Everett & McKinsey Identity and Access Management 2009 Survey

2009 European Identity and Access
Management Survey
A survey conducted by KPMG IT Advisory together with Everett
Supported by eema and IIR
Advi s o ry
2 2009 European Identity & Access
Management Survey
The findings
at a glance
© 2009 KPMG International

2009 European Identity & Access 3
Management Survey
The value of Identity and Access Management (IAM) is still recognised

and IAM is here to stay
• Almost 90% of the survey participants have initiated one or more IAM projects
in the last year;
• 70% of the respondents have a specifically allocated IAM budget.
Clearly the economic crisis has its impact on IAM, but IAM is still in the
spotlight
• A quarter of the respondents reported budget cuts of 5%-50%, whereas 13%
reported budget cuts of more than 50%;
• More than half of the respondents indicated a change of project scope;
• Many organisations are quite confident that their original business case is still
applicable in this hard economic climate;
• Despite budget cuts, almost three quarters of respondents entirely or partially
agreed that IAM investments should be increased instead of decreased due to
the current economic climate.
Governance, Risk and Compliance is by far the main driver of IAM

• Governance, Risk and Compliance is even more important than last year’s
survey indicated;
• The vast majority of IAM projects are still focused on their organisation’s direct
employees;
• Access attestation and certification services are ‘on the map’ and this is
possibly at the expense of the implementation of complete IAM solutions.
This indicates a shift from more preventive controls to a detective approach
focused on an organisation’s ‘crown jewels’.
There are still significant gaps between the expected and realised benefits
of IAM
• Although gaps between expectation and realisation still remain, over half of the
respondents were satisfied with the outcome of their IAM project;
• Organisations face difficulties in measuring the costs, benefits and quality of
IAM services and related activities.
A lack of business buy-in is the main cause of IAM project failure

• IAM projects are still mostly the responsibility of the IT department or the
Security Officer;
• 50% of the respondents stated that the business was not ready for the
proposed solution;
• 51% of the respondents indicated that there was a lack of support from
management and stakeholders.

Management Survey
Contents
01 Executive summary 5
02 Introduction 9
03 IAM projects – status and 12

impact of the economic crisis
04 Drivers and strategy 19
05 Architecture 22
06 Expected benefits, realisation 26

and satisfaction
Appendix A - Reference models 33
Appendix B - About the authors 36
Appendix C - European regions 39

Management Survey
01 Executive
summary

Management Survey
KPMG IT Advisory and Everett, in cooperation with eema and IIR, are pleased to
launch the report outlining the results of our 2009 European Identity and Access
Management (IAM) Survey.
Authors Survey In order to contribute to the decision making process of organisations with
regard to whether they should engage in IAM and with what type of initiative, we
KPMG: conducted the 2009 European IAM Survey as a follow-up to the IAM survey that
John Hermans KPMG conducted in 2008.
Joris ter Hart
Willem Guensberg Combining insights and trends from over 125 organisations from various sectors
Arjan van Vliet and countries, in combination with analysis and our experience in conducting IAM
projects and programmes, we believe our survey makes a significant contribution
Everett: to IAM research. This survey also provides insight into recent developments
Peter Valkenburg in the area of IAM and the impact of the economic crisis as the results are
Erik Frambach compared against the results from the 2008 IAM Survey (where applicable).
John Hermans Peter Valkenburg

Associate partner, Member of the Board of
KPMG IT Advisory in the Netherlands Everett Group
Global lead on Identity and Access Chief Technical Officer
Management

Management Survey
One of the most important conclusions of this survey is that, as was already
visible in the 2008 IAM Survey, IAM is here to stay. Even though the economic
circumstances are quite different for many of the organisations that participated,
the value of IAM is clearly recognised throughout all the sectors and throughout
the whole of Europe.
• Almost 90% of the respondents have initiated one or more projects during the
last three years;
• In 2008, one third of the respondents stated that they had no specific IAM
budget. The results of the 2009 survey show more or less a similar view as
70% of the respondents have a specific IAM budget.
The Financial Services (FS) sector continues its position as an early adopter of
IAM and in 2009 the Infrastructure, Government and Healthcare (IGH) sector
has emerged as an early adopter, whereas last year IGH was classified as a late
adopter (a so-called ‘laggard’). Despite the economic crisis, in general, the FS
sector still has the highest IAM budgets.
However, the area of IAM did not escape the impact of the economic crisis.
A quarter of the respondents reported budget cuts of 5%-50%, whereas 13%
reported budget cuts of more than 50%. Still over half of the respondents
indicate not having seen any (significant) impact on their IAM budget. However
a majority of projects encountered an impact on the project scope due to
the economic hard times. Strikingly, most are confident that the original IAM
business case still holds.
The three main drivers analysed in this survey are:
• Governance, Risk and Compliance (GRC) –

Being ‘in control’ and able to prove it;
• Operational excellence – Cost control and user experience;
• Business agility – Being ready for change.
Governance, Risk and Compliance is now even more important as the main
driver of IAM than last year’s survey indicated. This applies to every sector and
specifically to Financial Services, Infrastructure, Government and Healthcare and
Information, Communication and Entertainment (ICE). In the Consumer Markets
(CM) and Industrial Markets (IM) operational excellence is also of reasonable
importance. In addition, we would like to mention that investing in business
agility and operational excellence can reduce IAM costs in the mid to long term.

Management Survey
We expect these areas to be an opportunity when the economy recovers and

organisations have the budget to make investments in projects in which the
benefits with regard to expenses are realised within the mid to long term.
As part of GRC, access attestation and certification is now definitively ‘on the
map’ of organisations. Almost 20% of the respondents indicated this to be
a means of achieving project goals. Simultaneously, the implementation of a
complete IAM solution dropped by approximately 50% towards 35%.
These facts indicate a shift from an extended preventive approach towards a
more detective approach focusing on an organisation’s ‘crown jewels’. This
focused approach could also be a consequence of the economic crisis as only
focusing on the critical information will decrease the expenses.
However, when we analyse the gaps between the expected and realised
benefits of IAM projects, less than half of the respondents who expected
significant benefits from access attestation and certification realised these
benefits. This indicates that this is an evolving area which is not yet mature. In
general, there is a significant gap between the expected and realised benefits in
all areas of the main drivers. As in 2008, respondents cited the most prominent
reason for failure as being that the business was not ready for the proposed
solution and the lack of support from the business. Nevertheless, 50% of the
respondents were satisfied with their IAM project outcome.
Despite the gap between the expected and realised benefits and the negative
impact of the economic crisis, we conclude that the value of IAM is apparent to
organisations as they are still investing in IAM. The challenge for the upcoming
years is to realise the expected benefits. With limited budgets due the economic
crisis, organisations have to make careful choices relating to the scope and
the approach. This implies a need for strong program management and a clear
roadmap for IAM.

Management Survey
Introduction
02

Management Survey
The 2009 European IAM Survey continues to explore the status of IAM projects
within European organisations. This report extends the results of KPMG’s 2008
IAM Survey, and comparisons between the two are presented where applicable.
Several definitions of IAM are generally used. For the purpose of this survey,
IAM is defined as:
“The policies, processes and systems for efficiently

and effectively governing and managing who has access
to which resources within an organisation.”
To be more precise, the processes covered by IAM are user management,

authentication management, authorisation management, access management,
provisioning and monitoring and audit. A complete overview of the KPMG
IAM reference model used for this survey is included in Appendix A.
For this survey KPMG, Everett and the media partners eema and IIR invited
a variety of European organisations to complete an online questionnaire. The
answers to the questions were subsequently analysed by a KPMG/Everett team
of IAM professionals. A detailed analysis of the results is provided in this report
in order to help the reader gain insight into:
• The status of IAM projects seen across Europe;

• The impact of the economic crisis on IAM budgets and project scope;
• The drivers and strategy of IAM projects;
• The level of benefit realisation and satisfaction with IAM projects.
A solid base of data was provided as 128 respondents from organisations located
in 23 European countries participated in the survey. Among the respondents
were a wide range of organisational representatives, from CEOs and CIOs
to Security Officers and heads of internal audit. The group also contained
participants from organisations of different sizes and from a variety of industries.

Management Survey
The distribution of participants with respect to European region, size and sector
was as follows:
Total number of respondents 128
Geographic region*
North (Denmark, England, Finland, Norway, Scotland) 34 %
East (Belarus, Czech Republic, Latvia, Romania, Russia) 9 %
South (Turkey, Cyprus, Greece, Italy, Spain) 12 %
West (Austria, Benelux, France, Germany, Switzerland) 37 %
Other 8 %
Size (number of IT users)
Less than 1,000 20 %
1,001-2,500 13 %
2,501-5,000 16 %
5,001-10,000 13 %
10,001-25,000 13 %
More than 25,000 25 %

* No significant differences
Sector
were found between the four
different geographical regions as Financial Services (FS) 39 %
described in the table. Therefore,
Infrastructure, Government and Healthcare (IGH) 34 %
the results presented in this
report apply to the European Information, Communication and Entertainment (ICE) 13 %
region as a whole and are not Industrial Markets (IM) 9 %
divided by the four geographical
regions. Consumer Markets (CM) 5 %
Reading aid
Chapter 3 of this report describes the current status of IAM projects and the
impact of the economic crisis. In Chapter 4 the strategy and main drivers of IAM
are elaborated. Subsequently, the IAM architecture is described in Chapter 5.
In the final chapter the expected and realised benefits of IAM are addressed;
this section also includes the participants’ ‘satisfaction’ with regard to the actual
benefits and their ability to measure costs and benefits of IAM.

Management Survey
03IAM projects –

status and impact of

the economic crisis
Management Survey
Authors’ note Number of IAM projects initiated

IAM was already ‘here to stay’ in 2008,
and the 2009 survey supports this 6%
2% 13%
impression. IAM is clearly of concern
to all organisations, regardless of the
sector in which they operate or the
country in which they are based. None
31% 1–2
3–5
Over half of respondents indicated to 6 – 10
have initiated one or more projects More than 10 projects
during the past three years. It appears
that it is often insufficient to initiate only 48%
a single project, but that a sequence
of projects is required in order to
successfully achieve their organisation’s Source: KPMG/Everett IAM survey, October 2009
IAM end goals. A possible explanation
may be that previous projects have As information is one of an organisation’s most valuable assets, control of access
failed, but based on our industry to this information forms an important part of an organisation’s day-to-day business.
experience it appears more likely that Around half (48%) of the respondent organisations had initiated one or two IAM
an IAM programme, in which several projects during the last three years, 87% of organisations had initiated at least
projects are contained, enhances the one IAM project and approximately a third (39%) had initiated more than three
chances of success. This supports IAM projects. Of these 39%, 6% had initiated more than ten projects.
the need for a strong programme
management organisation and a clear Observation in comparison to the 2008 IAM Survey: In 2008, all respondent
roadmap with clearly defined phases organisations indicated that they had initiated one or more IAM projects in the
and scoping. last three years, whereas 13% of 2009 respondents indicated they had not initiated
any IAM projects in the last three years.
The findings of this survey indicate that
the FS sector can still be categorised Number of IAM projects by sector
as one of the ‘early adopters’ of IAM.
Pressure to comply with banking
regulations as well as national and IM
international corporate governance
CM
legislation is relatively high in this
sector, and this is assumed to be one IGH
Sector
of the drivers of IAM projects within the ICE

sector.
FS
Contrary to 2008, in 2009 the IGH OTH*

sector is also adopting IAM on a regular 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
basis, whereas only a year ago IGH was
None 6 – 10
categorised as a ‘late adopter’.
1–2 More than 10 projects
3–5
Source: KPMG/Everett IAM survey, October 2009 * Other

Management Survey
The FS and IGH sectors both represent a significant percentage of respondents

who had initiated more than ten IAM projects over the past three years. The
IM and CM sectors, on the other hand, display less IAM project initiation with a
maximum of five initiated IAM projects.
Budgets
Size of IAM budgets
23%
31%
Less than EUR 100,000
EUR 100,001 – 250,000
EUR 250,001 – EUR 500,000
EUR 500,001 – EUR 1,000,000
EUR 1,000,001 – EUR 10,000,000
More than EUR 10,000,000
15%
Unknown
5%
6%
12%
8%
Source: KPMG/Everett IAM survey, October 2009
Out of the budgets specifically allocated to address IAM over the next three
years, 38% of the respondents plan to initiate projects with a budget up to EUR
250,000. 11% of respondents indicated that they have allocated a budget of over
EUR 1 million. Compared to the results of the 2008 IAM Survey there are no big
differences; in fact the results are almost the same.
As may be expected, smaller sized organisations (with less IT users) have smaller
IAM budgets and vice-versa, with EUR 10 million+ IAM budgets only occurring in
the organisations with over 5,000 employees. Overall, larger organisations appear
to have more difficulty in determining the total IAM budget, as many respondents
representing larger organisations indicated that they did not know its IAM
budget. By contrast, 80% of respondents representing smaller organisations (up
to 10,000 employees) were able to indicate the size of its IAM budget.

Management Survey
Authors’ note IAM budgets by sector

It is still the FS sector that boasts the
highest number of high-end budget
IM
ranges. This means that IAM budgets
are generally higher in the FS sector. CM
The IGH sector comes in a decent IGH
Sector
second in this category. One possible

explanation is that these sectors ICE
specifically experience a relatively high FS

pressure to comply with international
OTH
rules and regulations (FS) and a relatively
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
large number of IGH have begun over
the last year. The IM and ICE sectors Less than EUR 100,000 EUR 1,000,001 – EUR 10,000,000
do not appear to have the IAM drivers EUR 100,001 – 250,000 More than EUR 10,000,000
EUR 250,001 – EUR 500,000 Unknown
to justify the same level of budget EUR 500,001 – EUR 1,000,000
allocation. However, we note that the
obligation to comply with stringent Source: KPMG/Everett IAM survey, October 2009
legislation is also becoming increasingly
important in these sectors. In 2009, budget allocations remain largely unchanged. In addition, the IM and
ICE sectors have relatively small allocated IAM budgets.
Scope
IAM Scope
100%
94%
80%
60%
40%
37%
33%
20%
0% 10%
Own employees Partner and/or Clients Unknown/other
supplier network
Over 90% of the respondents indicated that IAM projects are still mainly focused
on their organisation’s direct employees. This indicates that most IAM projects
are focused on controlling access to internal systems and information. However,
approximately a third of IAM projects target partner and/or supplier networks, and
approximately a third target clients via IAM projects1.
1
Multiple answers were allowed for this question and therefore the total percentage is above 100%.
This is applicable to all graphs in which the total percentage is above 100%.

Management Survey
Authors’ note Means to achieve project goals

As far as the respondent organisations
50%
are concerned, attestation and
certification is now ‘on the map’. In 40% 44%
general the means to achieve project 37%
35%
goals are fairly evenly distributed over 30%
31%
the five IAM approaches mentioned
20%
here, with only 11% of respondents 20%
resorting to other means to achieve 10%
11%
their IAM project goals. This may be
viewed as a sign of the maturity of the 0%
New policy Complete User management Attestation Enhanced Other
IAM market, as most respondents found IAM solution and provisioning and certification authorisation
the options to achieve their project

goals readily available in today’s vendor Source: KPMG/Everett IAM survey, October 2009
portfolios.
With a fifth of respondents indicating attestation and certification solutions to be
The implementation of a complete a means of achieving project goals, attestation and certification solutions have
IAM solution has dropped significantly emerged to become one of the serious options on this chart. Common means
towards 35% (a 50% drop). It is (implementation of a new policy, a complete IAM solution, a user management
possible that the focused approach of and provisioning solution or enhanced authorisation) all represent a fairly similar
targeting ‘crown jewel’ components of number of respondents, with user management and provisioning as the most
the information/application landscape commonly used solution.
has reduced the popularity of the
complete solution. It is also possible that
a shift has taken place from the more
Impact of the economic crisis
preventive complete approach to more
detective solutions such as attestation
Impact on IAM budget
and certification focused on the ‘crown
jewels’. 1%
13% 7%
The IAM budget is increased by more than 50%

The IAM budget is increased by 5 – 50%
24% No impact, (almost) unaffected IAM budget
The IAM budget is cut by 5 – 50%EUR
The IAM budget is cut by 5 – 50%
55%
Although over half of respondents indicated not to have seen any (significant)
impact on IAM budgets, over a third (37%) indicated that their IAM budget has
been cut. A quarter of the respondents reported a 5%-50% cut, whereas 13%
reported IAM budget cuts of over 50%. As might be expected, IAM budgets are
under pressure as a result of the economic crisis.

Management Survey
However, 73% of respondents entirely or partially agreed that the economic

crisis is another reason why their organisation should invest in IAM.
Impact on IAM budget by sector
IM
CM
Sector
IGH
ICE
FS
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
The IAM budget is increased by more than 50% The IAM budget is cut by 5 – 50%
The IAM budget is increased by 5 – 50% The IAM budget is cut by more than 50%
No impact, (almost) unaffected IAM budget
Although some sectors were largely unaffected, over a third (37%) of

respondents reported cuts in their IAM budget of more than 5%, especially in the
FS, ICE and IGH sectors. CM does not appear to be impacted as of yet, however
this might be distorted as almost 50% of the CM sector respondents indicated
not knowing their IAM budget.
Impact on IAM budget by total IAM budget range
>10M
1M-10M
total IAM budget
500K-1M
250-500K
100-250K
<100K
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
The IAM budget is increased by more than 50% The IAM budget is cut by 5 – 50%
The IAM budget is increased by 5 – 50% The IAM budget is cut by more than 50%
No impact, (almost) unaffected IAM budget

Management Survey
Authors’ note It appears that the larger IAM budgets, and generally speaking the larger IAM
The survey clearly indicates that IAM projects, faced the hardest budget cuts in absolute terms (total EUR) and
budgets are under pressure from relative terms. Smaller organisations (with IAM budgets of up to EUR 10 million)
the economic crisis. Over a third of experienced a range of IAM budget cuts (anywhere between 5%-50%) and the
respondents have already experienced IAM budget increased in a relatively small number of organisations.
budget cuts. We expect that this figure
may rise in the next year as the budget Impact on scope
cycle for 2010 in general is under
pressure due to the economic crisis.
Large organisations in the Financial IM
Services sector have been hit especially CM

hard in the crisis and, generally
IGH
Sector
speaking, larger IAM projects face the

hardest budget cuts in absolute terms ICE
(total EUR). However, respondents were FS

generally confident that the original IAM
OTH
business case would still be accepted
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
under the current circumstances.
No impact Selecting or choosing a different
Slowing down (take more time for IAM projects) approach
Redefining the project scope focussing on Stopping IAM projects
the crown jewels
Despite the fact that 55% of respondents indicated that the economic crisis
has had no impact on their IAM budget, around 60% indicated that there was
some impact on the project scope, ranging from the slowing down to complete
stopping of IAM projects. Figures clearly indicate that projects are being
impacted negatively across all sectors.
Impact on business case

The IGH sector appeared to experience little effect of the economic crisis in
this respect, as almost 90% of respondents believed that the economic crisis
does not have an impact on the business case for IAM. Overall, over 70% of
respondents indicated that there was no impact on the IAM business case. In
addition, 80% of the respondents stated that the original IAM business case
would still be accepted under the current circumstances.

Management Survey
Drivers and
04
strategy

Management Survey
Authors’ note Main IAM driver

The relatively high weight of GRC as
a main driver in the FS sector may be
expected, as compliance requirements GRC 72%
are traditionally important within
this sector. In the IGH sector, GRC
Driver
Operational excellence 14%

is also the key topic with regard to
IAM. This could be due to the fact
that governmental and healthcare Business agility 13%
organisations are facing more and more
requirements with regard to information 0% 20% 40% 60% 80% 100%
security and data privacy.
The participants were asked to state their main IAM driver from the following
options:
• Governance, Risk and Compliance;

• Operational excellence;
• Business agility.
Respondents indicated that Governance, Risk and Compliance is undoubtedly the

main driver of IAM projects (72%). Operational excellence comes in second at
14% and business agility comes in third at 13%. Compared to the results of the
2008 IAM Survey, GRC has become even more important.
Main IAM drivers by sector
IM
CM
Sector
IGH
ICE
FS
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Business agility
Operational excellence
GRC

Management Survey
Authors’ note When we filter these results by sector, we find that FS, ICE and IGH represent
The FS sector appears to be the most the highest scores for GRC. Although GRC is also a factor in the ICE and CM
mature in running its IAM projects. sectors, the most important drivers in these sectors show a less pronounced
In this sector the lowest number of bias towards GRC as the main driver. In the CM and the IM sectors, operational
‘none of the above’ was reported, excellence turns out to be significantly more important than in the other sectors.
and the number of ‘agreed across the Business agility is a more important driver in the IGH and IM sectors than in any
organisation’ was the highest. The IM other, most notably the FS sector.
sector, on the other hand, appears to
be the least mature; displaying low
IAM project approaches
numbers for all of the above mentioned
project management elements. The
high score for FS is in line with previous
IM
observations in this survey.
CM
IGH
Sector
ICE
FS
0% 10% 20% 30% 40% 50% 60%

Milestones in place Multi-year roadmap
Measurable milestones None of the above
Agreed across organization
When asked which project approaches are being used for IAM, many
respondents reported that several different approaches were in use. However,
there were also many respondents (25%) who reported that none of the project
approaches we suggested were in place.
When we filter these results by sector, the most prevalent result is that in the
CM and IM sectors around half of the respondents indicated that none of the
stated approaches were being used and that within IM none of these methods
were being used a lot. The IGH, ICE and FS sectors reported to be using all of
the listed project approaches.

Management Survey
Authors’ note Responsibility for IAM strategy

Based on the responsibilities for IAM
strategy one can conclude that IAM 8%
projects are still often IT-driven and 3%
3%
much less business-driven, which (Chief) Security Officer
3% 33%
is a risk as the business may not IT manager
4%
be sufficiently involved in order to (Chief) Risk Officer
(Chief) Information Officer
guarantee success. This may still be
10% IT architect
true if a (Chief) Security Officer initiates (Chief) Financial Officer
an IAM project, because security as Project manager
System Administrator
such is still often not seen as a business
Other
objective, but rather an IT-based 12%
method of protecting the business. We 24%
believe a Business Manager, a CFO,
a CIO, or perhaps the (Chief) Risk/ Source: KPMG/Everett IAM survey, October 2009
Business Officer/Manager, who has
direct responsibility for primary business The IT department is still responsible for IAM strategy in 24% of the respondent
processes, should take charge. With organisations. The (Chief) Security Officer and the IT Manager form the majority
the growing importance of GRC the of the positions responsible for IAM strategy. The position of (Chief) Risk Officer
involvement of the business becomes comes in third.
even more important as GRC is a
business issue.

Management Survey
05
Architecture


Management Survey
Authors’ note IAM and IT architecture

The FS sector scores high here (70%),
90%
which is to be expected, given the effort
that many of these organisations typically 80%
78%
have already put into information security 70%
69% 70%
and risk management frameworks. A 60%
possible reason for the IM sector’s high 50% 58%
score could be that these organisations
40%
have standardised production processes
30%
and the IT architecture is therefore also
20%
more mature and aligned with these
processes. The low score for the CM 10% 17%
sector may indicate that IAM is often 0%

IM CM IGH ICE FS
used for consumers facing a limited
amount of applications that pose a fairly Source: KPMG/Everett IAM survey, October 2009
simple problem in terms of architecture.
In any case, IAM is often a long-term and Within 63% of the respondent organisations a specific IAM architecture has been
costly endeavour that requires strategic designed or IAM has been incorporated into the IT architecture. When broken
planning for which, we believe, down into sectors we find that IM scores the highest and that all sectors, except
architecture is a crucial component. CM, score above 50%.
Authors’ note Architectural principles for IAM

Many organisations appear to rely on a
preferred supplier rather than choose a 50%
‘best of breed’ solution. This indicates 45%
the importance of an IAM solution that
40%
fits into an organisation’s current vendor 39%
35%
and software landscape. Interestingly, 34%
30%
only 50% of the respondents from
25%
the Government sector reported
20% 24%
open standards as a principle of their
20%
15% 18%
organisation’s IAM solution. As these
organisations tend to promote open 10%
11%
5% 9%
standards, this appears to contradict
their official policy. Nevertheless, this 0%
Open Preferred Best of Central Delegated Loosely or Other/
figure is still around twice as high as the standards supplier breed authorizations
management
authorizations tightly coupled
management
unknown
overall figure.
When we asked the respondents about
the most used standards and preferred
According to the respondents, Central authorisations management is the most
practices, the most popular answer
important principle for defining their organisation’s IAM need (39%). When
was ISO 27001 (information security)
organisations are selecting their required IAM solution, a large amount acquire
and ISO 27002 (information security
the solution of their preferred supplier and only 18% perform a vendor selection
management). Based on this answer
in order to select a ‘best of breed’ solution.
we can conclude that there are no
specific IAM standards and industry best
practices in order to implement IAM.

Management Survey
Authors’ note Authentication mechanisms

Stronger authentication mechanisms
such as tokens and smartcards are well
Username & password 100%
matured, especially tokens. The fact that
the good-old username and password Tokens 54%
authentication still prevails indicates that Smart cards/certificates 36%
these may be used for access not only
RFID 11%
to low risk information (systems), but
also to high risk information (systems); Biometrics 13%
thus raising their vulnerabilities. 1%
Other
0% 20% 40% 60% 80% 100%
Username and password is an authentication mechanism that was reported by all

respondents. Tokens are also popular with more than 50% of the respondents.
Smartcards or other certificate-based mechanisms scored 35%. RFID and
biometrics were both reported at around 12%.
Authors’ note Current use of identity administrations

We believe that connecting to an
authoritative source is essential for
14%
any long-term viable IAM solution. A
connection to an authoritative source No administration of core user identity data /
organizational reference data
can be used to align the joiner/mover/ 39%
leaver process to the IAM administration Central identity administration,
not linked to authoritative sources
and ultimately enable the business (such as HR system)
to determine which user accounts
Central identity administration, directly linked
need to be allocated, modified and to authoritative sources (every change in
authoritative sources will result in change in
removed. Having a non-authoritative identity administration)
47%
source connected to IAM will make
it almost impossible to manage IAM
administration and to leave it up to the
business to decide which access a Source: KPMG/Everett IAM survey, October 2009
person needs to have. Fortunately over
half of the respondents indicated that An industry best practice for IAM is the connection to an authoritative source for
they intend to link their central identity central identity administration. Nevertheless, 60% of the respondents reported
administration to an authoritative source. that their IAM solution does not use an authoritative source.

Management Survey
Expected benefits,
06
realisation and
satisfaction

Management Survey
Expectations versus the realisation of IAM benefits
The participants were asked to rate their expected benefits of each driver and to
rate the realisation of the expected benefits. The survey results show significant
differences between the expected benefits and the realisation rate of the three
main drivers:
• Governance, Risk and Compliance (GRC);

• Operational excellence;
• Business agility.
The various areas used for measuring the benefits within the main drivers are
elaborated in Appendix A.
Business agility
Realisation versus expectation
Area Percentage that Percentage that

expects significant2 realised significant
improvements improvements
Adaptation to organisational
51% 26%
structural changes
Extended enterprise 35% 15%
Application integration and
52% 25%
exploitation
Realisation versus expectation

expects significant realised significant
Cost of service delivery 60% 32%
Quality of service delivery 66% 32%
User management and
83% 46%
provisioning
Identity administration 68% 48%
Role administration 65% 39%
Credentials management 59% 36%
2
Significant is defined as categories 4 and 5 on a scale of 1-5.

Management Survey
Authors’ note Realisation versus expectation

Generally speaking, the respondents
have high expectations of IAM, however
organisations appear to have fewer
expectations of business agility and
the realisation rate is also low in this User management and provisioning 83% 46%
area. This corresponds to the fact that Identity administration 68% 48%
business agility is perceived to be the Role administration 65% 39%
least important driver of IAM. Credentials management 59% 36%

The survey results show significant
differences between the expected
benefits and the realisation rate in the Governance, Risk and Compliance
three main areas. Even in the area
of GRC, which is seen as the most Realisation versus expectation
important driver of IAM, the realisation
is far below the expectation. This
may be explained by the fact that the improvements improvements
processes of user management and
Monitoring and reporting 67% 35%
provisioning are more mature in the
Attestation 59% 25%
market and that the area of GRC is still
evolving. This could also indicate that Cost control 39% 22%
there is too much focus on provisioning Risk reduction 70% 39%
as part of the project process. Segregation of duties 60% 35%

Considering the hard economic climate
and the fact that GRC is one of the
most important IAM driver for many
organisations, it makes sense to focus Satisfaction with results of IAM projects
on specific activities in order to realise
the benefits in the area of GRC and to The respondents were also asked to indicate the percentage of IAM projects
define these activities in a well-defined which actually met with the expected improvements.
roadmap as this is also lacking in a lot of
organisations. However, we would like Percentage of IAM projects meeting expectations
to mention that investing in business
agility and operational excellence can
12%
reduce IAM costs in the mid to long 22%
term. We expect these areas to be an
8%
opportunity when the economy recovers
Less than 10%
and organisations have the budget to 11 – 25%
make investments in projects in which 26 – 50%
51 – 75%
the benefits with regard to expenses are
76 – 100%
realised within the mid to long term. 19% 100%
20%
19%

Management Survey
Authors’ note These facts confirm the analysis of benefits versus realisation by driver. Less
Respondents’ answers help to give than a quarter (22%) of respondents experienced IAM projects fully meeting their
an indication that organisations are expectations by 100%.
apparently satisfied if the expected An analysis by sector shows that organisations in the FS, IGH and ICE sectors
benefits are realised in more than 50% have the highest percentage of IAM projects meeting requirements. Around 40%
of their projects. A possible clarification of these organisations achieved their project goals for 75%-100% of their projects.
could be that the original expectations There are also big differences in the ability to measure the effectiveness of the
were known to be too optimistic, or projects, e.g. in the IM and IGH sectors this was around 30%, or alternatively
that it is common sense to accept respondents stated that it was unknown whether the project goals were met. This
that projects, in general, do not realise was 50% in the CM sector, compared to around 10% in the FS and ICE sectors.
all of their expected benefits. The
difference between the satisfaction
Percentage of IAM projects meeting requirements (per sector)
level and number of successful projects
can also be explained by the fact that
many organisations lack insight into the IM
benefits of IAM projects. CM
IGH
Sector
ICE
FS
OTH
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Less than 10% 51 – 75% Unknown

11 – 25% 76 – 100%
26 – 50% 100%
The participants were also asked to indicate to what extent they were satisfied
with the project outcome.
Satisfaction with IAM project outcome
8% 3%
13%
Very dissatisfied
Not satisfied
Neutral
Satisfied
Very satisfied
41%
35%

Management Survey
Authors’ note A difference with the 2008 IAM Survey results is that in this survey more
In our view, the aim of IAM is to resolve respondents were neutral (34%) than in 2008 (27%). Also this year, less
business issues. The respondents respondents (6% decrease) were very dissatisfied with their IAM project
indicate that it is still difficult to gain outcome.
the commitment and involvement of
the business. This can be a big risk As a large amount of IAM projects still do not realise all of their goals, it is
for a project’s success rate as the interesting to analyse why these projects fail. As in last year’s survey results,
business should be responsible for the business issues are seen as the biggest hurdle as lack of support from
IAM and also because it becomes management and stakeholders is also a business issue.
difficult to measure a projects benefits.
Surprisingly the respondents indicated
Causes of project failure
that technical issues are not a large
hurdle compared to other reasons. In
our firms’ experience the technical Substantial excess of 8%
the allocated budget
maturity of the IAM solution is still not Goals not achieved within 27%
allocated time
ideal and as a result can be one of the
Business was not ready for 50%
biggest project risks. Technical issues proposed/presented solution
often impede the realisation of the user Lack of support from management 51%
and/or stakeholders
requirements, which can cause issues Unrealistic goals, 39%
with the business as its requirements given time and budget
Project result did not provide a 17%
are not met. In addition, technical issues solution for the actual problem
can cause a budget overrun which is Proposed/presented IAM technology 20%
did not integrate with existing IT
also a project risk.
Other 14%
0% 10% 20% 30% 40% 50% 60%
Measuring costs and quality of IAM services

In the 2009 survey several questions were included related to the measurement
of various aspects of IAM. In general, the majority of the respondent organisations
face difficulties in measuring the costs and quality of IAM:
• 49% did not know or measure the costs related to IAM service delivery;
• 48% did not know or measure the quality of IAM service delivery;
• 37% did not know the costs related to the review (internal/external) of access
rights as part of GRC.
The results also show that a large number of respondents want to realise cost
reductions with regard to service delivery and GRC and want to improve the
quality of service delivery. This can be difficult to realise without the necessary
insight into the quality and costs.

Management Survey
Authors’ note Methods to measure IAM success

Organisations are facing difficulties
in measuring the costs and quality Compare to industry standards
of IAM service delivery and gaining and best practices 33%
Compare with organization specific
insight into the benefits of IAM. This predefined key performance indicators 29%
supports KPMG’s experience that Through external audits
and/or benchmarks 40%
a business case is often based on
qualitative drivers and that it is still No measurement 29%
difficult to quantify the costs and also Other 5%
the benefits of IAM. This can be a
0% 10% 20% 30% 40% 50% 60%
risk when selling your business case
internally and staying alive as a project Source: KPMG/Everett IAM survey, October 2009
in these economically turbulent times.
It is therefore recommended to include
benefits management into project and Lacking insight into IAM benefits
project portfolio management. Issues
relating to measurement can also be 8%
an indication that an individual’s opinion 18%
8%
of ‘realisation’ and ‘satisfaction’ is a
subjective opinion and can also differ
internally within organisations. Entirely agree
14%
Partially agree
Partially disagree
Entirely disagree
Neither agree nor disagree
52%
Although a reasonable number of organisations measure their IAM effectiveness,

organisations are still struggling to gain insight into the benefits of IAM:
• 18% entirely agreed that they have a lack of insight into the benefits of IAM;
• 53% partially agreed that they have a lack of insight into the benefits of IAM;
• Only 8% entirely disagreed that they have a lack of insight and therefore have
a proper insight into the benefits of IAM.

Management Survey
Appendix

Management Survey
A Reference models
Definition of IAM
Several definitions of IAM are generally used. For the purpose of this survey,
IAM is defined as:
“The policies, processes and systems for

efficiently and effectively governing and managing
who has access to which resources within an
organisation.”
To be more precise, IAM is the process of creating value and addressing

IT governance and compliance through effective and efficient:
• Management of users;
• Authentication of the identity of users;
• Management of user access to IT resources;
• Monitoring what users do with that access.
KPMG IAM reference model

KPMG’s experience with IAM has led to the development of an envisioned
end-state; the KPMG IAM reference model:

Management Survey
The IAM processes supporting the business, as identified in the IAM reference
architecture, are:
• User Management – Activities for the effective governance and management

of the lifecycle of identities;
• Authentication Management – Activities for the effective governance and

management of the process for determining that an entity is who or what it
claims to be;
• Authorisation Management – Activities for the effective governance and

management of the process for determining entitlement rights that decide
what resources an entity is permitted to access in accordance with the
organisation’s policies;
• Access Management – Enforcement of policies for access control in response

to a request from an entity requiring access an IT resource within the
organisation;
• Data Management and Provisioning – Propagation of identity and data for

authorisation to IT resources via automated or manual processes;
• Monitoring and Audit – Monitoring, auditing and reporting compliance by

users regarding access to resources within the organisation based on the
defined policies.
Areas within the main IAM drivers
Business agility
Three areas are identified as follows:
• Adaptation to organisational structure changes – Being able to quickly

adapt (bulk) user access rights when changing the organisational structure (as a
result of a reorganisation or with mergers and de-mergers);
• Extended enterprise – Support for working with business partners and internal
separate organisations in an extended enterprise, e.g. through federation;
• Application integration and exploitation – Fast integration of new

applications or systems and how effectively the business applications and
other services are exploiting the IAM infrastructure.

Management Survey
Six areas are identified as follows:
• Cost of service delivery – With regard to IAM, such as costs related to

authorisation, the number of deficiencies requiring remediation and the
increased productivity of end users due to quicker access to necessary
applications and systems;
• Quality of service delivery – How well the IAM processes and services are
performing;
• User management and provisioning – Support for all aspects of user

registration/de-registration and assigning/removing privileges and resources;
• Identity administration – Administration of core user identity data as well as

organisational reference data (such as organisational tree/relationship between
manager and employee);
• Role administration – Administration of access rights by using a grouping

mechanism (e.g. roles). The grouping mechanism will be used during the
access request process when requesting and approving access;
• Credentials management – Managing all aspects of user credentials (e.g.

passwords, tokens) for authentication purposes.
Governance, Risk and Compliance
Five areas are identified as follows:
• Monitoring and reporting – Being able to overview (in near real-time) which
users have access to what information and being able to efficiently generate
GRC-related reports;
• Attestation – Being able to provide reports to be signed by: a) business

process owners to attest the appropriateness of the design of access controls;
b) line management to attest the correctness of the granted access rights;
• Cost control – Costs related to the preparation and execution of internal/

external reviews of access rights;
• Risk reduction – Being in control of fraud risks due to a complete insight into
end users’ access rights;
• Segregation of duties – Detecting and avoiding potentially conflicting roles

(responsibilities) of end users.

Management Survey
B About the authors
About KPMG
KPMG is a global network of professional firms providing Audit, Tax and Advisory
services. We operate in 144 countries and have 137,000 people working in
member firms around the world. The independent member firms of the KPMG
network are affiliated with KPMG International, a Swiss cooperative. Each KPMG
firm is a legally distinct and separate entity and describes itself as such. KPMG
International performs no professional services for clients nor, concomitantly,
generates any revenue.
KPMG firms have performed a wide range of IAM projects and have a broad
service offering, such as executing current state assessments, defining vision
statements, developing (business) architectures, creating roadmaps, perform
access attestation/certification projects and assisting in executing IAM audits.
Knowledge of IAM is embodied in our firms’ professionals; to emphasize that we

pro-actively develop the knowledge of our people. Around the world we have a
number of Centers of Excellence (CoE) for IAM, for the EMEA region this center
is located in Amstelveen in the Netherlands.
As a result of our firms’ IAM project experience, we have gathered much

information, identified “industry best practices” and have a detailed
understanding of project perils and pitfalls. In 2007, KPMG developed a
methodology for IAM projects, this methodology enables our firms to support
clients locally and on a global scale.
About Everett
Everett is a systems integrator and consultancy firm with highly skilled
professionals and unique hands-on experience. Everett has offices in Nieuwegein
(head office), London (England), Milan (Italy) and Bangalore (India). Everett also
provides 7x24 solution support services. Since its inception in 1999, Everett has
proven itself as a leading specialist on Identity Enabled Service Platforms and
middleware in general as applicable in Identity & Access management, GRC,
Portal, Secure Remote Access, and Enterprise Application Integration technology.
Since new technologies and new concepts bring uncertainty Everett has
developed ways to absorb that, while implementing. Everett’s interactive
and iterative methodology EVOLVE embraces change and channels it to the
desired result. Our consultants will assist you in this process as your consultant,
architect, project manager or engineer. As a temporary addition to your team or
as a project team with a clear mission and turn-key responsibility.

Management Survey
Everett strives for thought-leadership in its competences and it wants to work as

a trusted advisor with the early adopters in any industry. Everett’s commitment is
to deserve its reputation as ‘trusted to know’.
About eema and IIR

For 22 years, eema has been Europe’s leading independent, non-profit e-Identity
& Security association, working with its European members, governmental
bodies, standards organisations and interoperability initiatives throughout Europe
to further e-Business and legislation.
Over the years IIR, an Informa Plc company, has constantly developed and
refined the process of producing premium business events with a threefold aim
of objectivity, timeliness and practical solutions. Featuring key industry experts,
IIR conferences provide up-to-date information direct from practitioners who have
found solutions to the challenges facing businesses today. By staying close to
each market IIR ensures that the conference takes place at exactly the right time
to provide you with the information you need, when you need it.

Management Survey
KPMG contacts
Austria Germany Russia

Michael Schirmbrand Jörg Asma Nikolay Legkodimov
Partner Partner Senior Manager
Tel. +43 (1)3 133 2656 Tel. +49 221 2073 6233 Tel. +7 (495) 9374444
mschirmbrand@kpmg.at jasma@kpmg.com NLegkodimov@kpmg.ru
Baltics Germany Slovakia

Andris Brieze Marko Vogel Pavol Adamec
Senior Manager Manager Director
Tel. +371 6703 8000 Tel. +49 201 455 8838 Tel. +421 (2) 59984933
andris.brieze@kpmg.lv mvogel@kpmg.com padamec@kpmg.sk
Belgium Hungary Spain

Alain D’Hoe Tamas Gaidosch Ramon Poch
Senoir Business Development Manager Partner Partner
Tel. +32 (0)2 708 4391 Tel. +36 1 887 7139 Tel. +34 914563400
alain.dhoe@kpmg.com tamas.gaidosch@kpmg.hu rpoch@kpmg.es
Bulgaria Italy Switzerland

Nikola Nyagolov Saverio Celano Roman Haltinner
Senior Manager Senior Manager Senior Consultant
Tel. +359 (2) 9697 320 Tel. +39 340-9049639 Tel. +41 44 249 3118
nnyagolov@kpmg.com scelano@kpmg.it rhaltinner@kpmg.com
Czech Republic Luxembourg The United Kingdom

Tomás Kudelka Michael Hofmann Malcolm Marshall
Senior Manager Partner Partner
Tel. +42 (0)23 411 2388 Tel. +352 22 51 51 79 25 Tel. +44 207 311 5456
tkudelka@kpmg.cz michael.hofmann@kpmg.lu malcolm.marshall@kpmg.co.uk
Denmark Poland The Netherlands

Morten Klitgaard Friis Krzysztof Radziwon John Hermans
Partner Partner Associate Partner
Tel. +45 3818 3445 Tel. +48 (22) 528 11 37 Tel. +31 (0)20 656 8394
mkfriis@kpmg.dk kradziwon@kpmg.pl hermans.john@kpmg.nl
France Portugal
Laurent Gobbi Tiago Reis
Partner Senior Manager
Tel. +33 1 55687441 Tel. +351 210 110 000
l.gobbi@kpmg.fr treis@kpmg.com
Finland Romania
Panu Härkönen Gabriel Mihai Tanase
Management Advisor Manager
Tel. +35 (8)50 372 5866 Tel. +40 (21) 201 22 22
panu.harkonen@kpmg.fi mtanase@kpmg.com

Management Survey
C European regions
Northern Europe Southern Europe
• Denmark • Cyprus
• England • Greece
• Finland • Italy
• Norway • Spain
• Scotland
Western Europe
Eastern Europe • Austria
• Belarus • Belgium
• Czech Republic • France
• Latvia • Germany
• Romania • Luxembourg
• Russia • Netherlands
• Turkey • Switzerland

kpmg.com
Contact subhead: Univers 65 Bold

9pt; 12pt leading
Contact body: Univers 45 Light Firstname Lastname Firstname Lastname

9pt; 12pt leading Street address Street address
Firstname Lastname City/Country City/Country
Street address Tel +86 (10) 6505 6300 Tel +86 (10) 6505 6300
City/Country Fax +86 (10) 6505 6301 Fax +86 (10) 6505 6301
Tel +86 (10) 6505 6300
Fax +86 (10) 6505 6301 Firstname Lastname Firstname Lastname
Street address Street address
Tel +86 (10) 6505 6300
Tel +86 (10) 6505 6300
Contact us Street address Street address
Tel
KPMG +86 (10) 6505 6300
Fax
John +86 (10) 6505 6301
Hermans Firstname Lastname Firstname Lastname
Associate Partner Street address Street address
Firstname Lastname
Tel +31 (0)20 656 8394 City/Country City/Country
Street address
hermans.john@kpmg.nl Tel +86 (10) 6505 6300 Tel +86 (10) 6505 6300
City/Country
www.kpmg.nl Fax +86 (10) 6505 6301 Fax +86 (10) 6505 6301
Tel +86 (10) 6505 6300
Everett Street address Street address
Firstname Lastname
Peter Valkenburg City/Country City/Country
Street address Officer
Chief Technology Tel +86 (10) 6505 6300 Tel +86 (10) 6505 6300
City/Country
Tel +31 (0)30 659 2255 Fax +86 (10) 6505 6301 Fax +86 (10) 6505 6301
Tel +86 (10) 6505 6300
peter.valkenburg@everett.nl
Fax +86 (10) 6505 6301
www.everett.nl Firstname Lastname Firstname Lastname
City/Country City/Country
Tel +86 (10) 6505 6300 Tel +86 (10) 6505 6300
Fax +86 (10) 6505 6301 Fax +86 (10) 6505 6301
The views and opinions expressed herein are those of the survey respondents © 2009 KPMG International. KPMG International is a Swiss
and do not necessarily represent the views and opinions of KPMG International or cooperative. Member firms of the KPMG network of
Disclaimer
KPMG information
member firms. © Copyright
independent firms information
are affiliated with KPMG andInternational.
publication
details
KPMG International provides no client services. No member
firm has any authority to obligate or bind KPMG International
The information contained herein is of a general nature and is not intended to
or any other member firm vis-à-vis third parties, nor does
address the circumstances of any particular individual or entity. Although we
KPMG International have any such authority to obligate or
endeavour to provide accurate and timely information, there can be no guarantee
bind any member firm. All rights reserved. Printed in the
that such information is accurate as of the date it is received or that it will continue
Netherlands. KPMG and the KPMG logo are registered
to be accurate in the future. No one should act on such information without
trademarks of KPMG International, a Swiss cooperative.
appropriate professional advice after a thorough examination of the particular
situation. 158_1009

Everett &amp; McKinsey Identity and Access Management 2009 Survey

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Everett &amp; McKinsey Identity and Access Management 2009 Survey

Загружено:

Авторское право:

Доступные форматы

2009 European Identity and Access

© 2009 KPMG International

The value of Identity and Access Management (IAM) is still recognised

Governance, Risk and Compliance is by far the main driver of IAM

A lack of business buy-in is the main cause of IAM project failure

© 2009 KPMG International

03 IAM projects – status and 12

04 Drivers and strategy 19

06 Expected benefits, realisation 26

Appendix A - Reference models 33

Appendix B - About the authors 36

Appendix C - European regions 39

© 2009 KPMG International

© 2009 KPMG International

John Hermans Peter Valkenburg

© 2009 KPMG International

The three main drivers analysed in this survey are:

• Governance, Risk and Compliance (GRC) –

• Operational excellence – Cost control and user experience;

• Business agility – Being ready for change.

© 2009 KPMG International

We expect these areas to be an opportunity when the economy recovers and

© 2009 KPMG International

© 2009 KPMG International

“The policies, processes and systems for efficiently

To be more precise, the processes covered by IAM are user management,

• The status of IAM projects seen across Europe;

© 2009 KPMG International

Total number of respondents 128

North (Denmark, England, Finland, Norway, Scotland) 34 %

East (Belarus, Czech Republic, Latvia, Romania, Russia) 9 %

South (Turkey, Cyprus, Greece, Italy, Spain) 12 %

West (Austria, Benelux, France, Germany, Switzerland) 37 %

Size (number of IT users)

Less than 1,000 20 %

More than 25,000 25 %

© 2009 KPMG International

status and impact of

Authors’ note Number of IAM projects initiated

of the drivers of IAM projects within the ICE

Contrary to 2008, in 2009 the IGH OTH*

Source: KPMG/Everett IAM survey, October 2009 * Other

© 2009 KPMG International

The FS and IGH sectors both represent a significant percentage of respondents

Size of IAM budgets

Source: KPMG/Everett IAM survey, October 2009

© 2009 KPMG International

Authors’ note IAM budgets by sector

second in this category. One possible

specifically experience a relatively high FS

Source: KPMG/Everett IAM survey, October 2009

© 2009 KPMG International

Authors’ note Means to achieve project goals

the options to achieve their project

The IAM budget is increased by more than 50%

Source: KPMG/Everett IAM survey, October 2009

© 2009 KPMG International

However, 73% of respondents entirely or partially agreed that the economic

Impact on IAM budget by sector

Source: KPMG/Everett IAM survey, October 2009

Although some sectors were largely unaffected, over a third (37%) of

Impact on IAM budget by total IAM budget range

Source: KPMG/Everett IAM survey, October 2009

© 2009 KPMG International

Everett & McKinsey Identity and Access Management 2009 Survey

Everett & McKinsey Identity and Access Management 2009 Survey