InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity January 2009
Tech Focus

Access and Authentication Market: Ready to Meet Tomorrow’s Critical Needs?

To secure themselves and the private information of their customers, organizations have made access and authentication management their de facto choice. Advanced and integrated solutions are in demand to ensure authentication of data and secure access. This article takes a closer look at the current and future trends of this market.

“Active security technological developments will gain a lot of momentum which will help building confidence and protecting the consumers”

Rajiv Chadha,
VP, Sales, VeriSign India

Protecting sensitive data in today’s digital networks has become a tough challenge for every kind of organization. A security breach, if serious enough, can cost millions of dollars and bring an organization to its knees financially. Networks have become critical resources in many organizations, providing real-time communications with others and access, through both the Internet and enterprise intranets, to unprecedented levels of information. Eliminating unauthorized access to data is therefore at least a necessity and potentially a business lifesaver. In addition, much of the data available on internal business networks needs to be protected, either because of data privacy regulations or to protect valuable information assets. As such, providing reliable and secure network access has become a key challenge facing today’s Information Technology (IT) organizations.

Today, with increased mobility, a diverse user base, internal threats and regulatory requirements, the security scene has become complex. Network access is no longer limited to a few trusted employees. As users and applications multiply and mobilize, the cost and difficulty of managing security, access and delivery increase exponentially. With the proliferation of the Internet and new e-business practices, there has never been a more critical need for sophisticated technologies and solutions to provide authentication and restricted access. As public and private networks merge and organizations increasingly expand their business to the Internet, the critical need to address authentication issues has been realized.

How Big is The Market?

“Industry is looking today for an integrated solution that addresses identity, authentication and access management in single platform”

Vikas Desai, Lead Technology Consultant, India & SAARC, RSA, The Security Division of EMC

Fast-growing internet penetration has not only created remarkable online business and service opportunities but has also enabled fraudsters to expand their operations beyond national borders. Indian customers have now reached a level where they invest in anti-hacking tools such as firewalls and intrusion detection systems. Authentication, in terms of identity protection and the like, is essential to protect against security attacks.

The identity management services industry is predicted to grow at a CAGR of nearly 5-10% during the period spanning from 2007 to 2011, forecasts “Identity & Access Management Services”, a new research report by RNCOS.

“Authentication solutions must evolve to meet the changing market demands”

Shailendra Sahasrabudhe,
Country Manager – India, Aladdin Knowledge Systems

According to Rajiv Chadha, VP, Sales, VeriSign Services India Pvt. Ltd, data access is an issue for consideration in key markets like banking and finance, telecommunications, pharmaceuticals, manufacturing and hi-tech IT manufacturing companies (software or hardware), where information needs to be secured and accessed only by the right people. More recently, the RBI banking guidelines also called for authentication solutions to be implemented over mobile phones.

“The analysts from IDC and Forrester state that companies are increasingly looking for end-to-end solutions built on a common platform, providing integration, management, reporting and workflow capabilities. As per Forrester, the provisioning elements of IAM suites and products are of most interest to enterprises, as they provide the capability to impose access restrictions on users as they are added to the network, making it easy to identify who they are and what access rights they require. This clearly shows a huge potential market size for access and authentication in India,” said Vikas Desai, Lead Technology Consultant, India & SAARC, RSA, The Security Division of EMC.

“Every citizen of this nation needs to protect his digital identity and authentication is certainly the way to do it”

Sunil Kumar, Country Manager – India, Entrust

Sunil Kumar, Country Manager, India, Entrust, believes that the answer to this can differ depending on the angle you look at it from. In revenue terms it's certainly quite huge, but when we look at the number of people who need authentication, I equate it to the population of the country. Every citizen of this nation needs to protect his digital identity, and authentication is certainly the way to do it. The ePassport Project is a good initiative towards it.

Shailendra Sahasrabudhe, Country Manager, India, Aladdin Knowledge Systems, also believes that increasing security issues, along with the rising number of identity-related fraud cases causing losses of billions of dollars, are expected to push growth in the access management industry worldwide. Identity-proof services will also play a key role in fighting fraud and building online reputation. An increasing number of corporate customers, large and small, are therefore looking for identity and access management solutions to automate the process of managing and securing access to valuable data, ensuring high growth in this industry in the coming years.

“More and more corporates will move out from their legacy security systems or point solutions and have them integrated to their IAM solution”

Kaushik Thakkar, VP Sales & Strategic Alliances, PortWise

Dhruv Singhal, Director, Sales Consulting, Fusion Middleware, Oracle India, said, “IDC confirms the Identity and Access Management (IAM) software market as one of the fastest growing security software markets in Asia Pacific, growing at a compounded annual growth rate (CAGR) of 17% (2008-2012) to reach US$ 524 million by 2012. Spending is expected to continue as organizations turn to IAM solutions to help manage security risk, improve corporate insight, improve productivity, reduce cost and complexity and enforce and simplify the compliance process.”

Commenting on market size, Kaushik Thakkar, VP, Sales and Strategic Alliances, PortWise, said, “We see in the market space that a lot of organizations within BFSI are actively looking for solutions, and also going to tender. So, regardless of the current size, we expect big growth, probably a higher CAGR than the one reported for Asia Pacific.”

Driving Factors

The driving force for the data access and authentication market originates from the regular security threats and increasing data breaches organizations are faced with. This results in security solutions finding better uptake among both enterprises and small businesses.

“A major trend in IAM market is Business-to-Business transaction or identity federation”

Dhruv Singhal, Director – Sales Consulting, Fusion Middleware, Oracle India

Addressing the driving issues, Rajiv Chadha says that some of the key driving forces for data security among Indian enterprises are compliance requirements like PCI, the kind of IP an organization has and the type of business data. Data security and authentication become a priority for an organization depending on how important its data is and on the associated risk.

Expressing similar thoughts, Naresh Shah, MD, IDC & VP, Global Engineering Strategy, Novell, says that security and compliance tend to be the key drivers for this market: ensuring not only that you can control who has access to what, but also that you can report on system usage. Other drivers include reducing cost (help desk, infrastructure) and complexity (deployment and ongoing management).

According to Rana Gupta, Business Head, India & SAARC, SafeNet India Pvt Ltd, it is expected that increasing security issues, along with the rising number of identity-related fraud cases, will push the growth of the identity and access management industry. Apart from this, identity-proof services will play a pivotal role in fighting fraud and building online reputation. It is also expected that large and small corporates will drive this growth to a great extent.

“There is a growing need to centralize authorization decisions for custom developed and SOA-based applications”

Naresh Shah, MD, IDC & VP, Global Engineering Strategy, Novell

Sunil Kumar believes that the key driving forces for the market are phishing, man-in-the-middle attacks, keystroke logging, malicious code sites, man-in-the-browser attacks and the like. These are some of the external factors that determine the market potential. At the enterprise level, on the other hand, access and authentication matter for internal employees, to maintain confidentiality and integrity and to make sure the right people access the right information. According to PortWise, regulatory compliance requirements such as the Sarbanes-Oxley Act (SOX), PCI DSS, the Gramm-Leach-Bliley Act (GLBA) and Basel II, together with risk management, are driving much of the growth in this market. Identity and Access Management (IAM) is critical to ensuring compliance with industry regulations. An organization’s security and compliance efforts depend on understanding who has access to what resources and on managing that access efficiently. Conducting an identity audit from time to time not only secures confidential information but can also significantly reduce audit compliance costs.

Kaushik Thakkar also believes that two-factor authentication (2FA) in an IAM context is the actual driver for many deals. Customers are now more educated and experienced, and understand that rather than point solutions they want strong authentication with 2FA that is part of a larger context and integrated with the business logic. One good example is online banking, where the 2FA mechanism is integrated into the exact function, for example signing off a banking transaction.

“Companies will be looking at having one integrated system that protects the entire infrastructure”

Rana Gupta, Business Head, India & SAARC, SafeNet India Pvt Ltd

Most organizations issue passwords or codes for access to information and data. If organizations replaced all the passwords they use with some form of strong user authentication for data access, they would have considerably more secure information systems. These applications can report all applications and data being used from the database. Companies need to give specific access to each of their employees, as passwords are easy to crack or guess. An enterprise suffers from information overflow, and passwords cannot limit the data being accessed. People have access to information they do not need, and as a result the security of the business is compromised. Because extremely sensitive information is being delivered, it is important to make sure that people prove 'who' they are before accessing the data.

Current Technologies

Sophisticated technologies and solutions are in high demand as growth of e-business has been phenomenal and internet usage has grown exponentially. Today as public and private networks merge and organizations increasingly expand their business to the Internet, the critical need to address e-security has been realized.

There are various approaches that can be used to implement access and authentication management. Stronger authentication and access control can be achieved using factors such as SecurID tokens, digital certificates, biometric sensors and smart cards. Two of the biggest challenges with authentication are user acceptability and cost. For most strong authentication methods, the user has to carry a device with her or remember an utterly complex password or passphrase. Authentication technology has evolved greatly in the past few years. Today we have risk-based authentication, a mechanism built on the concept of risk. It is a dynamic model that allows organizations to decide how to handle activities based on the risk associated with each. Unlike other forms of authentication, these advanced solutions take a dynamic approach and are a lot more granular. They allow organizations to authenticate users invisibly, and to use different authentication mechanisms for different groups of people.

Digital data and communications have become an inseparable aspect of people’s day-to-day lives, holding enormous value for organizations, both for meeting their own business needs and as services they can provide to their customers. As such, businesses have been moving in the direction of increased connectivity, looking for ways to become more efficient and offer better services to their users. The need for data protection has thus taken the spotlight. For organizations looking to secure themselves and the private information of their customers, identity and access management have become the buzzwords of choice.

Authentication technology takes a variety of forms, ranging from verifying account credentials (using, amongst other things, a login name and password) to physical identity verification (using biometrics such as fingerprint scanning) to verifying that the client system from which a user is attempting to connect to a server really is the authorized client system. Multi-factor authentication is a system in which two or more different factors are used to authenticate. Using two factors as opposed to one delivers a higher level of authentication assurance.

For example, a solution from VeriSign offers strong authentication, also called two-factor authentication, that combines something you know (such as a username and password) with something you have (a credential such as a smart card, token, or mobile phone). The VIP Authentication Services provide the validation for "something you have." The consumer’s identity and transaction information stays within the system; only the security code passes anonymously to VeriSign for validation. As a result, the consumer experiences a fast response and a more secure connection. This two-factor authentication option can be added to the consumer network without a costly infrastructure investment.

Organizations increasingly need to ensure that shared information is accessed by authorized users, and to specify which data should and should not be shared with the public. A solution like Fraud Detection Service works behind the scenes to detect anomalies. A rules engine and a self-learning behavior engine process each event to determine risk based on pre-determined parameters including location, device, time, network address, transaction type, and user information. If the risk threshold is exceeded, the system automatically intervenes and requires a higher level of authentication.
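The decision flow just described, as an added Python example (not code from any vendor named in this article): fixed rules plus a small learned per-user profile score each event on location, device, time, network address, transaction type and user history, and a score above the threshold triggers step-up authentication. The weights, threshold, flagged network and sample user are all constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Weights, threshold and the flagged network are constructed for this example.
WEIGHTS = {"new_country": 30, "new_device": 25, "unusual_hour": 10,
           "flagged_network": 40, "amount_above_usual": 20}
TXN_RISK = {"login": 0, "view_balance": 0, "transfer": 15, "add_payee": 25}
FLAGGED_NETWORKS = [ip_network("203.0.113.0/24")]  # documentation range as stand-in
RISK_THRESHOLD = 50


@dataclass
class Event:
    user: str
    country: str      # location
    device_id: str    # device
    hour: int         # time of day, 0-23
    ip: str           # network address
    txn_type: str     # transaction type
    amount: float = 0.0


@dataclass
class Profile:
    """User information learned from events that were accepted."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    max_amount: float = 0.0

    def learn(self, ev: Event) -> None:
        self.countries.add(ev.country)
        self.devices.add(ev.device_id)
        self.hours.add(ev.hour)
        self.max_amount = max(self.max_amount, ev.amount)

    def hour_is_usual(self, hour: int, tolerance: int = 2) -> bool:
        # Circular distance, so 23:00 and 01:00 count as two hours apart.
        return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance
                   for h in self.hours)


def score(ev: Event, profile: Profile):
    """Return (risk score, names of the rules that fired)."""
    fired = []
    if ev.country not in profile.countries:
        fired.append("new_country")
    if ev.device_id not in profile.devices:
        fired.append("new_device")
    if not profile.hour_is_usual(ev.hour):
        fired.append("unusual_hour")
    if any(ip_address(ev.ip) in net for net in FLAGGED_NETWORKS):
        fired.append("flagged_network")
    if ev.amount > 0 and ev.amount > 2 * profile.max_amount:
        fired.append("amount_above_usual")
    # Unknown transaction types get the highest base risk.
    total = sum(WEIGHTS[r] for r in fired) + TXN_RISK.get(ev.txn_type, 25)
    return total, fired


def decide(ev: Event, profile: Profile, step_up_passed: bool = False) -> str:
    """Allow silently at or below the threshold; otherwise demand stronger auth."""
    total, _ = score(ev, profile)
    if total > RISK_THRESHOLD and not step_up_passed:
        return "step_up"
    profile.learn(ev)  # only accepted events update the behaviour profile
    return "allow"


def demo():
    """Constructed history and two events for one hypothetical user."""
    profile = Profile()
    for hour, amount in [(9, 0.0), (10, 5000.0), (20, 1200.0)]:
        profile.learn(Event("asha", "IN", "dev-1", hour, "198.51.100.7",
                            "transfer", amount))
    routine = Event("asha", "IN", "dev-1", 11, "198.51.100.7", "view_balance")
    odd = Event("asha", "IN", "dev-2", 3, "198.51.100.7", "transfer", 90000.0)
    return decide(routine, profile), decide(odd, profile), score(odd, profile)
```

Because the profile learns only from accepted events, a rejected attempt from an unknown device does not make that device look familiar on the next try.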

A solution like Adaptive Authentication, likewise, is a comprehensive authentication and fraud detection platform that monitors and authenticates customer activity based on risk levels, institutional policies, and customer segmentation. Adaptive Authentication is powered by risk-based authentication, an intelligent system that authenticates all users behind the scenes by measuring a series of risk indicators. This transparent authentication provides a superior user experience, as customers are challenged only in the highest-risk scenarios. Point solutions focus on specific areas, leading to fragmented and redundant security processes and systems. That would be a complex and costly approach for any organization, particularly in the face of increasing compliance requirements.

According to PortWise, a holistic IAM (Identity and Access Management) approach would be a software suite with a comprehensive set of solutions that enables an organization to effectively manage user identities and control their access across enterprise resources. With centralized management of all user identities and their access rights, an organization's policy management is less error-prone and costs are significantly reduced. The right solution reduces security administration, helps organizations better secure their online applications, delivers a positive online user experience, improves overall workforce productivity and contributes to improved business results.

VIP Authentication Services: Trusted and Convenient Log-In and Transactions

As consumers store information and transact business online, they demand both easy and secure access from the companies they trust with their finances, health care, entertainment, and more. VeriSign® Identity Protection (VIP) Authentication Services enable strong authentication (two-factor authentication) with the most recognized trust brand on the Internet.

How VIP Authentication Services Works
Strong authentication, also called two-factor authentication, combines something you know (such as a username and password) with something you have (a credential such as a smart card, token, or mobile phone). VIP Authentication Services provides the validation for “something you have.”

The consumer’s identity and transaction information stays within the company’s system; only the security code passes anonymously to VeriSign for validation. The consumer experiences a fast response and a more secure connection. Organisations can add a two-factor authentication option to their consumer network without a costly infrastructure investment.

Easy to Use
VeriSign realizes that consumers have different behaviors and preferences when it comes to their individual online experiences. VIP Authentication Services supports a range of OATH-compliant credential form factors. Choose from credit card sized credentials, tokens, even mobile phone credentials to provide the most convenient, cost-effective option for your consumers.
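The split described under "How VIP Authentication Services Works", as an added Python sketch that is not VeriSign's code or API: the relying party checks the password locally and forwards only a credential ID and security code to a separate validation service. It assumes an event-based OATH credential (HOTP, RFC 4226); the class names, credential ID and look-ahead window are hypothetical.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class ValidationService:
    """Hypothetical shared validator: knows credentials, never users or passwords."""

    def __init__(self, window: int = 3):
        self.window = window      # how far ahead of the stored counter to look
        self.creds = {}           # credential_id -> [secret, next_counter]
        self.received = []        # everything the service was ever sent

    def register(self, credential_id: str, secret: bytes) -> None:
        self.creds[credential_id] = [secret, 0]

    def validate(self, credential_id: str, code: str) -> bool:
        self.received.append((credential_id, code))
        entry = self.creds.get(credential_id)
        if entry is None:
            return False
        secret, counter = entry
        for c in range(counter, counter + self.window + 1):
            if hmac.compare_digest(hotp(secret, c).encode(), code.encode()):
                entry[1] = c + 1  # move past the used code, so a replay fails
                return True
        return False


class RelyingParty:
    """Hypothetical site: keeps identity and password data in its own system."""

    def __init__(self, service: ValidationService):
        self.service = service
        self.users = {}           # username -> (salt, password hash, credential_id)

    def enroll(self, username: str, password: str, credential_id: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, digest, credential_id)

    def login(self, username: str, password: str, code: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        salt, digest, credential_id = user
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        # Something you know is checked first, locally; a wrong password
        # never reaches the validation service or advances the counter.
        if not hmac.compare_digest(candidate, digest):
            return False
        # Something you have: only the credential ID and code leave the site.
        return self.service.validate(credential_id, code)
```

The look-ahead window tolerates a token whose button was pressed without logging in, while advancing the stored counter on success means a captured code cannot be replayed.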

The VIP Network Effect
Instead of using a different credential for each online account, consumers can carry one credential for secure access to any Web site that displays the VIP logo.

Any Major Shift in Technology or Approach in Future?

The Indian market for authentication has matured, and authentication is playing an important role. Awareness has grown and people are investing in these solutions, especially in key markets like banking and finance, telecommunications, pharmaceuticals, manufacturing and hi-tech IT manufacturing companies (software or hardware), where information needs to be secured and accessed only by the right people.

Shailendra Sahasrabudhe believes that as market sophistication and experience with strong authentication increases, authentication solutions must evolve to meet the changing market demands. Organizations, facing increasingly complex business and IT scenarios, are demanding broad and open solutions that enable them to incorporate many capabilities using a single system and comply with regulations. At the same time, they are looking for solutions that are easy to implement and use, ensuring user acceptance and maximizing return on their investment.

RSA indicates that access and authentication are moving from point solutions to enterprise-wide solutions, becoming more holistic through comprehensive strategies. There is a shift in how Chief Information Security Officers and top management view corporate information security risks. They are looking for an integrated solution that addresses identity, authentication and access management, and they are reviewing their comprehensive information risk strategy.

With the global digital economy on the rise, consumers are moving online and fraud is following the same path. Consumers are taking notice and are demanding protection in the digital economy. Companies will start turning “security” into revenue by leveraging trust and security in their brands. From a technology perspective, they will adopt a more “balanced management” approach and, based on risk, cost and user interaction, will adopt the optimum level of security, enabling a “layered” security approach in organizations.

According to Rajiv Chadha, organizations are witnessing a shift in security adoption: from security solutions adopted in response to a breach to more proactive adoption that counters the possibility of a breach. Security must be seen to enhance, not inhibit, the online customer experience. While “passive” security has played an important role in the past, it is “active” security technological developments that will gain a lot of momentum, helping to build confidence and protect consumers.

Naresh Shah, on the other hand, feels that while access management technologies will continue to be a requirement for web servers and portals, there is a growing need to centralize authorization decisions for custom-developed and SOA-based applications, essentially the ability to configure entitlements rather than code (and recode) them into each application. This provides finer-grained authorization than typical access management solutions can, and is viewed as entitlement management. Addressing this question, Sunil Kumar says that a great need is emerging for a common authentication platform that can support different authenticators, so that customers have the flexibility to choose the right kind of authenticator depending on the risk involved and the stakeholders.

Where is This Heading?

Whatever means an organization uses to meet its security needs, the reality of our digital world means strong authentication, in its variety of forms, is here to stay. The solutions will evolve, and the implementations may change. Success will require keeping a finger on the pulse of the end user or consumer, and continual adaptability from both the organizations seeking to protect their assets and the security developers looking to provide them with a solution.

Aladdin states that, in the quest for efficiency and effectiveness, organizations are looking for a complete solution in a single system rather than implementing and combining multiple systems. They seek integrated solutions that provide a mix of authentication devices, applications, and management tools to meet their current and perceived future needs, and that fit well into existing IT infrastructures.

According to PortWise, over the coming years buying behavior will shift from point products to identity suites and, to a lesser extent, from products to managed services. Meanwhile, vendors will break products down into Service-Oriented Architecture (SOA)-enabled functions, repackaged in the form of identity-as-a-service (IDaaS).

Organizations increasingly need to ensure that shared information is accessed by authorized users, and to specify which data should and should not be shared with the public. Transaction monitoring evaluates transactions to help detect and prevent fraud. It can help defend consumers and help organizations manage the risk associated with online services. Solutions like EVSSL certificates, which authenticate websites for online transactions, are already in high demand and will continue to play a significant role in future. These certificates require a more extensive investigation of the website requesting them and follow stricter guidelines. If a website has an EVSSL certificate, the browser will glow green, indicating it’s a safe and secure site. The green browser bar will also display both the name of the verified organization and the SSL provider, allowing users to confirm the genuine name of the business with which they are interacting.

Talking about the future of the Indian market, Vikas Desai comments that the market is at a nascent stage, but banks, telecom and IT/ITeS companies are looking at authentication in a big way. The drivers for these solutions are also strong, and this gives a clear indication of a strong potential market.

On a note of caution, Naresh Shah pointed out that there appears to be a growing demand for increased modularization of access management services, providing separate but integrated services that enable authentication and authorization, although the customers looking for these capabilities tend to have large numbers of custom-developed applications that require tighter controls with increased inspection for compliance activities.

He believes that access management technologies will continue to be essential to help increase security and reduce costs, but his company is leading the charge to provide tighter integration with Identity Management and Security Event monitoring, to ensure that access control and provisioning decisions can be automated based on administrator-defined policy, as well as automatically react to threats identified by the event monitoring service. Essentially, this extends compliance activities beyond periodic checks to continuous validation.

In a similar vein, Rana Gupta says that the ever-growing security needs of enterprises and corporates are forcing companies to raise their security budgets. Companies will be looking at having one integrated system that protects the entire infrastructure. Apart from this, the increase in the use of identity and web-based services will drive demand for security products that efficiently protect user administration, authorization, and authentication.

But Sunil Kumar strongly believes that the market will certainly move towards a risk-based authentication approach. Traditional approaches like tokens and smart cards are not the only way to meet every authentication requirement. They are good, but challenges like the high cost of production, maintenance and distribution will always play on customers' minds. Consumers will start looking at options where appropriate authenticators are selected based on the risk involved, deployment time, scalability and value for money.

Conclusion

The industry strongly believes in the untapped potential of the access and authentication solutions market, and has expressed its trust in the growing momentum of user demand for advanced solutions that protect sensitive business and organizational data. At the same time, vendors have shown their commitment through relentless efforts to bring out innovative solutions. At the end of the day, we can expect a very promising and sensible market.

—By: 'InfoSecurity' magazine.

