2009 European Identity and Access Management Survey
January 6, 2017 | Author: Lizbeth Woods | Category: N/A
2009 European Identity and Access Management Survey
A survey conducted by KPMG IT Advisory together with Everett
Supported by eema and IIR
Advisory
2 2009 European Identity & Access Management Survey
The findings at a glance
© 2009 KPMG International
The value of Identity and Access Management (IAM) is still recognised and IAM is here to stay
• Almost 90% of the survey participants have initiated one or more IAM projects in the last year;
• 70% of the respondents have a specifically allocated IAM budget.

Clearly the economic crisis has its impact on IAM, but IAM is still in the spotlight
• A quarter of the respondents reported budget cuts of 5%-50%, whereas 13% reported budget cuts of more than 50%;
• More than half of the respondents indicated a change of project scope;
• Many organisations are quite confident that their original business case is still applicable in this hard economic climate;
• Despite budget cuts, almost three quarters of respondents entirely or partially agreed that IAM investments should be increased instead of decreased due to the current economic climate.

Governance, Risk and Compliance is by far the main driver of IAM
• Governance, Risk and Compliance is even more important than last year’s survey indicated;
• The vast majority of IAM projects are still focused on their organisation’s direct employees;
• Access attestation and certification services are ‘on the map’ and this is possibly at the expense of the implementation of complete IAM solutions. This indicates a shift from more preventive controls to a detective approach focused on an organisation’s ‘crown jewels’.

There are still significant gaps between the expected and realised benefits of IAM
• Although gaps between expectation and realisation still remain, over half of the respondents were satisfied with the outcome of their IAM project;
• Organisations face difficulties in measuring the costs, benefits and quality of IAM services and related activities.

A lack of business buy-in is the main cause of IAM project failure
• IAM projects are still mostly the responsibility of the IT department or the Security Officer;
• 50% of the respondents stated that the business was not ready for the proposed solution;
• 51% of the respondents indicated that there was a lack of support from management and stakeholders.
Contents
01 Executive summary
02 Introduction
03 IAM projects – status and impact of the economic crisis
04 Drivers and strategy
05 Architecture
06 Expected benefits, realisation and satisfaction
Appendix A - Reference models
Appendix B - About the authors
Appendix C - European regions
01 Executive summary
KPMG IT Advisory and Everett, in cooperation with eema and IIR, are pleased to launch the report outlining the results of our 2009 European Identity and Access Management (IAM) Survey.

Authors Survey
KPMG: John Hermans, Joris ter Hart, Willem Guensberg, Arjan van Vliet
Everett: Peter Valkenburg, Erik Frambach
In order to contribute to the decision making process of organisations with regard to whether they should engage in IAM and with what type of initiative, we conducted the 2009 European IAM Survey as a follow-up to the IAM survey that KPMG conducted in 2008. Combining insights and trends from over 125 organisations from various sectors and countries, in combination with analysis and our experience in conducting IAM projects and programmes, we believe our survey makes a significant contribution to IAM research. This survey also provides insight into recent developments in the area of IAM and the impact of the economic crisis as the results are compared against the results from the 2008 IAM Survey (where applicable).
John Hermans
Associate partner, KPMG IT Advisory in the Netherlands
Global lead on Identity and Access Management

Peter Valkenburg
Member of the Board of Everett
Group Chief Technical Officer
One of the most important conclusions of this survey is that, as was already visible in the 2008 IAM Survey, IAM is here to stay. Even though the economic circumstances are quite different for many of the organisations that participated, the value of IAM is clearly recognised throughout all the sectors and throughout the whole of Europe.
• Almost 90% of the respondents have initiated one or more projects during the last three years;
• In 2008, one third of the respondents stated that they had no specific IAM budget. The results of the 2009 survey show more or less a similar view as 70% of the respondents have a specific IAM budget.

The Financial Services (FS) sector continues its position as an early adopter of IAM and in 2009 the Infrastructure, Government and Healthcare (IGH) sector has emerged as an early adopter, whereas last year IGH was classified as a late adopter (a so-called ‘laggard’). Despite the economic crisis, in general, the FS sector still has the highest IAM budgets.

However, the area of IAM did not escape the impact of the economic crisis. A quarter of the respondents reported budget cuts of 5%-50%, whereas 13% reported budget cuts of more than 50%. Still over half of the respondents indicate not having seen any (significant) impact on their IAM budget. However a majority of projects encountered an impact on the project scope due to the economic hard times. Strikingly, most are confident that the original IAM business case still holds.

The three main drivers analysed in this survey are:
• Governance, Risk and Compliance (GRC) – Being ‘in control’ and able to prove it;
• Operational excellence – Cost control and user experience;
• Business agility – Being ready for change.

Governance, Risk and Compliance is now even more important as the main driver of IAM than last year’s survey indicated. This applies to every sector and specifically to Financial Services, Infrastructure, Government and Healthcare and Information, Communication and Entertainment (ICE). In the Consumer Markets (CM) and Industrial Markets (IM) operational excellence is also of reasonable importance. In addition, we would like to mention that investing in business agility and operational excellence can reduce IAM costs in the mid to long term.
We expect these areas to be an opportunity when the economy recovers and organisations have the budget to make investments in projects in which the benefits with regard to expenses are realised within the mid to long term.

As part of GRC, access attestation and certification is now definitively ‘on the map’ of organisations. Almost 20% of the respondents indicated this to be a means of achieving project goals. Simultaneously, the implementation of a complete IAM solution dropped by approximately 50% towards 35%. These facts indicate a shift from an extended preventive approach towards a more detective approach focusing on an organisation’s ‘crown jewels’. This focused approach could also be a consequence of the economic crisis as only focusing on the critical information will decrease the expenses. However, when we analyse the gaps between the expected and realised benefits of IAM projects, less than half of the respondents who expected significant benefits from access attestation and certification realised these benefits. This indicates that this is an evolving area which is not yet mature.

In general, there is a significant gap between the expected and realised benefits in all areas of the main drivers. As in 2008, respondents cited the most prominent reason for failure as being that the business was not ready for the proposed solution and the lack of support from the business. Nevertheless, 50% of the respondents were satisfied with their IAM project outcome.

Despite the gap between the expected and realised benefits and the negative impact of the economic crisis, we conclude that the value of IAM is apparent to organisations as they are still investing in IAM. The challenge for the upcoming years is to realise the expected benefits. With limited budgets due to the economic crisis, organisations have to make careful choices relating to the scope and the approach. This implies a need for strong program management and a clear roadmap for IAM.
02 Introduction
The 2009 European IAM Survey continues to explore the status of IAM projects within European organisations. This report extends the results of KPMG’s 2008 IAM Survey, and comparisons between the two are presented where applicable. Several definitions of IAM are generally used. For the purpose of this survey, IAM is defined as:

“The policies, processes and systems for efficiently and effectively governing and managing who has access to which resources within an organisation.”

To be more precise, the processes covered by IAM are user management, authentication management, authorisation management, access management, provisioning and monitoring and audit. A complete overview of the KPMG IAM reference model used for this survey is included in Appendix A.

For this survey KPMG, Everett and the media partners eema and IIR invited a variety of European organisations to complete an online questionnaire. The answers to the questions were subsequently analysed by a KPMG/Everett team of IAM professionals. A detailed analysis of the results is provided in this report in order to help the reader gain insight into:
• The status of IAM projects seen across Europe;
• The impact of the economic crisis on IAM budgets and project scope;
• The drivers and strategy of IAM projects;
• The level of benefit realisation and satisfaction with IAM projects.
A solid base of data was provided as 128 respondents from organisations located in 23 European countries participated in the survey. Among the respondents were a wide range of organisational representatives, from CEOs and CIOs to Security Officers and heads of internal audit. The group also contained participants from organisations of different sizes and from a variety of industries.
The distribution of participants with respect to European region, size and sector was as follows:

Total number of respondents: 128

Geographic region*
North (Denmark, England, Finland, Norway, Scotland): 34%
East (Belarus, Czech Republic, Latvia, Romania, Russia): 9%
South (Turkey, Cyprus, Greece, Italy, Spain): 12%
West (Austria, Benelux, France, Germany, Switzerland): 37%
Other: 8%

Size (number of IT users)
Less than 1,000: 20%
1,001-2,500: 13%
2,501-5,000: 16%
5,001-10,000: 13%
10,001-25,000: 13%
More than 25,000: 25%

Sector
Financial Services (FS): 39%
Infrastructure, Government and Healthcare (IGH): 34%
Information, Communication and Entertainment (ICE): 13%
Industrial Markets (IM): 9%
Consumer Markets (CM): 5%

* No significant differences were found between the four different geographical regions as described in the table. Therefore, the results presented in this report apply to the European region as a whole and are not divided by the four geographical regions.
Reading aid
Chapter 3 of this report describes the current status of IAM projects and the impact of the economic crisis. In Chapter 4 the strategy and main drivers of IAM are elaborated. Subsequently, the IAM architecture is described in Chapter 5. In the final chapter the expected and realised benefits of IAM are addressed; this section also includes the participants’ ‘satisfaction’ with regard to the actual benefits and their ability to measure costs and benefits of IAM.
03 IAM projects – status and impact of the economic crisis
IAM was already ‘here to stay’ in 2008, and the 2009 survey supports this impression. IAM is clearly of concern to all organisations, regardless of the sector in which they operate or the country in which they are based. Over half of respondents indicated to have initiated one or more projects during the past three years. It appears that it is often insufficient to initiate only a single project, but that a sequence of projects is required in order to successfully achieve their organisation’s IAM end goals. A possible explanation may be that previous projects have failed, but based on our industry experience it appears more likely that an IAM programme, in which several projects are contained, enhances the chances of success. This supports the need for a strong programme management organisation and a clear roadmap with clearly defined phases and scoping. The findings of this survey indicate that the FS sector can still be categorised as one of the ‘early adopters’ of IAM. Pressure to comply with banking regulations as well as national and international corporate governance legislation is relatively high in this sector, and this is assumed to be one of the drivers of IAM projects within the sector. Contrary to 2008, in 2009 the IGH sector is also adopting IAM on a regular basis, whereas only a year ago IGH was categorised as a ‘late adopter’.
[Figure: Number of IAM projects initiated. Pie chart; categories: None, 1–2, 3–5, 6–10, More than 10 projects; values shown: 2%, 6%, 13%, 31%, 48%.]
Source: KPMG/Everett IAM survey, October 2009

As information is one of an organisation’s most valuable assets, control of access to this information forms an important part of an organisation’s day-to-day business. Around half (48%) of the respondent organisations had initiated one or two IAM projects during the last three years, 87% of organisations had initiated at least one IAM project and approximately a third (39%) had initiated more than three IAM projects. Of these 39%, 6% had initiated more than ten projects.

Observation in comparison to the 2008 IAM Survey: In 2008, all respondent organisations indicated that they had initiated one or more IAM projects in the last three years, whereas 13% of 2009 respondents indicated they had not initiated any IAM projects in the last three years.

Number of IAM projects by sector
[Figure: stacked bar chart. Sectors: IM, CM, IGH, ICE, FS, OTH* (* Other). Legend: None, 1–2, 3–5, 6–10, More than 10 projects.]
Source: KPMG/Everett IAM survey, October 2009
The FS and IGH sectors both represent a significant percentage of respondents who had initiated more than ten IAM projects over the past three years. The IM and CM sectors, on the other hand, display less IAM project initiation with a maximum of five initiated IAM projects.
Budgets

[Figure: Size of IAM budgets. Pie chart; categories: Less than EUR 100,000, EUR 100,001 – 250,000, EUR 250,001 – EUR 500,000, EUR 500,001 – EUR 1,000,000, EUR 1,000,001 – EUR 10,000,000, More than EUR 10,000,000, Unknown; values shown: 23%, 31%, 15%, 5%, 6%, 8%, 12%.]
Source: KPMG/Everett IAM survey, October 2009

Out of the budgets specifically allocated to address IAM over the next three years, 38% of the respondents plan to initiate projects with a budget up to EUR 250,000. 11% of respondents indicated that they have allocated a budget of over EUR 1 million. Compared to the results of the 2008 IAM Survey there are no big differences; in fact the results are almost the same.

As may be expected, smaller sized organisations (with fewer IT users) have smaller IAM budgets and vice-versa, with EUR 10 million+ IAM budgets only occurring in the organisations with over 5,000 employees. Overall, larger organisations appear to have more difficulty in determining the total IAM budget, as many respondents representing larger organisations indicated that they did not know their IAM budget. By contrast, 80% of respondents representing smaller organisations (up to 10,000 employees) were able to indicate the size of their IAM budget.
IAM budgets by sector

Authors’ note
It is still the FS sector that boasts the highest number of high-end budget ranges. This means that IAM budgets are generally higher in the FS sector. The IGH sector comes in a decent second in this category. One possible explanation is that these sectors specifically experience a relatively high pressure to comply with international rules and regulations (FS) and a relatively large number of IGH have begun over the last year. The IM and ICE sectors do not appear to have the IAM drivers to justify the same level of budget allocation. However, we note that the obligation to comply with stringent legislation is also becoming increasingly important in these sectors.

[Figure: stacked bar chart. Sectors: IM, CM, IGH, ICE, FS, OTH. Legend: Less than EUR 100,000, EUR 100,001 – 250,000, EUR 250,001 – EUR 500,000, EUR 500,001 – EUR 1,000,000, EUR 1,000,001 – EUR 10,000,000, More than EUR 10,000,000, Unknown.]
Source: KPMG/Everett IAM survey, October 2009

In 2009, budget allocations remain largely unchanged. In addition, the IM and ICE sectors have relatively small allocated IAM budgets.
Scope

[Figure: IAM Scope. Bar chart; categories: Own employees, Partner and/or supplier network, Clients, Unknown/other; values shown: 94%, 37%, 33%, 10%.]
Source: KPMG/Everett IAM survey, October 2009

Over 90% of the respondents indicated that IAM projects are still mainly focused on their organisation’s direct employees. This indicates that most IAM projects are focused on controlling access to internal systems and information. However, approximately a third of IAM projects target partner and/or supplier networks, and approximately a third target clients via IAM projects¹.

¹ Multiple answers were allowed for this question and therefore the total percentage is above 100%. This is applicable to all graphs in which the total percentage is above 100%.
Authors’ note
As far as the respondent organisations are concerned, attestation and certification is now ‘on the map’. In general the means to achieve project goals are fairly evenly distributed over the five IAM approaches mentioned here, with only 11% of respondents resorting to other means to achieve their IAM project goals. This may be viewed as a sign of the maturity of the IAM market, as most respondents found the options to achieve their project goals readily available in today’s vendor portfolios. The implementation of a complete IAM solution has dropped significantly towards 35% (a 50% drop). It is possible that the focused approach of targeting ‘crown jewel’ components of the information/application landscape has reduced the popularity of the complete solution. It is also possible that a shift has taken place from the more preventive complete approach to more detective solutions such as attestation and certification focused on the ‘crown jewels’.
[Figure: Means to achieve project goals. Bar chart; categories: New policy, Complete IAM solution, User management and provisioning, Attestation and certification, Enhanced authorisation, Other; values shown: 44%, 37%, 35%, 31%, 20%, 11%.]
Source: KPMG/Everett IAM survey, October 2009

With a fifth of respondents indicating attestation and certification solutions to be a means of achieving project goals, attestation and certification solutions have emerged to become one of the serious options on this chart. Common means (implementation of a new policy, a complete IAM solution, a user management and provisioning solution or enhanced authorisation) all represent a fairly similar number of respondents, with user management and provisioning as the most commonly used solution.
Impact of the economic crisis

[Figure: Impact on IAM budget. Pie chart; categories: The IAM budget is increased by more than 50%, The IAM budget is increased by 5 – 50%, No impact, (almost) unaffected IAM budget, The IAM budget is cut by 5 – 50%, The IAM budget is cut by more than 50%; values shown: 13%, 1%, 7%, 24%, 55%.]
Source: KPMG/Everett IAM survey, October 2009

Although over half of respondents indicated not to have seen any (significant) impact on IAM budgets, over a third (37%) indicated that their IAM budget has been cut. A quarter of the respondents reported a 5%-50% cut, whereas 13% reported IAM budget cuts of over 50%. As might be expected, IAM budgets are under pressure as a result of the economic crisis.
However, 73% of respondents entirely or partially agreed that the economic crisis is another reason why their organisation should invest in IAM.

[Figure: Impact on IAM budget by sector. Stacked bar chart; sectors: IM, CM, IGH, ICE, FS. Legend: The IAM budget is increased by more than 50%, The IAM budget is increased by 5 – 50%, No impact, (almost) unaffected IAM budget, The IAM budget is cut by 5 – 50%, The IAM budget is cut by more than 50%.]
Source: KPMG/Everett IAM survey, October 2009

Although some sectors were largely unaffected, over a third (37%) of respondents reported cuts in their IAM budget of more than 5%, especially in the FS, ICE and IGH sectors. CM does not appear to be impacted as of yet, however this might be distorted as almost 50% of the CM sector respondents indicated not knowing their IAM budget.
[Figure: Impact on IAM budget by total IAM budget range. Axis: total IAM budget; ranges shown: >10M, 1M-10M, 500K-1M, 250-500K, 100-250K.]