Digital identities and the open business

Identity and access management as a driver for business growth C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Ou tlook\GRCSXTGE\Bob CA IAM 2.jpg February 2013

Identity and access management (IAM) systems are today used by the majority of European enterprises. Many of these are still installed on-premise but increasin gly they are being supplemented by the use of on-demand IAM services (IAMaaS). The overal l uptake represents a big increase from when Quocirca last surveyed the market in 20091.

Whilst IAM is important for managing the access rights of increasingly mobile employees, three other major drivers have encouraged businesses to invest despit e the tight economic conditions: the opening up of more and more applications to exter nal users, the growing use of cloud based services and the rise of social media. The ultimate aim with all three is to nurture new business processes, thereby finding and exp loiting new opportunities.

This report presents new research into the use and benefits of IAM and the relat ionship it has with these three drivers. The research is based on over three hundred int erviews with senior IT managers in medium sized to large organisations in a range of bus iness sectors across Europe. The report should be of interest to anyone wanting to bet ter serve all types of users, whilst still keeping control over applications and dat

a. Bob Tarzey Quocirca Ltd Tel : +44 7900 275517 Email: bob.tarzey@quocirca.com Rob Bamforth Quocirca Ltd Tel: +44 7802 175796 Email: rob.bamforth@quocirca.com

Digital identities and the open business Identity and access management as a driver for business growth Effective identity and access management (IAM) is seen as an essential tool for enabling open interaction between a business and its users, be they consumers, employees or users that are employees of other businesses, such as partners or customers. Many businesses now have more external users than internal ones The majority of businesses now open up at least some of their applications to ex ternal users, with 58% saying they transact directly with users from other businesses and/or c onsumers. The scale of the business processes they are running that require this will ofte n mean the number of external users exceeds internal ones. This has led to a rise in the up take of IAM systems with advanced capabilities to handle multiple types of users. Advanced IAM also helps organisations embrace cloud services and social media

97% of organisations that are enthusiastic about cloud-based services have deplo yed IAM in general and 65% are using IAM-as-a-service (IAMaaS); only 26% of cloud avoiders use any form of IAM. The single-sign-on (SSO) capability of such services acts as a brok er and a central place to enforce usage policy between users and both on-premise and on-d emand applications. Many businesses also recognise the value of social media, with the top motivation being to identify and communicate with potential customers. Deployment of IAM has increased markedly in the last three years When Quocirca last researched the IAM market in 20091, 25% had some form of IAM in place, with 52% saying it was planned although, for many, those plans were delay ed. However, regardless of the ensuing tight economic conditions, 70% have now deplo yed IAM. For 27% this is a totally on-premise system, however, 22% have already chosen to use a pure on-demand system, whilst 21% have a hybrid deployment. The number of sources of identity is extending well

beyond in-house directories Active Directory is the most widely used primary source of identity for employee s (68% of respondents). For users from customer and partner organisations the most common sources of identity are their own directories (11 12%). Secondary sources include the memb ership lists of professional bodies, for example legal and medical practitioners (7 8%) a nd government databases (2 3%). 12% use social media as a primary source of identity for consumers, 9% say it is secondary. These fairly low use rates of alternative sou rces suggest an untapped business opportunity, perhaps because currently deployed IAM tools d o not facilitate it. IAM eases a number of management challenges

The top IT management challenge eased by IAM is the enforcement and management o f access policy. However, it is also about improving the user experience by provid ing easy federated access to multiple applications and enabling user self-service. Whilst there are many benefits for businesses to be gained from effective IAM it seems likely tha t IT departments are under-selling these benefits. The benefits of IAMaaS, in particular, are widely recognised

The potential of IAMaaS is widely recognised even by those with pure on-premise IAM deployments. Lower management and ownership costs along with improved employee productivity top the list, with ease of integrating external users not far behin d. Those who make extensive use of cloud-based services are especially likely to recognise th e benefits of IAM in general and select IAMaaS in particular.

Conclusions Having an identity and access management system in place is now seen as an imper ative by many businesses to achieving a wide range of IT and business goals. Those organisations that lack effective IAM are likely to lag behind their competitors in many areas

as more and more business-to-business (B2B) and business-to-consumer (B2C) trans actions move online, cloud services become the mainstream source of IT applications and services for many businesses and so cial media takes centre stage as a source of identity.

Introduction identity as the new perimeter Identity and access management (IAM) is all about a business authenticating and understanding its users. This includes its employees, but also the growing number of external users that a given business allows to access its applications (Figure 1), both those installed on-premise and those that are subscribed to as ondemand services. Identity and access management (IAM) systems are increasingly being seen as the bridge between users and applications; either of which can be inside or outside of the firewall that has traditionally been the boundary of a given organisation s IT systems. This has led to the concept of the identity perimeter2.

Some organisations say they no longer even have officebased employees, with all employees being considered as mobile (just 8% said they had only office-based users ). However, the biggest change is the degree to which consumers and the employees of customer organisations are being given access; 58% of the businesses surveyed have now opened up applications to users from customer organisations , consumers or both (the figure of 58% is derived by adding together the numbers for those who interact with consumers and those that interact with users of customer organisations and subtracting from the total those who say they interact with both). The main motivator is to transact directly with these external users online (Figure 2).

IAM is also about making sure all users have convenient access to the resources they require, whilst maintaining appropriate levels of security and privacy and ensuring compliance requirements can be met. It is not about the creation and storage of identities per se. As this report will go on to show, effective IAM enables the federated use of a wide range of existing sources of identity. It also provides the balance between opening applications up to mobile and external users whilst making sure those applications, and the data to which they provide access, is appropriately protected.

The degree of transaction with external users varies by sector. With growth in use of online banking, financial services organisations are the most likely to be interacting with consumers, with 54% already doing so, along with government organisations, 49% of which are already transacting online with citizens. Telcos (as service providers) lead when it comes to direct interaction with users in business customer organisations with 48% doing so already, with

manufacturers coming in second at 42% with their

complex supply chains. The profile of interaction is likely to change over time as the benefit of direct interaction is increasingly recognised and more and more products and services are sold directly.

Beyond the opening up of applications to external users, there are two other major drivers for IAM.

First, there is the increasing acceptance and take up of cloud services (Figure 3). The research unambiguously shows that those organisations that are making wide use of cloud services have also invested in IAM (see later section on IAMaaS). The main reasons for this are that IAM eases the way access to cloud-based services is granted and revoked and once a user has logged on once they can be given immediate access to multiple cloud services.

Second is the rising use of social media (Figure 4), which can help businesses t o better understand customer preferences and improve the overall customer experience. Many think there is hug e business potential here; however, the number one reason for working with social media highlighted by this research is being able to identify and communicate with potential customers. Advanced IAM systems enable this by al lowing users to make use of their own existing identities, which in turn enables easier interaction and shou ld lead to faster business growth.

Businesses need to recognise that the return on investment in IAM is not just im proved security but an open ended business opportunity knowing your users through their digital identities and the n being able to maximise their potential is the cornerstone for controlling interaction between a given busines s and the outside world.

You and your digital identity, the rise of social media The age of bring-your-own-identity (BYOID) For one group in particular consumers social media is emerging as a key source of identity (Figure 5). Real world examples of this include organisations that have internet-centric business models, for example music download sites such as Spotify and charity giving sites such as JustGiving, that allow users to login using their Facebook identities; this makes it far easier for

users to sign up and for donors to part with their money.

However, usage looks set to expand into more conservative areas; for example, the UK government is also evaluating Facebook as part of the Identity Assurance (IDA) programme3, a way of better enabling secure transactions between public sector bodies and citizens. Is it even possible in the future that Facebook or Google identities could be the basis for access to online banking? This would not be such a huge step, according to a recent report from Virgin Media4, two th irds of UK banks have already speeded up customer service through use of Twitter.

This has led to the emergence of the concept BYOID (bring-your-own-identity), something that may well extend beyond consumers all the way to employees in the fullness of time. Before too long employees may take their identities with them from one job to the next in a similar way that many already do with their smartphones and other access devices (BYOD bring-your-own-device another industry trend that has already taken hold5).

Many may consider that an identity taken from a social media site cannot be trusted. However, there are an increasing number of services that can be used to calculate the trust of such identities and set thresholds for when they are accepted. Such sites calculate that, if a user has been using the same Facebook identity for five years and has accumulated a long back history of communications, it is unlikely to be a fake. In fact, because of the controls many social media organisations place around creating accounts, using them to create fake identities is more difficult than doing so through a registration process that involves a new unique account being created specific to a given service.

However, if social media sites are to be used as a source of identity, businesses need to be savvy about how they go about it. Marketing departments cannot expect to convert users of third party social media sites directly across to their own applications; neither can they expect users to login multiple times or fill out several forms with the same information. To truly embrace social media requires it to be fully integrated with IAM systems and used as a means of single-sign-on (SSO) to multiple resources. Any company not using this effectively may be losing sales.

The increasing use of IAM Patterns of use for IAM The three trends outlined earlier the opening up of applications, the rising use of cloud and growing importance of social media added to an increasingly complex mix of identity sources, are all d rivers behind the growing use of IAM. Figure 6 shows that there seems to have been considerable investment in IAM since Quocirca last published research in this area in 20091 (which was focussed on privileged user management ). 70% of organisations now have some sort of a system in place compared with around 25% just four years ago. Int erestingly, around 50% said they had plans for IAM investment in 2009; plans which seem to have come to fruition

despite the ensuing tight economic conditions. In a later section; The IAM empowered business , the report lo oks at the reasons IAM systems are seen as important for achieving a range of IT objectives.

The use of on-demand IAM-as-a-service (IAMaaS) is on the rise; 22% say this is t heir primary way of implementing IAM with a further 21% saying they have a hybrid on-premise/on-demand deployment .

This leaves 30% of companies with no IAM eing the least likely (Figure 7). They will find it hard to open up access eir competitors have. In the past small businesses may have considered that such nterprises, however with the increasing availability of IAMaaS, where r be a blocker.

system at all, with smaller companies b to applications in the way that that th systems were only affordable by large e payment is by use, cost should no longe

Authenticating users

The data shown in Figure 8 examines the attitude the respondents had to various aspects of authenticating users. It is widely accepted that clearly establishing identities is essential . Overall, 84% of all respondents say the need to do so is true for their organisation.

When it comes to checking identities, 77% are likely to use strong authentication (this is especially true of telcos and financial services). However, only a small number of respondents say they use hardware token providers (as a primary source of identity), probably because of the cost. The main reason that businesses will have turned to hardware token providers as a source of identity in the first place is because they are also a source of strong authentication. Given the importance attached to strong authentication, many are probably seeking lower cost software-based alternatives that make use of spatial and/or temporal co-ordinates or making use of mobile phones (unsurprisingly, telcos take a lead here too).

70% say they no longer rely entirely on usernames and passwords to authenticate users (again, this is especially true of telcos). IP addresses are used for authentication by 82%; if used alone this would be a concern because IP addresse s can be spoofed by hackers who want to make their attacks appear to come from legitimate locations. However, it is unlikely that IP addresses are being used as a primary means of identity; they are probably just an additional attribute that may be used as part of a strong authentication process.

As many as 54% say they sometimes transact without first establishing the identi

ty of users. This was especially true of telcos (83%) and financial services (77%). There may be good reasons for this , for example when asking for a quote for insurance or mobile phone service plan many do not want to give all th eir details before seeing the cost. However, it is likely that, in other cases, collecting such information is simpl y seen as too arduous, which it need not be if the supporting IAM tools were in place. In many cases the customer experie nce could be improved.

Multiple sources of identity Obviously, all organisations have some existing source of identity for their own employees. For 68% of the respondents to the current survey the main one is Microsoft Active Directory (Figure 9). When it comes to the broader community of users, Active Directory is less widely used. For mobile users and contractors it is still likely to be the main source, but less so.

Whilst Active Directory is widely used, it, and most other directories, has not been designed to scale up for the emerging use cases where some organisations are now engaging with tens or hundreds of thousands of users from other businesses maybe millions of consumers.

There are other challenges that are tricky to resolve with a policy that relies on a single organisational user directory. Many IT departments have to cope with mergers and acquisitions at some point; this may mean merging two different directories. With federated IAM, both can be maintained, at least in the short term, with both being use as identity sources. Many cloud-based applications also have their own directory of users, which can be integrated as part of single overall user identity in a federated IAM system and access provided via SSO.

A growing minority of organisations are already exploiting other sources, either as a primary or secondary means of identifying and authenticating external users (Figures 10 and 11). These include: . The external directories of partner and customer organisations are the most widely used primary source of identity for users from customer and partner organisations. . Professional body membership listings, for example legal and medical practitioners, are most commonly used as a secondary source of identity for users from customer and partner organisations. . Government databases are used to a limited extent, an opportunity that could be exploited further. . Social media, as pointed out in the introduction, currently is most likely to be used for consumers but with huge future potential for all types of user as the age of BYOID dawns. As Figure 4 showed, identifying and communicating with potential new customers is currently a leading use case for social media, but there is a range of others, including analysis of customer likes and dislikes.

Of course, this still leaves many organisations with no source of identity for e xternal users, either because they are not engaging with them effectively through IT or because their current IAM capab ilities do not allow them to, which may mean they are missing out on potential rich seams of user information to hel p attract new business.

The IAM empowered business The growing diversity of users and the consequent range of sources of identity underlines why so many organisations have seen the need to invest in IAM tools that can link multiple identity sources and provide federated access based on policy.

Figure 12 shows how respondents rated IAM as a means of enabling various IT management requirements. Top of the list was the enforcement of access policy for users; beyond this it was about improving the user experience through providing self-service and federated access as well as ease of provisioning.

Scalability to cope with unknown numbers of users was low on the list; for some this may be because they do not understand the limitations of existing directories, or because they do not know there are tools that can help with this; others may simply take it for granted as they have such tools in place already. The perception of IAM as an enabler for access to cloud-based applications (software-as-a-service/SaaS) is also low, but the evidence of this research is that it can be a key enabler for those that are making extensive use of cloud se rvices.

Policy enforcement is generally achieved using advanced single-sign-on (SSO). On ce a user is authenticated, all relevant resources are opened up and their use audited. There is a benefit to cu stomers in doing this; from the earliest stages of interaction each individual can be assigned a unique internal identifier linked to a range of other attributes, including their existing social and/or business identities, which, a s far as they are concerned, is their primary identity.

A new user can be provisioned once via SSO and have immediate access to both onpremise and cloud-based resources from any device (dependent on policy). Perhaps more importantly, their access to all resources can be deprovisioned in an instant when the need arises and there are no legacy passwords held in cookies etc. on their devices.

SSO simplifies things for both the user and the access provider. It is about muc

h more than a one-time validation of an identity. An SSO system acts as a hub and, based on the parameters associated with a given identity, it can control access to applications and data and enact policies about what a given us er or class of users are entitled to with that access. Those actions can also be readily audited. Because such polici es can be based on the results of analysis of content, it is still possible to deny access to certain classes of i nformation even when documents are misclassified or stored in the wrong place.

To engage with external users it is often necessary to be able to extend the met adata that describes a user. When this is the case, parameters can be added and used to decide what resources to a llow or deny access to and, where needed, additional criteria required by different applications associated with a given identity. Flexibility is important as these parameters may change over time and new ones may need to be added.

Most recognise that to deploy advanced IAM and to make use of federated services requires standards (Figure 13). LDAP, a general IAM standard for exchanging identity information between systems , topped the list, being seen as

essential or useful by 88% of respondents. However, 60% recognised the growing i mportance of SCIM, a standard for simplifying identity management in the cloud.

Although IAM has many potential business benefits making it easier to attract ne w customers, increasing business with existing customers, improved user experience and making business processes more efficient, all of which can provide an overall competitive edge IT departments seem to be underselling IAM. Many seem more aware of the IT operational benefits than the business ones (Figure 14). Although just under half felt it was true that the business is not interested in our IAM systems , it seems there are board members ready to l isten.

Those that have not persuaded their bosses to take an interest may fail to get t he go ahead for enhanced or new investments. They should learn from the more insightful that are focussed on the business benefits and presenting these as an opportunity. And there is good news for all; the task of securing in vestment has been made easier by the increasing availability of IAM-as-a-service (IAMaaS).

The emergence of IAMasaservice (IAMaaS) IAM-as-a-service (IAMaaS) is the provision of IAM capabilities on-demand over th e internet; many such services provide all the capabilities of an on-premise system with additional benefits un ique to IAMaaS, which are summarised in the next section (Table 2). Provision of IAMaaS may be direct from an IAM vendor or from a service provider using a vendor s product. The number of vendors offering IAMaaS has risen in the last 4 5 years and many more buyers reviewing options for IAM will now be evaluating IAMaaS.

The recognition of the benefits of IAMaaS is widespread (Figure 15), more so tha n its actual use, which, as reported earlier (Figure 6), was 22% for pure IAMaaS deployment and 21% for hybrid use, w here IAMaaS is integrated with on-premise IAM. This combination has its own set of benefits, also outlined in t he next section (Table 3). This understanding of the benefit of IAMaaS, even by those currently using a purely o n-premise system or having no current IAM system, suggests plenty of opportunity for the providers of such ser vices or those considering deploying them.

Just as with IAM in general, respondents to the current survey were more likely to recognise the IT rather than the business benefits of IAMaaS, especially the operational cost savings (Figure 16) . Many will also like the fact that, as with most on-demand services, payment is out of operational expenditure (OPEX) r ather than requiring upfront capital expenditure (CAPEX). There was also widespread recognition that IAMaaS c an lead to improved employee

productivity; for example access to a wide range of resources can be more easily made to an increasingly mobile workforce.

All the business benefits of IAM in general making it easier to attract new cust omers, increasing business with existing customers, improved user experience and making business processes more efficient also apply to IAMaaS. Other benefits beyond the cost savings that apply to IAMaaS in particular includ e the ease of providing access to all users, especially external ones.

As was pointed out in the introduction (Figure 3), the acceptance of cloud-based services in general is now widespread. 22% of respondents can be considered to be cloud enthusiasts whilst an other 23% can be considered to be cloud avoiders . Contrasting these two groups and their views on certain issu es has proved to be interesting and will be the subject of a forthcoming Quocirca report6; for now, the current report will look at views on IAM in particular.

First, respondents were asked about the importance of certain security technolog ies for providing access to cloudbased services (Figure 17). Even cloud avoiders accept they have to use at least some cloud services and see the need for audit trails and content filtering. Whilst cloud enthusiasts also recog nise the same needs, they also widely acknowledge the benefits of IAM, SSO and linking identity and content through po licy. These are all integral capabilities of most advanced IAM systems. In other words, cloud enthusiasts see IAM as essential for enabling their use of cloud.

Also, as Figure 18 shows, the enthusiasts were far more likely to have deployed IAM, with 97% having something in place compared to just 26% of avoiders. Not surprisingly, the majority of enthus iasts (65%) are choosing IAMaaS either as their sole IAM capability or as part of a hybrid system. Of course, ca use and effect may be debatable, we use cloud therefore we need IAM or because we have IAM we can use cloud , but the li nkage is clear. Cloud-based services are going to continue to be seen as an effective way of delivering many IT services and IAM enables this. If you are using cloud-based services in general, why not use them for IAM too? Why not IAMaaS?

The benefits of IAM Deployed effectively, IAM benefits both the business and the IT department. IAM is the key to the opening up of applications to external users, the exploitation of social media and the adoptio n of cloud services. The business and operational benefits are listed in the three tables that follow; first for IAM i n general, then IAMaaS in particular and finally for hybrid deployments.

Table 1: Benefits of advanced identity and access management BUSINESS BENEFITS OPERATIONAL BENEFITS Transacting directly with customers is the number one motivator for opening up applications to external users, with 87% of respondents saying it was a primary or secondary motivator. Advanced IAM enables businesses to transact securely and efficiently with a wide range of users. Enabling federated access to existing and new applications for both external users and employees is seen as one of the top IT management benefits of advanced IAM by around 80% of respondents. Advanced IAM enables business growth and innovation through supporting the simple creation of new online revenue streams and increased customer satisfaction. 46% of respondents already recognised IAM as essential to achieving certain business goals. 84% of respondents believe that clearly establishing identities is essential in ALL cases before commencing a transaction. Advanced IAM enables access to both cloud-based and on-premise applications to be controlled via a single identity. The process of mergers and acquisitions can be eased by the rapid sharing of resources, enabling the federating of two different directories of users from each organisation via IAM. 82% of respondents believe IAM is essential to achieving IT security goals. Advanced IAM enables the rapid provisioning of all types of new users and, as important, their immediate and comprehensive deprovisioning when the relationship with a given user ends. User self-service was seen at the number two management benefit of IAM, selected by 81% of respondents. Allowing users to reset their own passwords and be automatically granted access to new

applications based on policy is good for user experience and makes for more efficient IT operations. This increases customer satisfaction and reduces operational costs. The opening up of a wide range of alternative sources of identity via the use of open standards is essential to achieving federated IAM. 88% say LDAP is essential or useful and there is increasing awareness of SCIM, with 60% saying it is essential or useful.

Table 2: Benefits specific to IAM-as-a-service BUSINESS BENEFITS OPERATIONAL BENEFITS 58% of businesses already provide direct access for consumers, business partner users or both to their applications. IAMaaS eases the provision of access as such systems are designed for remote access from the bottom-up. Lower cost of management was the top benefit cited for IAMaaS (52% of all respondents). As with any ondemand service, IAMaaS systems do not require installation and configuration, they can be rapidly deployed and do not require specialist in-house skills. As it is itself a cloud-based service, IAMaaS, in particular, enables the easy federation of applications from different cloud service providers for all types of user, easing the creation of new partnerships. 59% of respondents already recognised the benefit of this. Lower cost of ownership was cited by 50% of all respondents as a benefit of IAMaaS, which costs less to implement than an on-premise system due to economies of scale (shared infrastructure costs).

As the use of IAMaaS is easily scalable, it can be expanded or contracted based on needs. For example, if a new consumer service is launched it may take off or flop; either way an under or over investment will not have been made. As with most on-demand services, payment is out of operational expenditure (OPEX) rather than requiring upfront capital expenditure (CAPEX). Costs are therefore on a more predictable pay-as-you-grow basis. This allows organisations to experiment with the benefits of advanced IAM and prove the value without major upfront investment, often by tackling a few tactical projects in the early days Identifying and communicating with potential new customers is one of the top reasons for business use of social media. Certain IAMaaS systems have preconfigured links to many social media sites, enabling easy integration into business processes and the growing use of bring-your-own-identity (BYOID). IAMaaS improves IT productivity with no identity infrastructure to manage; IT staff are freed up to focus

on other tasks and innovation. 52% of all respondents saw improved employee productivity as a benefit of IAMaaS. It provides easy access to a wide range of resources for all employees, including those working remotely.

IAMaaS, like all on-demand software services, provides immediate access to new features without the need to install updates and the down time that can entail.

Table 3: Benefits specific to hybrid on-premise plus IAMaaS BUSINESS BENEFITS OPERATIONAL BENEFITS More sensitive applications can remain internalised, with access rights restricted to those listed on the internal directory only, whilst transactional applications can be opened up to all via the IAMaaS system. This is an aid to the 81% who see IAM as necessary to achieving IT security goals. Continued use can be made of existing legacy IAM and directory deployments whilst advanced capabilities can be integrated from an IAMaaS system. IAMaaS systems are already integrated with many cloud applications (e.g. Google Apps, Office 365 and WebEx). They are, therefore, ready-to-go for the business without have to rely on IT to configure or write interfaces. Adding IAMaaS to an existing on-premise deployment adds such capabilities at a click. Many cloud-based applications also have their own directory of users, which can be integrated as part of a single overall user identity in a federated IAM system with access provided via SSO, linked to on-premise applications via existing internal IAM.

Conclusion Having an IAM system in place is now seen by many businesses as essential to ach ieving a wide range of IT and business goals. Primary amongst these are the opening up of more and more applic ations to external users, the growing use of cloud-based services and the rise of social media. The ultimate a im is to nurture new business processes, thereby finding and exploiting new opportunities. The number of busin esses that have deployed IAM has increased dramatically over the last four years.

Those organisations that lack effective IAM are likely to lag behind their compe titors in these areas as more and more business-to-business and business-to-consumer transactions move online, clo ud services become the mainstream source of IT applications and services for many businesses and social media takes centre stage as a source of identity. IAM has moved from a security tool to become a business enab ler.

The availability of IAMaaS has brought access to enterprise IAM capabilities wit hin reach of smaller organisations and, for larger organisations with legacy IAM and directory systems, IAMaaS can provide them with the agility to embrace all these opportunities through integrating them into a hybrid system. T his has led to a rapid growth in the use of IAMaaS either as the sole way a business deploys IAM or as part of an onpremise/on-demand hybrid deployment.

However identity management is achieved, the majority of businesses now see it a s essential. The statement made at the start of this report, that identity is the new perimeter, is already a re ality and will become more so as IT users and applications disperse ever more and traditional IT security boundaries look more and more dated.

Appendix 1 country level data Certain observations regarding the variation between organisations in different industry sectors have been made throughout the report. Some comment has also been made on the variations between organisations of different sizes, especially with reference to the deployment of IAM. These observations ar e made across all 337 surveys. Appendix 1 shows some of the variations between countries, although it should be pointed out that for some countries the samples are too small for significant conclusions to be drawn (see Appendix 2, Figure 31).

Open up applications, attitude to cloud and adoption of social media Organisations in the Nordic and Benelux regions were more likely to be opening u p their applications to consumers than those from further south; Iberia and Italy (Figure 19). However, a strong m otivator for all to do so was to transact directly with customers (Figure 20). Conversely, Italian and Iberian or ganisations were the least likely to be cloud avoiders (Figure 21), so all have good reason to look at IAM, albeit with the reasons for doing so varying. The Nordics are leading the way with use of social media for identifying and communi cating with potential customers (Figure 22), which ties in well with their enthusiasm for opening up application s to consumers.

Deployment and use of IAM The Nordics may find it easier to embrace open applications and social media if more of them put IAM systems in place; they were some of the least likely to have done so. Overall, Iberian orga nisations were the most likely to have done so and the most likely to have deployed IAM-as-a-service (Figure 23). UK-ba sed organisations are hot on strong authentication, with those in the Benelux region taking little interest ( Figure 24).

Italians were the least likely to see IAM an important for providing federated a ccess to external users, whilst, in line with other findings, Nordics were keen. However, Italians were the most likely t o extol the virtues of IAM for simplifying access to SaaS-delivered applications (Figure 25). The need for scal ability of IAM for unknown numbers of users was most recognised amongst the countries with the largest populations (Figure 26), which makes sense, whilst only in the Nordics and Israel did the majority think IAM was very import ant for access policy management/enforcement although most saw it as at least fairly important.

Benefits of IAMaaS Italians and Iberians were the most optimistic that the business was interested in their IAM systems (Figure 27) and in all areas but the UK the majority felt there were benefits to be had from IAM aaS (Figure 28). When it came to the benefits of IAMaaS, those from the Benelux region were again focussed on integra ting external users, whilst Italians were the most interested in saving a bit of money, although this was important t o all (Figure 29).

Benelux, Israeli, Nordic and UK based organisations were the most likely to reco gnise the power of IAMaaS to open up new revenue streams, whilst the French and Italians were focussed on new busi ness processes. The Iberians took little or no interest in either of these issues (Figure 30). That said, awarenes s of these business benefits needs to increase across the board to bring them more in line with the operational IT ben efits.

Appendix 2 demographics The following figures show the distribution of the research respondents by count ry, size, sector and job role:

Appendix 3 references 1 Privileged user Management Quocirca 2009

http://www.quocirca.com/reports/430/privileged-user-management--its-time-to-take -control

The identity perimeter

Quocirca 2012

http://www.quocirca.com/reports/791/the-identity-perimeter

UK Cabinet Office web site

http://www.cabinetoffice.gov.uk/resource-library/identity-assurance-enabling-tru sted-transactions

4 - Social media continues to rise in popularity among high street banks Media study

Virgin

http://www.virginmediabusiness.co.uk/News-and-events/News/News-archives/2012/Soc ial-media-continues-torise-in-popularity-among-high-street-banks/

Quocirca The data sharing paradox

2011

http://www.quocirca.com/reports/620/the-data-sharing-paradox

Forthcoming cloud report

2013

Quocirca will be publishing a follow-on report on the use of cloud-based service s

C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Ou tlook\GRCSXTGE\CA_r_Primary_RGB_web_395x352.png About CA Technologies CA Technologies (NASDAQ: CA) provides IT management solutions that help customer s manage and secure complex IT environments to support agile business services. Organisations leverage CA Te chnologies software and SaaS solutions to accelerate innovation, transform infrastructure and secure data and identities, from the data center to the cloud. IT Security solutions from CA Technologies can help you enable and protect your business, while leveraging key technologies such as cloud, mobile, and virtualisation securely to provide the a gility that you need to respond quickly to market and competitive events. Our identity and access management (IA M) solutions can help you enhance the security of your information systems so that you can improve custome r loyalty and growth, while protecting your critical applications and data, whether located on-premise or in the cloud. With more than 3,000 security customers and over 30 years experience in security management, CA offers pragmatic solutions that help reduce security risks, enable greater efficiencies and cost savings, and support delivering quick business value. CA CloudMinderTM provides enterprise-grade identity and access management capabi lities as a hosted cloud service supporting both on-premise and cloud-based applications. Deployed as a service, CA CloudMinder drives operational efficiencies and cost efficiencies through speed of deployment, pred ictability of expense and reduced infrastructure and management needs. www.ca.com/mindyourcloud

Description: Description: Description: Description: Description: Description: 5% REPORT NOTE: This report has been written independently by Quocirca Ltd to provide an overview of the issues facing organisations with regard to IAM.

The report draws on Quocirca s research and knowledge of the technology and business arenas, and provides advice on the approach that organisations should take to create a more effective and efficient environment for future growth.

About Quocirca

Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption the personal and political aspects of an organisation s environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to provide advice on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca s mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correc t technologies at the correct

time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time , Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of t he ITC community.

Quocirca works with global and local providers of ITC products and services to h elp them deliver on the promise that ITC holds for business. Quocirca s clients include Oracle, IBM, CA, O2, T-Mobile, HP, Xerox, Ricoh and Symantec, along with other large and medium sized vendors, service providers and more spec ialist firms.

Details of Quocirca s work and the services it offers can be found at http://www.q uocirca.com

Disclaimer: This report has been written independently by Quocirca Ltd. During the preparati on of this report, Quocirca may have used a number of sources for the information and views provided. Although Q uocirca has attempted wherever possible to validate the information received from each vendor, Quocirca cannot be held responsible for any errors in information received in this manner.

Although Quocirca has taken what steps it can to ensure that the information pro vided in this report is true and reflects real market conditions, Quocirca cannot take any responsibility for the ultimate reliability of the details presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of the data presented here, including any and all consequential losses incurred by any organisation or individual taking any action based on such data and advice.

All brand and product names are recognised and acknowledged as trademarks or ser vice marks of their respective holders.