Access management is the discipline of ensuring the right people can access the right resources to be productive. Access management tools — which encompass single sign-on (SSO), multifactor authentication (MFA) and authorization — enforce that discipline, acting as the gateway between credentialed end users and the digital resources they need to access. Essential to providing access to employees, consumers, citizens and partners, access management platforms are deployed everywhere, but they often work best when they’re invisible to end users, working behind the scenes to identify users based on their attributes with minimal disruption.

Gartner’s new assessment of the access management landscape, the “2019 Gartner Magic Quadrant for Access Management,” provides an expert update on the market for access management technology and the trends impacting it. This year, Gartner predicted that “by 2022, 60 percent of access management implementations will leverage user and entity behavior analytics (UEBA) capabilities and other controls to provide continuous authentication, authorization and online fraud detection, up from less than 10 percent today.”

Most Access Management Implementations Deliver One-Time Access

The vast majority of access management implementations today deliver initial authentication to a digital resource — a one-time validation of a user’s identity and attributes. This validation is based either on knowledge-based proof actively provided by the user (username/password and some other kind of one-time password) or, more passively, on information about the user’s geolocation, IP address, browser and device. The authentication event occurs once, at the initiation of a user session, and, in some cases, once more when the session times out. But what happens afterward, while the user is logged on?

What if, for instance, a user logs in to a banking application with a known credential and checks their credit card balance (normal), then initiates a large transfer to a new account and routing number (not normal)? Or, in an enterprise setting, what if an employee begins exporting files from a customer relationship management (CRM) program at a high volume during nonbusiness hours? These risky behaviors — where a user begins behaving in a way that signals malicious activity — should alert the access management platform that something could be wrong. At that point, the user should be prompted to confirm their identity through an out-of-band verification method.

The Importance of Adaptiveness and Context

Organizations need to differentiate between legitimate and malicious users — not just at login, but throughout their digital journey. Most access management platforms effectively identify users and their attributes at the initial moment of authentication, but can’t intervene within the session to prevent risky access. To intervene effectively, access management platforms need to be able to consume more context about the end user, the normal behavioral patterns of end users, the device and more. They also need to be able to prompt a user for reverification during a user session, not just at the beginning of it. That requires extensive integration into the application itself. Continuousness and context are the keys to the future of access management.

This brings us back to the initial statistic from Gartner’s report: the prediction that the majority (60 percent) of access management implementations will incorporate continuous trust analysis by 2022. In 2019, Gartner added more weight to this capability in its evaluation of the 14 vendors included in the report. According to the report, “Gartner’s evaluation of vendors’ products and services in this Magic Quadrant included new considerations about the vendors’ primary ability to provide Access Management (AM) solutions that either offer embedded or integrated identity corroboration capabilities for CARTA (Continuous Adaptive Risk and Trust Assessment).”
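The in-session reverification described above, sketched as an added example (not part of the original article and not IBM's or Gartner's code): each event inside a live session is scored, and two corroborating risk signals trigger an out-of-band step-up. The thresholds, event fields, function names and the two-signal rule are all assumptions made for illustration, and the sample events are constructed to match the banking and CRM scenarios in the text.

```python
from dataclasses import dataclass, field
from datetime import datetime
# Assumed policy values, chosen only for illustration.
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59
EXPORT_LIMIT = 20               # record exports tolerated per session
TRANSFER_LIMIT = 1000.00        # transfers above this to a new payee are risky

@dataclass
class Session:
    user: str
    known_payees: set = field(default_factory=set)
    exports: int = 0

def evaluate(session, event):
    """Return ('allow' | 'step_up', reasons) for one event inside a live session."""
    reasons = []
    hour = datetime.fromisoformat(event["ts"]).hour
    if event["type"] == "transfer":
        if event["payee"] not in session.known_payees:
            reasons.append("new_payee")
            if event["amount"] > TRANSFER_LIMIT:
                reasons.append("large_amount")
    elif event["type"] == "export":
        session.exports += event["count"]
        if session.exports > EXPORT_LIMIT:
            reasons.append("export_volume")
            if hour not in BUSINESS_HOURS:
                reasons.append("off_hours")
    # Require two corroborating signals so that one unusual attribute alone
    # does not interrupt a legitimate user.
    return ("step_up" if len(reasons) >= 2 else "allow"), reasons

def confirm_step_up(session, event):
    """Record a successful out-of-band verification for this event."""
    if event["type"] == "transfer":
        session.known_payees.add(event["payee"])
    elif event["type"] == "export":
        session.exports = 0

# Constructed sample sessions matching the two scenarios in the text.
BANK_EVENTS = [
    {"type": "view_balance", "ts": "2019-09-03T10:02:00"},
    {"type": "transfer", "ts": "2019-09-03T10:04:00", "payee": "acct-NEW", "amount": 9500.0},
]
CRM_EVENTS = [{"type": "export", "ts": f"2019-09-03T23:1{m}:00", "count": 15} for m in (0, 2)]

def replay(session, events):
    """Decision for each event, in order."""
    return [evaluate(session, e)[0] for e in events]
```

Login succeeds in both sessions; the step-up decision comes only from what the user does afterward, which is why the check has to run inside the application rather than at the sign-on page.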

IBM Named a Leader in Access Management

IBM was named a Leader in the “2019 Gartner Magic Quadrant for Access Management” for its ability to execute and completeness of vision. IBM’s integrated portfolio for access management evaluated in this year’s report includes software-delivered and software-as-a-service (SaaS)-delivered deployment options. We believe this allows our clients the flexibility to deliver access management in the form factor that best fits their business and combine approaches into a hybrid deployment if needed.

IBM’s platform for access management is infused with deep context. For organizations providing access to applications for employees, we accomplish this through integration with our Unified Endpoint Management (UEM) platform, IBM MaaS360. IBM was also recognized as a Leader in the recently published “2019 Gartner Magic Quadrant for Unified Endpoint Management Tools” for its product solution. Working together, UEM and access management tools can make access passwordless for employees accessing corporate resources from known devices. When employees try to access resources from unrecognized devices or noncompliant managed devices, access can be blocked or restricted until a second factor of verification is provided. For organizations providing access to consumers or external users, integration with IBM Trusteer incorporates deep user behavior and threat context to help prevent fraudulent activity throughout the customer life cycle. With continuous risk assessment that’s fully integrated into applications — from the initial registration experience to transaction — access management can enforce verification measures based on changes in user behavior within a session. Working together, fraud detection and access management make “adaptive access” a reality.

Surround Access Management With Context

Many vendors offer access management. In a world where context is key, only IBM surrounds access management with the expertise and user/device/threat context required to make smarter decisions about users and their access.

Learn more in the “Gartner Magic Quadrant for Access Management.”

Gartner, Magic Quadrant for Access Management, Michael Kelley, Abhyuday Data, Henrique Teixeira, 12 August 2019

Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
