Derek Brink's Presentation

1. IAM Integrated
Analyzing the “Platform” versus
“Point Solution” Approach
Spring 2012
Derek E. Brink, BS, MBA, CISSP
Vice President & Research Fellow, IT Security / IT GRC
Derek.Brink@aberdeen.com

2. Outline
 Introductions
 Myself
 Research methodology
 Benchmark study on IAM
 Business context
 Aberdeen’s research findings
 Summary and recommendations
 Additional resources
2

3. Introductions
Derek E. Brink, CISSP – www.linkedin.com/in/derekbrink
 VP & Research Fellow covering topics in IT Security and IT GRC
at Aberdeen Group, a Harte-Hanks Company
 I help organizations to improve their security and compliance initiatives
by researching, writing about and speaking about the people, processes
and technologies that correspond most strongly with the top performers
 Adjunct Professor in Graduate Professional Studies at Brandeis University
 I help individuals to improve their critical thinking, leadership skills and
communication skills by teaching graduate courses in information
assurance
 Senior high-tech executive experienced in strategy development and
execution, corporate / business development, product management and
product marketing
 RSA Security, IBM, Gradient, Sun Microsystems, Hewlett-Packard
 MBA – Harvard Business School
 BS Applied Mathematics – Rochester Institute of Technology
3

4. Aberdeen’s Unique Research Methodology
Fact-based, “benchmarking” style
average
lagging
leading
 Pressures  Respondents are differentiated
 Actions based on key performance
 Capabilities indicators
 Enabling Technologies  Correlation of “people, process
and technologies” with results
4

5. Benchmark Study on Identity and Access Management (IAM)
Business Context: Increased Complexity of the Enterprise Computing Environment
Drivers, Inhibitors for investment time to provision
Strategies % orphans time to ∆ # roles
Capabilities (people, process) time to de-provision
Enabling Technologies #, type
Provisioning
# applications #, type Applications
End-Users
Identities
Access
• Employees Data
• Temporary employees / contractors
• Mobile / remote users
• Business Partners
• Customers
• Privileged Users Hosts
Endpoints Intelligence Repositories
time to integrate apps, roles
% customization vs. % configuration #, type
# FTE admins
unauthorized access
“platform” vs. “best of breed” audit deficiencies total annual cost
data loss or exposure
5

6. Outline
 Introductions
 Business context
 End-users
 Endpoints
 Applications and data
 The cost complexity and compliance
 Aberdeen’s research findings
 Summary and recommendations
 Additional resources
6

7. Business Context
Evolving End-User Populations
• The days of enterprise end-users being largely synonymous with internal employees are over
 In Aberdeen’s 2011 study on managing identities and
access:
 For every 100 employees there are another 27
temporary employees or contractors
 Of this combined population, about 2 out of 5 (39%) are
supported as mobile / remote users
 Externally, support for business partners adds still
another 20% to the total end-user count –
 And this updated figure is then more than doubled
when adding in support for the organization's external
customers
 Effects of changing end-user populations
 Increased security- and compliance-related risks
 Pressure on the necessary supporting infrastructure
(e.g., including all people, process, technology,
hardware, software, services, training and support)
7

8. Business Context
Evolving Endpoint Complexity
• Momentum behind greater diversity and complexity of the enterprise IT infrastructure continues to mount
 Enterprise end-users increasingly have an expectation of
access to enterprise resources from any place, at any
time, from any mobile platform
 94% support access to enterprise email
 89% support access to enterprise contacts
 89% support access to enterprise calendar
 87% support access to enterprise web-based apps
 45% support access to corporate network or Wi-Fi
 Of particular note is the growing population of mobile
endpoint devices that are not provisioned and managed
by the enterprise
 72% of respondents in Aberdeen’s study on enterprise
mobility support corporate-owned devices
 62% support employee-owned devices
 Greater diversity and complexity of the enterprise IT
infrastructure creates corresponding challenges to the
enterprise's ability to maintain some semblance of
visibility and control
8

9. Business Context
Evolving Characteristics of Enterprise Applications and Data
• Enterprise data is generally not created to be hidden away – it is generally created to be shared
• This naturally increases the need for the means to access enterprise resources, securely and reliably
 Data volume and type  Applications / services
 More data  Currently supported: 215
 Larger files  Routinely accessed by typical
 More file types enterprise end-users: 56 (26%)
 Routinely accessed using
 Data flow strong authentication: 8 (14%)
 Increased collaboration, both
within and across
organizational boundaries
 Greater pressure to provide
faster access to information,
any time, any location, any
device
 Greater complexity for access
 More users
 Diverse populations
 More user-managed devices
9

10. Business Context
The cost of Complexity also amplifies the cost of Compliance
• In the context of their identity and access management initiatives, many organizations struggle with
implementing repeatable approaches to demonstrating compliance with regulatory requirements such as
attestation and separation of duties (SoD) … and this is consuming more and more of their IT budgets
 Attestation refers to the  Separation of duties (or
periodic validation that end- segregation of duties) refers
users have appropriate access to dividing tasks and
rights, i.e., as part of providing associated privileges for certain
assurance that the right end- business processes among
users have the right access to more than one individual, to
the right resources at the right help prevent potential abuse or
times. fraud.
10

11. Outline
 Introductions
 Business context
 Aberdeen’s research findings
 Vendor-integrated “platform” approach
vs. enterprise-integrated “point solution” approach
 Quantification of benefits
 Summary and recommendations
 Additional resources
11

12. Aberdeen’s Research Findings
Approach to Selecting and Deploying IAM Solutions (all respondents)
• Across all respondents, a discernable shift from integration of point solutions to a “platform” approach
• Average number of individual / point solutions currently deployed: between 4 and 5
100%
47% 53%
Percentage of Respondents (N=155)
80%
Vendor-integrated / "Platform" approach
60%
53%
47%
40%
Enterprise-integrated / "Point Solution"
approach
20%
0%
Current Planned
12

13. Analysis
“Platform” vs. “Point Solution”
 Aberdeen’s research shows a discernable shift from
enterprise self-integration of point solutions for IAM
toward more of a vendor-integrated approach
 Some solution providers refer to this as an IAM "platform“
 Others emphasize vendor integration, but feel that the
term "platform" implies a lack of flexibility and choice
 Aberdeen’s perspective
 Any approach that shifts the burden of integration from the
enterprise to the solution provider is a welcome trend
 Analysis of organizations adopting each approach
provides additional insights
 Platform approach (N=32)
 Point Solution approach (N=39)
13

14. Summary of Findings
Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefits Description and Derivation of Benefits Platform vs. Point
Solution
Increased Timely provisioning and modification of end-user access to existing
end-user
applications or services can save companies hundreds of dollars per end- Advantage:
user per year in terms of convenience, productivity and downtime, and
productivity significantly enhance the overall end-user experience.
Platform approach
14

15. Summary of Findings
Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefits Description and Derivation of Benefits Platform vs. Point
Solution
Increased Timely provisioning and modification of end-user access to existing
end-user
applications or services can save companies hundreds of dollars per end- Advantage:
user per year in terms of convenience, productivity and downtime, and
productivity significantly enhance the overall end-user experience.
Platform approach
Adoption of the Platform Approach to Managing Identities and Access Platform Point Solution Platform
Translates to Tangible Business Value (average for each respective metric) (N=32) (N=39) Advantage
Provide emergency access
Increased 2.0 hours 2.3 hours 11% faster
(e.g., forgotten username or password)
end-user
productivity Reset a password or PIN
1.1 hours 1.6 hours 30% faster
(e.g., help desk or end-user self-service)
15

16. Summary of Findings
Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefits Description and Derivation of Benefits Platform vs. Point
Solution
Rapid de-provisioning of end-user access, on the other hand, is more about
cost avoidance than it is about cost savings – e.g., by reducing the window
Reduced of vulnerability from orphaned accounts and minimizing the potential for Advantage:
risk downstream misuse. Periodic attestation of access privileges and
enforcement for separation of duties are also critical elements of reducing
Platform approach
risk.
16

17. Summary of Findings
Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefits Description and Derivation of Benefits Platform vs. Point
Solution
Rapid de-provisioning of end-user access, on the other hand, is more about
cost avoidance than it is about cost savings – e.g., by reducing the window
Reduced of vulnerability from orphaned accounts and minimizing the potential for Advantage:
risk downstream misuse. Periodic attestation of access privileges and
enforcement for separation of duties are also critical elements of reducing
Platform approach
risk.
Adoption of the Platform Approach to Managing Identities and Access Platform Point Solution Platform
Translates to Tangible Business Value (average for each respective metric) (N=32) (N=39) Advantage
Suspend / revoke / de-provision an existing end-user identity 4.9 hours 5.8 hours 14% faster
Suspend / revoke / de-provision end-user access to an existing app 3.7 hours 6.8 hours 46% faster
Reduced Average dormant / orphaned accounts found
risk 3.7% 6.5% 44% faster
(as a % of total number of accounts)
4.3-times
Average dormant / orphaned accounts found = none 13% 3%
higher
17

18. Summary of Findings
Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefits Description and Derivation of Benefits Platform vs. Point
Solution
Given the dynamic changes in enterprise end-user populations and
application portfolios, faster time to integrate a new application or integrate
Increased a new end-user role with the enterprise's IAM infrastructure translates to Advantage:
agility flexibility and agility to compete more effectively. Pre-integration and
workflow spanning IAM components cuts out the complexity and overhead
Platform approach
of synchronization.
18

19. Summary of Findings
Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefits Description and Derivation of Benefits Platform vs. Point
Solution
Given the dynamic changes in enterprise end-user populations and
application portfolios, faster time to integrate a new application or integrate
Increased a new end-user role with the enterprise's IAM infrastructure translates to Advantage:
agility flexibility and agility to compete more effectively. Pre-integration and
workflow spanning IAM components cuts out the complexity and overhead
Platform approach
of synchronization.
Adoption of the Platform Approach to Managing Identities and Access Platform Point Solution Platform
Translates to Tangible Business Value (average for each respective metric) (N=32) (N=39) Advantage
Increased Integrate a new application with the enterprise’s IAM solution 43 hours 118 hours 64% faster
agility Integrate a new end-user role into the enterprise’s IAM solution 19 hours 70 hours 73% faster
19

20. Summary of Findings
Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefits Description and Derivation of Benefits Platform vs. Point
Solution
Fewer incidents of unauthorized access to enterprise resources related to
Enhanced IAM translates to a huge benefit in terms of cost avoidance, particularly
security given the high average cost per incident found in Aberdeen's studies. Advantage:
and Consistent enforcement of policies and consistent, consolidated reporting
for compliance translates to fewer audit deficiencies related to IAM, and the
Platform approach
compliance
liberation of IT resources for more strategic projects.
20

21. Summary of Findings
Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefits Description and Derivation of Benefits Platform vs. Point
Solution
Fewer incidents of unauthorized access to enterprise resources related to
Enhanced IAM translates to a huge benefit in terms of cost avoidance, particularly
security given the high average cost per incident found in Aberdeen's studies. Advantage:
and Consistent enforcement of policies and consistent, consolidated reporting
for compliance translates to fewer audit deficiencies related to IAM, and the
Platform approach
compliance
liberation of IT resources for more strategic projects.
Adoption of the Platform Approach to Managing Identities and Access Platform Point Solution Platform
Translates to Tangible Business Value (average for each respective metric) (N=32) (N=39) Advantage
Enhanced Unauthorized access to enterprise resources (per 10K users) 0.64 0.74 14% fewer
security and
compliance Audit deficiencies related to IAM (per 10K users) 0.56 0.87 35% fewer
21

22. Summary of Findings
Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefits Description and Derivation of Benefits Platform vs. Point
Solution
Efficiency of the vendor-integrated approach translates to support for
higher scale with fewer FTE admin resources, at lower total annual cost per
Reduced
end-user per year. Common management interfaces across components
Advantage:
total cost enable policies which are consistent and easier to administer. Both Platform approach
"internal" and "external" end-users are managed by the same system.
22

23. Summary of Findings
Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefits Description and Derivation of Benefits Platform vs. Point
Solution
Efficiency of the vendor-integrated approach translates to support for
higher scale with fewer FTE admin resources, at lower total annual cost per
Reduced
end-user per year. Common management interfaces across components
Advantage:
total cost enable policies which are consistent and easier to administer. Both Platform approach
"internal" and "external" end-users are managed by the same system.
Adoption of the Platform Approach to Managing Identities and Access Platform Point Solution Platform
Translates to Tangible Business Value (average for each respective metric) (N=32) (N=39) Advantage
Total annual cost related to IAM initiatives $8.90 $17.10
(e.g., including all people, process, technology, hardware, per end-user per end-user 48% lower
Reduced software, services, training, support) per year per year
total cost
2.75-times
Total end-users per FTE IAM administrator 5,500 2,000
more
23

24. Summary of Findings
Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
Benefits Description and Derivation of Benefits Platform vs. Point
Solution
Increased Timely provisioning and modification of end-user access to existing
applications or services can save companies hundreds of dollars per end-
end-user
productivity
user per year in terms of convenience, productivity and downtime, and Advantage:
significantly enhance the overall end-user experience.
Platform approach
Rapid de-provisioning of end-user access, on the other hand, is more about
cost avoidance than it is about cost savings – e.g., by reducing the window
Reduced of vulnerability from orphaned accounts and minimizing the potential for
risk downstream misuse. Periodic attestation of access privileges and
enforcement for separation of duties are also critical elements of reducing
risk.
Given the dynamic changes in enterprise end-user populations and
application portfolios, faster time to integrate a new application or integrate
Increased a new end-user role with the enterprise's IAM infrastructure translates to
agility flexibility and agility to compete more effectively. Pre-integration and
workflow spanning IAM components cuts out the complexity and overhead
of synchronization.
Fewer incidents of unauthorized access to enterprise resources related to
Enhanced IAM translates to a huge benefit in terms of cost avoidance, particularly
security given the high average cost per incident found in Aberdeen's studies.
and Consistent enforcement of policies and consistent, consolidated reporting
compliance for compliance translates to fewer audit deficiencies related to IAM, and the
liberation of IT resources for more strategic projects.
Efficiency of the vendor-integrated approach translates to support for
higher scale with fewer FTE admin resources, at lower total annual cost per
Reduced
end-user per year. Common management interfaces across components
24

25. Details of Analysis
Adoption of the Platform Approach to IAM Translates to Tangible Business Value
Adoption of the Platform Approach to Managing Identities and Access Platform Point Solution Platform
Translates to Tangible Business Value (average for each respective metric) (N=32) (N=39) Advantage
Provide emergency access
Increased 2.0 hours 2.3 hours 11% faster
(e.g., forgotten username or password)
end-user
productivity Reset a password or PIN
1.1 hours 1.6 hours 30% faster
(e.g., help desk or end-user self-service)
Suspend / revoke / de-provision an existing end-user identity 4.9 hours 5.8 hours 14% faster
Suspend / revoke / de-provision end-user access to an existing
3.7 hours 6.8 hours 46% faster
application
Reduced
risk Average dormant / orphaned accounts found
3.7% 6.5% 44% faster
(as a % of total number of accounts)
4.3-times
Average dormant / orphaned accounts found = none 13% 3%
higher
Increased Integrate a new application with the enterprise’s IAM solution 43 hours 118 hours 64% faster
agility Integrate a new end-user role into the enterprise’s IAM solution 19 hours 70 hours 73% faster
Enhanced Unauthorized access to enterprise resources (per 10K users) 0.64 0.74 14% fewer
security and
compliance Audit deficiencies related to IAM (per 10K users) 0.56 0.87 35% fewer
Total annual cost related to IAM initiatives $8.90 $17.10
(e.g., including all people, process, technology, hardware, per end-user per end-user 48% lower
Reduced software, services, training, support) per year per year
total cost
2.75-times
Total end-users per FTE IAM administrator 5,500 2,000
more
25

26. Current Capabilities
Knowledge Management, by Maturity Class and by Approach
• Workflow for IAM lifecycle; workflow-based approval for exceptions; standardized audit and reporting
• Platform approach is closest to Best-in-Class; Point Solution approach is between Average and Laggard
Best-in-Class (Top 20%) Industry Average (Middle 50%) Laggards (Bottom 30%)
Platform Approach (N=32) Point Solution (N=39)
67% 59%
60%
Percentage of Respondents (N=155)
55%
59% 58%
56%
49%
49% 50%
47%
40%
33%
28%
20% 24%
21%
15%
0%
Workflow-based approval for Standardized workflow for the IAM Standardized audit, analysis and
exceptions lifecycle reporting
26

27. Current Capabilities
Performance Management, by Maturity Class and by Approach
• Effective audit and reporting, attestation, and enforcement for separation of duties
• Platform approach is closest to Best-in-Class; Point Solution approach is between Average and Laggard
Best-in-Class (Top 20%) Industry Average (Middle 50%) Laggards (Bottom 30%)
Platform Approach (N=32) Point Solution (N=39) 68%
63%
67%
60% 63% 56%
Percentage of Respondents (N=155)
56% 57%
50% 49%
45% 45%
40%
35% 36%
24% 25%
20%
0%
Audit and reporting for who approved Periodic validation that end-users Enforcement for separation of duties
access privileges and when have appropriate access rights
27

28. How IAM Capabilities Are Achieved
Configuration (out-of-the-box) vs. Customization (coding)
• Leaders are slightly more able than all others to achieve IAM capabilities by configuration than by coding
• Adopters of the Platform approach have pushed this advantage a bit further; no impact for Point Solution
• Cost implications are obvious; vendor enhancements in this area would receive strong market welcome
100%
Percentage of Respondents (N=155)
80% 42% 44% 47% 47%
60%
Customization
Configuration
40%
58% 56% 53% 53%
20%
0%
Platform Best-in-Class Point Solution All Others (Other
Approach (N=32) (Top 20%) Approach (N=39) 80%)
28

29. Outline
 Introductions
 Business context
 Aberdeen’s research findings
 Summary and recommendations
 Additional resources
31

30. Summary
 Based on more a study of more than 160 respondents, Aberdeen's
analysis of 32 enterprises which have adopted the vendor-integrated
(Platform) approach to identity and access management, and 39
organizations which have adopted the enterprise-integrated (Point
Solution) approach, showed that the vendor-integrated approach
correlates with the realization of significant advantages –
including
 Increased end-user productivity
 Reduced risk
 Increased agility
 Enhanced security and compliance
 Reduced total cost.
32

31. Recommendations
Crawl / Walk / Run (1 of 3)
• Aberdeen's research consistently confirms the merits of a pragmatic "Crawl, Walk, Run" approach as
the basic template for successful enterprise-wide initiatives
 Adopt a primary strategic focus. Which of the following strategies
supports the most compelling business case for your organization's
investments in IAM: convenience and productivity for end-users?
Compliance and security requirements? Consistency of policies for
managing identities and access to corporate resources? Cost savings and
cost avoidance through greater efficiency and effectiveness? The essential
first step is to identify the strategy that is most compelling for your
organization to get started, and begin.
 Put someone in charge. Having a responsible executive or team with
primary ownership for important enterprise-wide initiatives is consistently
correlated with the achievement of top results. IAM initiatives are consistent
with this pattern.
 Prioritize security control objectives as a function of requirements for
risk, audit and compliance. Emphasizing security before compliance, rather
than the other way around, reduces the probability of overlaps in controls
(which waste resources) or gaps (which increase vulnerabilities).
33

32. Recommendations
Crawl / Walk / Run (2 of 3)
 Establish consistent policies for end-user identities and end-user access
to enterprise resources. As the expression of management's intent for the
business, consistent policies are the foundation for any successful IAM
initiative.
 Standardize the workflow for the IAM lifecycle, including workflow-based
approval for exceptions. Standardization and automation of workflow should
not mean automatic approval, however – on the contrary, increased
involvement and accountability for approvals puts a greater responsibility on
the business owners rather than on the IT staff.
 Standardize audit, analysis and reporting for IAM projects, including
reporting for who approved access and when, periodic validation that end-
users have appropriate access, and enforcement for separation of duties.
Quarterly attestation reviews, for example, are common to address
requirements for regulatory compliance.
34

33. Recommendations
Crawl / Walk / Run (3 of 3)
 Evaluate and select IAM solutions. Pay special attention to the level of
integration and intelligence provided by the IAM solution provider(s), versus
the degree of integration that remains to be completed by the enterprise.
Another critical consideration is the proportion of capabilities that can be
achieved by configuration (i.e., out-of-the-box) versus customization (i.e.,
coding and services). Proposals which are disproportionately heavy with
professional services from vendors or their third-party business partners do
not move a given solution from the enterprise-integrated category to the
vendor-integrated category.
35

34. Recommendations – Additional Considerations
 New approaches
 Organizational (vs. departmental)
 Lifecycle
 Vendor integrated / interoperable
 Higher scale at lower total cost
 New identity-enabled opportunities
DEVRE ER STHGIR LLA puo rG need rebA 1102 ©
S
 Social
 Mobile
Cloud ™

DU OLC SoMoClo Evolution
Social + Mobile + Cloud = Business Transformation
36

35. Outline
 Introductions
 Business context
 Aberdeen’s research findings
 Summary and recommendations
 Additional resources
37

36. Aberdeen Online Identity Assessment
Benchmark your own organization against those in the report
www.oracle.com/Identity
38