You are on page 1of 21

Digital identities and the open business

Identity and access management as a driver for business growth
February 2013

Identity and access management (IAM) systems are today used by the majority of European enterprises. Many of these are still installed on-premise but increasingly they are being supplemented by the use of on-demand IAM services (IAMaaS). The overall uptake represents a big increase from when Quocirca last surveyed the market in 20091. Whilst IAM is important for managing the access rights of increasingly mobile employees, three other major drivers have encouraged businesses to invest despite the tight economic conditions: the opening up of more and more applications to external users, the growing use of cloud based services and the rise of social media. The ultimate aim with all three is to nurture new business processes, thereby finding and exploiting new opportunities. This report presents new research into the use and benefits of IAM and the relationship it has with these three drivers. The research is based on over three hundred interviews with senior IT managers in medium sized to large organisations in a range of business sectors across Europe. The report should be of interest to anyone wanting to better serve all types of users, whilst still keeping control over applications and data.

Bob Tarzey Quocirca Ltd Tel : +44 7900 275517 Email: bob.tarzey@quocirca.com

Rob Bamforth Quocirca Ltd Tel: +44 7802 175796 Email: rob.bamforth@quocirca.com

Copyright Quocirca © 2013

Digital identities and the open business

Digital identities and the open business
Identity and access management as a driver for business growth
Effective identity and access management (IAM) is seen as an essential tool for enabling open interaction between a business and its users, be they consumers, employees or users that are employees of other businesses, such as partners or customers.

Many businesses now have more external users than internal ones

The majority of businesses now open up at least some of their applications to external users, with 58% saying they transact directly with users from other businesses and/or consumers. The scale of the business processes they are running that require this will often mean the number of external users exceeds internal ones. This has led to a rise in the uptake of IAM systems with advanced capabilities to handle multiple types of users. 97% of organisations that are enthusiastic about cloud-based services have deployed IAM in general and 65% are using IAM-as-a-service (IAMaaS); only 26% of cloud avoiders use any form of IAM. The single-sign-on (SSO) capability of such services acts as a broker and a central place to enforce usage policy between users and both on-premise and on-demand applications. Many businesses also recognise the value of social media, with the top motivation being to identify and communicate with potential customers. When Quocirca last researched the IAM market in 2009 , 25% had some form of IAM in place, with 52% saying it was planned although, for many, those plans were delayed. However, regardless of the ensuing tight economic conditions, 70% have now deployed IAM. For 27% this is a totally on-premise system, however, 22% have already chosen to use a pure on-demand system, whilst 21% have a hybrid deployment. Active Directory is the most widely used primary source of identity for employees (68% of respondents). For users from customer and partner organisations the most common sources of identity are their own directories (11–12%). Secondary sources include the membership lists of professional bodies, for example legal and medical practitioners (7–8%) and government databases (2–3%). 12% use social media as a primary source of identity for consumers, 9% say it is secondary. These fairly low use rates of alternative sources suggest an untapped business opportunity, perhaps because currently deployed IAM tools do not facilitate it. The top IT management challenge eased by IAM is the enforcement and management of access policy. However, it is also about improving the user experience by providing easy federated access to multiple applications and enabling user self-service. Whilst there are many benefits for businesses to be gained from effective IAM it seems likely that IT departments are under-selling these benefits. The potential of IAMaaS is widely recognised even by those with pure on-premise IAM deployments. Lower management and ownership costs along with improved employee productivity top the list, with ease of integrating external users not far behind. Those who make extensive use of cloud-based services are especially likely to recognise the benefits of IAM in general and select IAMaaS in particular.
1

Advanced IAM also helps organisations embrace cloud services and social media

Deployment of IAM has increased markedly in the last three years

The number of sources of identity is extending well beyond in-house directories

IAM eases a number of management challenges

The benefits of IAMaaS, in particular, are widely recognised

Conclusions
Having an identity and access management system in place is now seen as an imperative by many businesses to achieving a wide range of IT and business goals. Those organisations that lack effective IAM are likely to lag behind their competitors in many areas as more and more business-to-business (B2B) and business-to-consumer (B2C) transactions move online, cloud services become the mainstream source of IT applications and services for many businesses and social media takes centre stage as a source of identity.

© Quocirca 2013

-2-

Digital identities and the open business

Introduction – identity as the new perimeter
Identity and access management (IAM) is all about a business authenticating and understanding its users. This includes its employees, but also the growing number of external users that a given business allows to access its applications (Figure 1), both those installed on-premise and those that are subscribed to as ondemand services. Identity and access management (IAM) systems are increasingly being seen as the bridge between users and applications; either of which can be inside or outside of the firewall that has traditionally been the boundary of a given organisation’s IT systems. This has led to the concept of the identity perimeter2. Some organisations say they no longer even have officebased employees, with all employees being considered as “mobile” (just 8% said they had only “office-based users”). However, the biggest change is the degree to which consumers and the employees of customer organisations are being given access; 58% of the businesses surveyed have now opened up applications to “users from customer organisations”, “consumers” or both (the figure of 58% is derived by adding together the numbers for those who interact with consumers and those that interact with users of customer organisations and subtracting from the total those who say they interact with both). The main motivator is to transact directly with these external users online (Figure 2). IAM is also about making sure all users have convenient access to the resources they require, whilst maintaining appropriate levels of security and privacy and ensuring compliance requirements can be met. It is not about the creation and storage of identities per se. As this report will go on to show, effective IAM enables the federated use of a wide range of existing sources of identity. It also provides the balance between opening applications up to mobile and external users whilst making sure those applications, and the data to which they provide access, is appropriately protected. The degree of transaction with external users varies by sector. With growth in use of online banking, financial services organisations are the most likely to be interacting with consumers, with 54% already doing so, along with government organisations, 49% of which are already transacting online with citizens. Telcos (as service providers) lead when it comes to direct interaction with users in business customer organisations with 48% doing so already, with manufacturers coming in second at 42% with their

© Quocirca 2013

-3-

Digital identities and the open business
complex supply chains. The profile of interaction is likely to change over time as the benefit of direct interaction is increasingly recognised and more and more products and services are sold directly. Beyond the opening up of applications to external users, there are two other major drivers for IAM. First, there is the increasing acceptance and take up of cloud services (Figure 3). The research unambiguously shows that those organisations that are making wide use of cloud services have also invested in IAM (see later section on IAMaaS). The main reasons for this are that IAM eases the way access to cloud-based services is granted and revoked and once a user has logged on once they can be given immediate access to multiple cloud services. Second is the rising use of social media (Figure 4), which can help businesses to better understand customer preferences and improve the overall customer experience. Many think there is huge business potential here; however, the number one reason for working with social media highlighted by this research is being able to identify and communicate with potential customers. Advanced IAM systems enable this by allowing users to make use of their own existing identities, which in turn enables easier interaction and should lead to faster business growth. Businesses need to recognise that the return on investment in IAM is not just improved security but an open ended business opportunity – knowing your users through their digital identities and then being able to maximise their potential is the cornerstone for controlling interaction between a given business and the outside world.

You and your digital identity, the rise of social media
The age of bring-your-own-identity (BYOID)
For one group in particular – consumers – social media is emerging as a key source of identity (Figure 5). Real world examples of this include organisations that have internet-centric business models, for example music download sites such as Spotify and charity giving sites such as JustGiving, that allow users to login using their Facebook identities; this makes it far easier for users to sign up and for donors to part with their money. However, usage looks set to expand into more conservative areas; for example, the UK government is also evaluating Facebook as part of the Identity Assurance (IDA) programme3, a way of better enabling secure transactions between public sector bodies and citizens. Is it even possible in the future that Facebook or Google identities could be the basis for access to online banking? This would not be such a huge step, according to a recent report from Virgin Media4, two thirds of UK banks have already speeded up customer service through use of Twitter.

© Quocirca 2013

-4-

Digital identities and the open business
This has led to the emergence of the concept BYOID (bring-your-own-identity), something that may well extend beyond consumers all the way to employees in the fullness of time. Before too long employees may take their identities with them from one job to the next in a similar way that many already do with their smartphones and other access devices (BYOD – bring-your-own-device – another industry trend that has already taken hold5). Many may consider that an identity taken from a social media site cannot be trusted. However, there are an increasing number of services that can be used to calculate the trust of such identities and set thresholds for when they are accepted. Such sites calculate that, if a user has been using the same Facebook identity for five years and has accumulated a long back history of communications, it is unlikely to be a fake. In fact, because of the controls many social media organisations place around creating accounts, using them to create fake identities is more difficult than doing so through a registration process that involves a new unique account being created specific to a given service. However, if social media sites are to be used as a source of identity, businesses need to be savvy about how they go about it. Marketing departments cannot expect to convert users of third party social media sites directly across to their own applications; neither can they expect users to login multiple times or fill out several forms with the same information. To truly embrace social media requires it to be fully integrated with IAM systems and used as a means of single-sign-on (SSO) to multiple resources. Any company not using this effectively may be losing sales.

The increasing use of IAM
Patterns of use for IAM
The three trends outlined earlier – the opening up of applications, the rising use of cloud and growing importance of social media – added to an increasingly complex mix of identity sources, are all drivers behind the growing use of IAM. Figure 6 shows that there seems to have been considerable investment in IAM since Quocirca last published research in this area in 20091 (which was focussed on privileged user management). 70% of organisations now have some sort of a system in place compared with around 25% just four years ago. Interestingly, around 50% said they had plans for IAM investment in 2009; plans which seem to have come to fruition despite the ensuing tight economic conditions. In a later section; “The IAM empowered business”, the report looks at the reasons IAM systems are seen as important for achieving a range of IT objectives. The use of on-demand IAM-as-a-service (IAMaaS) is on the rise; 22% say this is their primary way of implementing IAM with a further 21% saying they have a hybrid on-premise/on-demand deployment.

© Quocirca 2013

-5-

Digital identities and the open business
This leaves 30% of companies with no IAM system at all, with smaller companies being the least likely (Figure 7). They will find it hard to open up access to applications in the way that that their competitors have. In the past small businesses may have considered that such systems were only affordable by large enterprises, however with the increasing availability of IAMaaS, where payment is by use, cost should no longer be a blocker.

Authenticating users
The data shown in Figure 8 examines the attitude the respondents had to various aspects of authenticating users. It is widely accepted that “clearly establishing identities is essential”. Overall, 84% of all respondents say the need to do so is true for their organisation. When it comes to checking identities, 77% are likely to use strong authentication (this is especially true of telcos and financial services). However, only a small number of respondents say they use hardware token providers (as a primary source of identity), probably because of the cost. The main reason that businesses will have turned to hardware token providers as a source of identity in the first place is because they are also a source of strong authentication. Given the importance attached to strong authentication, many are probably seeking lower cost software-based alternatives that make use of spatial and/or temporal co-ordinates or making use of mobile phones (unsurprisingly, telcos take a lead here too). 70% say they no longer rely entirely on usernames and passwords to authenticate users (again, this is especially true of telcos). IP addresses are used for authentication by 82%; if used alone this would be a concern because IP addresses can be spoofed by hackers who want to make their attacks appear to come from legitimate locations. However, it is unlikely that IP addresses are being used as a primary means of identity; they are probably just an additional attribute that may be used as part of a strong authentication process. As many as 54% say they sometimes transact without first establishing the identity of users. This was especially true of telcos (83%) and financial services (77%). There may be good reasons for this, for example when asking for a quote for insurance or mobile phone service plan many do not want to give all their details before seeing the cost. However, it is likely that, in other cases, collecting such information is simply seen as too arduous, which it need not be if the supporting IAM tools were in place. In many cases the customer experience could be improved.

© Quocirca 2013

-6-

Digital identities and the open business
Multiple sources of identity
Obviously, all organisations have some existing source of identity for their own employees. For 68% of the respondents to the current survey the main one is Microsoft Active Directory (Figure 9). When it comes to the broader community of users, Active Directory is less widely used. For mobile users and contractors it is still likely to be the main source, but less so. Whilst Active Directory is widely used, it, and most other directories, has not been designed to scale up for the emerging use cases where some organisations are now engaging with tens or hundreds of thousands of users from other businesses – maybe millions of consumers. There are other challenges that are tricky to resolve with a policy that relies on a single organisational user directory. Many IT departments have to cope with mergers and acquisitions at some point; this may mean merging two different directories. With federated IAM, both can be maintained, at least in the short term, with both being use as identity sources. Many cloud-based applications also have their own directory of users, which can be integrated as part of single overall user identity in a federated IAM system and access provided via SSO. A growing minority of organisations are already exploiting other sources, either as a primary or secondary means of identifying and authenticating external users (Figures 10 and 11). These include: • The external directories of partner and customer organisations are the most widely used primary source of identity for users from customer and partner organisations. • Professional body membership listings, for example legal and medical practitioners, are most commonly used as a secondary source of identity for users from customer and partner organisations. • Government databases are used to a limited extent, an opportunity that could be exploited further. • Social media, as pointed out in the introduction, currently is most likely to be used for consumers but with huge future potential for all types of user as the age of BYOID dawns. As Figure 4 showed, identifying and communicating with potential new customers is currently a leading use case for social media, but there is a range of others, including analysis of customer likes and dislikes. Of course, this still leaves many organisations with no source of identity for external users, either because they are not engaging with them effectively through IT or because their current IAM capabilities do not allow them to, which may mean they are missing out on potential rich seams of user information to help attract new business.

© Quocirca 2013

-7-

Digital identities and the open business

The IAM empowered business
The growing diversity of users and the consequent range of sources of identity underlines why so many organisations have seen the need to invest in IAM tools that can link multiple identity sources and provide federated access based on policy. Figure 12 shows how respondents rated IAM as a means of enabling various IT management requirements. Top of the list was the enforcement of access policy for users; beyond this it was about improving the user experience through providing self-service and federated access as well as ease of provisioning. Scalability to cope with unknown numbers of users was low on the list; for some this may be because they do not understand the limitations of existing directories, or because they do not know there are tools that can help with this; others may simply take it for granted as they have such tools in place already. The perception of IAM as an enabler for access to cloud-based applications (software-as-a-service/SaaS) is also low, but the evidence of this research is that it can be a key enabler for those that are making extensive use of cloud services. Policy enforcement is generally achieved using advanced single-sign-on (SSO). Once a user is authenticated, all relevant resources are opened up and their use audited. There is a benefit to customers in doing this; from the earliest stages of interaction each individual can be assigned a unique internal identifier linked to a range of other attributes, including their existing social and/or business identities, which, as far as they are concerned, is their primary identity. A new user can be provisioned once via SSO and have immediate access to both on-premise and cloud-based resources from any device (dependent on policy). Perhaps more importantly, their access to all resources can be deprovisioned in an instant when the need arises and there are no legacy passwords held in cookies etc. on their devices. SSO simplifies things for both the user and the access provider. It is about much more than a one-time validation of an identity. An SSO system acts as a hub and, based on the parameters associated with a given identity, it can control access to applications and data and enact policies about what a given user or class of users are entitled to with that access. Those actions can also be readily audited. Because such policies can be based on the results of analysis of content, it is still possible to deny access to certain classes of information even when documents are misclassified or stored in the wrong place. To engage with external users it is often necessary to be able to extend the metadata that describes a user. When this is the case, parameters can be added and used to decide what resources to allow or deny access to and, where needed, additional criteria required by different applications associated with a given identity. Flexibility is important as these parameters may change over time and new ones may need to be added. Most recognise that to deploy advanced IAM and to make use of federated services requires standards (Figure 13). LDAP, a general IAM standard for exchanging identity information between systems, topped the list, being seen as

© Quocirca 2013

-8-

Digital identities and the open business
essential or useful by 88% of respondents. However, 60% recognised the growing importance of SCIM, a standard for simplifying identity management in the cloud. Although IAM has many potential business benefits – making it easier to attract new customers, increasing business with existing customers, improved user experience and making business processes more efficient, all of which can provide an overall competitive edge – IT departments seem to be underselling IAM. Many seem more aware of the IT operational benefits than the business ones (Figure 14). Although just under half felt it was true that the “business is not interested in our IAM systems”, it seems there are board members ready to listen. Those that have not persuaded their bosses to take an interest may fail to get the go ahead for enhanced or new investments. They should learn from the more insightful that are focussed on the business benefits and presenting these as an opportunity. And there is good news for all; the task of securing investment has been made easier by the increasing availability of IAM-as-a-service (IAMaaS).

© Quocirca 2013

-9-

Digital identities and the open business

The emergence of IAM-as-a-service (IAMaaS)
IAM-as-a-service (IAMaaS) is the provision of IAM capabilities on-demand over the internet; many such services provide all the capabilities of an on-premise system with additional benefits unique to IAMaaS, which are summarised in the next section (Table 2). Provision of IAMaaS may be direct from an IAM vendor or from a service provider using a vendor’s product. The number of vendors offering IAMaaS has risen in the last 4–5 years and many more buyers reviewing options for IAM will now be evaluating IAMaaS. The recognition of the benefits of IAMaaS is widespread (Figure 15), more so than its actual use, which, as reported earlier (Figure 6), was 22% for pure IAMaaS deployment and 21% for hybrid use, where IAMaaS is integrated with on-premise IAM. This combination has its own set of benefits, also outlined in the next section (Table 3). This understanding of the benefit of IAMaaS, even by those currently using a purely on-premise system or having no current IAM system, suggests plenty of opportunity for the providers of such services or those considering deploying them. Just as with IAM in general, respondents to the current survey were more likely to recognise the IT rather than the business benefits of IAMaaS, especially the operational cost savings (Figure 16). Many will also like the fact that, as with most on-demand services, payment is out of operational expenditure (OPEX) rather than requiring upfront capital expenditure (CAPEX). There was also widespread recognition that IAMaaS can lead to improved employee

© Quocirca 2013

- 10 -

Digital identities and the open business
productivity; for example access to a wide range of resources can be more easily made to an increasingly mobile workforce. All the business benefits of IAM in general – making it easier to attract new customers, increasing business with existing customers, improved user experience and making business processes more efficient – also apply to IAMaaS. Other benefits beyond the cost savings that apply to IAMaaS in particular include the ease of providing access to all users, especially external ones. As was pointed out in the introduction (Figure 3), the acceptance of cloud-based services in general is now widespread. 22% of respondents can be considered to be cloud “enthusiasts” whilst another 23% can be considered to be cloud “avoiders”. Contrasting these two groups and their views on certain issues has proved to be interesting 6 and will be the subject of a forthcoming Quocirca report ; for now, the current report will look at views on IAM in particular. First, respondents were asked about the importance of certain security technologies for providing access to cloudbased services (Figure 17). Even cloud avoiders accept they have to use at least some cloud services and see the need for audit trails and content filtering. Whilst cloud enthusiasts also recognise the same needs, they also widely acknowledge the benefits of IAM, SSO and linking identity and content through policy. These are all integral capabilities of most advanced IAM systems. In other words, cloud enthusiasts see IAM as essential for enabling their use of cloud. Also, as Figure 18 shows, the enthusiasts were far more likely to have deployed IAM, with 97% having something in place compared to just 26% of avoiders. Not surprisingly, the majority of enthusiasts (65%) are choosing IAMaaS either as their sole IAM capability or as part of a hybrid system. Of course, cause and effect may be debatable, “we use cloud therefore we need IAM” or “because we have IAM we can use cloud”, but the linkage is clear. Cloud-based services are going to continue to be seen as an effective way of delivering many IT services and IAM enables this. If you are using cloud-based services in general, why not use them for IAM too? Why not IAMaaS?

© Quocirca 2013

- 11 -

Digital identities and the open business

The benefits of IAM
Deployed effectively, IAM benefits both the business and the IT department. IAM is the key to the opening up of applications to external users, the exploitation of social media and the adoption of cloud services. The business and operational benefits are listed in the three tables that follow; first for IAM in general, then IAMaaS in particular and finally for hybrid deployments.

Table 1: Benefits of advanced identity and access management
BUSINESS BENEFITS Transacting directly with customers is the number one motivator for opening up applications to external users, with 87% of respondents saying it was a primary or secondary motivator. Advanced IAM enables businesses to transact securely and efficiently with a wide range of users. Advanced IAM enables business growth and innovation through supporting the simple creation of new online revenue streams and increased customer satisfaction. 46% of respondents already recognised IAM as essential to achieving certain business goals. The process of mergers and acquisitions can be eased by the rapid sharing of resources, enabling the federating of two different directories of users from each organisation via IAM. OPERATIONAL BENEFITS Enabling federated access to existing and new applications for both external users and employees is seen as one of the top IT management benefits of advanced IAM by around 80% of respondents.

User self-service was seen at the number two management benefit of IAM, selected by 81% of respondents. Allowing users to reset their own passwords and be automatically granted access to new applications based on policy is good for user experience and makes for more efficient IT operations. This increases customer satisfaction and reduces operational costs.

84% of respondents believe that clearly establishing identities is essential in ALL cases before commencing a transaction. Advanced IAM enables access to both cloud-based and on-premise applications to be controlled via a single identity. 82% of respondents believe IAM is essential to achieving IT security goals. Advanced IAM enables the rapid provisioning of all types of new users and, as important, their immediate and comprehensive deprovisioning when the relationship with a given user ends. The opening up of a wide range of alternative sources of identity via the use of open standards is essential to achieving federated IAM. 88% say LDAP is essential or useful and there is increasing awareness of SCIM, with 60% saying it is essential or useful.

© Quocirca 2013

- 12 -

Digital identities and the open business

Table 2: Benefits specific to IAM-as-a-service
BUSINESS BENEFITS 58% of businesses already provide direct access for consumers, business partner users or both to their applications. IAMaaS eases the provision of access as such systems are designed for remote access from the bottom-up. As it is itself a cloud-based service, IAMaaS, in particular, enables the easy federation of applications from different cloud service providers for all types of user, easing the creation of new partnerships. 59% of respondents already recognised the benefit of this. As the use of IAMaaS is easily scalable, it can be expanded or contracted based on needs. For example, if a new consumer service is launched it may take off or flop; either way an under or over investment will not have been made. OPERATIONAL BENEFITS Lower cost of management was the top benefit cited for IAMaaS (52% of all respondents). As with any ondemand service, IAMaaS systems do not require installation and configuration, they can be rapidly deployed and do not require specialist in-house skills. Lower cost of ownership was cited by 50% of all respondents as a benefit of IAMaaS, which costs less to implement than an on-premise system due to economies of scale (shared infrastructure costs). As with most on-demand services, payment is out of operational expenditure (OPEX) rather than requiring upfront capital expenditure (CAPEX). Costs are therefore on a more predictable pay-as-you-grow basis. This allows organisations to experiment with the benefits of advanced IAM and prove the value without major upfront investment, often by tackling a few tactical projects in the early days IAMaaS improves IT productivity with no identity infrastructure to manage; IT staff are freed up to focus on other tasks and innovation.

Identifying and communicating with potential new customers is one of the top reasons for business use of social media. Certain IAMaaS systems have preconfigured links to many social media sites, enabling easy integration into business processes and the growing use of bring-your-own-identity (BYOID). 52% of all respondents saw improved employee productivity as a benefit of IAMaaS. It provides easy access to a wide range of resources for all employees, including those working remotely.

IAMaaS, like all on-demand software services, provides immediate access to new features without the need to install updates and the down time that can entail.

Table 3: Benefits specific to hybrid on-premise plus IAMaaS
BUSINESS BENEFITS More sensitive applications can remain internalised, with access rights restricted to those listed on the internal directory only, whilst transactional applications can be opened up to all via the IAMaaS system. This is an aid to the 81% who see IAM as necessary to achieving IT security goals. IAMaaS systems are already integrated with many cloud applications (e.g. Google Apps, Office 365 and WebEx). They are, therefore, ready-to-go for the business without have to rely on IT to configure or write interfaces. Adding IAMaaS to an existing on-premise deployment adds such capabilities at a click. OPERATIONAL BENEFITS Continued use can be made of existing legacy IAM and directory deployments whilst advanced capabilities can be integrated from an IAMaaS system.

Many cloud-based applications also have their own directory of users, which can be integrated as part of a single overall user identity in a federated IAM system with access provided via SSO, linked to on-premise applications via existing internal IAM.

© Quocirca 2013

- 13 -

Digital identities and the open business

Conclusion
Having an IAM system in place is now seen by many businesses as essential to achieving a wide range of IT and business goals. Primary amongst these are the opening up of more and more applications to external users, the growing use of cloud-based services and the rise of social media. The ultimate aim is to nurture new business processes, thereby finding and exploiting new opportunities. The number of businesses that have deployed IAM has increased dramatically over the last four years. Those organisations that lack effective IAM are likely to lag behind their competitors in these areas as more and more business-to-business and business-to-consumer transactions move online, cloud services become the mainstream source of IT applications and services for many businesses and social media takes centre stage as a source of identity. IAM has moved from a security tool to become a business enabler. The availability of IAMaaS has brought access to enterprise IAM capabilities within reach of smaller organisations and, for larger organisations with legacy IAM and directory systems, IAMaaS can provide them with the agility to embrace all these opportunities through integrating them into a hybrid system. This has led to a rapid growth in the use of IAMaaS either as the sole way a business deploys IAM or as part of an on-premise/on-demand hybrid deployment. However identity management is achieved, the majority of businesses now see it as essential. The statement made at the start of this report, that identity is the new perimeter, is already a reality and will become more so as IT users and applications disperse ever more and traditional IT security boundaries look more and more dated.

© Quocirca 2013

- 14 -

Digital identities and the open business

Appendix 1 – country level data
Certain observations regarding the variation between organisations in different industry sectors have been made throughout the report. Some comment has also been made on the variations between organisations of different sizes, especially with reference to the deployment of IAM. These observations are made across all 337 surveys. Appendix 1 shows some of the variations between countries, although it should be pointed out that for some countries the samples are too small for significant conclusions to be drawn (see Appendix 2, Figure 31).

Open up applications, attitude to cloud and adoption of social media
Organisations in the Nordic and Benelux regions were more likely to be opening up their applications to consumers than those from further south; Iberia and Italy (Figure 19). However, a strong motivator for all to do so was to transact directly with customers (Figure 20). Conversely, Italian and Iberian organisations were the least likely to be cloud avoiders (Figure 21), so all have good reason to look at IAM, albeit with the reasons for doing so varying. The Nordics are leading the way with use of social media for identifying and communicating with potential customers (Figure 22), which ties in well with their enthusiasm for opening up applications to consumers.

© Quocirca 2013

- 15 -

Digital identities and the open business Deployment and use of IAM
The Nordics may find it easier to embrace open applications and social media if more of them put IAM systems in place; they were some of the least likely to have done so. Overall, Iberian organisations were the most likely to have done so and the most likely to have deployed IAM-as-a-service (Figure 23). UK-based organisations are hot on strong authentication, with those in the Benelux region taking little interest (Figure 24). Italians were the least likely to see IAM an important for providing federated access to external users, whilst, in line with other findings, Nordics were keen. However, Italians were the most likely to extol the virtues of IAM for simplifying access to SaaS-delivered applications (Figure 25). The need for scalability of IAM for unknown numbers of users was most recognised amongst the countries with the largest populations (Figure 26), which makes sense, whilst only in the Nordics and Israel did the majority think IAM was very important for access policy management/enforcement although most saw it as at least fairly important.

© Quocirca 2013

- 16 -

Digital identities and the open business Benefits of IAMaaS
Italians and Iberians were the most optimistic that the business was interested in their IAM systems (Figure 27) and in all areas but the UK the majority felt there were benefits to be had from IAMaaS (Figure 28). When it came to the benefits of IAMaaS, those from the Benelux region were again focussed on integrating external users, whilst Italians were the most interested in saving a bit of money, although this was important to all (Figure 29). Benelux, Israeli, Nordic and UK based organisations were the most likely to recognise the power of IAMaaS to open up new revenue streams, whilst the French and Italians were focussed on new business processes. The Iberians took little or no interest in either of these issues (Figure 30). That said, awareness of these business benefits needs to increase across the board to bring them more in line with the operational IT benefits.

© Quocirca 2013

- 17 -

Digital identities and the open business

Appendix 2 – demographics
The following figures show the distribution of the research respondents by country, size, sector and job role:

© Quocirca 2013

- 18 -

Digital identities and the open business

Appendix 3 – references
1 – Privileged user Management – Quocirca 2009 http://www.quocirca.com/reports/430/privileged-user-management--its-time-to-take-control 2 – The identity perimeter – Quocirca 2012 http://www.quocirca.com/reports/791/the-identity-perimeter 3 – UK Cabinet Office web site http://www.cabinetoffice.gov.uk/resource-library/identity-assurance-enabling-trusted-transactions 4 - Social media continues to rise in popularity among high street banks – Virgin Media study http://www.virginmediabusiness.co.uk/News-and-events/News/News-archives/2012/Social-media-continues-torise-in-popularity-among-high-street-banks/ 5 – Quocirca The data sharing paradox – 2011 http://www.quocirca.com/reports/620/the-data-sharing-paradox 6 – Forthcoming cloud report – 2013 Quocirca will be publishing a follow-on report on the use of cloud-based services

© Quocirca 2013

- 19 -

About CA Technologies
CA Technologies (NASDAQ: CA) provides IT management solutions that help customers manage and secure complex IT environments to support agile business services. Organisations leverage CA Technologies software and SaaS solutions to accelerate innovation, transform infrastructure and secure data and identities, from the data center to the cloud. IT Security solutions from CA Technologies can help you enable and protect your business, while leveraging key technologies such as cloud, mobile, and virtualisation – securely – to provide the agility that you need to respond quickly to market and competitive events. Our identity and access management (IAM) solutions can help you enhance the security of your information systems so that you can improve customer loyalty and growth, while protecting your critical applications and data, whether located on-premise or in the cloud. With more than 3,000 security customers and over 30 years’ experience in security management, CA offers pragmatic solutions that help reduce security risks, enable greater efficiencies and cost savings, and support delivering quick business value. CA CloudMinder provides enterprise-grade identity and access management capabilities as a hosted cloud service supporting both on-premise and cloud-based applications. Deployed as a service, CA CloudMinder drives operational efficiencies and cost efficiencies through speed of deployment, predictability of expense and reduced infrastructure and management needs.
TM

www.ca.com/mindyourcloud

Digital identities and the open business

About Quocirca
REPORT NOTE: This report has been written independently by Quocirca Ltd to provide an overview of the issues facing organisations with regard to IAM. The report draws on Quocirca’s research and knowledge of the technology and business arenas, and provides advice on the approach that organisations should take to create a more effective and efficient environment for future growth. Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets. Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to provide advice on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time. Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community. Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca’s clients include Oracle, IBM, CA, O2, T-Mobile, HP, Xerox, Ricoh and Symantec, along with other large and medium sized vendors, service providers and more specialist firms. Details of Quocirca’s work and the services it offers can be found at http://www.quocirca.com Disclaimer: This report has been written independently by Quocirca Ltd. During the preparation of this report, Quocirca may have used a number of sources for the information and views provided. Although Quocirca has attempted wherever possible to validate the information received from each vendor, Quocirca cannot be held responsible for any errors in information received in this manner. Although Quocirca has taken what steps it can to ensure that the information provided in this report is true and reflects real market conditions, Quocirca cannot take any responsibility for the ultimate reliability of the details presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of the data presented here, including any and all consequential losses incurred by any organisation or individual taking any action based on such data and advice. All brand and product names are recognised and acknowledged as trademarks or service marks of their respective holders.