As we've seen in our research, organizations believe that insider espionage is the top security threat they are inadequately equipped to prevent and detect. Respondents also stated that they believe technical staff with elevated privileges pose the greatest internal IT security risk to their organizations. This underscores a general feeling that organizations are doing a poor job of protecting user credentials and controlling access to data. However, organizations are beginning to discover that identity and access management (IAM) is a key component of controlling user access to critical information across the entire enterprise ecosystem while ensuring compliance with corporate policies and regulations.

IAM has been around for a while but is not widely adopted or embraced by many organizations – at least not successfully. Past challenges with IAM have led many to think that IAM is a solution whose time has come and gone. We believe this is not too dissimilar from what happened with data-loss prevention when it was first introduced – same with smartphones and electric cars. All were great ideas, but either the technology or the market was just not quite ready when they were first released, yet eventually each of these hit its stride and was widely adopted.

The 451 Take

Of the four services we've discussed in this Spotlight series – cloud security management, security incident and event monitoring, vulnerability scans, and now identity and access management (IAM) – IAM has seen the lowest adoption rate among enterprises. Only 8% of the enterprises we polled stated that IAM was a top security project in the next 12 months, and that's down 2.7% from the previous year's study. So why are we proposing that service providers consider adding it to their service portfolios? IAM might not be the security product businesses are currently pursuing, but it is one they should be pursuing. Properly managing identity and controlling access to data, applications and services based on that identity goes a long way toward protecting the assets that are so valuable to organizations today. Of course, there are other technologies and tools that organizations should consider to make them secure, but IAM is an important tool in the security tool chest. That said, IAM can be a bear to implement and manage, creating ample opportunities for service providers to deliver it as a managed service, help enterprises ensure that it is deployed correctly, and maintain it over time.


Modern enterprises want immediate, easy and secure access to information anytime from anywhere. This has led to a vanishing enterprise boundary as organizations embrace cloud services, workforce mobility, and a hybrid IT infrastructure. However, this posture has introduced new vulnerabilities and potential points of breach, renewing interest in identity and access management to protect identities and defend a borderless enterprise. Yet, according to 451 Research's Voice of the Enterprise: Information Security, Workloads and Key Projects survey, only 38% of enterprises have IAM technology deployed in their organizations.

At a high level, identity and access management is the process of creating, managing and using digital identities and enforcing access policies across disparate systems both in the cloud and on-premises. Simply stated, the goal of IAM is to give the right people the right level of access at the right time and in the right context. IAM is becoming a critical imperative for enterprises to maintain the trust of their customers and meet compliance requirements in industries such as banking and financial services, healthcare, education, manufacturing, media and entertainment, retail and vendors, telecommunications, and others.

Let's be clear up front: there are many challenges with IAM. Part of the problem is the difficulty with getting IAM to integrate with the entire array of systems, platforms and applications used in the enterprise. As a result, businesses end up with a handful of applications connected to the IAM system but then still have several manual processes and individual accounts to manage. Not only is this ineffective at protecting the enterprise, but it often fails to meet the regulatory and compliance requirements imposed on many industries.

Historically, identity and access management services were limited in scale and features and were often poorly implemented. For example, enterprises often want the IAM service integrated with their Active Directory, but their AD is poorly structured, making integration difficult or impossible. In other cases, the organizational politics of who owns data and who controls access to it has limited the effectiveness of IAM in the enterprise. In addition, traditional IAM services placed a heavy administrative burden on internal staff and a significant strain on IT budgets. Consequently, these past IAM failures have tainted the perceived value of identity and access management implementations among enterprises, creating a challenge for future endeavors with IAM. However, areas like IAM, where enterprises are struggling to implement and manage needed security controls, are prime opportunities for service providers.

We have seen IAM go through several iterations over the years, but the latest wave of IAM is addressing past issues and making it easier to integrate and deliver throughout the enterprise's IT ecosystem. The key point that most enterprises – and many service providers, for that matter – miss is that IAM must be treated as a program: a constantly evolving, adaptive and managed program, not a one-and-done project with disjointed point solutions that do not address identity management holistically. IAM is about protecting the organization's riskiest assets: its people. With the proliferation of multi-cloud and hybrid IT, identity management is a must – identities across disparate platforms cannot be successfully managed by traditional means or manual processes.

Service providers have opportunities to provide the IAM platform as a service, ongoing management, and the professional services to set it all up. But before IAM can even be implemented, most organizations will need help ensuring that proper access processes and procedures exist and that access levels are documented and understood.

Successful service providers are offering full identity and access management services by combining tools like single sign-on, complete application access lifecycle management, mobile access management, robust and dynamic access policies, multi-factor authentication, and identity federation – all of which can be applied holistically across disparate platforms and clouds.

Aaron Sherrill
Senior Analyst

Aaron Sherrill covers emerging trends, innovation and disruption in the Managed Services and Managed Security Services sectors. Aaron joined 451 Research after serving as Vice President and CTO for two of the largest, pure-play Managed Service Providers in the market. He was instrumental in developing and growing the service provider business, driving the technical strategy for the companies, developing and leading information security programs, and bringing new managed cloud and security services to the marketplace.

Dan Thompson
Research Director - MTDC

As a Research Director for 451 Research, Dan Thompson provides insight into the Multi-Tenant Datacenter (MTDC) market space. Dan is particularly focused on MTDCs that are trying to move up the stack to offer additional services beyond colocation and connectivity. These services may include disaster recovery, security, various forms of cloud and other managed services. He also assists the 451 Research Information Security group when their interests overlap.

Keith Dawson
Principal Analyst

Keith Dawson is a principal analyst in 451 Research's Customer Experience & Commerce practice, primarily covering marketing technology. Keith has been covering the intersection of communications and enterprise software for 25 years, mainly looking at how to influence and optimize the customer experience.
