Identity and access management (IAM) will undergo a series of key changes over the next few years, particularly around the development of smartcard authentication, identity-aware networks, hosted IAM and out-of-band authentication.
The predictions were made by analyst firm Gartner ahead of its Identity & Access Management Summit 2009 in London on 23 to 24 March.
"There is a continuing need in this time of economic uncertainty and budgetary constraint for cost-effective, risk-appropriate IAM methods," said Ant Allan, research vice president at Gartner.
"This includes growing demand for identity-aware networking, host-based and service-based IAM offerings, and the search for protection from increasingly effective malware attacks against consumer accounts."
Although hosted IAM and IAM-as-a-service are relatively unheard of today, the research predicts that they will account for 20 per cent of IAM revenues by 2011, as the platform moves from software-centric delivery models to composite services models.
Driving this evolution is the potential to reduce the costs of implementation and use, and prepare for a more mature production-centric approach to delivering IAM as a service, thereby allowing customers to focus technical planning and delivery on less mature feature sets, such as access and intelligence.
However, Gartner warns that organisations looking at IAM-as-a-service should take a gentle approach, extending existing systems rather than significantly upgrading in a single sweep.
While hosted or managed IAM is set to rise, a fifth of smartcard authentication projects are expected to be abandoned, and 30 per cent scaled back in favour of lower-cost and lower-assurance authentication methods.
Although smartcards are generally regarded as a very secure and effective method of authentication, managing the cards and the associated desktop infrastructure is relatively expensive.
In the current economic environment, this cost may be seen as prohibitive, prompting companies to consider cheaper alternatives based on risk, end-user needs and total cost of ownership.
For large enterprises, the trend over the next few years will be towards the creation of "identity aware" corporate networks, according to Gartner, which will control access to some resources via user-based policies.
Rather than just verifying a user's identity at sign-on and then leaving them free to use the network anonymously, identity-aware networks can monitor and audit user behaviour and enforce access based on a user's identity, blocking access to resources that the user is not authorised to use. This can enhance security and support regulatory compliance in those markets that require it.
When it comes to high-risk transactions, by next year approximately 15 per cent of global organisations storing or processing sensitive customer data will use two separate networks in parallel to authenticate a user, an approach known as out-of-band authentication for high-risk transactions.
Cyber attacks are becoming increasingly sophisticated and insidious, and current security measures employed by financial institutions and other service providers are becoming obsolete. As a result, organisations are turning to out-of-band user authentication and transaction verification for high-risk customer transactions.
To help keep costs down, Gartner reckons that most global businesses that implement out-of-band authentication and transaction verification will use customer-owned landline and mobile phones as the 'something you hold' factor.
For this to work effectively, users must understand and trust out-of-band calls or text messages delivered to their phones, and service providers must ensure that they have reliable working phone numbers for their customers.
However, Gartner warns that the growth of mobile-based Trojans and malware may render out-of-band authentication methods that use smartphones insecure and ineffective.
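The following is an added illustration, not code from the article or from Gartner, of the transaction verification step described above: the server derives a one-time code from the exact payment details, delivers it with those details over a second channel (simulated here), and only executes a transaction whose details match the code the customer entered. The customer identifier and phone number are constructed placeholders, and the HMAC-based design is an assumption chosen to show why binding the code to the transaction matters.

```python
import hmac
import hashlib
import secrets
import time

# Constructed sample data: a customer's registered phone number (placeholder)
REGISTERED_PHONES = {"cust-001": "+44-0000-000000"}


class OutOfBandVerifier:
    """Issues and checks one-time codes for high-risk transactions.
    The code is an HMAC over the transaction details under a per-transaction
    nonce, so a code delivered out of band confirms only that exact payment
    (hypothetical design for illustration)."""

    def __init__(self, ttl_seconds=120):
        self.ttl = ttl_seconds
        self.pending = {}  # txn_id -> (nonce, customer_id, expiry)

    def _code(self, nonce, customer_id, txn_id, payee, amount):
        msg = "|".join((customer_id, txn_id, payee, amount)).encode()
        digest = hmac.new(nonce, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def issue(self, customer_id, txn_id, payee, amount, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)
        self.pending[txn_id] = (nonce, customer_id, now + self.ttl)
        code = self._code(nonce, customer_id, txn_id, payee, amount)
        # Second channel: a real system sends an SMS or voice call; the message
        # repeats payee and amount so the customer can spot a tampered request.
        sms = f"Confirm payment of {amount} to {payee}? Code: {code}"
        return REGISTERED_PHONES[customer_id], sms, code

    def verify(self, txn_id, payee, amount, submitted_code, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(txn_id)
        if entry is None:
            return False
        nonce, customer_id, expiry = entry
        if now > expiry:
            del self.pending[txn_id]
            return False
        # Recompute against the details the server is about to execute: if
        # payee or amount were altered on the primary channel, the code fails.
        expected = self._code(nonce, customer_id, txn_id, payee, amount)
        ok = hmac.compare_digest(expected, submitted_code)
        if ok:
            del self.pending[txn_id]  # codes are single use
        return ok
```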
"Organisations that need to safeguard customer accounts should implement a three-pronged security strategy that includes risk-appropriate user authentication, fraud detection, and transaction verification for high-risk transactions," concluded Allan.