Growing Cloud Identity Crisis: Survey Report on Cloud-Based Solutions for Identity & Access Management and Single Sign-On

The Growing Cloud Identity
Crisis:
A Detailed Survey Report on Cloud-Based
Solutions for IAM and SSO

Executive Summary
Background
Terms and Definitions
About the Research
Managing Access to Cloud Applications
Top Challenges of Cloud Application Access
The Most Important Features for Cloud Application Access
The Current IAM Market
IAM Is Gaining Widespread Adoption
Existing IAM Deployments
The Most Valued IAM Functionality
Public and Private Cloud Support within IAM
Single Sign-On and Cloud-Based Applications
Single Sign-On Is in Demand
SSO Solutions Are Working
Cloud Applications Appear to be Driving SSO Adoption
SSO Adoption Is Growing
The IAM Market Direction
IAM Is a High Priority Purchase
Security and Trust Are the Most Critical Features
Price and Trust Drive Vendor Selection
Industry Focus: Financial Services and Compliance
Concerns
Industry Focus: Manufacturing Moves to the Cloud
Summary
Appendix: Supporting the IAM Purchase Process
2
Table of Contents
3
4
6
11
14
18
20
21
23
24
The Growing Cloud Identity Crisis

This report highlights the results of research conducted by Gemalto, makers of CloudEntr, in
conjunction with 451 Research in October 2013. The survey captured results from IT decision-
makers in North American companies with a specific focus on the Identity and Access Management
(IAM) market and its growing role in securing access to cloud-based applications.
The data reveals an IAM market in transition, in large part due to the increase in cloud-based
applications. As companies increase their reliance on cloud-based applications, they face growing
challenges in managing access to those applications.
Although the IAM market is well established, with almost half of respondents already having an
IAM solution in place, it’s still in flux as well.
Single Sign-On (SSO) solutions are gaining traction at the same time. The more hosted applications
a business uses, the more likely they are to have deployed an SSO solution. The continued growth
of cloud-based business applications is most likely fueling the additional growth and interest in
cloud-based SSO.
Finally, security and trust in the vendor are the most important factors in choosing IAM solutions
and vendors. Businesses are looking for a strong reputation and solid support policies, as well as
pricing that meets their needs.
3
> Security is the top concern when it comes to managing access to cloud-based
applications. The #1 challenge named by survey respondents was “preventing
security breaches.”
> Many businesses are looking for strong authentication solutions as a way to reduce
the risks of cloud-based application access. Managing mobile access is also critical
for all but the largest of the companies.
> Almost 30 percent of respondents were in the process of evaluating or deploying
new IAM solutions.
> When it comes to IAM solutions, businesses are looking for security and the ability
to handle access from multiple devices and locations. Businesses in regulated
industries (healthcare, financial services) are particularly interested in enforcing
company policies.
Executive Summary

4
Cloud computing presents new challenges for the enterprise. IT organizations are suddenly
responsible for managing access to cloud-based applications that reside outside the enterprise
firewalls. They have the same levels of responsibility for securing access to cloud-based
applications as on-premise apps, but without the same level of control.
Many organizations already have processes and technologies for managing authentication
and access to their on-premise applications. A mature Identity and Access Management (IAM)
marketplace addresses these needs quite well. But with the advent of cloud computing, the market
is being stretched to address the needs of securing access to cloud-based applications. The
growing need comes from both ends of the market:
The survey was designed to deliver a better understanding of what’s happening in this market,
which is characterized both by mature on-premise solutions and a growing number of new cloud-
based participants.
Terms and Definitions
Identity and Access Management (IAM) solutions facilitate the management and automation
of user access to systems or applications within an organization. They typically manage user
authentication (ascertaining user identity), authorization (what privileges they have), and
application access.
Single Sign-On (SSO) solutions address the authentication part of the IAM puzzle. They simplify
access to multiple diverse applications by consolidating application access from a single login.
Once authenticated with the SSO solution, the user does not have to enter an account and password
to access the downstream applications – the SSO solution manages authentication. SSO may be
a feature of a comprehensive IAM solution. Stand-alone SSO solutions may integrate with IAM
solutions to exchange information about user identity and authorization levels.
> Companies with established IAM solutions need to extend those practices and
capabilities to handle the growing number of cloud-based applications their
business users access.
> Small or growing companies often have no in-house IAM solutions and rely heavily
on cloud-based applications. These represent new potential participants in the IAM
market.
Background

5
About the Research
In October 2013, Gemalto, in conjunction with 451 Research, conducted a survey of North American
IT decision-makers and influencers about their use of Identity and Access Management solutions
and single sign-on (SSO) solutions. More than two hundred respondents, across all industry
sectors, responded to the survey. Titles included IT directors and managers, security executives
(CSOs, compliance managers), and line of business executives with security mandates.
For many of the questions, respondents were asked to rate the importance of different factors or
features on a scale of 1 to 10, with 10 being “very important.” In some of the results, we report the
consensus estimate of importance, which in this case is the answer averaged over all respondents
in the categories.
In some cases, the sample sizes are too small to report statistically significant findings –
particularly when drilling down by industry. And almost 30% of the respondents fell outside of
the defined categories, answering “Other” for their industry. However, we have called out several
instances in which meaningful industry differences appear in the data.
Background

Number of hosted applications reportedly used, by business size
0 10 20 30 40 50
5
6 to 10
11 to 15
16 to 20
20>
>
Over 5,000
1001-5000
101-1000
Company Size
6
One of the biggest changes to the enterprise IT environment in recent years has been the growth of
cloud-based applications. Even those organizations with established IAM solutions for on-premise
applications must now figure out how to manage employee and contractor access to cloud-based
or hosted applications.
To avoid the complications of cloud, the survey simply asked respondents about how many “hosted
applications” the business used. Although you might expect cloud adoption to be more pervasive in
the smaller businesses, the research showed that many of the larger businesses (with more than
5000 employees) use more than 20 hosted applications.
Top Challenges of Cloud Application Access
The survey asked respondents about which challenges were relevant to their company when it
came to managing secure access to cloud-based applications. Respondents could select all of
the cloud access security challenges that applied. The clear leader in challenges was the issue of
preventing security breaches.

7
It comes as no surprise in today’s environment that preventing security breaches would be top of
mind. But recall that this survey was taken in October of 2013 – before the Target data breach, the
Marriot and Niemen Marcus breaches, and the Senate hearings and subsequent press coverage.
When asked to identify the single biggest challenge when it comes to secure access to cloud-based
applications, the overwhelming concern is preventing security breaches. Regulatory compliance,
which was eighth on the list above, is second on the list when companies can choose only one
challenge. This highlights industry differences – for many businesses in regulated industries,
regulatory compliance is the most important issue.
Challenges of Managing Secure Access to Cloud Apps
0% 10% 20% 30% 40% 50% 60% 70%
Administrative workload reduction
Managing (BYOD)
Improving end user experience
Regulatory compliance and audit
Control over SaaS applications
Application of company policy
Transparent access management
Revoking access of users
Password policy enforcement
Assigning access to users
Preventing security breaches

8
Respondents from organizations with more than 1,000 employees tended to give more weight to
administrative workload reduction and controlling SaaS applications. Businesses with more than
5,000 employees were more concerned with “application of company policy” as a challenge for
cloud-based applications.
Which one of the following is the biggest challenge in your company in
terms of managing secure access to cloud-based applications?
30%
25%
20%
15%
10%
5%
0%
Preventing security breaches Regulatory compliance
& audit
Assigning access to users
(employees and contractors)
(who has access to what)

1 2 3 4 5 6 7 8 9 10
Reporting and analytics
Mobile access
Single Sign-On
Authentication methods
Authentication policy management
Ease of provisioning
Password manager
Strong authentication
How would you rate the importance of each of the following for
managing secure access to cloud-based applications? (consensus estimate):
9
The Most Important Features for Cloud Application Access
The survey participants identified a wide range of features that they felt were critical to addressing
the challenges above. The most highly ranked feature was strong authentication.
0% 10% 20% 30% 40% 50% 60% 70%
Admin workload reduction
Over 5000 1001-5000 101-1000
Involving end user experience
Managing (BYOD)
Control over SaaS apps
Transparent access mgmt.
Revoking access
Assigning access
Don’t know
Company Size

10
While strong authentication is the clear leader, it’s worth noting that the rest of the responses are
fairly tightly clustered – nearly everything is important.
Reporting and Analytics rank lowest for the group of respondents as a whole; only 36% of the
respondents said it was very important (a 9 or 10 on the scale of 1 to 10). But in the financial
services industry, 53% of the respondents said that Reporting and Analytics were very important.
Company size also affected the relative importance of the different features. For example, mobile
access was less important for companies larger than 5,000. It’s unclear why this should be true
– perhaps those larger companies imagine that BYOD policies about using mobile devices were
enough, or perhaps the workforce patterns are different among these very large companies. The
lower ratings from the companies greater than 5,000 may have brought down the overall weighted
importance of mobile access across the respondents as a whole.
1 2 3 4 5 6 7 8 9 10
0%
Importance of Mobile Access features for managing secure access to
cloud-based applications, by company size:
Over 5000 1001-5000 101-1000
5%
10%
15%
20%
25%
30%
Company Size

11
The business IT landscape is changing, with the corporate perimeter disappearing. This has
significant implications for Identity and Access Management practices. At the enterprise level,
many businesses are adopting cloud-based applications, while small and mid-sized businesses are
embracing cloud-based applications to delegate IT overhead and responsibilities. As the research
highlights, the more of these cloud-based applications businesses use, the greater their need for
IAM and SSO capabilities that reach beyond the on-premise perimeter to manage user identity and
application access in the cloud.
The survey data reveals an IAM market that is both mature and in transition at the same time.
Although many companies already have IAM solutions, a large number are also in the process of
testing, evaluating or deploying IAM solutions.
IAM Is Gaining Widespread Adoption
When asked whether or not they had an IAM solution already, the data reveals a mix of existing
implementations (maturity) and new deployments and evaluations (change and disruption).
> Nearly half of the respondents already had an IAM solution.
> Another 30% planned to either deploy or evaluate/test IAM in the next six months
Does your company currently use any Identity and Access Management solutions?
Yes, have IAM
Will deploy in 6 months
Plan to test/evaluate
within 6 months
No plans
Don’t know
No Answer
48%
16%
14%
14%
6%
1%

12
While a 50% deployment would indicate a fairly mature industry, the large number of evaluations
means that conditions are changing in such a way as to spur significant adoption. The increasing
uptake in cloud-based applications is no doubt part of that change.
Existing IAM Deployments
Adoption of IAM was fairly consistent across the range of company sizes. But adoption varied by
industry, with the greatest deployments in technology (hardware and software) industries, as well
as financial services.
When asked to name their existing IAM solutions, respondents tended to list on-premise IAM
solutions from Microsoft (including Active Directory), IBM, CA, Oracle, and others. The cloud-based
IAM solutions were mostly missing from the existing deployments. Cloud-based IAM solutions may
be driving newer deployments planned in the coming months.
The Most Valued IAM Functionality
When asked about the most important attributes of an IAM solution, security and convenience were
the main themes.
1 2 3 4 5 6 7 8 9 10
Public cloud support
Private cloud support
Administrator convenience
Support for a large # of applications
Login for all SaaS and on-premise apps
Enforce company/regulatory policy
App access from multiple devices/locations
On a scale of 1-10, rate the importance of the following functionalities
for an IAM solution:
Strength/reputation of security technology
1 being “Not At All Important” and 10 being “Extremely Important”

13
When looking at the data by industry, a few interesting differences emerge:
Public and Private Cloud Support within IAM
You might expect that the ability to access public cloud applications like Salesforce or Google Apps
is driving IAM adoption. However, while both public and private cloud application access were
identified as important attributes for an IAM solution, private cloud access slightly outweighed
public cloud access in importance:
If you consider that a ranking of 8 or above on the scale of 1 to 10 as important, then 58% of
respondents counted support for private cloud access as important, compared with 43% of
respondents listing public cloud support as similarly important.
> Strength/reputation of the security technology was slightly more important for
smaller companies, government agencies and manufacturing industries.
> Ability to access applications from multiple locations and devices was more highly
valued in retail and government institutions.
1 2 3 4 5 6 7 8 9 10
0%
5%
10%
15%
20%
25% Don’tknow/
NoAnswer
Support for public cloud
Support for private cloud
Importance of Public Cloud vs. Private Cloud on a scale of 1-10
1 being “Not At All Important” and 10 being “Extremely Important”

14
For businesses deploying a large number of cloud-based applications, the most pressing need in
managing access may be consolidating all the different credentials that people have to remember.
Cloud-based Single Sign-On replaces the numerous logins that people have to perform with one
login.
For many businesses, SSO the first step on the path to broader IAM solutions. SSO addresses the
issue of handling the multiple logins and significantly lowers the bar for deployment compared with
a comprehensive IAM solution. A growing number of cloud-based SSO solutions are working with
identity providers to give businesses a growth path into a broader IAM solution.
Single Sign-On Is in Demand
Overall, close to two thirds of the respondents (63 percent) either already have an SSO deployment
or plan to deploy SSO within six months. (Note that many larger businesses may have SSO for on-
premise applications, but not necessarily for cloud-based applications.)
There is little variation across company size, although significant variation among industries.
The industries with the highest current adoption of SSO solutions included computer hardware/
networking (65%), financial services (53%) and healthcare (53%).
Single Sign-On and Cloud-Based Apps
0% 10% 20% 30% 40% 50%
Don’t know
No plans
Plan to test/evaluate in 6 months
Plan to deploy within 6 months
Yes, have SSO
Does your company currently use, or plan to evaluate a
Single Sign-On (SSO) solution?

15
SSO Solutions Are Working
Of those who have deployed SSO solutions, 93 percent were either “very satisfied” or “somewhat
satisfied” with their solutions.
How satisfied is your company with its Single Sign-On (SS0) solution?
Very Satisfied
Somewhat Satisfied
Unsatisfied
No Answer
50%
43%
5%
2%

16
Cloud Applications Appear to be Driving SSO Adoption
When analyzing which companies have deployed SSO solutions, one of the most important
predictors of adoption is how many hosted business applications the company uses. Businesses
that used more than 15 hosted applications were already using SSO at almost twice the rate of
businesses with fewer than 10 hosted applications:
It’s reasonable to extrapolate that as businesses add more hosted (cloud-based) applications to
their portfolio, the urgency for SSO increases. The continued growth of cloud-based business
applications is most likely fueling the additional growth and interest in cloud-based SSO.
0
< 10
11-15
10
20
30
40
50
60
70
> 15
No plansPlan to test/
evaluate in 6
months
Plan to deploy
within 6 months
Yes, have SSO
Adoption of SSO by the number of hosted applications the company supports
Number of hosted
applications

17
SSO Adoption Is Growing
There’s a lot of evaluation and deployment activity going on, with a full 35% of respondents in the
process of deploying, evaluating or testing an SSO solution.
When you look at the industries that are planning to evaluate and test SSO solutions within the next
six months, consumer retail, financial services and government sectors are considering SSO at a
higher rate than other industries.
Percentage of respondents that plan to test and evaluate SSO
within 6 months
0% 5% 10% 15% 20% 25% 30% 35%
Software and IT
Computer hardware/networking
Manufacturing
Healthcare
Government
Financial services
Education and training
Consumer retail

18
The data indicates a large amount of activity in the IAM and SSO market, specifically addressing
the challenges of managing secure access to cloud-based applications. Given the responses from
the survey, one can draw some conclusions about the factors that will influence the overall market
direction.
IAM Is a High Priority Purchase
When asked about how they rated IAM as a purchase priority, nearly a third of the respondents
listed IAM as a top tier priority, while another third considered it second tier.
Within industries, the technology industries (computer hardware and network, software and IT)
gave IAM the highest overall priority, followed by manufacturing:
Security and Trust are the Most Critical Features
When asked to rate the importance of product features as decision criteria in an IAM purchase,
security and trust in the vendor (including the vendor’s support) are the most important features
influencing solution evaluation:
0% 20% 40% 60% 80% 100%
Top Tier (e.g., in the top 3)
Second Tier
Third Tier
Software and IT
Manufacturing
Hardware/networking
All
Not a Priority
Don’t Know
No Answer
Technology industries give IAM the most important purchase priority
Purchase Priority

19
Price and Trust Drive Vendor Selection
Assuming that a cloud-based IAM solution addresses the key issues of security and trust, price
is the most important issue with vendor selection. The next most important features were vendor
support and reputation – again, factors ultimately related to trust.
1 2 3 4 5 6 7 8 9 10
Level of security
Support
Trust in vendor
Non-disruptive integration
Overall ease of use
Centralized management
Cost per user
Decision Criteria Importance
0% 10% 20% 30% 40% 50% 60% 70% 80%
Don’t Know
Free trial
Vendor size (big company vs. start up)
Vendor references and use cases
Vendor reputation
Vendor support of product
Price/licensing model
Factors in Selecting Cloud-Based IAM

20
IAM solutions already have a strong foothold in the financial services industry. A full 58% of the
financial services companies in the survey already had IAM, and another 36% were planning to
deploy or evaluate IAM within the next six months. Only one of the respondents in financial services
had no plans to evaluate or test IAM.
The financial services industry has long been subject to regulations, and is most sensitive to the
issues or challenges around compliance. When asked about the relevant challenges for cloud-
based application access, the financial services respondents called out the challenges related to
compliance – including enforcing password policies, managing (and revoking) application access,
and applying company policies.
When asked to choose a single challenge for managing access, 32% selected regulatory
compliance and audit as their main challenge, compared with 12% of the respondents overall.
Not surprisingly, financial services respondents also rated ‘Reporting’ as an important feature for
managing secure access to cloud-based applications. 53 percent ranked it as very important (9 or
10 on the scale of 10), compared with 36% of the overall respondents.
Industry Focus: Financial Services
0% 10% 20% 30% 40% 50% 60% 70% 80% 90%
Revoking access to users
Assigning access to user
Financial Services Average
Most important IAM challenges for financial services compared to
overall respondents

21
Industry Focus: Manufacturing
Manufacturing companies accounted for more than 10 percent of the respondents. The difference
between their responses and other industries shed some light on what’s happening in the industry.
When it comes to important features for an IAM solution, manufacturing respondents highlighted
the importance of managing access to both public and private cloud applications at a higher rate
than respondents as a whole:
When asked about the challenges of managing secure access to cloud-based applications,
manufacturers gave nearly equal importance to enforcing password policies as preventing security
breaches.
0% 10% 20% 30% 40% 50% 60%
Private Cloud (9 or 10)
Public Cloud (9 or 10)
Manufacturing All respondents

22
The data paints the picture of an industry embracing cloud applications and struggling to handle
the ramifications. [For a discussion of the role of cloud computing in manufacturing, see the article
“Ten Ways Cloud Computing is Revolutionizing Manufacturing,” Louis Columbus, Forbes Online,
May 6 2013.]
Industry Focus: Manufacturing
0% 10% 20% 30% 40% 50% 60% 70% 80% 90%
Admin workload reduction
Control over SaaS apps
Manufacturing Average
Most important IAM challenges for manufacturing compared to
overall respondents

23
Summary
Although IAM as an industry is well established, it’s undergoing significant change with the broad
adoption of cloud computing. As companies deploy more business applications in the cloud, they
face new challenges securing access to those applications.
This is a time of significant market opportunity for organizations deploying IAM and SSO solutions.
The cloud-based delivery model makes IAM or SSO solutions simpler and more affordable to deploy
than traditional solutions in an on-premise environment. This report offers some guidance as to
the features that businesses deem most critical in an IAM deployment.
If you are planning an IAM or SSO deployment, consider the unique factors of your business and
industry as well as the broader trends outlined in this document. For example, do your cloud-
based applications manage regulated data? Do you have a high degree of workforce turnover? Is
your workforce highly mobile? These factors will affect the weight you give the various factors and
features of a solution.
Look for vendors who can meet those needs while earning and maintaining your trust. Factors to
consider include the strength of the technology used, the level of vendor support, and the overall
reputation of the vendor.

24
When asked about how they researched and found information on IAM solutions, recommendations
from IT partners and direct web searches topped the list.
When asked for their single most important source of information, however, some interesting
variations occurred depending on company size. Smaller businesses (less than 1000 employees)
relied most heavily on recommendations from IT partners. The mid-sized businesses (between
1000 and 5000 employees) relied on a range of different sources, including their own web research.
Appendix: Supporting the IAM Purchase
What is your company’s primary source of information on Identity and Access
Management solutions for cloud-based applications?
Recommendations from your IT partners
Analysts
Direct search on the Web
Peers and friends
Through communities
In events
31%
16%
10%
6%
1%
Don’t know
Other
No answer
19%
9%
6%
2%

25
Appendix: Supporting the IAM Purchase
In most organizations, the IT or IT/Security organization is responsible for managing the purchase
process for IAM solutions. However, business units sometimes manage the purchase process.
0 10 20 30 40
IT partners
Analysts
Press
Events
Peers
Communities
Web
Over 5000 1001-5000 101-1000
Don’t know
Primary source of information when evaluating Identity and
Access Management solutions
Company Size
0 10 20 30 40 50 60 70
Don’t know
Functional Groups
CFO or COO
IT/Security
Over 5000 1001-5000 101-1000
Who is responsible for managing the purchase process for
IAM solutions?
Company Size

Growing Cloud Identity Crisis: Survey Report on Cloud-Based Solutions for Identity & Access Management and Single Sign-On

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (14)

Similar to Growing Cloud Identity Crisis: Survey Report on Cloud-Based Solutions for Identity & Access Management and Single Sign-On

Similar to Growing Cloud Identity Crisis: Survey Report on Cloud-Based Solutions for Identity & Access Management and Single Sign-On (20)

Recently uploaded

Recently uploaded (20)

Growing Cloud Identity Crisis: Survey Report on Cloud-Based Solutions for Identity & Access Management and Single Sign-On