Study Shows IT Decision-Makers View Identity and Access as Chief Security Concerns

Oct. 25, 2004
Eighty-Seven percent of respondents to fund identity and access management solutions in 2005

Unisys Corporation announced the results of a new research study on identity and access management (IAM) at the Digital ID World 2004 conference. The research study found that information technology decision makers view IAM - the process of establishing and managing the digital identities that provide secure access to networks, sensitive information and other business resources - as key to increasing enterprise security, managing IT costs and enabling compliance with government regulations.

The study, which surveyed C-level executives and IT managers at large U.S. companies, revealed numerous issues surrounding the economics of IAM, as well as budgeting issues and varying speeds of adoption for specific types of IAM solutions being deployed to secure enterprise IT infrastructures and information resources.

Money alone can't solve the issue
Seventy-seven percent of respondents view an effective IAM system as a primary means of protecting against corporate network intrusions resulting from identity theft and other attacks originating either inside or outside the enterprise.

Moreover, respondents indicated a prudent hesitation to simply throw money at the security issue. Instead, they expressed a desire to ensure that the system delivers a defined economic benefit. Six out of 10 respondents want an IAM solution that enables them to manage or reduce operational costs, and nearly half view achieving return on investment (ROI) as a key factor in judging the success of their IAM implementation. That concern is even higher among decision-makers from companies with revenues of $3 billion or more - indicating that ROI is even more critical to larger companies with more at stake.

Ninety-two percent of respondents responsible for regulatory compliance identified IAM as key to their strategy for compliance with rules mandating safeguards for sensitive information. Those include Sarbanes-Oxley (SOX) in corporate governance - with a compliance deadline looming November 15 - the Health Information Portability and Accountability Act (HIPAA) in healthcare, and the Gramm-Leach-Bliley Act (GLBA) in financial services. The research showed that the higher-ranking the respondent, the more likely they were to rate IAM as "extremely important" for compliance.

Eighty-seven percent of the respondents indicated they plan to budget funds for IAM in 2005, with more than 55 percent increasing their IAM budgets by an average of 19 percent over 2004. That commitment suggests that IT decision-makers have prioritized IAM as an area for special action.

"This research clearly demonstrates that senior IT management has come to view identity and access management not as a technology solution, but as a critical part of an enterprise business strategy," said Patrick O'Kane, chief architect, Unisys Identity and Access Management Practice. "IAM is no longer a 'nice to have,' it's a 'need to have' for infrastructure security that protects critical assets, promotes operational efficiency and yields optimal return on investment."

The survey also examined the adoption and penetration rates of the most commonly used types of IAM solutions including:

Single Sign On - the most widely adopted IAM solution - enables a user to access multiple Web applications through a single point of contact without needing to maintain or remember multiple passwords. Even with a high rate of adoption, there is still plenty of opportunity for, and interest in, further deployment.

-- 93 percent of respondents were familiar with Single Sign On.

-- 53 percent of respondents have already implemented Single Sign On, or are in the process of implementation, with another 37 percent planning to do so in the next one to four years.

Role-Based Access Control - grants users access privileges according to their function, not their personal identity. Workers are granted only the privileges they need to perform their jobs. This can yield significant improvements in operational efficiency by eliminating the logistical adds, moves and changes that occur when identity is tied to the individual rather than to the functional role.

-- Role-Based Access Control was the next most-recognized IAM solution after Single Sign On; more than 80 percent of respondents were familiar with it.

-- 37 percent of respondents stated they have already implemented or are currently implementing Role-Based Access Control.

-- 41 percent of respondents stated they plan to implement Role-Based Access Control within the next four years.

Federated Identity Management - enables participating organizations to cooperate in sharing each other's authentication and authorization services. It is particularly useful for secure information-sharing with external partners and suppliers, or among business units within a company.

-- Federated Identity Management is the most nascent and currently the least implemented IAM solution; 62 percent of respondents indicated familiarity with Federated Identity Management, but only 19 percent have implemented it.

-- However, 37 percent of respondents plan to implement a Federated Identity Management solution within the next four years.

-- The adoption rate for Federated Identity Management could accelerate with the acceptance of a single standard - most likely the emerging Security Assertion Markup Language 2 (SAML 2). Nearly 90 percent of respondents agreed that the emergence of an accepted standard is an important goal.

Conducted in early October 2004, the survey polled 150 IT decision-makers at large U.S. companies (with more than $500 million annual revenue) about issues surrounding identity and access management within their organizations. Market research firm KRC Research conducted the study on behalf of Unisys.