Most businesses are not handling identity and access management (IAM) in the right way, according to Gartner.
Somewhere between half and two-thirds of organisations are trying to set up an effective IAM project but are doing it wrong, said Earl Perkins, research vice president at Gartner.
"IAM process requirements should always precede organization and technology decisions," Perkins explained.
"But currently, most IAM planning is done around clusters of technologies, rather than by addressing specific IT or business processes."
Often, businesses start thinking about IAM from the wrong direction or with people involved who shouldn't be, the analyst said.
"IAM should not be planned with operations in mind; rather, it should be based on the foundations of the organisation relative to policies, processes and people," Perkins added.
"Products are actually a relatively small focus of the decision process in an IAM programme."
IAM should be viewed as a process and should not be product-orientated something the market has imposed on IAM, Gartner claimed.
"Instead of looking at IAM as a set of products to be purchased to fill technology gaps in an organisation, viewing IAM as a process attempts to identify where people and IAM technology can be most effectively inserted' to fulfill the practices and policies of the organisation," Perkins added.
"It also contributes in a significant way to how enterprise, and security, architecture is enriched with the addition of IAM-specific architecture."
Recent password thefts, such as the one involving Gawker, may have inspired organisations to tighten up their access management.
