August 19, 2019 By Lane Billings

Access management is the discipline of ensuring the right people can access the right resources to be productive. Access management tools — which encompass single sign-on (SSO), multifactor authentication (MFA) and authorization — enforce that discipline, acting as the gateway between credentialed end users and the digital resources they need to access. Essential to providing access to employees, consumers, citizens and partners, access management platforms are deployed everywhere, but they often work best when they’re invisible to end users, working behind the scenes to identify users based on their attributes with minimal disruption.

Gartner’s new assessment of the access management landscape, the “2019 Gartner Magic Quadrant for Access Management,” provides an expert update on the market for access management technology and the trends impacting it. This year, Gartner predicted that “by 2022, 60 percent of access management implementations will leverage user and entity behavior analytics (UEBA) capabilities and other controls to provide continuous authentication, authorization and online fraud detection, up from less than 10 percent today.”

Most Access Management Implementations Deliver One-Time Access

The vast majority of access management implementations today deliver initial authentication to a digital resource — a one-time validation of a user’s identity and attributes. This validation happens on the basis of knowledge-based proof actively provided by the user (username/password and some other kind of one-time password) or, more passively, based on information on the user’s geolocation/IP/browser/device. The authentication event occurs once, at the initiation of a user session, and, in some cases, once more when the session times out. But what happens afterward, while the user is logged on?

What if, for instance, a user logs in to a banking application with a known credential and checks their credit card balance (normal), then initiates a large transfer to a new account and routing number (not normal)? Or, in an enterprise setting, what if an employee begins exporting files from a customer relationship management (CRM) program at a high volume during nonbusiness hours? These risky behaviors — where a user begins behaving in a way that signals malicious activity — should alert the access management platform that something could be wrong. At that point, the user should be prompted to confirm their identity through an out-of-band verification method.

The Importance of Adaptiveness and Context

Organizations need to differentiate between legitimate and malicious users — not just at login, but throughout their digital journey. Most access management platforms effectively identify users and their attributes at the initial moment of authentication, but can’t intervene within the session to prevent risky access. To intervene effectively, access management platforms need to be able to consume more context about the end user, the normal behavioral patterns of end users, the device and more. They also need to be able to prompt a user for reverification during a user session, not just at the beginning of it. That requires extensive integration into the application itself. Continuousness and context are the keys to the future of access management.

This brings us back to the initial statistic from Gartner’s report: the prediction that the majority (60 percent) of access management implementations will incorporate continuous trust analysis by 2022. In 2019, Gartner added more weight to this capability in its evaluation of the 14 vendors included in the report. According to the report, “Gartner’s evaluation of vendors’ products and services in this Magic Quadrant included new considerations about the vendors’ primary ability to provide Access Management (AM) solutions that either offer embedded or integrated identity corroboration capabilities for CARTA (Continuous Adaptive Risk and Trust Assessment).”

IBM Named a Leader in Access Management

IBM was named a Leader in the “2019 Gartner Magic Quadrant for Access Management” for its ability to execute and completeness of vision. IBM’s integrated portfolio for access management evaluated in this year’s report includes software-delivered and software-as-a-service (SaaS)-delivered deployment options. We believe this allows our clients the flexibility to deliver access management in the form factor that best fits their business and combine approaches into a hybrid deployment if needed.

IBM’s platform for access management is infused with deep context. For organizations providing access to applications for employees, we accomplish this through integration with our Unified Endpoint Management (UEM) platform, IBM MaaS360. IBM was also recognized as a Leader in the recently published “2019 Gartner Magic Quadrant for Unified Endpoint Management Tools” for its product solution. Working together, UEM and access management tools can make access passwordless for employees accessing corporate resources from known devices. When employees try to access resources from unrecognized devices or noncompliant managed devices, access can be blocked or restricted until a second factor of verification is provided. For organizations providing access to consumers or external users, integration with IBM Trusteer incorporates deep user behavior and threat context to help prevent fraudulent activity throughout the customer life cycle. With continuous risk assessment that’s fully integrated into applications — from the initial registration experience to transaction — access management can enforce verification measures based on changes in user behavior within a session. Working together, fraud detection and access management make “adaptive access” a reality.

Surround Access Management With Context

Many vendors offer access management. In a world where context is key, only IBM surrounds access management with the expertise and user/device/threat context required to make smarter decisions about users and their access.

Learn more in the “Gartner Magic Quadrant for Access Management.”

Gartner, Magic Quadrant for Access Management, Michael Kelley, Abhyuday Data, Henrique Teixeira, 12 August 2019

Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
