Identity Management Market Trends

PDF version of this report
You must have Adobe Acrobat reader to view, save, or print PDF files. The reader
is available for free

Identity Management Market Trends

by Brady Hicks

Docid: 00018887

Publication Date: 2009

Report Type: MARKET


Identity management – or IAM (identity and access management) – is a
largely unavoidable part of doing business in an age that
is both digital and regulated. Regulatory and
rulings in both the public and private sectors,
risk management practices, and other internal pressures continue to drive
organizations to devote extra
to monitoring, measuring, auditing, and controlling the ways in
employees and even applications interface with electronic
systems. Accordingly, identity management has emerged as a central
component of access management and security strategies. This report
takes a look at the market for identity management products.

Report Contents:

Executive Summary

[return to top
of this report]

The term "identity management" refers to the control and
automation of processes that regulate which users can access specific resources. In this context, a user
can be a person, server, host,
or application. Rather than requiring IT administrators to separately manage
security for each resource, identity management solutions provide a single point of administration
for performing these functions.

Basic Tenets

Per to the Control Objectives for Information and Related Technology

– an IT governance standard widely adopted by US
corporations to achieve Sarbanes-Oxley compliance – there
are five basic tenets of identity management1

  1. Uniqueness
    of Individuals
    – All
    users (internal, external and temporary) and their activity on IT
    systems (business application, system operation, development and
    maintenance) should be uniquely identifiable.
  2. “Need
    to Know”
    – User
    access rights to systems and data should be in line with defined and
    documented business needs and job requirements.
  3. Data Ownership – User
    access rights are requested by user management, approved by the system
    owner, and implemented by the security-responsible person.
  4. Central
    – User
    identities and access rights are maintained in a central repository.
  5. Management
    – Cost-effective technical
    and procedural measures are deployed and kept current to establish
    user identification, implement authentication, and enforce access

Other Considerations

A complete identity management solution not
only automates the provisioning of accounts, it also provides a user
self-service password management tool, delegated administration that
allows IT staff members to offload the responsibility of user management
to those who know the users best, and full auditing and reporting
capabilities to provide visibility into system access activity.

Central functions of an identity management deployment may include:

  • Consolidated User Administration
    – Single platform
    to manage user accounts and profiles.
  • User Provisioning
    – Creates and deletes user accounts from
    systems throughout the user lifecycle.
  • Single Sign-on
    – Authenticates user for multiple
    applications requiring only one login.
  • Password Management
    – Updates and synchronizes user profiles
    and passwords across multiple applications.
  • Strong Authentication
    – Validates the user leveraging a mix of
    protection measures, including password, digital token, and PIN.
  • Directory Management
    – Manages accounts within a
    central setting, in many cases a Lightweight Directory Access Protocol
    (LDAP) directory.
  • Web Access Control – Provides user-account authorization
    within Web-based applications.

Market Dynamics

[return to top of this report]

The ongoing demand for identity management is based mostly on pressures:
government regulations; security-related concerns; and internally from
enterprise officials looking to efficiently and cost-effectively administer
access to complex IT environments.

These and other types of pressures are detailed in Table 1.

Table 1. Identity Management Pressures
Pressure Description
Government Regulations Notable US privacy regulations are HIPAA,
Sarbanes-Oxley, Payment Card Industry Data Security Standard (PCI DSS), and the Gramm-Leach-Bliley Act.

Health Insurance Portability and Accountability Act (HIPAA).
HIPAA requires organizations in the healthcare
sector to meet defined standards for the storage and transmission of data.
Among other goals, the act intends to ensure the security of confidential
patient information when it is transmitted from one entity, such as a
doctor’s office, to another, such as an insurance company or another

Sarbanes-Oxley (SOX) Act.
The Sarbanes-Oxley Act establishes strict financial reporting requirements
for US-based public companies and holds corporate executives
accountable for ensuring that their companies follow these

Payment Card Industry Data Security Standard (PCI DSS).
PCI regulations are designed to protect credit card users from fraud
and other abuses. PCI compliance requires companies to have provisions in
place for physical and electronic data protection, including two-factor
authentication, password management, and others.

Gramm-Leach-Bliley Act (GLBA).
This act restricts how and when
financial institutions may share information about their customers.

Globally, many other nations have enacted their
own privacy legislation that affects corporations doing business in their
markets. For example, the European Union Privacy Act, Canada’s Personal
Information Protection and Electronic Documents Act (PIPEDA), and the Japanese
Personal Information Protection Act (JPIPA) all place restrictions on the
collection of and access to personal information that require, in turn,
identity management solutions to ensure that the data is not accessible to
unauthorized individuals. 

Security The market for identity management products continues to rise as
enterprises attempt to cope with the growth of users on their networks from
both inside and outside their firewalls.

Internal and external password
policies carry support and enforcement costs that drive up help desk
expenses. As organizations continue to implement new enterprise applications,
these costs will continue to mount. By implementing a secure single sign-on
solution, many of these costs can be reduced, if not eliminated.

IT Administration Organizations increasingly use enterprise networks to
provide resources and services to external parties such as customers,
suppliers, and
business partners. This development complicates identity management
and creates the need for solutions to make such management easier and
more affordable.

The enterprise user base is constantly in flux
as new employees are hired, current employees change assignments, other
employees leave, contractors come and go, and customers, business partners,
and suppliers change. While these issues may seem disconnected,
upon close examination it becomes clear that the common thread they share
is identity. Every decision that is made about granting access to resources causes a potential security conflict.
Identity management solutions
ease the
managerial burden of granting access and provide much needed security
along the way.

Market Leaders

[return to top of this report]

Prominent Identity Management technology market leaders include Oracle,
IBM, Dell, Microsoft, HPE, AWS, Broadcom, Micro Focus, Hitachi, Adobe,
Accenture, SAP, and HID Global, among others. This competition also
includes a subset of Identity Management known as PIM ("Privileged"
Identity Management), which is employed specifically to secure, manage,
and monitor activities associated with privileged or tiered accounts.
Top competitors in this area include Microsoft, IBM, BeyondTrust, and

[return to top of this report]

Market Growth

The global market for IAM services is projected to grow by to $24.12 billion
(2025).3 Further findings highlighted by this report include:

  • The "provisioning component segment" providing the highest revenue
    market share (30.7 percent)
  • On-premise deployments valued at $5.3 billion (2018)
  • Majority market-share companies including Oracle, IBM, Broadcom, Micro
    Focus, and HID Global

In the past, the identity management market was an
open field with specialty developers such as Oblix and RSA competing
directly against giants such as IBM and CA Technologies. Recently, however,
large entrants in the market have used a combination of acquisitions and
internal development to enhance their positions and put pressure on
mid-sized competitors. Most recently, Broadcom acquired CA in 2018.


Federated Identity Management Identity Management in the Cloud. Companies have become increasingly concerned
about security and identity management as they transition more and more of
their applications to the cloud. As a result, businesses are turning to
federated identity management solutions, which allow users to maintain
identities across Web services and e-commerce
transactions and between disparate organizations.
federated management, a manufacturer could link its
purchasing system with the applications used by its various suppliers. The
manufacturer could then check inventory and conduct transactions through a
supplier’s system. A user’s identity would be established on the
manufacturer’s side and then that person’s assigned network rights would
be carried over as he or she accesses the supplier’s applications. The services would interact regardless of
whether the organizations were using different applications or platforms.
Each Web service in use would be governed by a set of policies to be
enforced and administered through the identity management system.

Federated identity management strategies are particularly applicable to
the latest applications being rolled out in social media, and this need for
security does not just apply to users needing to be careful about their own
identity. People should not be posting confidential information on their
Facebook profiles, but if they do and one of their friends has his or her
identity stolen, that information could be read by the wrong people. In the
consumer space, companies are taking additional steps to authenticate their
users, moving beyond the simple username and password. Today, businesses,
particularly financial services institutions, are requiring more customers to
validate their identity at login by answering security questions or
acknowledging the correctness of a site key – a designated image assigned to
them that appears on screen.

Bring Your Own Device. Identity management will become an even more prominent
element of enterprise security as more and more organizations accept –
or, in some cases, succumb to – the reality of the “bring your own
device” movement. Bring your own device (BYOD) describes when employees use their
personally-owned devices for work purposes in preference to or in
addition to those supplied to them by the
organization. Statistics regarding the extent of BYOD vary widely, but
all agree that it is growing fast. Many believe that there are
benefits for organizations that allow personal devices onto their
network, including increased productivity, improved user satisfaction,
and greater flexibility.

A new generation of identity management solutions capable of
accommodating a diverse and disparate set of consumer-grade devices will likely quickly
gain favor with enterprise officials.

Identity and Access Governance. In some circles, “identity management,” or “identity and access
management” (IAM), is in the process of evolving into a new concept
called “identity and access governance” (IAG). More than administering access to enterprise systems and applications,
the goal is to better align identity management functions with
enterprise business objectives.

IDaaS. Several years ago4, Network World noted that interest
in IDaaS (Identity-as-a-Service)-based services are part of a "small but
growing" subset of IAM, primarily due to "midsize to
large enterprises that need to manage access to applications in the cloud as
well as to legacy on-premises applications."

Strategic Planning

[return to top of this report]

Of-note IAM planning implications include:

  • The potential to cause internal tension, proving not just a
    technical challenge but a turf battle.
  • The responsibility of the admin who syncs user information across
    departments determining approval point for all exchanges.
  • Employing those that marry technology with an organization’s
    business processes.
  • The need for execs – as well as IT personnel – to determine which
    departments and individuals may access.
  • Basing policies on overall corporate protocol and industry

Key Benefits

The benefits that identity management solutions can offer organizations

  • Reduced risk
    – This is achieved through the secure control
    of access rights to a growing, diverse community of partners, customers,
    and employees. Identity
    management gives enterprises quicker response to internal audits and
    regulatory mandates as well. Identity management solutions also enable a vital yet peripheral
    function: The dynamic tracking of physical and electronic accesses through
    various enterprise systems and applications, thereby providing the extended benefit
    of asset management and monitoring.

  • Reduced operational costs
    – By automating, delegating, and
    providing self-service interfaces to user administration activities. Organizations can
    also implement identity-based security without the aid of specialty
    solutions. While providing some of the same security benefits, this approach
    requires significantly more administration and may create inconveniences for
  • Enhanced user experience – By reducing
    multiple login requirements and removing or reducing the help desk from
    the cycle of providing general support and resetting passwords.

Maintaining secure and accurate digital
identities is vital for government agencies and nonprofits as well as
commercial enterprises. Identity management solutions enable government agencies to more accurately
and rapidly recognize authorized constituents for a range of programs, such as tax collection,
delivery services, and national defense.
For private sector concerns, identity management solutions not only
enable and establish identity, they allow the enterprise to link together
computer-based sales and prospect analysis applications, market
development analysis, and salesforce automation systems: all data and
information of a competitive and highly secure nature that, if efficiently
and securely shared, can lead to increased revenue while reducing the cost
of sales.

Organizations seeking
comprehensive solutions that are easy to implement and maintain may find
themselves frustrated as they are required to perform customizations and
discover that the solutions demand more administration than expected, while
offering fewer features than desired. These organizations may be better
served by implementing a point solution, such as an authentication tool, for a
narrowly-defined, required function. If needed, a comprehensive
identity management solution could be implemented later, most likely
through a phased deployment.


[return to top of this report]

[return to
of this report]

About the Author

[return to top of this report]

Brady Hicks is an
editor with Faulkner Information Services. He writes about computer and
networking hardware, software, communications networks and equipment, and the

[return to top of this report]