August 19, 2019 By Lane Billings

Access management is the discipline of ensuring the right people can access the right resources to be productive. Access management tools — which encompass single sign-on (SSO), multifactor authentication (MFA) and authorization — enforce that discipline, acting as the gateway between credentialed end users and the digital resources they need to access. Essential to providing access to employees, consumers, citizens and partners, access management platforms are deployed everywhere, but they often work best when they’re invisible to end users, working behind the scenes to identify users based on their attributes with minimal disruption.

Gartner’s new assessment of the access management landscape, the “2019 Gartner Magic Quadrant for Access Management,” provides an expert update on the market for access management technology and the trends impacting it. This year, Gartner predicted that “by 2022, 60 percent of access management implementations will leverage user and entity behavior analytics (UEBA) capabilities and other controls to provide continuous authentication, authorization and online fraud detection, up from less than 10 percent today.”

Most Access Management Implementations Deliver One-Time Access

The vast majority of access management implementations today deliver initial authentication to a digital resource — a one-time validation of a user’s identity and attributes. This validation happens on the basis of knowledge-based proof actively provided by the user (username/password and some other kind of one-time password) or, more passively, based on information on the user’s geolocation/IP/browser/device. The authentication event occurs once, at the initiation of a user session, and, in some cases, once more when the session times out. But what about what happens after, when a user is logged on?

What if, for instance, a user logs in to a banking application with a known credential and checks their credit card balance (normal), then initiates a large transfer to a new account and routing number (not normal)? Or, in an enterprise setting, what if an employee begins exporting files from a customer relationship management (CRM) program at a high volume during nonbusiness hours? These risky behaviors — where a user begins behaving in a way that signals malicious activity — should alert the access management platform that something could be wrong. At that point, the user should be prompted to confirm, through an out-of-band verification method, that they really are who they claim to be.
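The two scenarios above can be expressed as an in-session policy check. The sketch below is an added example, not code from IBM or Gartner: the `Session` fields, event shapes and every threshold are hypothetical assumptions, and the replayed session is constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# All thresholds below are assumed values for illustration, not vendor defaults.
STEP_UP_TTL = timedelta(minutes=5)     # how long a completed step-up stays fresh
EXPORT_WINDOW = timedelta(minutes=10)  # sliding window for export volume
EXPORT_LIMIT = 50                      # records per window tolerated off-hours
LARGE_TRANSFER = 1000.0                # amount that makes a new-payee transfer risky
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time

@dataclass
class Session:
    user: str
    known_payees: set
    last_step_up: Optional[datetime] = None
    exports: list = field(default_factory=list)  # (timestamp, record_count)

def evaluate(session, event):
    """Return ("ALLOW" | "STEP_UP", reasons) for one in-session event."""
    now, reasons = event["ts"], []
    if event["type"] == "transfer":
        if event["payee"] not in session.known_payees and event["amount"] >= LARGE_TRANSFER:
            reasons.append("large transfer to new payee")
    elif event["type"] == "export":
        session.exports.append((now, event["records"]))
        session.exports = [(t, n) for t, n in session.exports if now - t <= EXPORT_WINDOW]
        volume = sum(n for _, n in session.exports)
        if now.hour not in BUSINESS_HOURS and volume > EXPORT_LIMIT:
            reasons.append(f"{volume} records exported outside business hours")
    fresh = session.last_step_up is not None and now - session.last_step_up <= STEP_UP_TTL
    return ("STEP_UP" if reasons and not fresh else "ALLOW"), reasons

def demo():
    """Replay a constructed session; return the decision for each event."""
    t0 = datetime(2019, 8, 19, 22, 0)  # 22:00, outside assumed business hours
    s = Session("alice", known_payees={"ACME-UTIL"})
    transfer = {"type": "transfer", "payee": "NEW-ACCT", "amount": 5000.0}
    out = [evaluate(s, {"type": "view", "ts": t0})[0],                  # balance check
           evaluate(s, {**transfer, "ts": t0 + timedelta(minutes=1)})[0]]
    s.last_step_up = t0 + timedelta(minutes=1)   # out-of-band check succeeded
    out.append(evaluate(s, {**transfer, "ts": t0 + timedelta(minutes=2)})[0])
    for m in (3, 10):                            # two 30-record exports
        ev = {"type": "export", "records": 30, "ts": t0 + timedelta(minutes=m)}
        out.append(evaluate(s, ev)[0])
    return out

if __name__ == "__main__":
    print(demo())
```

The last export triggers a second step-up because the earlier verification has aged past the assumed freshness window, which is the difference between one-time and continuous evaluation.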

The Importance of Adaptiveness and Context

Organizations need to differentiate between legitimate and malicious users — not just at login, but throughout their digital journey. Most access management platforms effectively identify users and their attributes at the initial moment of authentication, but can’t intervene within the session to prevent risky access. To intervene effectively, access management platforms need to be able to consume more context about the end user, the typical behavioral patterns of end users, the device and more. They also need to be able to prompt a user for reverification during a user session, not just at the beginning of it. That requires extensive integration into the application itself. Continuity and context are the keys to the future of access management.

This brings us back to the initial statistic from Gartner’s report: the prediction that the majority (60 percent) of access management implementations will incorporate continuous trust analysis by 2022. In 2019, Gartner added more weight to this capability in its evaluation of the 14 vendors included in the report. According to the report, “Gartner’s evaluation of vendors’ products and services in this Magic Quadrant included new considerations about the vendors’ primary ability to provide Access Management (AM) solutions that either offer embedded or integrated identity corroboration capabilities for CARTA (Continuous Adaptive Risk and Trust Assessment).”

IBM Named a Leader in Access Management

IBM was named a Leader in the “2019 Gartner Magic Quadrant for Access Management” for its ability to execute and completeness of vision. IBM’s integrated portfolio for access management evaluated in this year’s report includes software-delivered and software-as-a-service (SaaS)-delivered deployment options. We believe this allows our clients the flexibility to deliver access management in the form factor that best fits their business and combine approaches into a hybrid deployment if needed.

IBM’s platform for access management is infused with deep context. For organizations providing access to applications for employees, we accomplish this through integration with our Unified Endpoint Management (UEM) platform, IBM MaaS360. IBM was also recognized as a Leader in the recently published “2019 Gartner Magic Quadrant for Unified Endpoint Management Tools” for its product solution. Working together, UEM and access management tools can make access passwordless for employees accessing corporate resources from known devices. When employees try to access resources from unrecognized devices or noncompliant managed devices, access can be blocked or restricted until a second factor of verification is provided.

For organizations providing access to consumers or external users, integration with IBM Trusteer incorporates deep user behavior and threat context to help prevent fraudulent activity throughout the customer life cycle. With continuous risk assessment that’s fully integrated into applications — from the initial registration experience to transaction — access management can enforce verification measures based on changes in user behavior within a session. Working together, fraud detection and access management make “adaptive access” a reality.

Surround Access Management With Context

Many vendors offer access management. In a world where context is key, only IBM surrounds access management with the expertise and user/device/threat context required to make smarter decisions about users and their access.

Learn more in the “Gartner Magic Quadrant for Access Management.”

Gartner, Magic Quadrant for Access Management, Michael Kelley, Abhyuday Data, Henrique Teixeira, 12 August 2019

Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
