Role-based mgmt. is key to identity management customers, survey says

Feb 15, 2006 | 3 mins
Access Control, Networking, Security

* Survey of identity management project managers

A few weeks back I alerted you to a survey that Eurekify founder Ron Rymon was conducting to gather your thoughts about role-based management. The survey has now closed, and the final results and interpretations will be published at the end of this month (I’ll let you know when that happens, and where to get them), but preliminary findings from the 147 non-scientifically selected respondents are now available.

Respondents were primarily identity management project managers, as well as consultants in this area. Participants came from all sectors, with an especially large representation from financial institutions.

The survey’s main findings are that identity management customers see role-based management as a key aspect of their identity management implementation (79%), and most do not find that identity management vendors provide adequate tools and methodologies for defining and deploying roles (70%).

Here’s a summary of the main results:

In 83% of the organizations, privileges are still granted in an ad-hoc fashion (i.e., granted on an as-needed when-needed basis and rarely revoked), or through cloning (i.e., give Joe the same rights as Jane), and not based on business roles and provisioning policies. Only 16% of the organizations have automated provisioning processes. Maybe as a result, more than 50% of the organizations believe that at least 20% of their users’ privileges are incorrect (10% estimate that at least 50% of their privileges are incorrect). Only 6% think they have the means to verify segregation of duties – a requirement of many regulatory schemes.

Most organizations give almost equal weight to productivity and audit/compliance as the main reasons to implement identity management (84% and 82% respectively).

Customers’ main concerns with regard to identity management deployments are:

1) Formation and deployment of a role-based model (70%).

2) Poor quality of the existing privileges (59%).

3) Interfaces to existing systems (56%).

Most identity management customers plan to implement role-based access control (RBAC) (79%), but 38% say they will not do so in the first half of 2006. A full 84% of respondents are concerned about their ability and the time it would take to define a role-based privileges model.

My conclusion from this data is that almost 10 years after automated provisioning burst on the scene, most IT organizations are still having a hard time coming to grips with it. It may be that they are trying to do too much within a single project, rather than a step-by-step implementation, or it may well be that RBAC is necessary (although not sufficient) for an efficient provisioning system. Either way, there is a lot of business out there for provisioning, RBAC, and other identity management vendors and consultants – with more coming every day.