Identity and Access Governance

The document discusses identity and access governance (IAG), which involves governing access to applications and resources through managing roles, access policies, and an identity data model. IAG aims to improve compliance and access management. It is one of the fastest growing identity and access management markets due to the need for better governance and compliance. The document recommends that organizations document their current IAG processes and assess their identity data model to determine how to effectively implement IAG tools and services.


Research

Publication Date: 29 July 2011 ID Number: G00215738

Identity and Access Governance: Definition and Market


Earl Perkins

Governing access to applications should not be a major feat in enterprises;
unfortunately, it is frequently not easy or straightforward. The process and tools that
might make it better are not in place, and the conditions that would make it work, such
as an accurate and comprehensive identity data model, are not available. This leads to
an inefficient and time-consuming experience for the end user and the IT people
responsible for the process, often resulting in an inaccurate picture of access as well as
unpleasant experiences with auditors. How can enterprises improve their overall
governance of identity and access? One answer lies in the use of identity and access
governance (IAG) solutions, a well-defined access process, and an organizational
structure to support them both.

Key Findings
IAG replaces Gartner terminology formerly known as "role life cycle management" and
"entitlement life cycle management." It covers a broader set of functions and is focused
on governing access use and identity administration rather than just roles.

The IAG market is one of the fastest growing in identity and access management (IAM),
driven by the need for better compliance intelligence and more effective governance.

IAG represents the most direct interface between IT and business users for their identity
governance requirements.

Recommendations
Document the existing IAG process(es), organizational structure and resources used in
the enterprise to evaluate current governance abilities.

Assess the current state of your identity data model and determine the changes that
may be required to effectively use IAG processes and technology.

Consider using IAG tools and services when establishing access governance is the key
deliverable.

© 2011 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its
affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. The
information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all
warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors,
omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization
and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice.
Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or
services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may
include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors
may include senior managers of these firms or funds. Gartner research is produced independently by its research
organization without input or influence from these firms, funds or their managers. For further information on the
independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website,
http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp
TABLE OF CONTENTS

Analysis  3
  Background and Context  4
    The Identity Data Model  5
    IAG Workflow and Administration  6
    IAG Identity Data Use, Monitoring and Optimization  6
    IAG Products and Services  7
    IAG Stand-Alone Vendors  7
    IAM Suite Vendor Products  7
    Identity Administration Vendors (With Some IAG Functionality)  8
    Other Vendors With IAG and IAI Functionality  8
  The Impact  9
  Conclusion  9
Recommended Reading  9

LIST OF FIGURES

Figure 1. IAM as a Process  3
Figure 2. The "Atomic Elements" of IAM Process  5

ANALYSIS
IAG represents a crucial and necessary maturity step for the IAM practice within an enterprise. It
is a recognition that granular application-specific access requests were not handled adequately
by prior IAM processes and tools. It is also a recognition that a way to achieve a more mature and
accurate method of handling access requests will be necessary if compliance reporting and the
intelligence produced from IAG are to deliver the accountability and transparency expected for
auditors and executives.
A significant part of the IAG process is found within the entitlement administration process — it is
that portion of IAG that addresses the identity data model creation and maintenance (see Figure
1). For IAG to be relevant, the quality and integrity of the identity data model must be maintained.
The quality of relationships defined (between identifiers such as IDs and accounts, their attributes
that provide context, and entitlements, roles and rules) is directly proportional to the quality of
accountability and transparency that can be achieved during the access of applications and IT
resources.

Figure 1. IAM as a Process

Source: Gartner (July 2011)

Choosing IAM solutions mostly centers on the formal access request process. An effective
process is defined by the business and automated where it is most needed. Choice is also a
function of the software's ability to best represent an identity data model that most closely aligns
with the business view of identity information and its use. IAG represents a significant part of the
IT governance, risk and compliance (GRC) practice. As such, it is part of a structured set of
processes and activities with defined inputs and outputs, coupled with specific skill sets for
administrators and users alike. IAG software should be capable of integrating well with IT GRC

management software where necessary, providing identity and access intelligence (IAI) as its
primary output to IT GRC management where appropriate.

Background and Context


Gartner defines IAG as "the life cycle practice of governing the access request process and
related functions to ensure complete and timely access to required IT resources (including data
and information, structured and unstructured)." This involves a number of different functions,
including managing roles and access policies, constructing an identity data model to catalog
entitlements and other vital identity data, and scoring risk.
IAG is, first, a set of administration and intelligence functions within IAM that delivers the
management, review and assignment of access entitlements, driven by compliance requirements
and information security and risk management objectives. IAG provides the needed "glue"
between the compliance and access management policies, and the critical business systems and
platforms that need them. It enables control and produces intelligence so that business process
owners can have access "event" transparency for decision making. IAG also provides a way to
hold end users accountable for the access they use, managers accountable for the access they
approve, and administrators accountable for the access they manage.
Other specific IAG capabilities include:

Identity data model and use model design (using discovery and mining tools)
Access request administration
Access policy management
Access credential management
Access certification
Role management
Segregation of duties analysis and verification
Entitlement administration

The IAG market explored in this research delivers products to support these capabilities. IAG
customers can use some, many or all these capabilities in establishing IAG for their enterprises.
IAG is part of the IAM process, as defined in previous Gartner research (see "A Process View of
Identity and Access Management Is Essential"). The purpose of this research is to examine the
market for IAG tools, the features available in IAG tools, and how IAG tools fit in an IAM system.
IAG organizations will be addressed in future research.
In terms of function, distinct IAG tools have three major categories: creating an identity data
model, administering the access request process, and monitoring the process to ensure that
access complies with policies. The first category can be described as the construction of a
structured view of identity data in preparation for (and required by) the IAG process. It consists of
what Gartner refers to as the "atomic elements" of IAM:

Access policies to define how IAG interprets business requirements for access
Rules that are specific instructions to software for implementing access policies based on the context from attributes
Identifiers such as global IDs or account names
Identifier attributes that give an identifier context, such as street address or status
Credentials such as X.509 certificates or strong authentication mechanisms
Entitlements such as read/write functions within an application

Roles, a common construct in IAG, may also be included in the model. The model defines the
relationships between these elements, and the access request process keeps the model current.
The use of IAI derived from these functions also allows for the continuous improvement of the
process (see Figure 2).

Figure 2. The "Atomic Elements" of IAM Process

Source: Gartner (July 2011)

An example of a relationship is the definition of rule sets to execute policy, and the assignment of
attributes to identifiers to define the identity's context in light of those rules. A combination of the
rules and attributes during an access decision step can determine the entitlements used for that
access decision. The interplay between these elements is a constant and dynamic aspect of the
identity data model, and is a key measure of the success of an IAG tool implementation.

The Identity Data Model


The identity data model is the starting point for IAG tools. In many respects, it is an extension of
the data model found in classic enterprise directories, supplemented with databases provided by
the tools that may contain entitlement catalogs, rule sets and extended attribute information to
complete the model. For many reasons, it is more accurate to think of the identity data model as a
networked model, since it can potentially consist of data from many different sources within the
enterprise. Constructing the model is a joint activity between selected business stakeholders and
IT architects — a top-down mapping exercise in which the business requirements for access are

accurately represented to IT so that the identity model can reflect the relationships outlined above
as closely as possible.
For example, in entitlement assignment, IT has a view of how entitlements are defined within
applications and systems. Business planners who work with IT have a view of how entitlements
relate to the business roles and compliance mandates they use in business processes where
access to critical applications and services is required. A "mapping" process occurs during the
construction of the identity data model that overlays the business view of entitlement relationships
with the IT view that is specific to applications and systems. This mapping is critical and reflects a
strategic planning area of IAG; its success or failure to reflect the business view of entitlement
use largely determines the success or failure of IAG.
The identity data model also includes an identity data "use" element — that is, the activity
and event logging mechanisms in IAG tools. These logs are critical to the ability of IAG to deliver
IAI (see "Identity and Access Intelligence: Making IAM Relevant to the Business") as part of the
program management and governance life cycle (see "Best Practices for Identity and Access
Management Program Management and Governance"). IAG logs capture administrative activities
generated by the assignment of attributes, credentials, and entitlements to identifiers and roles,
as well as events reported by IAG applications during processing requests. IAG can also access
external logs from such adjacent technologies as security information and event management,
data loss prevention and entitlement management to build a complete picture of what is
happening, who and what is affected, and when. IAM can also be a contributing intelligence
source for those respective products.
IAG also permits continuous controls monitoring (CCM) for identifying and remediating
segregation of duties violations (see "Continuous Controls Monitoring for Transactions: The Next
Frontier for GRC Automation"). Keeping the identity data model accurate is a prerequisite for
successful IAG operations, and represents a frequent cause of failure in IAG programs that
initially show promise.
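The relationships this section and the "atomic elements" list describe, as an added worked example (written for this edit; it is not code from the Gartner note or from any vendor it lists): a small identity data model built from identifiers, attributes, credentials, entitlements, roles, policies and rules; the access decision step that combines rules with an identifier's attribute and credential context to determine its effective entitlements; the segregation of duties check that a continuous controls monitoring pass would run over the result; and an integrity check for the model-accuracy failure mode the section closes on. Every identifier, role, entitlement, rule and catalog entry is constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass
class Identifier:
    """An identifier (global ID or account name) with its context-giving attributes,
    credentials, role assignments and directly assigned entitlements."""
    uid: str
    attributes: Dict[str, str]
    credentials: FrozenSet[str] = frozenset()
    roles: FrozenSet[str] = frozenset()
    direct_entitlements: FrozenSet[str] = frozenset()


@dataclass
class Rule:
    """A rule is the software-level instruction that implements an access policy.
    It is evaluated in the identifier's attribute/credential context."""
    name: str
    policy: str                                  # the business policy it implements
    context_holds: Callable[[Identifier], bool]  # attribute/credential condition
    grants: FrozenSet[str] = frozenset()         # added when the context holds
    withholds: FrozenSet[str] = frozenset()      # removed when the context does not hold


# Constructed entitlement catalog and role definitions (hypothetical, not a real enterprise).
ROLE_ENTITLEMENTS = {
    "ap-clerk": frozenset({"ap:invoice:create"}),
    "ap-manager": frozenset({"ap:invoice:approve", "ap:report:read"}),
}
ALL_ENTITLEMENTS = frozenset().union(*ROLE_ENTITLEMENTS.values()) | {"hr:record:read"}

RULES = [
    Rule("active-only", "Only active workers hold any access",
         lambda i: i.attributes.get("status") == "active", withholds=ALL_ENTITLEMENTS),
    Rule("finance-reports", "Finance staff may read AP reports",
         lambda i: i.attributes.get("department") == "finance",
         grants=frozenset({"ap:report:read"})),
    Rule("strong-auth-to-approve", "Approving invoices requires an X.509 credential",
         lambda i: "x509" in i.credentials, withholds=frozenset({"ap:invoice:approve"})),
]

# Segregation of duties: entitlement combinations one identity must never hold together.
SOD_CONFLICTS = {
    "create-and-approve-invoice": frozenset({"ap:invoice:create", "ap:invoice:approve"}),
}


def effective_entitlements(ident: Identifier, rules: List[Rule] = RULES) -> FrozenSet[str]:
    """Access decision step: start from roles and direct grants, apply every rule's
    grants, then every rule's withholds. Withholds run last so that a denial is
    never undone by a grant evaluated later in the list."""
    ents = set(ident.direct_entitlements)
    for role in ident.roles:
        ents |= ROLE_ENTITLEMENTS.get(role, frozenset())
    for rule in rules:
        if rule.context_holds(ident):
            ents |= rule.grants
    for rule in rules:
        if not rule.context_holds(ident):
            ents -= rule.withholds
    return frozenset(ents)


def sod_violations(ident: Identifier, rules: List[Rule] = RULES) -> List[str]:
    """The check a continuous controls monitoring pass runs over each identity."""
    ents = effective_entitlements(ident, rules)
    return sorted(name for name, pair in SOD_CONFLICTS.items() if pair <= ents)


def model_integrity_issues(idents: List[Identifier]) -> List[str]:
    """Checks that keep the model accurate: roles the model does not define,
    entitlements outside the catalog (which escape catalog-wide rules such as
    active-only), and identifiers lacking the status attribute the rules depend on."""
    issues = []
    for i in idents:
        for role in sorted(i.roles - set(ROLE_ENTITLEMENTS)):
            issues.append(f"{i.uid}: unknown role {role}")
        for ent in sorted(i.direct_entitlements - ALL_ENTITLEMENTS):
            issues.append(f"{i.uid}: entitlement {ent} not in catalog")
        if "status" not in i.attributes:
            issues.append(f"{i.uid}: missing status attribute")
    return issues


# Constructed sample identifiers: a normal case, an SoD conflict, a terminated
# worker, and an identity that has drifted outside the model.
SAMPLE_IDENTIFIERS = [
    Identifier("alice", {"department": "finance", "status": "active"},
               credentials=frozenset({"x509"}), roles=frozenset({"ap-manager"})),
    Identifier("bob", {"department": "finance", "status": "active"},
               credentials=frozenset({"x509"}), roles=frozenset({"ap-clerk", "ap-manager"})),
    Identifier("carol", {"department": "finance", "status": "terminated"},
               roles=frozenset({"ap-clerk"})),
    Identifier("dave", {"department": "hr"}, roles=frozenset({"legacy-role"}),
               direct_entitlements=frozenset({"erp:admin"})),
]
BY_UID = {i.uid: i for i in SAMPLE_IDENTIFIERS}

if __name__ == "__main__":
    for ident in SAMPLE_IDENTIFIERS:
        print(ident.uid, sorted(effective_entitlements(ident)), sod_violations(ident))
    print(model_integrity_issues(SAMPLE_IDENTIFIERS))
```

The order of the two rule passes is the design point: grants are collected first and withholds applied afterwards, so a terminated worker ends with no access even though a department rule would otherwise re-add a report entitlement. The "dave" record shows why the note insists on catalog accuracy: an entitlement assigned outside the catalog is invisible to the catalog-wide "active-only" withhold, and only the integrity check surfaces it.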

IAG Workflow and Administration


The second major functional category of IAG tools is in the workflow and administration execution
to request access. This function provides a user experience for participants in the governance life
cycle, from business representatives responsible for managing access requests, to IT
administrators responsible for managing the identity data model support systems and IAG
workflow. IAG tools represent one of the true touchpoints between the IT process and the
business process, where there is shared responsibility for the integrity of the data required to
have complete, timely, and accurate access to applications and systems. Business
representatives are accountable for the approval and certification of requested entitlements for
their own users within the department or division. They are also responsible for working with IT to
ensure that the IAG workflow is defined accurately to reflect how access requests are handled
within their areas of responsibility. For many enterprises, this represents a "transfer" of
accountability from IT to the business that did not take place when first-generation IAM products,
such as user provisioning, were introduced in those enterprises years ago.

IAG Identity Data Use, Monitoring and Optimization


When applying IAG workflow and administration, logs are generated. Those logs capture system,
review and request, and identity activities and events through the use of IAG products, providing
a raw but comprehensive view of the IAG process in action. A critical part of IAG functionality is in
the creation and generation of IAI (see "Identity and Access Intelligence: Making IAM Relevant to
the Business"), which is derived from a structured, analytical approach to correlation, review,
analysis and reporting of identity data use in all its forms. Monitoring and optimization of the

supporting IAG systems places major emphasis on IAI output, serving as a "closed loop" for
improving the system and process.
Compliance reporting was (and is) the first practical form of IAI produced from IAG systems.
While IAG isn't the only generator of IAI, it is one of the most important, and it is also the practice
that benefits most from effective IAI. IAG identity data use will be the topic of future Gartner
research.
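An added example (written for this edit, not from the Gartner note and not any product's real log format) of the correlation step that turns the raw logs described above and in the identity data model section into IAI: constructed audit lines for access requests, business approvals and administrator provisioning are correlated by request id so that every granted entitlement can be tied to the manager who approved it and the administrator who applied it, which is the accountability the note asks IAG to deliver. The report flags what a compliance reviewer would want surfaced: self-approval, provisioning with no approval on record, and requests still waiting. Event names, field names and actors are all constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of IAG audit log lines: a timestamp followed by key=value
# pairs. id=- marks a provisioning action not linked to any access request.
SAMPLE_LOG = """\
2011-07-15T09:01:02Z event=request id=R1 requester=bob beneficiary=bob entitlement=ap:invoice:approve
2011-07-15T09:05:10Z event=approve id=R1 approver=alice
2011-07-15T09:06:00Z event=provision id=R1 admin=sysadm1 account=bob entitlement=ap:invoice:approve
2011-07-15T10:00:00Z event=request id=R2 requester=frank beneficiary=frank entitlement=hr:record:read
2011-07-15T10:01:00Z event=approve id=R2 approver=frank
2011-07-15T10:02:00Z event=provision id=R2 admin=sysadm1 account=frank entitlement=hr:record:read
2011-07-15T11:00:00Z event=provision id=- admin=sysadm2 account=grace entitlement=erp:admin
2011-07-15T12:00:00Z event=request id=R3 requester=carol beneficiary=carol entitlement=ap:report:read
""".splitlines()


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a record: timestamp plus its key=value fields."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def correlate(lines: List[str]):
    """Group request, approval and provisioning events by request id.
    Provisioning that carries no request id is kept apart as unlinked."""
    by_request: Dict[str, Dict[str, Dict[str, str]]] = defaultdict(dict)
    unlinked = []
    for rec in map(parse_line, lines):
        if rec.get("id", "-") == "-":
            unlinked.append(rec)
        else:
            by_request[rec["id"]][rec["event"]] = rec
    return by_request, unlinked


def compliance_report(lines: List[str] = SAMPLE_LOG) -> Dict[str, list]:
    """Derive the first practical form of IAI, a compliance view, from the logs."""
    by_request, unlinked = correlate(lines)
    report: Dict[str, list] = {
        "accountability": [],              # (account, entitlement, approver, admin)
        "self_approved": [],               # approver is the requester or beneficiary
        "pending": [],                     # request with no decision yet
        "provisioned_without_approval": [],  # (account, entitlement) with no approval on record
    }
    for rid, events in sorted(by_request.items()):
        req = events.get("request")
        appr = events.get("approve")
        prov = events.get("provision")
        if req and appr and appr["approver"] in (req["requester"], req["beneficiary"]):
            report["self_approved"].append(rid)
        if req and not appr and not prov:
            report["pending"].append(rid)
        if prov and not appr:
            report["provisioned_without_approval"].append((prov["account"], prov["entitlement"]))
        if req and appr and prov:
            report["accountability"].append(
                (prov["account"], prov["entitlement"], appr["approver"], prov["admin"]))
    for rec in unlinked:
        if rec["event"] == "provision":
            report["provisioned_without_approval"].append((rec["account"], rec["entitlement"]))
    return report


if __name__ == "__main__":
    for section, rows in compliance_report().items():
        print(section, rows)
```

The accountability rows are what an auditor asks for: for each live entitlement, who requested it, who approved it and who applied it. A self-approved request still produces a complete chain, which is why it is reported separately rather than treated as missing; the unlinked provisioning row is the case the note's "transfer of accountability to the business" is meant to eliminate, since no business approver appears in it at all.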

IAG Products and Services


There are four types of IAG product vendors in the market today:

Those that are focused on building an identity data model through discovery, mining and
engineering, and focused on providing a workflow for requesting and administering
granular access.

Those that deliver one or more IAG functions as part of a broader IAM suite.

Those that have significant IAG functionality as part of another product within their suite.

Those that are focused on related areas of IAG and possess some IAG and IAI features,
but are not considered IAG products. Often, such products are associated with CCM or
segregation of duties.

The next section features a representative sample of these vendor types. It is not an exhaustive
list of vendors and their IAG products fitting the descriptions above, but it does provide an
understanding of market participation. Forthcoming in late 2011 is a more extensive Magic
Quadrant study of the IAG market that will focus primarily on the first two vendor types, and
provide more detail regarding vendor capabilities and market positions.

IAG Stand-Alone Vendors


Aveksa (Waltham, Massachusetts)
Products: Aveksa Enterprise Access Governance Platform (that is, Compliance Manager, Role
Manager, Access Request and Change Manager, Data Access Governance)

Bhold (Utrecht, Netherlands)
Products: Bhold Suite, Bhold Controls, Bhold Attestation

CrossIdeas (Rome)
Products: Ideas Core, Access Certifier, Role Constructor, Compliance Control for SAP-CCS

RM5 Software (Helsinki)
Products: RM5 IdM, RM5 IdM SaaS

SailPoint (Austin, Texas)
Products: SailPoint IdentityIQ, which includes Compliance Manager, Lifecycle Manager,
Governance Platform, Provisioning Engine, Identity Intelligence

IAM Suite Vendor Products


Attachmate (Seattle)
Products: Novell Access Governance Suite (OEM for Aveksa), as well as embedded role
administration functionality in Novell Identity Manager

CA Technologies (Islandia, New York)
Products: CA Role & Compliance Manager, CA Identity Manager

Courion (Waltham, Massachusetts)
Product: Access Assurance Suite (ComplianceCourier, RoleCourier, AccountCourier)

Hitachi ID Systems (Calgary, Alberta, Canada)
Products: Identity Manager, Group Manager

IBM Tivoli (White Plains, New York)
Products: Tivoli Identity Manager, IBM Security Role and Policy Modeler

Oracle (Redwood Shores, California)
Products: Oracle Identity Analytics, Oracle Identity Manager

Identity Administration Vendors (With Some IAG Functionality)


Avatier (San Ramon, California)
Product: Avatier Identity Management Suite (AIMS)

Beta Systems (Berlin)
Products: SAM Enterprise Identity Manager, SAM Rolmine

BMC Software (Houston)
Products: BMC Remedy Identity Manager (alliance with SailPoint)

Evidian (Les Clayes, France)
Product: Evidian Identity & Access Manager

Fischer International (Naples, Florida)
Products: Fischer Identity Suite, Identity as a Service Solutions

Microsoft (Redmond, Washington)
Products: Forefront Identity Manager, Sentillion proVision

Omada (Copenhagen)
Products: Omada Identity Suite (includes Compliance Attestation Manager, Compliance Report
Center and Advanced Role-Based Access Control)

Quest (Aliso Viejo, California)
Products: Quest One Identity Manager, ActiveRoles Server

SAP (Walldorf, Germany)
Product: SAP NetWeaver Identity Management

Siemens (Munich)
Products: DirX Identity, DirX Audit

Other Vendors With IAG and IAI Functionality


Approva (Herndon, Virginia)
Products: Access Manager, Authorizations Insight, Certification Manager, Configuration Insight

LogLogic (San Jose, California)
Product: LogLogic Compliance Manager

LogRhythm (Boulder, Colorado)
Product: LogRhythm for Compliance and Audit

SAP (Walldorf, Germany)
Product: SAP BusinessObjects Access Control

Security Compliance Corp. (SCC) (Orinda, California)
Product: Access Auditor

Security Weaver (San Diego)
Products: Secure Provisioning, Separations Enforcer

Varonis Systems (New York)
Product: Varonis Data Governance Suite

The Impact
The IAG market of products and services will continue to grow and expand rapidly as more
enterprises elevate the general IAM debate and choices to fulfill governance mandates for access
to critical IT systems and applications. Through 2014, IAG will represent the fastest growing
segment of the IAM market, outpacing user provisioning, access management and directory
services growth. New entrants will attempt to leverage existing IAM product implementations, as
well as expand IAG product capabilities in data management, policy management and workflow,
by partnering with more traditional vendors in those areas or by incorporating feature sets from
them. IAI value from IAG will grow as more-formal programs for identity data repository and use
analytics are applied, resulting in more use cases demanding IAI from governance.
Major IAM suite vendors are seeking to incorporate IAG administration and workflow functionality
into more traditional IAM products, such as user provisioning, leaving more complex features to
support the construction of identity data models and analytics for identity data use in other
product sets of their portfolios. This is likely to place increasing pressure on stand-alone IAG
vendors to innovate in an attempt to penetrate well-established customer bases of IAM suite
providers. Construction, rationalization and/or cleansing of identity data repositories will increase
as enterprises position themselves better to use IAG tools, and IAI derived from them, by fixing
problematic identity data models to more accurately reflect the way enterprises use identities.
New buying centers continue to rise as IAG directly addresses what business process and
application owners desire in governing access, focusing more on financial, auditing and risk
decision makers, coupled with IT assistance. The complexity of building a representative identity
data model and subsequent workflows will increase enterprise dependency on consulting and
integration services. Such services will continue to grow and expand as IAG takes its proper
place in addressing IT GRC concerns in the enterprise. Traditional IAM integrators are already
expanding and consolidating roles and experience in IAG, and developing good IAI.

Conclusion
Technology and service providers should recognize that enterprises have specific requirements
that mandate governance over access and the identity life cycle. Those requirements will
establish prerequisites for processes, people and infrastructure, and inform the enterprise of a
priority to deliver the changes necessary. There are indications that enterprises that have
deployed basic IAM systems are ready for IAG, as long as the prerequisites are identified and
prioritized. For many enterprises, IAG is, first and foremost, a fulfillment of governing the total
end-to-end process of access, including approval and certification. Providers must continue to
refine the definition of IAG in that context, and provide enterprises with a reasonable justification
for the steps required to realize IAG deployment and use.

RECOMMENDED READING
Some documents may not be available as part of your current Gartner subscription.
"Entitlement Life Cycle Management: The Evolution of Role Life Cycle Management"

"Identity and Access Intelligence: Making IAM Relevant to the Business"
"A Process View of Identity and Access Management Is Essential"
"Best Practices for Identity and Access Management Program Management and Governance"
"Continuous Controls Monitoring for Transactions: The Next Frontier for GRC Automation"

REGIONAL HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
U.S.A.
+1 203 964 0096

European Headquarters
Tamesis
The Glanty
Egham
Surrey, TW20 9AW
UNITED KINGDOM
+44 1784 431611

Asia/Pacific Headquarters
Gartner Australasia Pty. Ltd.
Level 9, 141 Walker Street
North Sydney
New South Wales 2060
AUSTRALIA
+61 2 9459 4600

Japan Headquarters
Gartner Japan Ltd.
Aobadai Hills, 6F
7-7, Aobadai, 4-chome
Meguro-ku, Tokyo 153-0042
JAPAN
+81 3 3481 3670

Latin America Headquarters


Gartner do Brazil
Av. das Nações Unidas, 12551
9° andar—World Trade Center
04578-903—São Paulo SP
BRAZIL
+55 11 3443 1509

