August 19, 2019 By Lane Billings

Access management is the discipline of ensuring the right people can access the right resources to be productive. Access management tools — which encompass single sign-on (SSO), multifactor authentication (MFA) and authorization — enforce that discipline, acting as the gateway between credentialed end users and the digital resources they need to access. Essential to providing access to employees, consumers, citizens and partners, access management platforms are deployed everywhere, but they often work best when they’re invisible to end users, working behind the scenes to identify users based on their attributes with minimal disruption.

Gartner’s new assessment of the access management landscape, the “2019 Gartner Magic Quadrant for Access Management,” provides an expert update on the market for access management technology and the trends impacting it. This year, Gartner predicted that “by 2022, 60 percent of access management implementations will leverage user and entity behavior analytics (UEBA) capabilities and other controls to provide continuous authentication, authorization and online fraud detection, up from less than 10 percent today.”

Most Access Management Implementations Deliver One-Time Access

The vast majority of access management implementations today deliver initial authentication to a digital resource — a one-time validation of a user’s identity and attributes. This validation is based either on knowledge-based proof actively provided by the user (username/password and some other kind of one-time password) or, more passively, on information about the user’s geolocation, IP address, browser or device. The authentication event occurs once, at the start of a user session, and, in some cases, once more when the session times out. But what happens afterward, once the user is logged on?

What if, for instance, a user logs in to a banking application with a known credential and checks their credit card balance (normal), then initiates a large transfer to a new account and routing number (not normal)? Or, in an enterprise setting, what if an employee begins exporting files from a customer relationship management (CRM) program at a high volume during nonbusiness hours? These risky behaviors — where a user begins behaving in a way that signals malicious activity — should alert the access management platform that something could be wrong. At that point, the user should be prompted to confirm, through an out-of-band verification method, that they really are who they claim to be.

The Importance of Adaptiveness and Context

Organizations need to differentiate between legitimate and malicious users — not just at login, but throughout their digital journey. Most access management platforms effectively identify users and their attributes at the initial moment of authentication, but can’t intervene within the session to prevent risky access. To intervene effectively, access management platforms need to be able to consume more context about the end user, the normal behavioral patterns of end users, the device and more. They also need to be able to prompt a user for reverification during a user session, not just at the beginning of it. That requires extensive integration into the application itself. Continuousness and context are the keys to the future of access management.
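The in-session reverification described above can be sketched as a per-event risk check. This is an added illustration, not code from the article or from any product it mentions; the thresholds, weights, event fields and account names are all assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Thresholds, weights and event fields are assumptions for illustration only.
LARGE_TRANSFER = 5_000         # currency units
EXPORT_LIMIT = 200             # records exported per session
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time
SIGNAL_WEIGHT = 30             # risk added by each signal that fires
STEP_UP_AT = 50                # score that triggers out-of-band reverification

@dataclass
class Session:
    user: str
    known_payees: set = field(default_factory=set)
    exported: int = 0

def evaluate(session, event):
    """Score one in-session event; return (decision, reasons)."""
    signals = []
    if event["type"] == "transfer":
        signals = [(event["payee"] not in session.known_payees, "new payee"),
                   (event["amount"] >= LARGE_TRANSFER, "large amount")]
    elif event["type"] == "export":
        session.exported += event["records"]
        signals = [(session.exported > EXPORT_LIMIT, "high export volume"),
                   (event["time"].hour not in BUSINESS_HOURS, "off hours")]
    reasons = [why for hit, why in signals if hit]
    score = SIGNAL_WEIGHT * len(reasons)
    return ("step_up" if score >= STEP_UP_AT else "allow"), reasons

def confirm_step_up(session, event):
    """Record a successful out-of-band verification for this event."""
    if event["type"] == "transfer":
        session.known_payees.add(event["payee"])
    elif event["type"] == "export":
        session.exported = 0

def sample_run():
    """Replay constructed events: balance check, then two transfers."""
    s = Session("alice", known_payees={"ACME-UTIL"})
    t = datetime(2019, 8, 19, 10, 0)
    events = [{"type": "balance", "time": t},
              {"type": "transfer", "time": t, "payee": "ACME-UTIL", "amount": 9000},
              {"type": "transfer", "time": t, "payee": "NEW-ACCT", "amount": 9000}]
    decisions = [evaluate(s, e)[0] for e in events]
    confirm_step_up(s, events[2])  # user passed the out-of-band check
    return decisions + [evaluate(s, events[2])[0]]
```

A single signal (a large transfer to a known payee, or an off-hours export of normal size) is allowed; only the combination the article calls "not normal" interrupts the session.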

This brings us back to the initial statistic from Gartner’s report: the prediction that the majority (60 percent) of access management implementations will incorporate continuous trust analysis by 2022. In 2019, Gartner added more weight to this capability in its evaluation of the 14 vendors included in the report. According to the report, “Gartner’s evaluation of vendors’ products and services in this Magic Quadrant included new considerations about the vendors’ primary ability to provide Access Management (AM) solutions that either offer embedded or integrated identity corroboration capabilities for CARTA (Continuous Adaptive Risk and Trust Assessment).”

IBM Named a Leader in Access Management

IBM was named a Leader in the “2019 Gartner Magic Quadrant for Access Management” for its ability to execute and completeness of vision. IBM’s integrated portfolio for access management evaluated in this year’s report includes software-delivered and software-as-a-service (SaaS)-delivered deployment options. We believe this allows our clients the flexibility to deliver access management in the form factor that best fits their business and combine approaches into a hybrid deployment if needed.

IBM’s platform for access management is infused with deep context. For organizations providing access to applications for employees, we accomplish this through integration with our Unified Endpoint Management (UEM) platform, IBM MaaS360. IBM was also recognized as a Leader in the recently published “2019 Gartner Magic Quadrant for Unified Endpoint Management Tools” for its product solution. Working together, UEM and access management tools can make access passwordless for employees accessing corporate resources from known devices. When employees try to access resources from unrecognized devices or noncompliant managed devices, access can be blocked or restricted until a second factor of verification is provided.

For organizations providing access to consumers or external users, integration with IBM Trusteer incorporates deep user behavior and threat context to help prevent fraudulent activity throughout the customer life cycle. With continuous risk assessment that’s fully integrated into applications — from the initial registration experience to transaction — access management can enforce verification measures based on changes in user behavior within a session. Working together, fraud detection and access management make “adaptive access” a reality.

Surround Access Management With Context

Many vendors offer access management. In a world where context is key, only IBM surrounds access management with the expertise and user/device/threat context required to make smarter decisions about users and their access.

Learn more in the “Gartner Magic Quadrant for Access Management.”

Gartner, Magic Quadrant for Access Management, Michael Kelley, Abhyuday Data, Henrique Teixeira, 12 August 2019

Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
