
G00271424

Predicts 2016: Identity and Access Management
Published: 7 December 2015

Analyst(s): Ray Wagner, Ant Allan, Felix Gaehtgens, Gregg Kreizman, Anmol Singh, Earl Perkins

The evolving significance of IAM in security strategy is driving advancements in recognition
technologies, session monitoring, IDaaS and risk management of privileged activity. IAM leaders
should monitor these near-term events to adapt buying and management processes and engage IAM
best practices.

Key Findings

Over the next few years, off-the-shelf analytics tools will make a greater contribution to the level
of trust across mainstream use cases.

Though identity and access management as a service (IDaaS) offerings provide rapidly
deployable user provisioning and solid Web access management functions, they lack deep
identity governance and administration functionality.

Because privileged access remains risky, more vendor privileged access management (PAM)
offerings will feature capabilities to review privileged activity like advanced session recording,
intelligent playback, and user and entity behavior analytics (UEBA).

Most user authentication methods applied for enterprise use cases do not provide the desired
identity assurance for privileged operations on key business systems.

Recommendations

Identify use cases that demand the combination of medium levels of trust and exceptional user
experience provided by recognition technologies.

Request that incumbent user authentication vendors provide their roadmaps regarding analytics
and various biometric modes, including passive modes.

Evaluate IDaaS adoption by analyzing the total cost of ownership of current on-premises IAM
implementations and support to determine whether to keep IAM in place or move all or part of
IAM to IDaaS.

Review privileged activity on a regular basis by using advanced session recording and replay
features for manual review based on risk scores. Utilize maturing UEBA technology to further
drive risk scoring and automatic responses to undesired activity.

Table of Contents
Strategic Planning Assumptions (page 2)
Analysis (page 2)
  What You Need to Know (page 2)
  Strategic Planning Assumptions (page 3)
  A Look Back (page 10)
Gartner Recommended Reading (page 11)

Strategic Planning Assumptions


By 2019, use of passwords and tokens in medium-risk use cases will drop 55% due to the
introduction of recognition technologies.
By 2019, 40% of IDaaS implementations will replace on-premises IAM implementations, up from
10% today.
By 2018, 25% of organizations, up from less than 5% today, will reduce data leakage incidents
by 33% by reviewing privileged session activity.
By 2019, more than 50% of organizations will implement risk-appropriate contextual authentication
for privileged access management, up more than 30% from today.

Analysis
Every year, Gartner analysts offer their predictions on what they see as the key issues facing the
markets they cover. Gartner's identity and access management (IAM) analysts have developed a set
of predictions in this space for 2016 and beyond. IAM leaders should consider these forward-looking
Strategic Planning Assumptions when allocating resources and selecting products and services.

What You Need to Know


In this research, Gartner's IAM analysts are looking ahead of present-day markets for notable trends
in recognition technologies, session monitoring, IDaaS and risk-based authentication. In addition to
Strategic Planning Assumptions in this research, several Gartner analysts use near-term flags to
help clients track and closely monitor trends as they occur before the year of predicted full impact.

Page 2 of 12

Gartner, Inc. | G00271424

Strategic Planning Assumptions


Strategic Planning Assumption: By 2019, use of passwords and tokens in medium-risk use cases
will drop 55% due to the introduction of recognition technologies.
Analysis by: Ant Allan
Key Findings:
Recognition technologies combine big data analytics, passive biometric modes and device-embedded
public-key credentials to provide trust in a claimed digital identity without the need for any active
authentication act by the user. IAM leaders should be aware of the following observations:

Rather than providing a desired level of trust at login, recognition technologies can quickly ramp
up to and sustain the desired level of trust throughout a session.

The use of analytics techniques is already well-established in some authentication contexts and,
in limited use cases, can eliminate the need for initial login passwords or even tokens.

Greater range and variety of identity-relevant data and increased power of analytic techniques
will enable off-the-shelf analytics to make a greater contribution across mainstream use cases.

Passive biometric modes exploit the user's presence or normal activity when logging in and
throughout a session, making use of inputs already available on phones, tablets and many PCs.

Use of such modes remains niche. However, these modes can be implemented in software on
most devices, yielding multiple benefits over embedded fingerprint sensors, which have limited
penetration and whose performance is constrained by device and OS vendors' engineering
decisions.

The apps or software development kits (SDKs) that handle the biometric capture can also
embed public-key credentials for message integrity and proof of origin, adding to the level of
trust.

Market Implications:

Recognition technologies will add value across a wide range of use cases that demand medium
levels of trust coupled with exceptional user experience (UX).

Needs for recognition technologies arise in many consumer use cases, such as online banking,
and also within organizations, particularly those that are pursuing digital workplace strategies.

These needs are felt most keenly in smartphone use cases, such as mobile banking. Gartner
expects to see early adoption here.

Recognition technologies also add value in tablet, laptop and desktop use cases. While use of
phone-as-a-token methods is now well-established, if users can do without an ancillary device
when using their phones, they will expect the same UX with other endpoint devices.


Very few vendors combine analytics with passive biometric modes. Gartner projects that
partnerships and acquisitions will broaden availability of recognition technologies within the
next two to three years.

Organizations may struggle to convince regulators and auditors that recognition technologies
provide an appropriate level of trust, especially where existing and forthcoming regulations
(potentially including European Banking Authority specifications for Internet payments) demand
the use of hardware tokens.

Established technologies, especially out-of-band push modes, will likely continue to satisfy the
needs of many organizations through 2019, but more and more will be augmented by analytics
and biometric modes, even if not superseded by full-blown recognition technologies.

Recommendations:
IAM and security leaders should:

Identify use cases requiring a combination of medium levels of trust and UX, a combination
that recognition technologies will offer.

Plan to orchestrate different tools from multiple vendors, at least in the midterm.

Press incumbent user authentication vendors regarding their investments in analytic capabilities
beyond current-generation contextual, adaptive techniques, as well as in passive biometric
modes.

Evaluate alternative vendors that will be able to provide recognition technologies alone or in
combination. These might include online fraud detection (OFD), UEBA and other analytics-savvy
vendors, as well as biometric platform vendors and individual biometric authentication vendors.

Related Research:

"Maverick* Research: The Death of Authentication"

"Market Guide for Online Fraud Detection"

"Magic Quadrant for User Authentication"

"Technology Overview: Adaptive Access Control"

"Enterprise Adaptive Access: Are We There Yet?"

Strategic Planning Assumption: By 2019, 40% of IDaaS implementations will replace on-premises
IAM implementations, up from 10% today.
Analysis by: Gregg Kreizman
Key Findings:
IDaaS has proven its value to buyers; the technology is useful for user provisioning and Web access
management. The spread of cloud and mobile architectures also has led businesses to engage
IDaaS. Adoption has been sluggish, though, where enterprises choose to integrate identity
governance and administration (IGA) functionality with legacy applications, and the customization
requirements deter companies from engaging the cloud for IGA. IAM leaders should be aware of the
following observations:

Based on data collected from Gartner client interactions and vendor-supplied customer data,
90% or more of IDaaS purchases are for Web-centric, shallow-functionality IDaaS offerings.
These offerings provide excellent connectivity for SaaS and provide basic user provisioning and
good Web access management functions to support workforce B2C and B2B use cases. They
also deploy rapidly. They lack deep IGA functionality.

Deep function IDaaS offerings, which deliver IGA functionality and provide connectors to legacy
applications that are equivalent to traditional on-premises IGA tools, have been more difficult to
sell. On-premises deployments of IGA tools are often heavily customized, and moving
customized implementations to the cloud is not a scalable, high-volume proposition for
vendors. There is also some correlation between the use of IGA tools and organizational size
and cloud risk aversion.

Market Implications:
Web-centric IDaaS vendors have had the most success selling to small and midsize businesses,
although deal and implementation sizes have grown over time. Web-centric IDaaS vendors
experiencing difficulties penetrating larger enterprises are developing deeper IGA functionality and
use partnerships to develop connectors for legacy applications. However, these Web-centric IDaaS
vendors will rightly resist requests for customization. There will continue to be a chasm between the
IAM needs of larger, more complex, risk-averse organizations and what Web-centric IDaaS can
deliver.
This will leave a significant portion of the available market with software that is self-managed or
outsourced to a managed service provider. An IDaaS vendor also might be willing to put up
customized hosted instances for each customer. Customers of these customized offerings lose the
economies of SaaS-based offerings and therefore have many of the same costs associated with
traditional on-premises deployments.
Gartner, though, has advised clients to avoid customization as much as possible. IGA tools have
become more configurable, and vendors have even admonished customers to avoid customization
in favor of configuration. Another macro trend that will shape the nature of IDaaS adoption is the
steady movement of applications to cloud and mobile architectures. The need for legacy application
support doesn't go away but diminishes somewhat over time. This combination of deeper functional
offerings that are configured rather than customized and the macro trend of more modern
application architectures will lead to a greater portion of the market being willing to adopt IDaaS.
Enhanced IAM features will offer sufficient quality in IDaaS to support a greater portion of
organizational IAM workloads.


Recommendations:

Investigate the total cost of ownership of current on-premises IAM implementations and
support. Identify the business drivers for keeping IAM in place or move all or part of IAM to
IDaaS. This investigation will provide a solid foundation for the decision to move to the cloud.
The most common benefits cited of a move to IDaaS are fast time to value, agility for bringing
on new applications and personnel-based staff concerns for traditional IAM deployments.

Evaluate vendors that provide deep functionality and legacy application support when reluctant
to adopt IDaaS because of apparent lack of functional depth in the market.

Monitor advancements in IGA from Web-centric providers, and consider IDaaS once functional
needs can be met and organizational benefits of IDaaS can be realized.

Related Research:

"Magic Quadrant for Identity and Access Management as a Service, Worldwide"

"Use Business Drivers and Cost Analysis to Make IDaaS Versus On-Premises Software Delivery
Model Choices"

Strategic Planning Assumption: By 2018, 25% of organizations, up from less than 5% today,
will reduce data leakage incidents by 33% by reviewing privileged session activity.
Analysis by: Felix Gaehtgens
Key Findings:
Privileged activity in the administration of systems, networks, databases or applications is inherently
risky and requires a high level of trust and confidence. Much of this activity is performed by third
parties: consultants, contractors or outsourcing partners. Unless organizations track and review
privileged activity, they risk being blindsided by insider threats, malicious users or errors that cause
significant outages. To engage new options in this administration, IT, security and IAM leaders
should be aware of the following trends:

Session recording has become a common feature for many privileged session management
(PSM) tools and virtual desktop infrastructure (VDI) servers. Several vendors in this space have
developed advanced features that streamline playback of session activity through intelligent
fast-forward or time lapse, timelining with events or generation of searchable metadata.

Manually reviewing all privileged activity by humans is unrealistic. Organizations with more
mature IT security are using risk scores derived from contextual information to decide which
privileged session needs to be scrutinized.

Privileged activity generates a stream of distinct logged events from multiple sources that can
be correlated back to this activity by such tools as SIEM. The next phase of evolution uses
UEBA to focus that review on the sessions that warrant it.


As UEBA technology evolves, dynamic risk scoring based on UEBA technology will in near real
time identify privileged access that is suspicious or risky for further analysis. UEBA will also be
designed to stop undesired activity as it happens by triggering an autoresponse, thereby
reducing breaches, data leakage and outages.

Near-Term Flag: More than 50% of PSM vendors will feature intelligent playback capabilities in their
offering by 2017, up from 25% in 2015.
Near-Term Flag: By 2016, at least five PAM vendors will offer specialized UEBA tools for privileged
access or provide a significant integration between PAM tools and SIEM or UEBA.
Market Implications:

Advanced playback capabilities will become a standard feature of PSM tools. Vendors that have
these features in 2015 will find it increasingly difficult to charge premiums for these features
beyond 2017.

Expert services for reviewing privileged activity will be outsourced to specialist security service
providers.

The synergies between UEBA and PAM will provide differentiation and drive integration through
partnerships, developments and, ultimately, acquisitions by 2017.

Recommendations:

Classify systems by criticality and data by sensitivity or confidentiality. Calculate risk scores for
privileged access due to these factors. Use additional factors, such as an inherent trust level for
an administrator, which may be lower when the administrator works for an outsourcing
organization and has just recently started activity. Determine a threshold above which privileged
activity must be manually reviewed.

Use UEBA technology as it matures to automatically review privileged activity and assign risk
scores to determine when privileged activity must be manually reviewed or an automated
response (such as locking out privileged users) must happen.

Leverage time spent reviewing privileged activity by highlighting good and bad practices, and
use this to improve your standard practices. Use information in order to learn and document
complex techniques.

Related Research:

"Market Guide for Privileged Access Management"

"How to Secure Remote Privileged Access for Third Parties"

"Market Guide for User and Entity Behavior Analytics"


Strategic Planning Assumption: By 2019, more than 50% of organizations will implement
risk-appropriate contextual authentication for privileged access management, up more than 30% from
today.
Analysis by: Anmol Singh
Key Findings:
Organizations remain challenged when balancing security risks associated with privileged access to
sensitive and critical systems and applications against the requirements for operational efficiencies.
Many organizations extend incumbent user authentication methods to IT administrators for gaining
secured access to privileged accounts and systems. IT security and IAM leaders should make a
note of these developing trends:

Weak authentication methods used for privileged access could greatly dilute the efficacy and
effectiveness of well-established PAM controls for managing privileged access.

Higher-trust methods such as one-time password (OTP) hardware tokens or X.509 smart tokens
aren't practical authentication form factors for granting privileged access to vendors and other
third-party users, who only require sporadic access on a temporary basis.

Traditional authentication methods focus on initial authentication and therefore aren't well-suited
for use cases requiring maintenance of trust over the entire course of a privileged user session.

Use of adaptive authentication for privileged access not only provides better user experience
and therefore enhances administrator engagement and operational efficiency, but also
determines high-risk authentication requests in real time.

Contextual authentication techniques significantly increase the levels of trust and accountability
by means of context evaluation throughout a user's privileged session, and not just at the time
of session establishment.

Near-Term Flag: By 2018, more than 40% of organizations will move away from rule-based access
controls and plan to invest in adaptive access controls for securing privileged access to critical IT
systems, up more than 20% from today.
Near-Term Flag: By 2018, more than 50% of PAM vendors will invest heavily in incorporating
contextual and adaptive techniques for authentication of privileged users, either through organic
development or in partnership with user authentication vendors, up from less than 20% today.
Market Implications:
The growing need for organizations to maintain operational efficiencies in the face of security risks
associated with privileged access will have several implications:

More organizations will use contexts to determine high-risk authentication requests and
detection of anomalous privileged activity.


As more and more organizations begin to implement a risk-based model leveraging context
awareness and analysis for privileged access, the market will continue to see a growing
demand for better accuracy in real-time authentication decisions.

Organizations will elevate the level of trust by initially layering adaptive authentication
techniques with higher-trust methods such as one-time password (OTP) hardware tokens or
X.509 smart tokens for step-up authentication. This will occur while the risk-appropriate adaptive
capabilities are in early phases of learning and activity profile baselining.

More PAM vendors will invest in exploring contextual data points derived from user activity
and entity behavior analytics approaches. These efforts will strive for a more accurate
determination of risks implied from certain types of administrator behavior.

As the demand for adaptive authentication grows for privileged access use cases, we will see
more partnerships and collaboration opportunities between PAM and user authentication
vendors to offer seamless integration of adaptive authentication capabilities to PAM systems.

Recommendations:

Assess using context-aware access controls that make use of certain predefined inputs to
dynamically determine the privileged access decision: Allow access, deny access or elevate
trust via step-up authentication.

Consider using additional contexts that can be applied at a more granular level to implement a
risk-appropriate model for authorizing access to privileged systems and accounts based on the
evaluated risk score.

Utilize system attributes (host name, host ID, Internet Protocol (IP) and Media Access Control
(MAC) addresses, and application identifiers) as initial contexts for automated authentication
in application-to-application password management (AAPM). Some PAM vendors, such as
Hitachi ID Systems, offer several contexts to choose from in order to authenticate the
application to the password vault for credentials retrieval (see "Market Guide for Privileged Access
Management" for more details).

Integrate adaptive access controls for user authentication to PSM tools in order to establish
privileged sessions to target systems and provide single sign-on capability to administrators.

Identify and utilize contexts that can be applied at regular intervals throughout a privileged
session in progress to enable continuous authentication by maintaining trust over the entire
course of a privileged user session.
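The two recommendation lists above (the risk-scoring and manual-review threshold from the session-review section, and the allow / step-up / deny decision driven by context at login and at intervals during the session from this section) can be put together in one small decision function. This is an added example, not code from the Gartner report or from any PAM vendor; the classification scales, weights, thresholds, trusted network range and sample records are all constructed assumptions.

```python
"""Risk-scored privileged access: added example, not from the report or any vendor.

Scores a privileged session from system criticality, data sensitivity and
administrator trust, queues the recording for manual review above a threshold,
and evaluates request context to allow, step up or deny both at login and at
intervals during the session. Every weight, threshold, network range and sample
record below is a constructed assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed classification scales; the report says to classify, not how.
CRITICALITY = {"low": 1, "medium": 2, "high": 3}
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
TRUSTED_NETS = [ip_network("10.20.0.0/16")]  # assumed admin jump-host range
BUSINESS_HOURS = range(7, 20)                 # assumed 07:00-19:59 local time
STEP_UP_THRESHOLD = 5   # at or above: require OTP token / smart card step-up
REVIEW_THRESHOLD = 7    # at or above: the recorded session is queued for review
DENY_THRESHOLD = 11     # at or above: refuse, or terminate, the session

@dataclass(frozen=True)
class Admin:
    name: str
    third_party: bool   # consultant, contractor or outsourcing staff
    days_active: int    # tenure in this privileged role

@dataclass(frozen=True)
class Target:
    host: str
    criticality: str
    sensitivity: str

@dataclass(frozen=True)
class Context:
    source_ip: str
    hour: int           # local hour of the request or of the sampled interval
    managed_device: bool

def session_risk(admin: Admin, target: Target) -> int:
    """Static risk: what is being administered and how far the admin is trusted."""
    score = CRITICALITY[target.criticality] + SENSITIVITY[target.sensitivity]
    if admin.third_party:
        score += 2
    if admin.days_active < 30:      # inherent trust is lowest for new starters
        score += 2
    elif admin.days_active < 90:
        score += 1
    return score

def context_risk(ctx: Context) -> int:
    """Dynamic risk from the request context, re-evaluated during the session."""
    score = 0
    if not any(ip_address(ctx.source_ip) in net for net in TRUSTED_NETS):
        score += 2
    if ctx.hour not in BUSINESS_HOURS:
        score += 1
    if not ctx.managed_device:
        score += 2
    return score

def decide(admin: Admin, target: Target, ctx: Context) -> dict:
    """Allow, step up or deny, and say whether the recording needs a human review."""
    total = session_risk(admin, target) + context_risk(ctx)
    if total >= DENY_THRESHOLD:
        action = "deny"
    elif total >= STEP_UP_THRESHOLD:
        action = "step_up"
    else:
        action = "allow"
    # A denied request never becomes a session, so there is nothing to replay.
    return {"score": total, "action": action,
            "manual_review": action != "deny" and total >= REVIEW_THRESHOLD}

def monitor_session(admin: Admin, target: Target, contexts: list) -> list:
    """Continuous authentication: one decision per sampled context, stop on deny."""
    actions = []
    for ctx in contexts:
        action = decide(admin, target, ctx)["action"]
        actions.append(action)
        if action == "deny":            # a PSM tool would terminate the session here
            break
    return actions
```

In practice the static score would come from the CMDB classification and the HR or contractor record, and the context sampling would be fed by the PSM tool; the point of the example is that the same score drives three different controls (step-up, review queue, termination) with separate thresholds.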

Related Research:

"Market Guide for Privileged Access Management"

"Twelve Best Practices for Privileged Access Management"

"Technology Overview: Adaptive Access Control"


A Look Back
In response to your requests, we are taking a look back at some key predictions from previous years.
We have intentionally selected predictions from opposite ends of the scale: one where we were
wholly or largely on target, as well as one we missed.
On Target, 2011 Prediction: By the end of 2015, more than 50% of cloud-based IAM offerings
will be hybrid solutions. (Original analysis by Gregg Kreizman.)
In 2011, Gartner defined a "hybrid" cloud-based IAM solution as using enterprise-based IAM
software and scalable service-based technologies integrated for cloud computing. Since then, a
market for IDaaS has steadily grown to support several use cases, including workforce access to
SaaS and on-premises applications, B2C and B2B. Workforce use cases lead to IDaaS adoption. In
almost all workforce use cases, and in some other use cases, the IDaaS is "bridged" to enterprise
user repositories for identity synchronization and to support single sign-on following an initial
authentication to on-premises directories and access products. IDaaS vendors also provide
federation and proxy functionality to serve on-premises applications and SaaS. These vendors have
demonstrated high scalability, particularly with consumer-facing implementations.
Missed, 2012 Prediction: Pressured by IDaaS alternatives, average IAM product licensing will fall
an average of 25% by 2015. (Original analysis by Earl Perkins.)
As of October 2015, the introduction of effective IDaaS solutions has not resulted in a reduction in
traditional IAM product licensing of 25%. While the IDaaS market itself has grown aggressively, the
overall impact on traditional IAM markets is still not substantial. This is due to several reasons:

IDaaS-to-IDaaS competitiveness: While IDaaS has made significant progress in the general
IAM market and continues to grow in use and function, most price savings created by this
growth have occurred within the IDaaS market itself. IDaaS remains a competitive opportunity
for both smaller companies as well as early entrants from major platform as a service (PaaS)
providers. This trend will continue.

Different buyers: Most IDaaS sales are driven largely by Web-architected application targets,
employee-to-SaaS and consumer-facing needs.

Feature comparison with traditional IAM: While IDaaS solutions continue to improve yearly,
functionality has not advanced at the pace predicted in 2012.

Gartner still believes that by 2019, 25% of IAM purchases will use the IDaaS delivery model, up
from less than 10% in 2014. Whether these purchases will supplant existing enterprise-based IAM
solutions is uncertain. Traditional IAM has experienced minor price decreases in some areas,
particularly in access management. IAM costs continue to be nontrivial for most organizations
because of the continued complexity of the identity environment, the expansion of responsibilities in
operational technology (OT) and the Internet of Things (IoT), and the nature and sophistication of
threats to identity (see "Magic Quadrant for Identity and Access Management as a Service,
Worldwide" for more information).


Gartner Recommended Reading


Some documents may not be available as part of your current Gartner subscription.
"Cool Vendors in Education, 2014"
"Managing Identities, Access and Trust for Digital Workplace Success"
"Market Guide for User and Entity Behavior Analytics"
"Technology Overview: Phone-as-a-Token Authentication Methods"
Evidence
Gartner sees a variety of passive mode solutions in commercial use: face; iris and scleral vein
recognition; keyboard dynamics (typing rhythm/cadence); gesture dynamics (pointer and
touchscreen movements); and handling dynamics (motion-based mode using device
accelerometers and gyros).



© 2015 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This
publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access
this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained
in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy,
completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This
publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions
expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues,
Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company,
and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of
Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization
without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner
research, see Guiding Principles on Independence and Objectivity.

