April 1, 2011

Introducing The Forrester Identity And Access Management Maturity Model
by Andras Cser for Security & Risk Professionals

Making Leaders Successful Every Day

Defining Strategy, Proving Value, And Increasing Automation
by Andras Cser with Stephanie Balaouras and Nicholas M. Hayes

EXECUTIVE SUMMARY
An identity and access management (IAM) maturity model is necessary for assessing your current state against industry best practices, understanding your performance relative to that of your peers, and creating a long-term strategy and road map. While other models treat technology and processes separately, we infuse technology with processes. It is a nonlinear, versatile model that provides direct help for IAM strategy creation. It provides comprehensive coverage of three key IAM domains: 1) governance and value, 2) access management, and 3) identity management. You can evaluate each increasingly difficult area in each module and score yourself objectively based on simple yes/no criteria, leading to a composite IAM maturity score for your organization. We based the Forrester IAM maturity model on our extensive research, the 100 client inquiries that we field each quarter, and the more than 20 maturity assessments that we have conducted during the past two years.

TABLE OF CONTENTS
2 Maturity Models Guide IAM Assessments And Strategy Creation, But Conventional Linear Maturity Models Are Not Much Help For Execution
3 The Forrester IAM Maturity Model Is Modular, Easy To Use, And Effective
8 Use The Forrester IAM Maturity Model To Measure And Improve IAM
11 Recommendations: Prioritize Governance And Easy-To-Implement Areas First

NOTES & RESOURCES
This report is based on more than 20 IAM assessments that Forrester produced with our clients; it also includes feedback and conversations with many major IAM vendors.

Related Research Documents
"Introducing The Forrester Information Security Maturity Model," July 27, 2010
"Best Practices: Enterprise Role Management," September 30, 2008
"User Account Provisioning For The Midmarket," August 20, 2007

© 2011 Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, RoleView, Technographics, TechRankings, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective owners. Reproduction or sharing of this content in any form without prior written permission is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. To purchase reprints of this document, please email clientsupport@forrester.com. For additional reproduction and usage information, see Forrester's Citation Policy located at www.forrester.com.

MATURITY MODELS GUIDE IAM ASSESSMENTS AND STRATEGY CREATION . . .
Two of the most common inquiries we answer at Forrester are "How are we as an organization doing compared with our peers?" and "What is the next step for us as we build out our IAM infrastructure and strategy?" Answers to both questions are critical when you want to recruit or maintain support from executive sponsors such as the CISO or CIO for your IAM processes and projects. Both questions are hard to answer in a vacuum. To answer the first question, you have to standardize the data collection and evaluation from other organizations and present this data in a sanitized but still meaningful manner to your executives. Of course, obtaining this information to begin with is very difficult. Finding the answer to the second question is even more difficult: You must identify the areas that need improvement and the order in which you have to fight fires. You can't build a credible IAM strategy without understanding where you are while continuing to serve your customers — the patient's heart has to pump blood even during triple bypass surgery. The above are the reasons why many organizations look to maturity models. Maturity models help you:

· Set your own baseline. You can clearly see in a structured manner where you are in terms of progress on a comprehensive map. This map can open your eyes to technology areas or issues that you may not have even been aware of before you started using the maturity model.

· Set achievable goals. As with any other IT project, one of the biggest issues is executive enthusiasm. People get excited about IAM and want it to solve the most complex role management and user account provisioning issues for them in six months. This is obviously not a realistic requirement. You will have to understand where you are in maturity and plan realistic projects that you will be able to complete successfully before the budgeted deadline.

· Calibrate your spending on IAM. Although we'd like to believe that everyone wants to build a solid strategy, we realize that most organizations don't want to be IAM heroes; they just want to spend the minimum on managing access and identities and be on par with their competitors and peer organizations.

· Build a comprehensive IAM strategy. Once you understand the total picture of your IAM landscape, you can start to balance your immediate requirements and mid-term and long-term goals and bring them together in a solid strategy plan.

· Focus on your progress. If you re-evaluate the assessment model every six to 12 months, you will be able to see how you're progressing. This is especially useful for creating executive presentations that highlight the elevation gain and progress that the organization has made since the last evaluation and help make IAM what it should be: an iterative process.

BUT CONVENTIONAL LINEAR MATURITY MODELS ARE NOT MUCH HELP FOR EXECUTION
Conventional linear models expect you to implement one area or process after another. Forrester has worked with clients attempting to use this type of model, and they always have challenges and serious concerns. What are the issues with these linear models? They:

· Don't account for differing IAM maturity levels. Most organizations are more mature in either identity or access. For example, a company may have a solid access recertification program but not a web single sign-on program. Alternatively, a university may have a good password reset program but no way of performing access recertifications. A linear maturity model can't appropriately evaluate such organizations, because it works on the assumption that the organization will implement one technology area or process after the other — something that's not a reality for most organizations.

· Lack specific evaluation criteria and prescriptive advice. Many maturity models lack a well-defined, detailed set of criteria to help clients determine what is required for each level of maturity. Without detailed criteria, it's not clear what's required to achieve the next higher level of maturity for each domain or function. In addition, if evaluation criteria are too vague or too subjective, there can be huge discrepancies and misunderstandings between how the authors have defined the evaluation criteria and how security and risk professionals interpret the criteria.

· Don't provide a holistic view of IAM. Conventional maturity models skew their focus mainly on processes and people. While these are extremely important, identity and access management is the automation of these processes and controls. We all have our process manuals nicely stacked in our drawers. If the maturity model covers 80% people and process aspects, then automation is too much of an afterthought — and this is where people struggle most.

THE FORRESTER IAM MATURITY MODEL IS MODULAR, EASY TO USE, AND EFFECTIVE
Our maturity model is different from other maturity models. We divide aspects of IAM into three major domains: governance and value, access management, and identity management (see Figure 1). Within each domain are evaluation categories encompassing people, process, and technology (but with a strong focus on technology or automation). The model automatically scores each category by evaluating a list of your "Yes" and "No" responses to specific criteria. Each scored category rolls up into a score for the entire domain (see Figure 2).

Figure 1 Domains In The Forrester Composite IAM Maturity Model
Access management: How to keep the bad guys out and allow controlled access to the good guys
Identity management: How to manage the workforce joiner, mover, leaver, and recertification processes
Governance and value: How to have sound ownership and business justification for IAM
Source: Forrester Research, Inc.

Figure 2 Forrester's Composite IAM Maturity Model (categories by domain)
Governance and value: Governance and strategy; Demonstrated value
Access management: Desktop single sign-on; Privileged identity management; Web single sign-on; Entitlement management; Federation and cloud IAM
Identity management: Directory infrastructure; Password management; Access recertification; Provisioning and delegated administration; Job role management
Source: Forrester Research, Inc.

GOVERNANCE AND VALUE FOCUSES ON THE ORGANIZATIONAL ASPECTS AND STRATEGY OF IAM
There is no working IAM process without appropriate executive support, governance, and formal definitions of IAM value. We have seen too many senior executives shoot down projects because of a perceived lack of value. Every IAM project needs a business justification. In the governance and value domain, we look at the following evaluation categories:

· Governance and strategy — keeps the IAM program on track. This category seeks to demonstrate if there is executive sponsorship, a well-defined IAM strategy that is up-to-date, and effective marketing of the IAM strategy and the process/program itself. This category also demonstrates if appropriate IAM training plans exist. Without a well-defined IAM strategy that has the support of executive management, you run the risk that IAM projects are never-ending, there is lost momentum for IAM, and there is rework, confusion, and battles between departments as to who should own IAM.

· Demonstrated value — helps convince naysayers of the value of IAM. In this category, we evaluate how the organization is tracking call center metrics, IAM project costing, IAM-related employee and business partner satisfaction, and business value that was demonstrated in the recent past. The risks of failing to demonstrate IAM value are: 1) losing the attention of executive stakeholders, 2) lack of focus on IAM, and 3) inability to secure funding for subsequent IAM project phases.

ACCESS MANAGEMENT KEEPS YOUR ASSETS SECURE
Security remains one of the biggest motivating factors for IAM projects. Security and risk professionals want to ensure that current employees, former employees, business partners, and consumers don't have access to — and don't walk away with — sensitive information. The access management domain includes the following categories:

· Desktop single sign-on — provides an easy entry point into IAM implementation. Since desktop single sign-on (desktop SSO) requires no application customization and often provides support for password reset self-service, many organizations start with this category.1 In this category, we look at criteria such as: 1) whether desktop SSO is integrated with password reset, 2) how many applications desktop SSO covers, 3) how it integrates with multifactor authentication and other IAM technologies, and 4) how its logs are monitored. Without desktop SSO, you run the risk of users spending extensive time on finding passwords, diminished levels of customer services, and excessive costs of integrating multifactor authentication with applications.

· Privileged identity management — controls how administrators gain access to systems. Do you remember when a disgruntled system administrator held the servers at the city of San Francisco hostage?2 High-privileged users can bypass all application-enforced access controls. You need to manage their access to routers, servers, domain controllers, and other critical infrastructure components carefully. In this category, we look at the following: 1) how well you have defined firecall procedures and systems covered by privileged identity management (PIM), and 2) if there is integration of host access control and help desk systems with PIM. If you don't implement proper controls for privileged users, you run the risk of developers accessing (sensitive) production data, and disgruntled employees taking down your infrastructure or holding you hostage.

· Web single sign-on — relieves application developers from security implementation. Sure, one benefit of using web SSO is the ability for end users to access applications without having to log in repeatedly, but the biggest benefit comes from the ability for application developers to avoid having to maintain security and login/authentication code in their applications. This greatly reduces application maintenance costs and improves application security. In this category, we look at the following: 1) application coverage of web SSO, 2) procedures for web SSO implementation, 3) integration of multifactor and risk-based authentication, and 4) self-service password reset with web SSO. If you don't implement web SSO, you run the risk of spending too much on application development, increased cross-site scripting attack surface in applications, users spending too much time logging in to applications, and the cost and complexity of managing too many passwords for users.

· Entitlement management — clears the way to check for segregation of duties violations. Are your users giving away too much data through their SharePoint portals? Entitlement management (EM) can help here. Compliance regulations require most organizations to not only check for segregation of duties (SoD) violations but also to enforce them in and among applications. Many companies use EM to create a standard framework for defining and enforcing entitlement in applications — especially in-house developed applications. In this category, we look at the following: 1) application coverage of EM, 2) how SharePoint sites are protected, and 3) how you protect unstructured data and databases. If you don't implement EM, you run the risk of being unable to detect SoD violations, having high application development costs due to the need to recode applications when business policies change, and audit remediation costs.

· Federation and cloud IAM — allow the owner organization to manage its users. Do you manage your partners' end user data on their own internal infrastructure? In traditional IAM, the application owner usually manages the user name, password, and log in for all users of the application. Moving to federation allows the application owner to let go of managing user names and passwords of users that they do not directly control (business partners, etc.) and allows those users to use their home login and password management facilities. IAM to cloud applications is still in its nascent phase, but the proliferation of SaaS applications (and sensitive data in them) demands extending enterprise IAM to these applications. In this category, we look at the following: 1) how SAML is used to access SaaS applications, 2) how users' access is recertified in SaaS applications, 3) how the organization can onboard and troubleshoot a new SaaS application, and 4) the extent to which the company is using cloud-

based IAM services. The risks of not implementing federation and cloud-based IAM include excessive costs of managing other organizations' users' passwords and identities, unauthorized access to SaaS applications after users terminate, and users having to remember too many passwords for SaaS applications.

IDENTITY MANAGEMENT HELPS WITH REGULATORY COMPLIANCE AND IMPROVES SERVICE DELIVERY
Managing access recertifications and processes for employees who are joining, moving, or leaving (joiners, movers, leavers) is important not only from a security perspective but also from a compliance perspective. We regularly speak to companies that can't support their growth or M&A activity without the right blend of identity management services such as provisioning, access recertification, and job role management. This domain includes the following categories:

· Directory infrastructure — the foundation of IAM. Are you struggling to consolidate your Active Directory instances? This is the most common finding of our assessments: companies invariably struggle with the right ownership, maintenance, and cleanup of user repositories. Having the right set of processes and governance around directories is a must for any organization that wants to manage users' identities effectively. In this category, we evaluate the following: 1) centralized ownership for directories, 2) user ID naming conventions, 3) attribute authority, 4) the number of authentication repositories, and 5) processes for schema updates. The risks of not having a solid process for managing directory infrastructures are excessive downtimes, too many password change cycles, compromised passwords being very hard to detect, and low user data quality.

· Password management — helps eliminate users having to remember too many passwords. Users often complain about the number of passwords they have to remember. In this category, we look at the following: 1) how uniformly you enforce password policies across the organization, and 2) the percentage of applications you cover with self-service password reset. The risks of not having a robust password management infrastructure include too many and not enforceable password policies, the excessive number and different cycles of password changes for different applications, and time wasted calling the help desk to reset passwords.

· Access recertification — brings the biggest gains in compliance and automation. Knowing and certifying who should have access to what rights in applications is the most important aspect of identity and access management — even if this process doesn't include fulfillment of access rights granting and revocation. In this category we look at: 1) how automated the process is, 2) how users are impacted by it, 3) how the recertification campaigns are monitored and kept on track by compliance oversight folks, and 4) how users' activities (and not just entitlements) are monitored for making recertification decisions. The risks of not automating access recertification include spending too much on unreliable manual processes, lack of reliable deprovisioning for ex-users, having SoD violations expose the company to financial risk, and credential-sharing among users.

· Provisioning and delegated administration — streamline the identity life-cycle process. Do your users complain that they have to wait weeks before they get all their access because certain managers delay an access request approval decision? It's critical that reliable human resources information drive at least some part of the joiner, mover, and leaver processes for freeing up your IT administrators to do more value-add tasks and having a better security and compliance stature. In this category we examine: 1) how many systems are covered by automatic user account provisioning, 2) how well orphan accounts are detected and eliminated, 3) how business partners are provided with a delegated system administrator interface to manage their own access to the company's IT systems, and 4) how user accounts are locked after a certain period of user inactivity. The risks of not automating the provisioning and deprovisioning process are audit findings and fines, users waiting excessive periods of time to get all their access, deprovisioning of users being ineffective and error-prone, and spending too much on IT staff.

· Job role management — helps deprovisioning and approvals and eliminates SoD violations. If you have high-traffic, high-attrition, task-oriented roles (e.g., call center, branch staff, retail associates) where you need to grant and revoke access for many people, job role management can help by providing prescriptive, template-based ways of determining what access rights someone should have in that position — without managers needing to approve every single provisioning request. In this category we look at: 1) how roles are defined and recertified, 2) how SoD checks are performed, and 3) what processes are in place for assigning and revoking movers to and from job roles. The risks of not having a job role system include copying/modeling users' access rights for joiner and mover processes resulting in too much privilege, and SoD violations going undetected between applications.

USE THE FORRESTER IAM MATURITY MODEL TO MEASURE AND IMPROVE IAM
We recommend that before evaluating your IAM maturity, you use the Forrester Information Security Maturity Model to understand the maturity of identity and access management compared with other security functions at your organization.3 It's possible that there are other categories in information security that require your attention and prioritization first. If you have determined that IAM is a priority, then this model will help you set your IAM maturity baseline, target specific categories for remediation, and track your progress over time.

Self-Assessment: Defining Levels Of IAM Maturity
For the maturity model to work, it must measure each component in the same way. Forrester used the same maturity levels as seen in the Forrester Security Maturity Model, which are based on the evaluation scale from the COBIT maturity level definitions. They are: 0 — nonexistent, 1 — ad hoc, 2 — repeatable, 3 — defined, 4 — measured, and 5 — optimized (see Figure 3).

Figure 3 Forrester Maturity Level Definitions

Level            Characteristics
0 — Nonexistent  Not understood, not formalized; need is not recognized
1 — Ad hoc       Occasional, not consistent, not planned, disorganized
2 — Repeatable   Intuitive, not documented, occurs only when necessary
3 — Defined      Documented, predictable, evaluated occasionally, understood
4 — Measured     Well-managed, formal, often automated, evaluated frequently
5 — Optimized    Continuous and effective, integrated, proactive, usually automated

Source: Forrester Research, Inc.

Self-Assessment: Scoring And Assessing Your IAM Maturity Level
Begin by scoring your security program by answering "Yes" or "No" to the 60 evaluation criteria questions in the Self-Assessment worksheet of the tool. As you do so, the Scoring Summary and Maturity Stage Results worksheets will update automatically. Then, when you look at your Scoring Summary worksheet, you'll be able to quickly identify domains that need attention (see Figure 4-1). When you look at your Maturity Stage Results, categories within domains that are particularly problematic (categories that scored less than 2.00) will be highlighted in red (see Figure 4-2).

Figure 4 The Maturity Model Shows Users Where They Need To Improve The Most
4-1 Sample IAM Maturity Stage Results
4-2 Sample IAM Maturity Scoring Summary
Source: Forrester Research, Inc.

RECOMMENDATIONS
PRIORITIZE GOVERNANCE AND EASY-TO-IMPLEMENT AREAS FIRST
The goal of taking the IAM self-assessment is not just to benchmark and understand where you are but also to gain objective input into which categories you have to focus on in your IAM strategy. Creating and maintaining an effective IAM strategy from the Forrester Identity And Access Management Maturity Model is relatively easy if you follow the steps below:

· Pay special attention to the domains that score less than 2.00 (highlighted in red in the Scoring Summary worksheet and summarized on the Maturity Stage Results). If you have a domain that scored less than 2.00, focus on that domain first. If you have more than one red domain, we recommend focusing on getting the governance and value domain in decent shape. Having the right ownership and stakeholder commitment is the foundation of a solid IAM strategy and program.

· Within each domain, focus on the easiest-to-implement areas first. We designed our IAM model such that categories to the left of the maturity curve are easier to implement than categories to the right (refer again to Figure 2). So if you have multiple categories that scored less than 2.00 (highlighted in red on the Scoring Summary worksheet) in a particular domain, you should focus on the categories that come first. For example, in the access management domain, desktop SSO and PIM are easier to implement than enterprise SSO. This ensures that you learn how to crawl before you run.

· Keep the number of your immediate, short-term projects to three. This is the maximum number of projects that you can realistically undertake and demonstrate results for within three to four months — the typical attention span of a CIO or CISO. If you spread yourself too thin, you won't be able to show tangible results. Keep in mind that your primary bottleneck is likely to be communication to business partners and application developers in the categories you're trying to improve.

· Evaluate and track your IAM maturity every year. You'll have to show progress against your baseline at least once a year to maintain the momentum of your IAM projects. Reassessing your maturity annually and demonstrating progress will keep your stakeholders confident that there is both a cohesive IAM strategy that's on the right track and a clear focus for future improvements.

ENDNOTES
1 Desktop or enterprise single sign-on (E-SSO) is a relatively easy way to provide end user convenience and to get started in identity and access management (IAM). The end user benefits of E-SSO are obvious. Because E-SSO automatically logs end users in to their applications, they no longer have to remember multiple IDs and passwords and they no longer waste time contacting the help desk when they forget their credentials. However, few security professionals are aware of the security benefits of E-SSO — of which there are many. It: 1) allows system administrators to hide passwords from users and revoke user access quickly when necessary, 2) enables multifactor authentication of any application, and 3) paves the way for a broader IAM initiative. Forrester expects that in the future, E-SSO will allow security professionals to perform more effective entitlement enforcement in legacy applications and support less expensive employee fraud prevention. We recommend that you use E-SSO as the first point of entry into IAM and use its benefits to build the business case for implementing more complex technologies such as provisioning, access recertifications, and role management. See the November 9, 2010, "Enterprise Single Sign-On: The Fast Lane To Identity And Access Management" report.

2 Source: Angela Moscaritolo, "Disgruntled San Francisco admin sentenced to four years," SC Magazine, August 9, 2010 (http://www.scmagazineus.com/disgruntled-san-francisco-admin-sentenced-to-four-years/article/176596/).

3 If you need guidance with determining which areas of your overall security program you should focus on, Forrester recommends that you begin by completing Forrester's own Security Maturity Model. See the July 27, 2010, "Introducing The Forrester Information Security Maturity Model" report.
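The self-assessment scoring described above (yes/no criteria rolled up into category and domain scores, red below 2.00) together with the prioritization rules from the recommendations (red domains first, governance and value ahead of other red domains, easiest categories first within a domain, at most three projects), as an added Python illustration that is not Forrester's tool. The domain and category names come from the report; the formula mapping yes/no answers to a 0-5 score, the mean used for the domain roll-up, and the sample answers are assumptions constructed for the example.

```python
"""Self-assessment scorer patterned on the Forrester IAM maturity model.

Added illustration, not Forrester's tool. Domains, categories and the
easiest-first ordering within a domain come from the report; the yes/no-to-score
rule and the domain roll-up (a mean) are assumptions, since the report only says
the tool scores each category from yes/no answers and flags scores below 2.00.
"""

# Categories in the order the report lists them; the report treats earlier
# (left-hand) categories as easier to implement than later ones.
MODEL = {
    "Governance and value": [
        "Governance and strategy",
        "Demonstrated value",
    ],
    "Access management": [
        "Desktop single sign-on",
        "Privileged identity management",
        "Web single sign-on",
        "Entitlement management",
        "Federation and cloud IAM",
    ],
    "Identity management": [
        "Directory infrastructure",
        "Password management",
        "Access recertification",
        "Provisioning and delegated administration",
        "Job role management",
    ],
}
RED_THRESHOLD = 2.00  # report: scores below 2.00 are highlighted in red
MAX_PROJECTS = 3      # report: at most three immediate, short-term projects
LEVELS = ["nonexistent", "ad hoc", "repeatable", "defined", "measured", "optimized"]

def category_score(answers):
    """Assumed rule: share of 'yes' answers scaled onto the 0-5 COBIT-style scale."""
    return round(5.0 * sum(1 for a in answers if a) / len(answers), 2)

def score_assessment(responses):
    """responses: {domain: {category: [bool, ...]}} -> (category scores, domain scores)."""
    cat_scores, dom_scores = {}, {}
    for domain, categories in MODEL.items():
        scores = [category_score(responses[domain][c]) for c in categories]
        cat_scores.update(zip(categories, scores))
        dom_scores[domain] = round(sum(scores) / len(scores), 2)  # assumed roll-up
    return cat_scores, dom_scores

def maturity_level(score):
    """Name the Figure 3 level a score falls in (a 2.8 is still 'repeatable')."""
    return LEVELS[min(int(score), 5)]

def prioritise(cat_scores, dom_scores):
    """Report's rules: red domains first (governance and value ahead of the
    others), easiest-first inside a domain, never more than three projects."""
    red = [d for d in MODEL if dom_scores[d] < RED_THRESHOLD]
    ordered = red + [d for d in MODEL if d not in red]  # MODEL order puts governance first
    projects = []
    for domain in ordered:
        for category in MODEL[domain]:
            if cat_scores[category] < RED_THRESHOLD and len(projects) < MAX_PROJECTS:
                projects.append(category)
    return projects

def progress(baseline, reassessment):
    """Per-domain change since the last evaluation, for the yearly progress report."""
    return {d: round(reassessment[d] - baseline[d], 2) for d in baseline}

# Constructed sample answers: five yes/no criteria per category (12 x 5 = 60,
# the report's question count; the real criteria are not reproduced here).
SAMPLE = {
    "Governance and value": {
        "Governance and strategy": [True, False, False, False, False],
        "Demonstrated value": [True, True, False, False, False],
    },
    "Access management": {
        "Desktop single sign-on": [True, True, True, True, False],
        "Privileged identity management": [True, False, False, False, False],
        "Web single sign-on": [True, True, True, False, False],
        "Entitlement management": [False, False, False, False, False],
        "Federation and cloud IAM": [True, False, False, False, False],
    },
    "Identity management": {
        "Directory infrastructure": [True, True, True, False, False],
        "Password management": [True, True, True, True, True],
        "Access recertification": [True, True, False, False, False],
        "Provisioning and delegated administration": [True, True, True, False, False],
        "Job role management": [True, False, False, False, False],
    },
}

if __name__ == "__main__":
    cats, doms = score_assessment(SAMPLE)
    for d, s in doms.items():
        print(f"{d:22} {s:.2f} {maturity_level(s)}{'  RED' if s < RED_THRESHOLD else ''}")
    print("first three projects:", prioritise(cats, doms))
```

With the sample answers, governance and value (1.50) and access management (1.80) come out red while identity management (2.80) does not, so the three projects picked are governance and strategy, then the two red access categories furthest left, PIM and entitlement management.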

