence Identity Management


CA also predicts that the enterprise chief marketing officer (CMO) "will become a new force for broad identity
management initiatives. Successful marketing depends on understanding customers' needs and providing them
with a convenient experience for registration and enrollment. Allowing social login and maintaining a corporate
presence on social networks provides an opportunity to capture valuable customer data, including user identities,
social interaction patterns, and browsing and buying tendencies. The CMO will press for these capabilities to help
the enterprise engage with its customers, develop a stronger relationship with them, and improve loyalty." [7]

Strategic Planning Implications


Control of user identification within organizations can cause internal tension, creating not so much a technical
challenge as a turf battle. Oftentimes, deciding who is responsible for synchronizing user information across
departments determines the approval point for all exchanges of information. By doing so, entities within
enterprises may actually be re-writing their business process rules without knowing it. These problems are
complicated and amplified when coordinating identity management between separate organizations in a federated
environment. The most promising identity management solutions may not be the ones that offer the best technical
bells and whistles, but those that marry technology with an organization's business processes and strive to keep
the infighting in check.
Establishing and updating an identity management plan is not strictly an IT function. IT will be the primary
facilitator of the plan, but executive management should take the lead role in determining what resources
departments and individual users should be able to access. These policies should be based on overall corporate
protocol and on prevailing industry regulations.
The benefits that identity management solutions can offer organizations include the following:
Reduced risk - This is achieved through the secure control of access rights to a growing, diverse
community of partners, customers, and employees. Identity management gives enterprises quicker
response to internal audits and regulatory mandates as well. Identity management solutions also enable a
vital yet peripheral function: The dynamic tracking of physical and electronic accesses through various
enterprise systems and applications, thereby providing the extended benefit of asset management and
monitoring.
Reduced operational costs - By automating, delegating, and providing self-service interfaces to user
administration activities. Also, organizations can implement identity-based security without the aid of
specialty solutions. While providing some of the same security benefits, this approach requires significantly
more administration and may create inconveniences for users.
Enhanced user experience - By reducing multiple login requirements and removing or reducing the help
desk from the cycle of providing general support and resetting passwords.
Maintaining secure and accurate digital identities is vital for government agencies and nonprofits as well as
commercial enterprises. Identity management solutions enable government agencies to more accurately and
rapidly recognize authorized constituents for a range of programs, such as tax collection, healthcare delivery
services, and national defense. For private sector concerns, identity management solutions not only enable and
establish identity, they allow the enterprise to link together computer-based sales and prospect analysis
applications, market development analysis, and sales force automation systems: all data and information of a
competitive and highly secure nature that, if efficiently and securely shared, can lead to increased revenue while
reducing the cost of sales.
Organizations seeking comprehensive solutions that are easy to implement and maintain may find themselves
frustrated as they are required to perform customizations and discover that the solutions demand more
administration than expected, while offering fewer features than desired. These organizations may be better served
by implementing a point solution, such as an authentication tool, for a narrowly-defined, required function. If
needed, a comprehensive identity management solution could be implemented later, most likely through a phased
deployment.

References
[1] "COBIT 4.0." IT Governance Institute. 2005.

[2] "Global Privileged Identity Management Market 2015-2019." Research and Markets. December 2014.

[3] "Global Identity and Access Management (IAM) Market 2015-2019." Infiniti Research Limited. February 2015.

[4] "Magic Quadrant for Identity and Access Governance." Gartner. December 15, 2011:2.

[5] Linda Musthaler. "Identity and Access Management As a Cloud-Based Service Eliminates Time, Pain and
Cost." Network World. January 18, 2013.

[6] "CA Technologies Predicts Key Trends for Identity and Access Management in 2014." CA Technologies.
January 9, 2014.

[7] Ibid.

Web Links
CA Technologies: http://www.ca.com/
Dell: http://www.dell.com/
EMC: http://www.emc.com/
IBM: http://www.ibm.com/
Microsoft: http://www.microsoft.com/
Novell: http://www.novell.com/
Oracle: http://www.oracle.com/
Symantec: http://www.symantec.com/

About the Author


James G. Barr is a leading business continuity analyst and business writer with more than 30 years' IT
experience. A member of "Who's Who in Finance and Industry," Mr. Barr has designed, developed, and deployed
business continuity plans for a number of Fortune 500 firms. He is the author of several books, including How to
Succeed in Business BY Really Trying, a member of Faulkner's Advisory Panel, and a senior editor for Faulkner's
Security Management Practices. Mr. Barr can be reached via e-mail at jgbarr@faulkner.com.
