
April 1, 2011

Introducing The Forrester Identity And Access Management Maturity Model


by Andras Cser for Security & Risk Professionals

Making Leaders Successful Every Day

For Security & Risk Professionals


Defining Strategy, Proving Value, And Increasing Automation
by Andras Cser with Stephanie Balaouras and Nicholas M. Hayes

EXECUTIVE SUMMARY
An identity and access management (IAM) maturity model is necessary for assessing your current state against industry best practices, understanding your performance relative to that of your peers, and creating a long-term strategy and road map. We based the Forrester IAM maturity model on our extensive research, the 100 client inquiries that we field each quarter, and the more than 20 maturity assessments that we have conducted during the past two years. It is a nonlinear, versatile model that provides direct help for IAM strategy creation. It provides comprehensive coverage of three key IAM domains: 1) governance and value; 2) access management; and 3) identity management. While other models treat technology and processes separately, we infuse technology with processes. You can evaluate each increasingly difficult area in each module and score yourself objectively based on simple yes/no criteria, leading to a composite IAM maturity score for your organization.

TABLE OF CONTENTS

2 Maturity Models Guide IAM Assessments And Strategy Creation . . .
3 . . . But Conventional Linear Maturity Models Are Not Much Help For Execution
3 The Forrester IAM Maturity Model Is Modular, Easy To Use, And Effective
8 Use The Forrester IAM Maturity Model To Measure And Improve IAM

RECOMMENDATIONS
11 Prioritize Governance And Easy-To-Implement Areas First

NOTES & RESOURCES
This report is based on more than 20 IAM assessments that Forrester produced with our clients; it also includes feedback and conversations with many major IAM vendors.

Related Research Documents
Introducing The Forrester Information Security Maturity Model, July 27, 2010
Best Practices: Enterprise Role Management, September 30, 2008
User Account Provisioning For The Midmarket, August 20, 2007

2011 Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, RoleView, Technographics, TechRankings, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective owners. Reproduction or sharing of this content in any form without prior written permission is strictly prohibited. To purchase reprints of this document, please email clientsupport@forrester.com. For additional reproduction and usage information, see Forrester's Citation Policy located at www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.


MATURITY MODELS GUIDE IAM ASSESSMENTS AND STRATEGY CREATION . . .
Two of the most common inquiries we answer at Forrester are "How are we as an organization doing compared with our peers?" and "What is the next step for us as we build out our IAM infrastructure and strategy?" Answers to both questions are critical when you want to recruit or maintain support from executive sponsors such as the CISO or CIO for your IAM processes and projects. Both questions are hard to answer in a vacuum. To answer the first question, you have to standardize the data collection and evaluation from other organizations and present this data in a sanitized but still meaningful manner to your executives. Of course, obtaining this information to begin with is very difficult. Finding the answer to the second question is even more difficult: You must identify the areas that need improvement and the order in which you have to fight fires. These are the reasons why many organizations look to maturity models. Maturity models help you:

Set your own baseline. You can clearly see in a structured manner where you are in terms of progress on a comprehensive map. This map can open your eyes to technology areas or issues that you may not have even been aware of before you started using the maturity model. You can't build a credible IAM strategy without understanding where you are, all while continuing to serve your customers: the patient's heart has to keep pumping blood even during triple bypass surgery.

Focus on your progress. If you re-evaluate against the assessment model every six to 12 months, you will be able to see how you're progressing. This is especially useful for creating executive presentations that highlight the elevation gain and progress that the organization has made since the last evaluation, and it helps make IAM what it should be: an iterative process.

Build a comprehensive IAM strategy. Once you understand the total picture of your IAM landscape, you can start to balance your immediate requirements and mid-term and long-term goals and bring them together in a solid strategy plan.

Set achievable goals. As with any other IT project, one of the biggest issues is executive enthusiasm. People get excited about IAM and want it to solve the most complex role management and user account provisioning issues for them in six months. This is obviously not a realistic requirement. You will have to understand where you are in maturity and plan realistic projects that you will be able to complete successfully before the budgeted deadline.

Calibrate your spending on IAM. Although we'd like to believe that everyone wants to build a solid strategy, we realize that most organizations don't want to be IAM heroes; they just want to spend the minimum on managing access and identities and be on par with their competitors and peer organizations.


. . . BUT CONVENTIONAL LINEAR MATURITY MODELS ARE NOT MUCH HELP FOR EXECUTION
Conventional linear models expect you to implement one area or process after another. Forrester has worked with clients attempting to use this type of model, and they always have challenges and serious concerns. What are the issues with these linear models? They:

Don't account for differing IAM maturity levels. Most organizations are more mature in either identity or access. For example, a company may have a solid access recertification program but not a web single sign-on program. Alternatively, a university may have a good password reset program but no way of performing access recertifications. A linear maturity model can't appropriately evaluate such organizations, because it works on the assumption that the organization will implement one technology area or process after the other, something that's not a reality for most organizations.

Lack specific evaluation criteria and prescriptive advice. Many maturity models lack a well-defined, detailed set of criteria to help clients determine what is required for each level of maturity. Without detailed criteria, there can be huge discrepancies and misunderstandings between how the authors have defined the evaluation criteria and how security and risk professionals interpret the criteria. In addition, if evaluation criteria are too vague or too subjective, it's not clear what's required to achieve the next higher level of maturity for each domain or function.

Don't provide a holistic view of IAM. Conventional maturity models skew their focus mainly on processes and people. While these are extremely important, identity and access management is the automation of these processes and controls. If the maturity model covers 80% people and process aspects, then automation is too much of an afterthought, and this is where people struggle most. We all have our process manuals nicely stacked in our drawers.

THE FORRESTER IAM MATURITY MODEL IS MODULAR, EASY TO USE, AND EFFECTIVE
Our maturity model is different from other maturity models. We divide aspects of IAM into three major domains: governance and value, access management, and identity management (see Figure 1). Within each domain are evaluation categories encompassing people, process, and technology (but with a strong focus on technology or automation). The model automatically scores each category by evaluating a list of your Yes and No responses to specific criteria. Each scored category rolls up into a score for the entire domain (see Figure 2).


Figure 1 Domains In The Forrester Composite IAM Maturity Model


Access management: How to keep the bad guys out and allow controlled access to the good guys
Identity management: How to manage the workforce joiner, mover, leaver, and recertification processes
Governance and value: How to have sound ownership and business justification for IAM

Source: Forrester Research, Inc.

Figure 2 Forrester's Composite IAM Maturity Model


[Figure 2 shows the evaluation categories within each domain:]
Governance and value: governance and strategy; demonstrated value
Access management: desktop single sign-on; privileged identity management; web single sign-on; entitlement management; federation and cloud IAM
Identity management: directory infrastructure; password management; access recertification; provisioning and delegated administration; job role management

Source: Forrester Research, Inc.


Governance And Value Focuses On The Organizational Aspects And Strategy Of IAM
There is no working IAM process without appropriate executive support, governance, and business value that was demonstrated in the recent past. In the governance and value domain, we look at the following evaluation categories:

Governance and strategy keeps the IAM program on track. This category seeks to demonstrate whether there is executive sponsorship, a well-defined IAM strategy that is up-to-date, and effective marketing of the IAM strategy and the process/program itself. This category also demonstrates whether appropriate IAM training plans exist. Without a well-defined IAM strategy that has the support of executive management, you run the risk that IAM projects are never-ending, there is lost momentum for IAM, and there is rework, confusion, and battles between departments as to who should own IAM.

Demonstrated value helps convince naysayers of the value of IAM. Every IAM project needs a business justification. We have seen too many senior executives shoot down projects because of a perceived lack of value. In this category, we evaluate how the organization is tracking call center metrics, IAM project costing, IAM-related employee and business partner satisfaction, and formal definitions of IAM value. The risks of failing to demonstrate IAM value are: 1) losing the attention of executive stakeholders; 2) lack of focus on IAM; and 3) inability to secure funding for subsequent IAM project phases.

Access Management Keeps Your Assets Secure
Security remains one of the biggest motivating factors for IAM projects. Security and risk professionals want to ensure that current employees, former employees, business partners, and consumers don't have access to and don't walk away with sensitive information. The access management domain includes the following categories:

Desktop single sign-on provides an easy entry point into IAM implementation. Since desktop single sign-on (desktop SSO) requires no application customization and often provides support for password reset self-service, many organizations start with this category.1 In this category, we look at criteria such as: 1) whether desktop SSO is integrated with password reset; 2) how many applications desktop SSO covers; 3) how it integrates with multifactor authentication and other IAM technologies; and 4) how its logs are monitored. Without desktop SSO, you run the risk of users spending extensive time on finding passwords, diminished levels of customer service, and excessive costs of integrating multifactor authentication with applications.

Privileged identity management controls how administrators gain access to systems. Do you remember when a disgruntled system administrator held the servers at the city of San Francisco hostage?2 High-privileged users can bypass all application-enforced access controls. You need to manage their access to routers, domain controllers, servers, and other critical infrastructure components carefully. In this category, we look at the following: 1) how well you have defined firecall procedures and systems covered by privileged identity management (PIM), and 2) whether there is integration of host access control and help desk systems with PIM. If you don't implement proper controls for privileged users, you run the risk of service-level degradation, audit remediation costs, developers accessing (sensitive) production data, and disgruntled employees taking down your infrastructure or holding you hostage.

Web single sign-on relieves application developers from security implementation. Sure, one benefit of using web SSO is the ability for end users to access applications without having to log in repeatedly, but the biggest benefit comes from the ability for application developers to avoid having to maintain security and login/authentication code in their applications. This greatly reduces application maintenance costs and improves application security. In this category, we look at the following: 1) application coverage of web SSO; 2) procedures for web SSO implementation; 3) integration of multifactor and risk-based authentication; and 4) self-service password reset with web SSO. If you don't implement web SSO, you run the risk of spending too much on application development, users spending too much time logging in to applications, increased cross-site scripting attack surface in applications, and the cost and complexity of managing too many passwords for users.

Entitlement management clears the way to check for segregation of duties violations. Are your users giving away too much data through their SharePoint portals? Entitlement management (EM) can help here. Compliance regulations require most organizations not only to check for segregation of duties (SoD) violations but also to enforce SoD rules in and among applications. Many companies use EM to create a standard framework for defining and enforcing entitlements in applications, especially in-house developed applications. In this category, we look at the following: 1) application coverage of EM; 2) how SharePoint sites are protected; and 3) how you protect unstructured data and databases. If you don't implement EM, you run the risk of being unable to detect SoD violations and having high application development costs due to the need to recode applications when business policies change.

Federation and cloud IAM allow the owner organization to manage its users. Do you manage your partners' end user data on your own internal infrastructure? In traditional IAM, the application owner usually manages the user name, password, and login for all users of the application. Moving to federation allows the application owner to let go of managing user names and passwords of users that they do not directly control (business partners, consumers, etc.) and allows those users to use their home login and password management facilities. IAM for cloud applications is still in its nascent phase, but the proliferation of SaaS applications (and sensitive data in them) demands extending enterprise IAM to these applications. In this category, we look at the following: 1) how SAML is used to access SaaS applications; 2) how users' access is recertified in SaaS applications; 3) how the organization can onboard and troubleshoot a new SaaS application; and 4) the extent to which the company is using cloud-based IAM services. The risks of not implementing federation and cloud-based IAM include excessive costs of managing other organizations' users' passwords and identities, unauthorized access to SaaS applications after users terminate, and users having to remember too many passwords for SaaS applications.

Identity Management Helps With Regulatory Compliance And Improves Service Delivery
Managing access recertifications and processes for employees who are joining, moving, or leaving (joiners, movers, leavers) is important not only from a security perspective but also from a compliance perspective. We regularly speak to companies that can't support their growth or M&A activity without the right blend of identity management services such as provisioning, access recertification, and job role management. This domain includes the following categories:

Directory infrastructure is the foundation of IAM. Are you struggling to consolidate your Active Directory instances? This is the most common finding of our assessments: companies invariably struggle with the right ownership, maintenance, and cleanup of user repositories. Having the right set of processes and governance around directories is a must for any organization that wants to manage users' identities effectively. In this category, we evaluate the following: 1) centralized ownership for directories; 2) user ID naming conventions; 3) attribute authority; 4) the number of authentication repositories; and 5) processes for schema updates. The risks of not having a solid process for managing directory infrastructures are excessive downtime, lack of reliable deprovisioning for ex-users, and low user data quality.

Password management helps eliminate users having to remember too many passwords. Users often complain about the number of passwords they have to remember, the excessive number and different cycles of password changes for different applications, and time wasted calling the help desk to reset passwords. In this category, we look at the following: 1) how uniformly you enforce password policies across the organization, and 2) the percentage of applications you cover with self-service password reset. The risks of not having a robust password management infrastructure include too many and unenforceable password policies, too many password change cycles, and compromised passwords being very hard to detect.

Access recertification brings the biggest gains in compliance and automation. Knowing and certifying who should have which access rights in applications is the most important aspect of identity and access management, even if this process doesn't include fulfillment of access rights granting and revocation. In this category we look at: 1) how automated the process is; 2) how users are impacted by it; 3) how the recertification campaigns are monitored and kept on track by compliance oversight staff; and 4) how users' activities (and not just entitlements) are monitored for making recertification decisions. The risks of not automating access recertification include spending too much on unreliable manual processes, having SoD violations expose the company to financial risk, and credential-sharing among users.


Provisioning and delegated administration streamline the identity life-cycle process. Do your users complain that they have to wait weeks before they get all their access because certain managers delay an access request approval decision? It's critical that reliable human resources information drive at least some part of the joiner, mover, and leaver processes, freeing up your IT administrators to do more value-add tasks and giving you a better security and compliance posture. In this category we examine: 1) how many systems are covered by automatic user account provisioning; 2) how well orphan accounts are detected and eliminated; 3) how business partners are provided with a delegated system administrator interface to manage their own access to the company's IT systems; and 4) how user accounts are locked after a certain period of user inactivity. The risks of not automating the provisioning and deprovisioning process are audit findings and fines, users waiting excessive periods of time to get all their access, and spending too much on IT staff.

Job role management helps deprovisioning and approvals and eliminates SoD violations. If you have high-traffic, high-attrition, task-oriented roles (e.g., call center, branch staff, retail associates) where you need to grant and revoke access for many people, job role management can help by providing prescriptive, template-based ways of determining what access rights someone should have in that position without managers needing to approve every single provisioning request. In this category we look at: 1) how roles are defined and recertified; 2) how SoD checks are performed; and 3) what processes are in place for assigning and revoking movers to and from job roles. The risks of not having a job role system include copying/modeling users' access rights for joiner and mover processes resulting in too much privilege, SoD violations going undetected between applications, and deprovisioning of users being ineffective and error-prone.
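The orphan-account and inactivity checks named above are easy to describe and easy to get subtly wrong (a terminated employee whose account is still enabled is an orphan just as much as an account with no HR owner at all). The script below is an added illustration of both checks, not Forrester's tooling or anything from the report: the HR feed, the directory export, the 2011-04-01 run date and the 90-day inactivity threshold are all constructed assumptions, and the output is a list of actions a provisioning connector would execute rather than anything the report specifies.

```python
"""Added example: reconcile an HR feed against a directory export to find
orphan and inactive accounts. All records and thresholds below are constructed."""
from datetime import date, timedelta

AS_OF = date(2011, 4, 1)   # assumed run date
INACTIVITY_DAYS = 90       # assumed lockout threshold; the report sets no number

# Constructed HR feed: employee ID -> employment status
HR_FEED = {
    "E1001": {"status": "active"},
    "E1002": {"status": "terminated", "left": date(2011, 1, 15)},
    "E1003": {"status": "active"},
}

# Constructed directory export: one entry per enabled account
DIRECTORY = [
    {"account": "jdoe",       "employee_id": "E1001", "last_logon": date(2011, 3, 28)},
    {"account": "asmith",     "employee_id": "E1002", "last_logon": date(2011, 2, 1)},   # leaver, still enabled
    {"account": "svc_backup", "employee_id": None,    "last_logon": date(2010, 6, 1)},   # no HR owner at all
    {"account": "bwong",      "employee_id": "E1003", "last_logon": date(2010, 11, 3)},  # active, but stale
    {"account": "ghost",      "employee_id": "E9999", "last_logon": None},               # HR ID unknown
]


def classify(hr, directory, today, inactivity_days):
    """Split enabled accounts into orphans (no live HR owner) and inactive (no recent logon).

    An account is an orphan if its employee ID is missing, unknown to HR, or belongs to
    someone HR no longer lists as active. Only accounts with a live owner are checked
    for inactivity, so a leaver is reported once, as an orphan, not twice."""
    orphans, inactive = [], []
    cutoff = today - timedelta(days=inactivity_days)
    for acct in directory:
        owner = hr.get(acct["employee_id"]) if acct["employee_id"] else None
        if owner is None:
            orphans.append((acct["account"], "no HR record"))
        elif owner["status"] != "active":
            orphans.append((acct["account"], f"HR status {owner['status']}"))
        elif acct["last_logon"] is None or acct["last_logon"] < cutoff:
            inactive.append((acct["account"], acct["last_logon"]))
    return orphans, inactive


def deprovisioning_plan(hr=HR_FEED, directory=DIRECTORY, today=AS_OF,
                        inactivity_days=INACTIVITY_DAYS):
    """Turn findings into (account, action, reason) tuples a connector would carry out:
    orphans are disabled outright; stale-but-owned accounts are only locked."""
    orphans, inactive = classify(hr, directory, today, inactivity_days)
    actions = [(name, "disable", why) for name, why in orphans]
    actions += [(name, "lock", f"no logon since {last}") for name, last in inactive]
    return actions


if __name__ == "__main__":
    for account, action, why in deprovisioning_plan():
        print(f"{action:8} {account:12} {why}")
```

The distinction between "disable" and "lock" matters in practice: an account with a live owner that has simply gone stale should be recoverable by that owner through the normal reset path, whereas an orphan has nobody entitled to ask for it back, so it should be disabled and routed to the deprovisioning workflow.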
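The three criteria listed for this category (role definition, SoD checks, mover handling) come together in a small amount of code. What follows is an added example, not part of the report and not Forrester's RoleView or any vendor product: the roles, the entitlement names and the toxic combinations are constructed for illustration. It shows an SoD rule that spans two applications, a check that no single role is toxic on its own, and the grant/revoke delta for a mover, including what goes wrong when a mover keeps the old role.

```python
"""Added example: template-based job roles, segregation-of-duties checks across
applications, and mover grant/revoke computation. Roles, entitlements and toxic
pairs are constructed for illustration."""

# Constructed job roles -> entitlements, written as "application:permission"
ROLES = {
    "ap_clerk":      {"erp:create_vendor", "erp:enter_invoice"},
    "ap_approver":   {"erp:approve_payment"},
    "call_center":   {"crm:read_customer", "crm:issue_credit"},
    "branch_teller": {"core:post_transaction", "crm:read_customer"},
}

# Constructed toxic combinations; the third one spans two applications,
# which is exactly the kind of violation per-application checks miss.
SOD_RULES = [
    ("erp:create_vendor", "erp:approve_payment"),   # create and pay a fake vendor
    ("erp:enter_invoice", "erp:approve_payment"),   # enter and approve own invoice
    ("crm:issue_credit", "core:post_transaction"),  # credit a customer, then cash it out
]


def effective_entitlements(assigned_roles, roles=ROLES):
    """Union of everything the user's roles grant."""
    ents = set()
    for role in assigned_roles:
        ents |= roles[role]
    return ents


def sod_violations(entitlements, rules=SOD_RULES):
    """Every rule whose two halves both appear in the entitlement set."""
    return [pair for pair in rules if pair[0] in entitlements and pair[1] in entitlements]


def check_role_definitions(roles=ROLES, rules=SOD_RULES):
    """Role recertification step: a single role must never be toxic by itself.
    Returns {role: violations} for offending roles, empty when all are clean."""
    return {name: sod_violations(ents, rules)
            for name, ents in roles.items() if sod_violations(ents, rules)}


def mover(user_roles, old_role, new_role, roles=ROLES):
    """Compute what to grant and revoke when a user leaves old_role for new_role.
    Returns (grant, revoke, roles_after). Entitlements shared by both roles are
    left untouched rather than revoked and re-granted."""
    before = effective_entitlements(user_roles, roles)
    roles_after = (set(user_roles) - {old_role}) | {new_role}
    after = effective_entitlements(roles_after, roles)
    return after - before, before - after, sorted(roles_after)


if __name__ == "__main__":
    print("toxic roles:", check_role_definitions())
    grant, revoke, _ = mover(["call_center"], "call_center", "branch_teller")
    print("mover grants", sorted(grant), "revokes", sorted(revoke))
    # The copy-the-old-user failure mode: keep call_center and add branch_teller.
    print("if the old role is kept:",
          sod_violations(effective_entitlements(["call_center", "branch_teller"])))
```

The last line of the `__main__` block is the point of the exercise: the two roles are individually clean, so a per-role or per-application check passes, and the cross-application violation only appears when a mover's old entitlements are left in place.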

USE THE FORRESTER IAM MATURITY MODEL TO MEASURE AND IMPROVE IAM
We recommend that before evaluating your IAM maturity, you use the Forrester Information Security Maturity Model to understand the maturity of identity and access management compared with other security functions at your organization.3 It's possible that there are other categories in information security that require your attention and prioritization first. If you have determined that IAM is a priority, then this model will help you set your IAM maturity baseline, target specific categories for remediation, and track your progress over time.

Self-Assessment: Defining Levels Of IAM Maturity
For the maturity model to work, it must measure each component in the same way. Forrester used the same maturity levels as in the Forrester Security Maturity Model, which are based on the evaluation scale from the COBIT maturity level definitions. They are: 0 nonexistent; 1 ad hoc; 2 repeatable; 3 defined; 4 measured; and 5 optimized (see Figure 3).


Figure 3 Forrester Maturity Level Definitions

Level              Characteristics
0 Nonexistent      Not understood, not formalized, need is not recognized
1 Ad hoc           Occasional, not consistent, not planned, disorganized
2 Repeatable       Intuitive, not documented, occurs only when necessary
3 Defined          Documented, predictable, evaluated occasionally, understood
4 Measured         Well-managed, formal, often automated, evaluated frequently
5 Optimized        Continuous and effective, integrated, proactive, usually automated

Source: Forrester Research, Inc.

Self-Assessment: Scoring And Assessing Your IAM Maturity Level
Begin by scoring your IAM program by answering Yes or No to the 60 evaluation criteria questions in the Self-Assessment worksheet of the tool. As you do so, the Scoring Summary and Maturity Stage Results worksheets will update automatically. When you look at your Maturity Stage Results, you'll be able to quickly identify domains that need attention (see Figure 4-1). Then when you look at your Scoring Summary worksheet, categories within domains that are particularly problematic (categories that scored less than 2.00) will be highlighted in red (see Figure 4-2).
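The report ships its scoring as a spreadsheet and does not publish the formula that turns Yes/No answers into a 0-to-5 category score. The code below is an added example of one defensible roll-up, not the report's worksheet: it assumes each criterion is tagged with the maturity level it evidences, that a category reaches a level only when that level and every lower one are fully satisfied (so a single missing level-1 control keeps a category at 0 no matter how many level-3 boxes are ticked), that domain and composite scores are plain averages, and that the 2.00 red threshold from the report applies per category. The ten criteria and the answers are constructed; the real tool has 60.

```python
"""Added example: roll Yes/No criteria up to category, domain and composite
IAM maturity scores and flag red categories. The stepwise scoring rule and the
criteria set are assumptions; only the 0-5 scale and the 2.00 threshold come
from the report."""
from statistics import mean

RED_THRESHOLD = 2.00  # from the report: categories scoring below 2.00 are flagged

# Constructed criteria: (domain, category, maturity level evidenced, question)
CRITERIA = [
    ("governance and value", "governance and strategy", 1, "Is there an executive sponsor for IAM?"),
    ("governance and value", "governance and strategy", 2, "Is the IAM strategy documented?"),
    ("governance and value", "governance and strategy", 3, "Was the strategy reviewed in the last 12 months?"),
    ("governance and value", "demonstrated value", 1, "Are IAM project costs tracked?"),
    ("governance and value", "demonstrated value", 2, "Are help desk password-reset call volumes tracked?"),
    ("access management", "desktop single sign-on", 1, "Is desktop SSO deployed?"),
    ("access management", "desktop single sign-on", 2, "Is desktop SSO integrated with password reset?"),
    ("access management", "desktop single sign-on", 3, "Are desktop SSO logs monitored?"),
    ("access management", "privileged identity management", 1, "Are firecall procedures defined?"),
    ("access management", "privileged identity management", 2, "Are privileged sessions tied to help desk tickets?"),
]

# Constructed self-assessment answers, keyed by question text
ANSWERS = {
    "Is there an executive sponsor for IAM?": True,
    "Is the IAM strategy documented?": True,
    "Was the strategy reviewed in the last 12 months?": False,
    "Are IAM project costs tracked?": False,
    "Are help desk password-reset call volumes tracked?": True,
    "Is desktop SSO deployed?": True,
    "Is desktop SSO integrated with password reset?": True,
    "Are desktop SSO logs monitored?": True,
    "Are firecall procedures defined?": True,
    "Are privileged sessions tied to help desk tickets?": False,
}


def category_score(questions_by_level, answers):
    """Assumed rule: highest level whose criteria, and all lower levels' criteria,
    are all answered Yes. Stops at the first level with any No."""
    score = 0
    for level in sorted(questions_by_level):
        if all(answers.get(q, False) for q in questions_by_level[level]):
            score = level
        else:
            break
    return score


def score_assessment(criteria=CRITERIA, answers=ANSWERS):
    """Return category, domain and composite scores plus the red (category) list."""
    grouped = {}
    for domain, category, level, question in criteria:
        grouped.setdefault(domain, {}).setdefault(category, {}).setdefault(level, []).append(question)

    categories, domains = {}, {}
    for domain, cats in grouped.items():
        categories[domain] = {c: category_score(levels, answers) for c, levels in cats.items()}
        domains[domain] = round(mean(categories[domain].values()), 2)   # assumed: plain average
    composite = round(mean(domains.values()), 2)                          # assumed: plain average
    red = [(d, c) for d, cs in categories.items() for c, s in cs.items() if s < RED_THRESHOLD]
    return {"categories": categories, "domains": domains, "composite": composite, "red": red}


if __name__ == "__main__":
    result = score_assessment()
    for domain, cats in result["categories"].items():
        print(f"{domain}: {result['domains'][domain]:.2f}")
        for category, score in cats.items():
            flag = "  RED" if (domain, category) in result["red"] else ""
            print(f"    {category}: {score}{flag}")
    print(f"composite: {result['composite']:.2f}")
```

With the constructed answers, "demonstrated value" scores 0 because its level-1 criterion is a No, even though its level-2 criterion is a Yes; that is the property the stepwise rule buys you, and it is what makes the "what is required for the next level" question answerable directly from the criteria list.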


Figure 4 The Maturity Model Shows Users Where They Need To Improve The Most
4-1 Sample IAM Maturity Stage Results [screenshot not reproduced]
4-2 Sample IAM Maturity Scoring Summary [screenshot not reproduced]

Source: Forrester Research, Inc.


RECOMMENDATIONS

PRIORITIZE GOVERNANCE AND EASY-TO-IMPLEMENT AREAS FIRST


The goal of taking the IAM self-assessment is not just to benchmark and understand where you are but also to gain objective input into which categories you have to focus on in your IAM strategy. Creating and maintaining an effective IAM strategy from the Forrester Identity And Access Management Maturity Model is relatively easy if you follow the steps below:

Pay special attention to the domains that score less than 2.00. If you have a domain that scored less than 2.00 (highlighted in red in the Scoring Summary worksheet and summarized on the Maturity Stage Results), focus on that domain first. If you have more than one red domain, we recommend focusing on getting the governance and value domain in decent shape. Having the right ownership and stakeholder commitment is the foundation of a solid IAM strategy and program.

Within each domain, focus on the easiest-to-implement areas first. We designed our IAM model such that categories to the left of the maturity curve are easier to implement than categories to the right (refer again to Figure 2). For example, in the access management domain, desktop SSO and PIM are easier to implement than web SSO. So if you have multiple categories that scored less than 2.00 (highlighted in red on the Scoring Summary worksheet) in a particular domain, you should focus on the categories that come first. This ensures that you learn how to crawl before you run.

Keep the number of your immediate, short-term projects to three. This is the maximum number of projects that you can realistically undertake and demonstrate results for within three to four months, the typical attention span of a CIO or CISO. Keep in mind that your primary bottleneck is likely to be communication to business partners and application developers in the categories you're trying to improve. If you spread yourself too thin, you won't be able to show tangible results.

Evaluate and track your IAM maturity every year. You'll have to show progress against your baseline at least once a year to maintain the momentum of your IAM projects. Reassessing your maturity annually and demonstrating progress will keep your stakeholders confident that there is both a cohesive IAM strategy that's on the right track and a clear focus for future improvements.

ENDNOTES

1 Desktop or enterprise single sign-on (E-SSO) is a relatively easy way to provide end user convenience and to get started in identity and access management (IAM). The end user benefits of E-SSO are obvious. Because E-SSO automatically logs end users in to their applications, they no longer have to remember multiple IDs and passwords, and they no longer waste time contacting the help desk when they forget their credentials. However, few security professionals are aware of the security benefits of E-SSO, of which there are many. It: 1) allows system administrators to hide passwords from users and revoke user access quickly when necessary; 2) enables multifactor authentication for any application; and 3) paves the way for a broader IAM initiative. Forrester expects that in the future, E-SSO will allow security professionals to perform more effective entitlement enforcement in legacy applications and support less expensive employee fraud prevention. We recommend that you use E-SSO as the first point of entry into IAM and use its benefits to build the business case for implementing more complex technologies such as provisioning, access recertifications, and role management. See the November 9, 2010, "Enterprise Single Sign-On: The Fast Lane To Identity And Access Management" report.

2 Source: Angela Moscaritolo, "Disgruntled San Francisco admin sentenced to four years," SC Magazine, August 9, 2010 (http://www.scmagazineus.com/disgruntled-san-francisco-admin-sentenced-to-four-years/article/176596/).

3 If you need guidance with determining which areas of your overall security program you should focus on, Forrester recommends that you begin by completing Forrester's own Security Maturity Model. See the July 27, 2010, "Introducing The Forrester Information Security Maturity Model" report.
