'Enterprises Should Review Service, Appliance Options In IAM Space'

FP Archives January 31, 2017, 02:13:00 IST

Gartner recommends that existing IAM solutions users evaluate service-based options for extending the solutions, rather than significantly upgrading those solutions.

Gartner has revealed its key predictions for identity and access management (IAM) between 2009 and 2011. Speaking ahead of the Gartner Identity and Access Management Summit 2009 in London, analysts have identified forward-looking assumptions around smart-card authentication, identity-aware networks, hosted IAM and out-of-band (OOB) authentication.

“There is a continuing need in this time of economic uncertainty and budgetary constraints for cost-effective, risk-appropriate IAM methods,” said Ant Allan, research vice president at Gartner. “This includes growing demand for identity-aware networking, host- and service-based IAM offerings and the search for protection from increasingly effective malware attacks against consumer accounts.”

By 2011, hosted IAM and IAM-as-a-service will account for 20 percent of IAM revenue.

Solution sets related to intelligence, administration, verification and access are evolving from software-centric platform delivery models to composite services models. These reduce the costs of implementation and use and prepare for a more-mature production-centric approach to delivering IAM as a service. Markets for first-generation hosted and managed IAM services address relatively mature implementations. They enable customers to focus their technical planning and delivery on less-mature feature sets such as access and intelligence.

A growing percentage of the revenue realised by IAM vendors and service providers will be made possible by the next step in the IAM maturity model, toward hosted IAM and IAM as a service. Gartner recommends that existing IAM solutions users evaluate service-based options for extending the solutions, rather than significantly upgrading those solutions. Those that have not deployed a significant IAM solution should include service and appliance options in their review to gauge the progress of IAM maturity and its suitability.

Through 2011, 20 percent of smart-card authentication projects will be abandoned and 30 percent scaled back in favour of lower-cost, lower-assurance authentication methods.

The use of smart cards with public-key credentials is generally regarded as a high-assurance authentication method. However, provisioning and managing smart cards and the necessary desktop infrastructure are relatively expensive. A risk-based approach may force some organisations to implement two or more authentication methods, which are likely to include smart cards. This will drive the adoption of versatile authentication servers (VASs), which provide a single infrastructure for multiple methods and a single integration point for the local network and heterogeneous downstream applications.

Gartner recommends that organisations with a free choice of authentication methods for local access should take a scenario-based approach to selecting new authentication methods, based on risk, end-user needs and total cost of ownership (TCO).

By 2011, 30 percent of large corporate networks will become ‘identity aware’ by controlling access to some resources via user-based policies.

Most corporate networks are anonymous, because they forward packets based on internet protocol (IP) addresses rather than users’ identities. Identity-aware networking (IAN) adds identity awareness to networks to monitor user behaviour and enforce access based on a user’s identity, blocking access to resources that a user is not authorised to access. Some solutions also provide audit trails that satisfy auditors.

Gartner recommends that network managers and others responsible for IAM projects develop strategies for making networks identity aware. They must ensure that all new network infrastructure and network access control equipment purchases have the capability to support this strategy.

By 2010, approximately 15 percent of global organisations storing or processing sensitive customer data will use OOB authentication for high-risk transactions.

The security measures that most financial institutions and other service providers have in place are proving inadequate in the face of new cyber-crime attacks against customer accounts. Man-in-the-browser (MITB) Trojan attacks in particular are rendering most installed stronger user authentication measures ineffective, so organisations are turning to OOB user authentication and transaction verification for high-risk customer transactions.

Most global businesses that implement OOB authentication and transaction verification will use customer-owned landline and mobile phones as the ‘something you hold’ factor. Users must understand and trust OOB calls or SMS messages delivered to their phones and service providers must ensure that they have reliable working phone numbers (and backup numbers) for their customers.

Another problem is that Trojan horses and other forms of malware now prevalent on PCs will become common on smartphones in the next few years, which may render OOB authentication methods that use smartphones insecure and ineffective.

“Organisations that need to safeguard customer accounts should implement a three-pronged security strategy that includes risk-appropriate user authentication, fraud detection, and transaction verification for high-risk transactions,” concluded Allan.

Written by FP Archives
