It has been too long since we last wrote to you. During that time, we at Gartner have been discussing the trends and futures worth writing about in our respective research areas. One of the notable discussions has been around the concept we call identity and access management (IAM) intelligence– too many words, so let’s just call it IAM intelligence. So what is IAM intelligence and why should we even care about it?
We believe IAM intelligence represents the ability of IAM tools and process to (a) build effective repositories of identity information for IAM systems to use, (b) collect and correlate information about the IAM events that occur throughout the system with other important security events and information, (c) provide a means to monitor, analyze and report on what is happening within the IAM world for a number of constituents. There are perhaps other functions that could be defined under IAM intelligence, but I think you get the essence of what we believe.
Ok, that sounds pretty good, but so what? User provisioning and web access management tools have usage logs and audit reporting functionality– why do we have to have yet another collection of research papers on a group of capabilities and processes that already exist? Is it just another ploy to make the “old look new” so you can see more research? Or is there relevance to this? Actually, there are good reasons for calling this group of capabilities out.
(1) Both we at Gartner, our colleagues at Burton, and other analyst firms have noted the maturing of IAM– its gradual acceptance in more and more enterprises as something structured, somthing that needs to be done and done well. As this maturity continues, the links between IAM and other disciplines within IT become better defined and richer– such as those in areas like security information and event management (SIEM), or governance, risk, and compliance management (GRCM). The links include exchanges of information– from historical logs of events and information (about security and IAM) to process activities. Gradually, more and more is known about the inner workings of IAM and the effect it truly has on access in the enterprise;
(2) Customer requirements are particularly acute for IAM in the regulatory and policy compliance areas. There are people to report to about who has access to what resources, when and where they had access, the nature of the access, the integrity of privacy for different types of information– all of this requires a level of transparency that good intelligence can provide. While these functions may be embedded in existing products, it is no less important that we have a plan to get that information, analyze and normalize it, and use it for a lot of different reasons;
(3) You can’t manage effectively what you can’t measure. Having insight into what’s happening in IAM systems allows those systems to be tuned, to work better, to be modified if they aren’t and to be optimized when they are. Processes ranging from account maintenance to access control benefit from the means to monitor and analyze those mechanisms that make those processes possible, particularly if they’re going to be automated in some fashion.
There are other reasons, but I hope I’ve made my point: IAM intelligence can make a difference in IAM lifecycles. Understanding how it works and what’s possible with it are tasks any IT organization should not ignore. Have a formal, inclusive planning approach to IAM intelligence when planning, building, and operating enterprise IAM– you won’t regret it.
View Free, Relevant Gartner Research
Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.Read Free Gartner Research
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.