Access management is the discipline of ensuring the right people can access the right resources to be productive. Access management tools — which encompass single sign-on (SSO), multifactor authentication (MFA) and authorization — enforce that discipline, acting as the gateway between credentialed end users and the digital resources they need to access. Essential to providing access to employees, consumers, citizens and partners, access management platforms are deployed everywhere, but they often work best when they’re invisible to end users, working behind the scenes to identify users based on their attributes with minimal disruption.

Gartner’s new assessment of the access management landscape, the “2019 Gartner Magic Quadrant for Access Management,” provides an expert update on the market for access management technology and the trends impacting it. This year, Gartner predicted that “by 2022, 60 percent of access management implementations will leverage user and entity behavior analytics (UEBA) capabilities and other controls to provide continuous authentication, authorization and online fraud detection, up from less than 10 percent today.”

Most Access Management Implementations Deliver One-Time Access

The vast majority of access management implementations today deliver initial authentication to a digital resource — a one-time validation of a user’s identity and attributes. This validation happens on the basis of knowledge-based proof actively provided by the user (username/password and some other kind of one-time password) or, more passively, based on information on the user’s geolocation/IP/browser/device. The authentication event occurs once, at the initiation of a user session, and, in some cases, once more when the session times out. But what about what happens after, when a user is logged on?

What if, for instance, a user logs in to a banking application with a known credential and checks their credit card balance (normal), then initiates a large transfer to a new account and routing number (not normal)? Or, in an enterprise setting, what if an employee begins exporting files from a customer relationship management (CRM) program at a high volume during nonbusiness hours? These risky behaviors — where a user begins behaving in a way that signals malicious activity — should flag the access management platform that something could be wrong. At that point, the user should be prompted to provide validation that they really are themselves from an out-of-band verification method.

The Importance of Adaptiveness and Context

Organizations need to differentiate between legitimate and malicious users — not just at login, but throughout their digital journey. Most access management platforms effectively identify users and their attributes at the initial moment of authentication, but can’t intervene within the session to prevent risky access. To intervene effectively, access management platforms need to be able to consume more context about the end user, the normal behavioral patterns of normal end users, the device and more. They also need to be able to prompt a user for reverification during a user session, not just at the beginning of it. That requires extensive integration into the application itself. Continuousness and context are the keys to the future of access management.

This brings us back to the initial statistic from Gartner’s report: the prediction that the majority (60 percent) of access management implementations will incorporate continuous trust analysis by 2022. In 2019, Gartner added more weight to this capability in its evaluation of the 14 vendors included in the report. According to the report, “Gartner’s evaluation of vendors’ products and services in this Magic Quadrant included new considerations about the vendors’ primary ability to provide Access Management (AM) solutions that either offer embedded or integrated identity corroboration capabilities for CARTA (Continuous Adaptive Risk and Trust Assessment).”

IBM Named a Leader in Access Management

IBM was named a Leader in the “2019 Gartner Magic Quadrant for Access Management” for its ability to execute and completeness of vision. IBM’s integrated portfolio for access management evaluated in this year’s report includes software-delivered and software-as-a-service (SaaS)-delivered deployment options. We believe this allows our clients the flexibility to deliver access management in the form factor that best fits their business and combine approaches into a hybrid deployment if needed.

IBM’s platform for access management is infused with deep context. For organizations providing access to applications for employees, we accomplish this through integration with our Unified Endpoint Management (UEM) platform, IBM MaaS360. IBM was also recognized as a Leader in the recently-published “2019 Gartner Magic Quadrant for Unified Endpoint Management Tools” for its product solution. Working together, UEM and access management tools can make access passwordless for employees accessing corporate resources from known devices. When employees try to access resources from unrecognized devices or noncompliant managed devices, access can be blocked or restricted until a second factor of verification is provided. For organizations providing access to consumers or external users, integration with IBM Trusteer incorporates deep user behavior and threat context to help prevent fraudulent activity throughout the customer life cycle. With continuous risk assessment that’s fully integrated into applications — from the initial registration experience to transaction — access management can enforce verification measures based on changes in user behavior within a session. Working together, fraud detection and access management make “adaptive access” a reality.

Surround Access Management With Context

Many vendors offer access management. In a world where context is key, only IBM surrounds access management with the expertise and user/device/threat context required to make smarter decisions about users and their access.

Learn more in the “Gartner Magic Quadrant for Access Management.”

Gartner, Magic Quadrant for Access Management, Michael Kelley, Abhyuday Data, Henrique Teixera, 12 August 2019

Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

More from Identity & Access

CISA, NSA Issue New IAM Best Practice Guidelines

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a new 31-page document outlining best practices for identity and access management (IAM) administrators. As the industry increasingly moves towards cloud and hybrid computing environments, managing the complexities of digital identities can be challenging. Nonetheless, the importance of IAM cannot be overstated in today's world, where data security is more critical than ever. Meanwhile, IAM itself can be a source of vulnerability if not implemented…

4 min read

The Importance of Accessible and Inclusive Cybersecurity

4 min read - As the digital world continues to dominate our personal and work lives, it’s no surprise that cybersecurity has become critical for individuals and organizations. But society is racing toward “digital by default”, which can be a hardship for individuals unable to access digital services. People depend on these digital services for essential online services, including financial, housing, welfare, healthcare and educational services. Inclusive security ensures that such services are as widely accessible as possible and provides digital protections to users…

4 min read

What’s Going On With LastPass, and is it Safe to Use?

4 min read - When it comes to password managers, LastPass has been one of the most prominent players in the market. Since 2008, the company has focused on providing secure and convenient solutions to consumers and businesses. Or so it seemed. LastPass has been in the news recently for all the wrong reasons, with multiple reports of data breaches resulting from failed security measures. To make matters worse, many have viewed LastPass's response to these incidents as less than adequate. The company seemed…

4 min read

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

8 min read - View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

8 min read