The Gartner IAM Program Maturity Model
We scored our respondents' maturity levels on a scale of one to four, with four being the most mature:
- Fragmented identity: IAM controls are either nonexistent or disparate across the environment, potentially opening the organization up to unnecessary risk.
- Unified identity: The organization uses a unified system with a single source of truth for most — if not all — applications.
- Contextual identity: The system uses context indicators, like geographic location and user behavior, to automatically adjust access controls.
- Adaptive identity: The system is highly dynamic and automated, enabling it to respond to new threats quickly without input from human users.
The average maturity score was between two and three, indicating that there's still room to grow for most organizations. Let's explore some of the biggest factors in identity and access management maturity.
Access Management and Authentication
Access management includes the processes and technologies that allow your organization to grant and manage access to all applications and systems within your IT network. It's essential for protecting your resources from unauthorized access, which is why consistency is key.
Incorporating automated technology into access management processes is an excellent tool for applying consistent policies across all your applications. There are a wide range of factors that go into an organization's access management maturity, including authentication methods and access control strategies.
Promising Signs in Identity Management and Administration
Identity access management is a cybersecurity framework for managing what each individual user can access within your network. It's a critical consideration for protecting sensitive data, as it restricts access to certain resources based on each user's need. In our survey, we found that the average IAM maturity score was 2.33 out of four.
Nearly two-thirds (64%) of respondents said their organization had a primary directory that served as their single source of truth for most — if not all — of their internal identities. Identities from other systems could link back to this directory, which provided mostly consistent data across the system.
Although another 24% used the primary directory as their only source of network authority, 12% used various sources of truth for identity information, which caused fragmented data. Without a centralized source of truth, properly managing identities across your organization is difficult at best and near impossible at worst.Back to top
Most Organizations Focus on Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) requires users to provide multiple identifying factors in order to log in. It's significantly more secure than your standard username-password combination, but it has its limitations.
MFA fatigue, for example, is a growing problem. Attackers can steal usernames and passwords, but they can't remotely respond to a push notification on someone else's smartphone. So they spam the victim with notifications until they accidentally grant access to their account. Finding ways to eliminate this problem, such as passwordless security, is going to be crucial in the coming years.
In our survey, we discovered that 95% of organizations have implemented some level of MFA in their environments with varying degrees of standardization. And 11% were able to create a frictionless experience using dynamic, contextual policies that reduce MFA fatigue.Back to top
More Than Half Leverage Privileged Access Management
Privileged access management is a specific IAM approach that grants and revokes elevated access as needed to reduce the risk of data loss. There are many technologies and policies that go into a comprehensive PAM solution, including password vaults and just-in-time approaches.
Our survey found that 56% of organizations store all their shared credentials — such as super-administrative credentials — in an enterprise-wide vault. Organizations in this group also leveraged basic vault integrations such as automated audit and account rotation, which helps keep credentials from being abused. However, these organizations could stand to use more advanced controls.
Only 6% used a Just-In-Time (JIT) approach — granting privileges only when needed — to minimize the risks of standing privilege across their environments. A solution like Bravura Privilege, which enables multiple types of JIT approaches, helps eliminate the need to manually manage privileged account credentials by automating key PAM processes for various use cases.
Role-Based Access Control (RBAC)
RBAC is a technique that restricts user access based on each individual's role within your organization, which is vital for protecting your most sensitive data. The Gartner maturity model survey results reveal that more than half (59%) of respondents already automate basic RBAC workflows, but they still use ad-hoc requests for additional permissions.
In contrast, 5% applied comprehensive RBAC policies to provision access across all identities, including additional ones. These organizations also used an IAM tool to handle exceptional access requests, which applied additional policies and rules for more robust governance. That's where organizations should be aiming moving forward.Back to top
Many Businesses Automate Life Cycle Management
Life cycle management encompasses the complete IAM cycle from user creation and onboarding to final sign-on and offboarding. Automating key life cycle management processes helps streamline your IT environment and reduce risk by handling accounts you may have previously missed.
One of the most striking findings in our IAM and PAM maturity levels survey results was that the majority of respondents were split between:
- Automating basic account creation and fixing issues manually
- Using a centralized IAM tool to automate account creation and manage directories for both internal and external identities
Ideally, an organization should automate these processes using a centralized IAM tool that also manages both unsynchronized Line-Of-Business (LOB) applications. This tool should treat external identities with the same kind of rigor it applies to internal ones, possibly through a vendor management system. Only 2% of our respondents said their organizations were at this level — but it is achievable with the right systems in place.
Most Organizations Are Lagging Behind on Governance
The average governance maturity rating among our respondents was fairly low, at 2.13 out of four. Although 61% of organizations conduct partially automated access reviews on a regular basis, 32% still rely on spreadsheets and outdated tools for manual access review processes.
Our suggestion? Ditch the spreadsheets and implement an automated solution for the most effective protection against hackers.Back to top