Despite broader recognition of the need for securing access to applications and other IT resources, enterprises are still struggling to come to terms with the issues involved with identity and access management, Gartner has warned.
"We need to have a much more well-defined process for IAM (identity and access management), with architectures, controls and processes," Ant Allan, vice president of research at Gartner, told attendees of a recent conference in London on identity management.
While there has been a tendency to treat such problems as primarily a technological issue, and focus on how to integrate identity management into existing applications and systems, effective access management has a much broader impact, Allan said. "IAM is more and more about business issues as much as it is about security issues. You have to reflect the business controls and processes in your IAM controls and processes."
"(Identity and access management) is not something you can relegate to a low-level administrative task."
--Ray Wagner, managing vice president, Gartner
Another recent challenge has been an increasing emphasis on ensuring that staff members actually are who they claim to be, an issue that is receiving increasing prominence as global employment patterns shift.
"Before you create identities on your information systems for people, you need to establish who they are in the real world," Allan said. "We're seeing an increased focus on identity-based networks."
All this may see identity management shift from a technology manager responsibility to that of higher, C-level executives. "IAM is not something you can relegate to a low-level administrative task," Gartner's Ray Wagner noted.
Merely setting up efficient systems remains troublesome, if the typical queries received by Gartner itself are any indication. In the first quarter of this year, the most common queries from clients related to basic issues of user provisioning and authentication, Wagner said. Provisioning alone accounted for almost a quarter of queries.
One reason for increased interest in IAM is the increasing interest fiscal and legal regulators are taking in the systems used to control information access.
"Regulators want to see controls in place, and they want to see that you can show them you have controls in place," Allan said.
Effectively delivering that will probably require multiple categories of software, with Gartner singling out administration and access, verification, authentication and auditing as crucial roles.
"You don't need every kind of tool there is on the market, but you probably need more than one of each category," Allan said.
Angus Kidman of ZDNet Australia attended the Gartner Identity & Access Management Summit.