Management Survey
A survey conducted by KPMG IT Advisory together with Everett
Supported by eema and IIR
Advisory
2009 European Identity & Access Management Survey
The findings at a glance
Clearly the economic crisis has its impact on IAM, but IAM is still in the
spotlight
• A quarter of the respondents reported budget cuts of 5%-50%, whereas 13%
reported budget cuts of more than 50%;
• More than half of the respondents indicated a change of project scope;
• Many organisations are quite confident that their original business case is still
applicable in this hard economic climate;
• Despite budget cuts, almost three quarters of respondents entirely or partially
agreed that IAM investments should be increased instead of decreased due to
the current economic climate.
There are still significant gaps between the expected and realised benefits
of IAM
• Although gaps between expectation and realisation still remain, over half of the
respondents were satisfied with the outcome of their IAM project;
• Organisations face difficulties in measuring the costs, benefits and quality of
IAM services and related activities.
Contents
01 Executive summary
02 Introduction
05 Architecture
01 Executive summary
KPMG IT Advisory and Everett, in cooperation with eema and IIR, are pleased to
launch the report outlining the results of our 2009 European Identity and Access
Management (IAM) Survey.
Authors Survey
KPMG: John Hermans, Joris ter Hart, Willem Guensberg, Arjan van Vliet
Everett: Peter Valkenburg, Erik Frambach

In order to contribute to the decision making process of organisations with
regard to whether they should engage in IAM and with what type of initiative, we
conducted the 2009 European IAM Survey as a follow-up to the IAM survey that
KPMG conducted in 2008.
Combining insights and trends from over 125 organisations from various sectors
and countries, in combination with analysis and our experience in conducting IAM
projects and programmes, we believe our survey makes a significant contribution
to IAM research. This survey also provides insight into recent developments
in the area of IAM and the impact of the economic crisis as the results are
compared against the results from the 2008 IAM Survey (where applicable).
One of the most important conclusions of this survey is that, as was already
visible in the 2008 IAM Survey, IAM is here to stay. Even though the economic
circumstances are quite different for many of the organisations that participated,
the value of IAM is clearly recognised throughout all the sectors and throughout
the whole of Europe.
• Almost 90% of the respondents have initiated one or more projects during the
last three years;
• In 2008, one third of the respondents stated that they had no specific IAM
budget. The results of the 2009 survey show more or less a similar view as
70% of the respondents have a specific IAM budget.
The Financial Services (FS) sector continues its position as an early adopter of
IAM and in 2009 the Infrastructure, Government and Healthcare (IGH) sector
has emerged as an early adopter, whereas last year IGH was classified as a late
adopter (a so-called ‘laggard’). Despite the economic crisis, in general, the FS
sector still has the highest IAM budgets.
However, the area of IAM did not escape the impact of the economic crisis.
A quarter of the respondents reported budget cuts of 5%-50%, whereas 13%
reported budget cuts of more than 50%. Still over half of the respondents
indicate not having seen any (significant) impact on their IAM budget. However
a majority of projects encountered an impact on the project scope due to
the economic hard times. Strikingly, most are confident that the original IAM
business case still holds.
Governance, Risk and Compliance is now even more important as the main
driver of IAM than last year’s survey indicated. This applies to every sector and
specifically to Financial Services, Infrastructure, Government and Healthcare and
Information, Communication and Entertainment (ICE). In the Consumer Markets
(CM) and Industrial Markets (IM) operational excellence is also of reasonable
importance. In addition, we would like to mention that investing in business
agility and operational excellence can reduce IAM costs in the mid to long term.
As part of GRC, access attestation and certification is now definitively ‘on the
map’ of organisations. Almost 20% of the respondents indicated this to be
a means of achieving project goals. Simultaneously, the implementation of a
complete IAM solution dropped by approximately 50% towards 35%.
These facts indicate a shift from an extended preventive approach towards a
more detective approach focusing on an organisation’s ‘crown jewels’. This
focused approach could also be a consequence of the economic crisis as only
focusing on the critical information will decrease the expenses.
However, when we analyse the gaps between the expected and realised
benefits of IAM projects, less than half of the respondents who expected
significant benefits from access attestation and certification realised these
benefits. This indicates that this is an evolving area which is not yet mature. In
general, there is a significant gap between the expected and realised benefits in
all areas of the main drivers. As in 2008, respondents cited the most prominent
reason for failure as being that the business was not ready for the proposed
solution and the lack of support from the business. Nevertheless, 50% of the
respondents were satisfied with their IAM project outcome.
Despite the gap between the expected and realised benefits and the negative
impact of the economic crisis, we conclude that the value of IAM is apparent to
organisations as they are still investing in IAM. The challenge for the upcoming
years is to realise the expected benefits. With limited budgets due to the economic
crisis, organisations have to make careful choices relating to the scope and
the approach. This implies a need for strong program management and a clear
roadmap for IAM.
02 Introduction
The 2009 European IAM Survey continues to explore the status of IAM projects
within European organisations. This report extends the results of KPMG’s 2008
IAM Survey, and comparisons between the two are presented where applicable.
Several definitions of IAM are generally used. For the purpose of this survey,
IAM is defined as:
A solid base of data was provided as 128 respondents from organisations located
in 23 European countries participated in the survey. Among the respondents
were a wide range of organisational representatives, from CEOs and CIOs
to Security Officers and heads of internal audit. The group also contained
participants from organisations of different sizes and from a variety of industries.
The distribution of participants with respect to European region, size and sector
was as follows:
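[Figures: distribution of participants by geographic region and by size. Recoverable values: Geographic region*: Other 8%. Size: 1,001-2,500: 13%; 2,501-5,000: 16%; 5,001-10,000: 13%; 10,001-25,000: 13%.]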
Reading aid
Chapter 3 of this report describes the current status of IAM projects and the
impact of the economic crisis. In Chapter 4 the strategy and main drivers of IAM
are elaborated. Subsequently, the IAM architecture is described in Chapter 5.
In the final chapter the expected and realised benefits of IAM are addressed;
this section also includes the participants’ ‘satisfaction’ with regard to the actual
benefits and their ability to measure costs and benefits of IAM.
03 IAM projects –
Budgets
[Figure: IAM budgets. Categories: Less than EUR 100,000; EUR 100,001 – 250,000; EUR 250,001 – EUR 500,000; EUR 500,001 – EUR 1,000,000; EUR 1,000,001 – EUR 10,000,000; More than EUR 10,000,000; Unknown.]
Out of the budgets specifically allocated to address IAM over the next three
years, 38% of the respondents plan to initiate projects with a budget up to EUR
250,000. 11% of respondents indicated that they have allocated a budget of over
EUR 1 million. Compared to the results of the 2008 IAM Survey there are no big
differences; in fact the results are almost the same.
As may be expected, smaller sized organisations (with fewer IT users) have smaller
IAM budgets and vice-versa, with EUR 10 million+ IAM budgets only occurring in
the organisations with over 5,000 employees. Overall, larger organisations appear
to have more difficulty in determining the total IAM budget, as many respondents
representing larger organisations indicated that they did not know their IAM
budget. By contrast, 80% of respondents representing smaller organisations (up
to 10,000 employees) were able to indicate the size of their IAM budget.
Scope
[Figure: IAM Scope. Categories: Own employees; Partner and/or supplier network; Clients; Unknown/other.]
Over 90% of the respondents indicated that IAM projects are still mainly focused
on their organisation’s direct employees. This indicates that most IAM projects
are focused on controlling access to internal systems and information. However,
approximately a third of IAM projects target partner and/or supplier networks, and
approximately a third target clients via IAM projects¹.
¹ Multiple answers were allowed for this question and therefore the total percentage is above 100%.
This is applicable to all graphs in which the total percentage is above 100%.
Although over half of respondents indicated not to have seen any (significant)
impact on IAM budgets, over a third (37%) indicated that their IAM budget has
been cut. A quarter of the respondents reported a 5%-50% cut, whereas 13%
reported IAM budget cuts of over 50%. As might be expected, IAM budgets are
under pressure as a result of the economic crisis.
[Figure: impact of the economic crisis on the IAM budget, per sector (IM, CM, IGH, ICE, FS). Legend: The IAM budget is increased by more than 50%; The IAM budget is increased by 5 – 50%; No impact, (almost) unaffected IAM budget; The IAM budget is cut by 5 – 50%; The IAM budget is cut by more than 50%.]
[Figure: impact of the economic crisis on the IAM budget, per total IAM budget (<100K, 100-250K, 250-500K, 500K-1M, 1M-10M, >10M). Same legend.]
It appears that the larger IAM budgets, and generally speaking the larger IAM
projects, faced the hardest budget cuts in absolute terms (total EUR) and
relative terms. Smaller organisations (with IAM budgets of up to EUR 10 million)
experienced a range of IAM budget cuts (anywhere between 5%-50%) and the
IAM budget increased in a relatively small number of organisations.

Authors’ note
The survey clearly indicates that IAM budgets are under pressure from
the economic crisis. Over a third of respondents have already experienced
budget cuts. We expect that this figure may rise in the next year as the budget
cycle for 2010 in general is under pressure due to the economic crisis.
Large organisations in the Financial

Impact on scope
Despite the fact that 55% of respondents indicated that the economic crisis
has had no impact on their IAM budget, around 60% indicated that there was
some impact on the project scope, ranging from the slowing down to complete
stopping of IAM projects. Figures clearly indicate that projects are being
impacted negatively across all sectors.
04 Drivers and strategy
The participants were asked to state their main IAM driver from the following
options:
[Figure: main IAM driver per sector (IM, CM, IGH, ICE, FS). Legend: Business agility; Operational excellence; GRC.]
When we filter these results by sector, we find that FS, ICE and IGH represent
the highest scores for GRC. Although GRC is also a factor in the ICE and CM
sectors, the most important drivers in these sectors show a less pronounced
bias towards GRC as the main driver. In the CM and the IM sectors, operational
excellence turns out to be significantly more important than in the other sectors.
Business agility is a more important driver in the IGH and IM sectors than in any
other, most notably the FS sector.

Authors’ note
The FS sector appears to be the most mature in running its IAM projects.
In this sector the lowest number of ‘none of the above’ was reported,
and the number of ‘agreed across the organisation’ was the highest. The IM
sector, on the other hand, appears to be the least mature; displaying low
numbers for all of the above mentioned project management elements. The
high score for FS is in line with previous observations in this survey.

IAM project approaches
[Figure: IAM project approaches per sector (IM, CM, IGH, ICE, FS).]
When asked which project approaches are being used for IAM, many
respondents reported that several different approaches were in use. However,
there were also many respondents (25%) who reported that none of the project
approaches we suggested were in place.
When we filter these results by sector, the most prevalent result is that in the
CM and IM sectors around half of the respondents indicated that none of the
stated approaches were being used and that within IM none of these methods
were being used a lot. The IGH, ICE and FS sectors reported to be using all of
the listed project approaches.
05 Architecture
overall figure.
Source: KPMG/Everett IAM survey, October 2009
According to the respondents, Central authorisations management is the most
important principle for defining their organisation’s IAM need (39%). When
organisations are selecting their required IAM solution, a large amount acquire
the solution of their preferred supplier and only 18% perform a vendor selection
in order to select a ‘best of breed’ solution.

When we asked the respondents about the most used standards and preferred
practices, the most popular answer was ISO 27001 (information security)
and ISO 27002 (information security management). Based on this answer
we can conclude that there are no specific IAM standards and industry best
practices in order to implement IAM.
06 Expected benefits, realisation and satisfaction
The participants were asked to rate their expected benefits of each driver and to
rate the realisation of the expected benefits. The survey results show significant
differences between the expected benefits and the realisation rate of the three
main drivers:
The various areas used for measuring the benefits within the main drivers are
elaborated in Appendix A.
[Figure panels: Business agility; Operational excellence.]
² Significant is defined as categories 4 and 5 on a scale of 1-5.
These facts confirm the analysis of benefits versus realisation by driver. Less
than a quarter (22%) of respondents experienced IAM projects fully meeting their
expectations by 100%.
An analysis by sector shows that organisations in the FS, IGH and ICE sectors
have the highest percentage of IAM projects meeting requirements. Around 40%
of these organisations achieved their project goals for 75%-100% of their projects.
There are also big differences in the ability to measure the effectiveness of the
projects, e.g. in the IM and IGH sectors this was around 30%, or alternatively
respondents stated that it was unknown whether the project goals were met. This
was 50% in the CM sector, compared to around 10% in the FS and ICE sectors.

Authors’ note
Respondents’ answers help to give an indication that organisations are
apparently satisfied if the expected benefits are realised in more than 50%
of their projects. A possible clarification could be that the original expectations
were known to be too optimistic, or that it is common sense to accept
that projects, in general, do not realise all of their expected benefits. The
difference between the satisfaction level and number of successful projects
can also be explained by the fact that many organisations lack insight into the

[Figure: Percentage of IAM projects meeting requirements (per sector). Sectors: IM, IGH, ICE, FS, OTH.]
The participants were also asked to indicate to what extent they were satisfied
with the project outcome.
[Figure: satisfaction with the project outcome. Categories: Very dissatisfied; Not satisfied; Neutral; Satisfied; Very satisfied.]
A difference with the 2008 IAM Survey results is that in this survey more
respondents were neutral (34%) than in 2008 (27%). Also this year, fewer
respondents (6% decrease) were very dissatisfied with their IAM project
outcome.

As a large number of IAM projects still do not realise all of their goals, it is
interesting to analyse why these projects fail. As in last year’s survey results,
business issues are seen as the biggest hurdle as lack of support from
management and stakeholders is also a business issue.

Authors’ note
In our view, the aim of IAM is to resolve business issues. The respondents
indicate that it is still difficult to gain the commitment and involvement of
the business. This can be a big risk for a project’s success rate as the
business should be responsible for IAM and also because it becomes
difficult to measure a project’s benefits. Surprisingly the respondents indicated
that technical issues are not a large hurdle compared to other reasons. In
our firms’ experience the technical maturity of the IAM solution is still not
ideal and as a result can be one of the biggest project risks. Technical issues
often impede the realisation of the user requirements, which can cause issues
with the business as its requirements are not met. In addition, technical issues
can cause a budget overrun which is also a project risk.

Causes of project failure
• Substantial excess of the allocated budget: 8%
• Goals not achieved within allocated time: 27%
• Business was not ready for proposed/presented solution: 50%
• Lack of support from management and/or stakeholders: 51%
• Unrealistic goals, given time and budget: 39%
• Project result did not provide a solution for the actual problem: 17%
• Proposed/presented IAM technology did not integrate with existing IT: 20%
• Other: 14%
• 49% did not know or measure the costs related to IAM service delivery;
• 48% did not know or measure the quality of IAM service delivery;
• 37% did not know the costs related to the review (internal/external) of access
rights as part of GRC.
The results also show that a large number of respondents want to realise cost
reductions with regard to service delivery and GRC and want to improve the
quality of service delivery. This can be difficult to realise without the necessary
insight into the quality and costs.
• 18% entirely agreed that they have a lack of insight into the benefits of IAM;
• 53% partially agreed that they have a lack of insight into the benefits of IAM;
• Only 8% entirely disagreed that they have a lack of insight and therefore have
a proper insight into the benefits of IAM.
Appendix
A Reference models
Definition of IAM
Several definitions of IAM are generally used. For the purpose of this survey,
IAM is defined as:
• Management of users;
• Authentication of the identity of users;
• Management of user access to IT resources;
• Monitoring what users do with that access.
The IAM processes supporting the business, as identified in the IAM reference
architecture, are:
Business agility
• Extended enterprise – Support for working with business partners and internal
separate organisations in an extended enterprise, e.g. through federation;
Operational excellence
• Quality of service delivery – How well the IAM processes and services are
performing;
• Monitoring and reporting – Being able to overview (in near real-time) which
users have access to what information and being able to efficiently generate
GRC-related reports;
• Risk reduction – Being in control of fraud risks due to a complete insight into
end users’ access rights;
About KPMG
KPMG is a global network of professional firms providing Audit, Tax and Advisory
services. We operate in 144 countries and have 137,000 people working in
member firms around the world. The independent member firms of the KPMG
network are affiliated with KPMG International, a Swiss cooperative. Each KPMG
firm is a legally distinct and separate entity and describes itself as such. KPMG
International performs no professional services for clients nor, concomitantly,
generates any revenue.
KPMG firms have performed a wide range of IAM projects and have a broad
service offering, such as executing current state assessments, defining vision
statements, developing (business) architectures, creating roadmaps, performing
access attestation/certification projects and assisting in executing IAM audits.
About Everett
Everett is a systems integrator and consultancy firm with highly skilled
professionals and unique hands-on experience. Everett has offices in Nieuwegein
(head office), London (England), Milan (Italy) and Bangalore (India). Everett also
provides 7x24 solution support services. Since its inception in 1999, Everett has
proven itself as a leading specialist on Identity Enabled Service Platforms and
middleware in general as applicable in Identity & Access management, GRC,
Portal, Secure Remote Access, and Enterprise Application Integration technology.
Since new technologies and new concepts bring uncertainty, Everett has
developed ways to absorb that, while implementing. Everett’s interactive
and iterative methodology EVOLVE embraces change and channels it to the
desired result. Our consultants will assist you in this process as your consultant,
architect, project manager or engineer. As a temporary addition to your team or
as a project team with a clear mission and turn-key responsibility.
Over the years IIR, an Informa Plc company, has constantly developed and
refined the process of producing premium business events with a threefold aim
of objectivity, timeliness and practical solutions. Featuring key industry experts,
IIR conferences provide up-to-date information direct from practitioners who have
found solutions to the challenges facing businesses today. By staying close to
each market IIR ensures that the conference takes place at exactly the right time
to provide you with the information you need, when you need it.
KPMG contacts
France
Laurent Gobbi
Partner
Tel. +33 1 55687441
l.gobbi@kpmg.fr
Portugal
Tiago Reis
Senior Manager
Tel. +351 210 110 000
treis@kpmg.com
Finland
Panu Härkönen
Management Advisor
Tel. +35 (8)50 372 5866
panu.harkonen@kpmg.fi
Romania
Gabriel Mihai Tanase
Manager
Tel. +40 (21) 201 22 22
mtanase@kpmg.com
C European regions
Northern Europe
• Denmark
• England
• Finland
• Norway
• Scotland
Southern Europe
• Cyprus
• Greece
• Italy
• Spain
Eastern Europe
• Belarus
• Czech Republic
• Latvia
• Romania
• Russia
• Turkey
Western Europe
• Austria
• Belgium
• France
• Germany
• Luxembourg
• Netherlands
• Switzerland
The views and opinions expressed herein are those of the survey respondents
and do not necessarily represent the views and opinions of KPMG International or
KPMG member firms.
The information contained herein is of a general nature and is not intended to
address the circumstances of any particular individual or entity. Although we
endeavour to provide accurate and timely information, there can be no guarantee
that such information is accurate as of the date it is received or that it will continue
to be accurate in the future. No one should act on such information without
appropriate professional advice after a thorough examination of the particular
situation.
© 2009 KPMG International. KPMG International is a Swiss
cooperative. Member firms of the KPMG network of
independent firms are affiliated with KPMG International.
KPMG International provides no client services. No member
firm has any authority to obligate or bind KPMG International
or any other member firm vis-à-vis third parties, nor does
KPMG International have any such authority to obligate or
bind any member firm. All rights reserved. Printed in the
Netherlands. KPMG and the KPMG logo are registered
trademarks of KPMG International, a Swiss cooperative.
158_1009