Requirements for an analyst company

News & Events

06/26/2012 - Press release, Corporate

  • Role-based authorization concepts are only being planned or implemented in almost 44% of companies
  • Separation of duties (Segregation of Duties - SoDs) with technical systems for permanent control are still comparatively little in use
  • Less than 12% of companies perform full and regular recertification of access permissions

Berlin, June 26, 2012 -The European analyst company KuppingerCole has the topic Identity Access Management (IAM)1 and Identity Access Governance (IAG)2 investigated in the financial industry in a joint study with Beta Systems Software AG. IAM / IAG solution expert Beta Systems is regarded as an expert in the financial industry due to its many years of experience and its broad customer base. KuppingerCole conducted the survey on the status of IAM and IAG in the financial industry in Germany and Switzerland between November 2011 and January 2012. The starting point of the study is the inventory of the previous implementation of IAM and IAG in companies in the financial sector.

“This is not primarily about the introduction of technologies. The technologies help to efficiently implement the requirements. From this point of view, they are also indispensable, as is shown, for example, by the high workload for the manual fulfillment of audit requirements at many companies. In addition, the traceability of activities is increased and the number of errors is reduced, ”explains Martin Kuppinger from KuppingerCole. "Nevertheless, the basic requirement for IAM and IAG is that the organizational responsibilities and structures, the regulations and detailed guidelines and processes are defined."

The study looks at several aspects of this topic and examines the fundamental question of which measures and concepts have been implemented in the area of ​​access protection for information.

In general, access to data is only possible after authentication and controlled via access authorizations. Two thirds of the companies surveyed are already fully implementing this. A further 29% of the companies state that they have partially implemented this function, with the exceptions in most cases being data with low sensitivity that should generally be openly accessible. However, this does not mean that the solutions used today always work in the required manner. This does not answer the question of whether exactly the required authorizations were granted in accordance with the minimum or appropriateness principle.

This can also be seen from the fact that almost 44% of companies are only just planning or implementing role-based authorization concepts that have established themselves as the standard for assigning authorizations.

The values ​​for the implementation of segregation of duties (SoD) and regular recertifications clearly show that a significant number of companies in the financial industry do not currently have an optimal status with regard to handling access authorizations. Currently, only around 12% of companies, i.e. not even every eighth company, implement full and regular recertification of access authorizations. After all, a little more than 40% do this at least partially and regularly, typically with a focus on particularly sensitive systems. On the other hand, a good 11% of companies are not even in the planning or implementation phase for such a recertification solution.

“It is surprising that 60% of the companies have only partially or not at all technically implemented rules for the separation of functions. In view of the fact that this is explicitly required, for example, as a consequence of MaRisk (minimum requirements for risk management), we believe that manual measures are not sufficient, ”comments Martin Kuppinger. "Only a very small number of companies have already done their homework here completely."
Another question applies to the regulations that exist for IAM and IAG in companies. The study looks at four categories of regulations.

While the majority of companies - at least almost 91% - have a central IT security guideline for all areas of IT, the values ​​for special guidelines in the IAM / IAG area are around 50% each. This is questionable insofar as general IT security guidelines are usually not sufficiently specific for the requirements in the area of ​​user and access management. In addition, Segregation of Duties (SoDs) are only touched upon there, if at all. Complete guidelines in this area are essential, but can only be found in 54% of participating companies.

"The results clearly show that there is still a clear need for action on the technical level - think of the implementation of recertification or the separation of functions - but also with the underlying organizational requirements and guidelines," explains Martin Kuppinger. "It is strongly recommended to close the existing gaps and to define the corresponding regulations for IAM / IAG as a whole as well as additional, in-depth guidelines for recertification and the separation of functions, as well as a description of the processes and organizational responsibilities."

The entire study with further results and information on the methodology of the study is available for free download on the Internet at:

1) IAM stands for Identity and Access Management and describes the technologies with which the identities of users and their access rights are managed.
Identity and Access Governance (IAG) looks at governance around identities (for example, orphaned accounts of users who have long since left the company) and access permissions. The point here is to ensure that users have minimal or adequate permissions, but no permissions beyond what they reasonably need in their work. The analysis of access authorizations and regular recertification through manual review processes are essential functions of identity and access governance.

End of communication

KuppingerCole, founded in 2004, is a leading European analyst company for all topics to do with identity and access management, GRC (governance, risk management, compliance) and cloud computing. KuppingerCole stands for expertise, opinion leadership and a manufacturer-neutral view of the expanded IT market. This includes topics such as classic identity and access management (IAM), information rights management (IRM), IT risk management, strong authentication, single sign-on, federation, user-centric identity management, virtualization, cloud computing trends and standards and much more .

More information at: