Identity Provisioning

Transcription

1 KuppingerCole Leadership Compass by Martin Kuppinger October 2012 Identity Provisioning Leaders in innovation, product features, and market reach for Identity Provisioning. Your compass for finding the right path in the market. KuppingerCole Scenario The Future of Authentication Report No.: 70341

2 KuppingerCole Leadership Compass Identity Provisioning by Martin Kuppinger October 2012 Content 1. Management Summary Methodology Product Rating Vendor Rating Vendor Coverage Market Segment Specific features analyzed Market Leaders Product Leaders Innovation Leaders Product evaluation Atos DirX Identity Avatier Identity and Access Risk Management Suite Beta Systems SAM Enterprise Identity Management Suite CA IdentityMinder Courion Access Risk Management Suite CrossIdeas IDEAS econet cmatrix Evidian Identity & Access Manager Fischer Automated Role & Account Management ForgeRock OpenIDM Hitachi ID Management Suite IBM Security Identity Manager Page 2 of 49

3 11.13 ILEX Meibo/MPP ism bi-cube Microsoft Forefront Identity Manager Identity Manager from NetIQ Omada Identity Suite (based on Microsoft FIM) Oracle Identity Manager Quest One Identity Manager SailPoint IdentityIQ SAP NetWeaver Identity Management The Dot Net Factory EmpowerID Products at a glance Related Research Documents Product Report: CrossIdeas IDEAS July 2012 Product Report: Quest One Identity Manager Dec Advisory Note: The Open API Economy Dec Vendor Report: Fischer International Nov Vendor Report: Courion Nov Scenario: Understanding Identity and Access Management Oct Product Report: SailPoint IdentityIQ Oct Product Report: Evidian Identity & Access Manager Oct Product Report: DirX Identity Oct Technology Report: Access Governance Architectures March 2011 Page 3 of 49

4 1. Management Summary Identity Provisioning is still one of the core segments of the overall IAM market. Thus it comes to no surprise that this segment is more crowded by vendors than virtually all the other IAM market segments. This Leadership Compass provides an overview and analysis of the Identity Provisioning market segments. It shows that there are several established vendors with mature solutions, but also some very interesting smaller or regional vendors with a good potential for growth and for delivering what customers require. Picking solutions always requires a thorough analysis of customer requirements and a comparison with product features. Leadership does not always mean that a product is the best fit. However, this Leadership Compass will help identifying those vendors customers should have a closer look at. Page 4 of 49

5 2. Methodology KuppingerCole Leadership Compass is a tool which provides an overview of a particular IT market segment and identifies the leader in that market segment. It is the compass which assists you in identifying the vendors and products in a particular market segment which you should consider for product decisions. It should be noted that it is inadequate to pick vendors based only on the information provided within this report. Customers must always define their specific requirements and analyze in greater detail what they need. This report doesn t provide any recommendations for picking a vendor for a specific customer scenario. This can be done only based on a more thorough and comprehensive analysis of customer requirements and a more detailed mapping of these requirements to product features, i.e. a complete assessment. We look at four types of leaders: Product Leaders: Product Leaders identify the leading-edge products in the particular market segment. These products deliver to a large extent what we expect from products in that market segment. They are mature. Market Leaders: Market Leaders are vendor which have a large, global customer base and a strong partner network to support their customers. A lack in global presence or breadth of partners can prevent a vendor from becoming a Market Leader. Innovation Leaders: Innovation Leaders are those vendors which are driving innovation in the particular market segment. They provide several of the most innovative and upcoming features we hope to see in the particular market segment. Overall Leaders: Overall Leaders are identified based on a combined rating, looking at the strength of products, the market presence, and the innovation of vendors. Overall Leaders might have slight weaknesses in some areas but become an Overall Leader by being above average in all areas. For every area, we distinguish between three levels of products: Leaders: This identifies the leaders as defined above. Leaders are products which are exceptionally strong in particular areas or overall. Challengers: This level identifies products which are not yet leaders but have specific strengths which might make them leaders. Typically these products are also mature and might be leading-edge when looking at specific use cases and customer requirements. Followers: This group contains products which lag behind in some areas, such as a limited feature set or only a regional presence. The best of these products might have specific strengths, making them a good or even best choice for specific use cases and customer requirements but are of limited value in other situations. Page 5 of 49

6 Our rating is based on a broad range of input and a long experience in that market segment. Input consists of experience from KuppingerCole advisory projects, feedback from customers using the products, product documentation, a questionnaire sent out before creating the KuppingerCole Leadership Compass, and other sources. Page 6 of 49

7 3. Product Rating KuppingerCole as an analyst company regularly does evaluations of products and vendors. The results are, amongst other types of publications and services, published in the KuppingerCole Leadership Compass Reports, KuppingerCole Product Reports, and KuppingerCole Vendor Reports. KuppingerCole uses a standardized rating to provide a quick overview on our perception of the products or vendors. Providing a quick overview of the KuppingerCole rating of products requires an approach combining clarity, accuracy, and completeness of information at a glance. KuppingerCole uses the following categories to rate products: Security Interoperability Functionality Usability Integration Security security is measured by the degree of security within the product. Information Security is a key element and requirement in the KuppingerCole IT Model (#70129 Scenario Understanding IT Service and Security Management). Thus, providing a mature approach to security and having a well-defined internal security concept are key factors when evaluating products. Shortcomings such as having no or only a very coarse-grained, internal authorization concept are understood as weaknesses in security. Known security vulnerabilities and hacks are also understood as weaknesses. The rating then is based on the severity of such issues and the way a vendor deals with them. Functionality this is measured in relation to three factors. One is what the vendor promises to deliver. The second is the status of the industry. The third factor is what KuppingerCole would expect the industry to deliver to meet customer requirements. In mature market segments, the status of the industry and KuppingerCole expectations usually are virtually the same. In emerging markets they might differ significantly, with no single vendor meeting the expectations of KuppingerCole, thus leading to relatively low ratings for all products in that market segment. Not providing what customers can expect on average from vendors in a market segment usually leads to a degradation of the rating, unless the product provides other features or uses another approach which appears to provide customer benefits. Integration integration is measured by the degree in which the vendor has integrated the individual technologies or products in the portfolio. Thus, when we use the term integration, we are referring to the extent in which products interoperate with themselves. This detail can be uncovered by looking at what an administrator is required to do in the deployment, operation, management and discontinuation of the product. The degree of integration is then directly related to how much overhead this process requires. For example: if each product maintains its own set of names and passwords for every person involved, it is not well integrated. And if products use different databases or different administration tools with inconsistent user interfaces, they are not well integrated. On the other hand, if a single name and password can allow the admin to deal with all aspects of the product suite, then a better level of integration has been achieved. Page 7 of 49

8 Interoperability interoperability also can have many meanings. We use the term interoperability to refer to the ability of a product to work with other vendors products, standards, or technologies. In this context it means the degree to which the vendor has integrated the individual products or technologies with other products or standards that are important outside of the product family. Extensibility is part of this and measured by the degree to which a vendor allows its technologies and products to be extended for the purposes of its constituents. We think Extensibility is so important that it is given equal status so as to insure its importance and understanding by both the vendor and the customer. As we move forward, just providing good documentation is inadequate. We are moving to an era when acceptable extensibility will require programmatic access through a well-documented and secure set of APIs. Refer to the Open API Economy Document (#70352 Advisory Note: The Open API Economy) for more information about the nature and state of extensibility and interoperability. Usability accessibility refers to the degree in which the vendor enables the accessibility to its technologies and products to its constituencies. This typically addresses two aspects of usability the end user view and the administrator view. Sometimes just good documentation can create adequate accessibility. However, overall we have strong expectations regarding well integrated user interfaces and a high degree of consistency across user interfaces of a product or different products of a vendor. We also expect vendors to follow common, established approaches to user interface design. We focus on security, functionality, integration, interoperability, and usability for the following key reasons: Increased People Participation Human participation in systems at any level is the highest area of cost and potential breakdown for any IT endeavor. Lack of Security, Functionality, Integration, Interoperability, and Usability Lack of excellence in any of these areas will only result in increased human participation in deploying and maintaining IT systems. Increased Identity and Security Exposure to Failure Increased People Participation and Lack of Security, Functionality, Integration, Interoperability, and Usability not only significantly increase costs, but inevitably lead to mistakes and breakdowns. This will create openings for attack and failure. Thus when KuppingerCole evaluates a set of technologies or products from a given vendor, the degree of product Security, Functionality, Integration, Interoperability, and Usability which the vendor has provided is of highest importance. This is because lack of excellence in any or all of these areas will lead to inevitable identity and security breakdowns and weak infrastructure. Page 8 of 49

9 4. Vendor Rating For vendors, additional ratings are used as part of the vendor evaluation. The specific areas we rate for vendors are Innovativeness Financial strength Market position Ecosystem Innovativeness this is measured as the capability to drive innovation in a direction which aligns with the KuppingerCole understanding of the particular market segment(s) the vendor is in. Innovation has no value by itself but needs to provide clear benefits to the customer. However, being innovative is an important factor for trust in vendors, because innovative vendors are more likely to remain leading-edge. An important element of this dimension of the KuppingerCole ratings is the support of standardization initiatives if applicable. Driving innovation without standardization frequently leads to lock-in scenarios. Thus active participation in standardization initiatives adds to the rating of innovativeness. Market position measures the position the vendor has in the market or the relevant market segments. This is an average rating over all markets in which a vendor is active, e.g. being weak in one segment doesn t lead to a very low overall rating. This factor takes into account the vendor s presence in major markets. Financial strength even while KuppingerCole doesn t consider size to be a value by itself, financial strength is an important factor for customers when making decisions. In general, publicly available financial information is an important factor therein. Companies which are venture-financed are in general more likely to become an acquisition target, with massive risks for the execution of the vendor s roadmap. Ecosystem this dimension looks at the ecosystem of the vendor. It focuses mainly on the partner base of a vendor and the approach the vendor takes to act as a good citizen in heterogeneous IT environments. Page 9 of 49

10 5. Vendor Coverage KuppingerCole tries to include all vendors within a specific market segment in their Leadership Compass documents. The scope of the document is global coverage, including vendors which are only active in regional markets like Germany or the US. However, there might be vendors which don t appear in a Leadership Compass document due to various reasons: Limited market visibility: There might be vendors and products which are not on our radar yet, despite our continuous market research and work with advisory customers. This usually is a clear indicator of a lack in Market Leadership. Denial of participation: Vendors might decide on not participating in our evaluation and refuse to become part of the Leadership Compass document. KuppingerCole tends to include their products anyway as long as sufficient information for evaluation is available, thus providing a comprehensive overview of leaders in the particular market segment. Lack of information supply: Products of vendors which don t provide the information we have requested for the Leadership Compass document will not appear in the document unless we have access to sufficient information from other sources. Borderline classification: Some products might have only small overlap with the market segment we are analyzing. In these cases we might decide not to include the product in that KuppingerCole Leadership Compass. The target is providing a comprehensive view of the products in a market segment. KuppingerCole will provide regular updates on their Leadership Compass documents. Page 10 of 49

11 6. Market Segment This KuppingerCole Leadership Compass looks at the category of Identity Provisioning systems. Identity Provisioning products as we know them today are mostly organized around those four components: Connectors Workflow engine Reconciliation engine coupled with a repository engine Form generator to handle graphical user interface Identity Provisioning products today typically provide some basic, sometimes also some more evolved, access governance functionality. This includes, for example, role management and reporting. Other typical features are user self-service, delegated administration, and password management. In addition to this, configurable workflows for request procedures and approvals are a key element. It is impossible to understand Identity Provisioning complexity without having a quick look backward. Most historical Identity Provisioning products in the market date back to the late 1990 s and early 2000 s. They were designed back then and have evolved over time. That was the time of central authentication repositories and metadirectories, and the area of three-tier web architectures. In fact those years fit with the explosion of distributed systems IT departments had to handle. On one hand the number of systems (servers, desktops, applications, network hardware, etc.) to control was growing exponentially, while the number of skilled system administrators wasn t growing at the same rate. On the other hand the number of requests from business units to add new users, grant privileges, enforces policies etc. was exploding. Last but not least everything had to be executed faster and faster and served at a lower cost. As a result early Identity Provisioning systems were designed to help automate systems administration of IT. Before Identity Provisioning, it was common to wait days or even weeks for a user to get an account on a mainframe resource or application. With Identity Provisioning, business owners became able to serve enduser requests almost in real time from a small web interface, this without asking the permission of any IBM mainframe administrator. For those reasons, the first Identity Provisioning systems started to focus on connectivity with targeted systems: how to populate a user on an IBM-3270, how to enable someone on Cisco's VPN, Obviously as soon as the system administration bottleneck was handled, the problem moved to the next level. As it was now simple to grant access to any resource, users had accounts on multiple systems, and the issue moved from how do I grant access to John on this or that system? to how do I control what John has access to?. To verify that grants were given on purpose, Identity Provisioning introduces the concept of workflow to verify authorizations before accepting a request. Then in order to keep track of allocated resources a central repository was built, couple with a reconciliation engine. Page 11 of 49

12 Last but not least as requests were now handled directly by business owners or endusers, traditional command lines became a no go option and a friendly GUI interface became one of the most important components of any Identity Provisioning implementation. In recent years, compliance and basic access governance functions became a must have feature. Many regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley, EU Privacy Protection Directive, etc. moved the responsibility of enforcing identity management policies from system and business administrators to the top management. As a direct result, key requirement for Identity Provisioning moved from how to quickly enable my business? to how to make sure no one can sue me? That put new challenges on Identity Provisioning. With Access Governance, a new product category appeared that somewhat overlaps and somewhat integrates with classical Identity Provisioning (#70,219 Access Governance Architectures). While it remains obvious that whatever some vendors claim the provisioning requirement is not going to be disappear any time soon, but will continue to change. When looking at Identity Provisioning in that Leadership Compass, our expectations are that products provide mature basic capabilities as defined at the beginning of this section plus sufficient role management and basic access recertification capabilities. We don t necessarily expect full Access Governance functionality, i.e. access analytics, recertification, risk management, and related features. We also don t expect what some vendors call Access Intelligence, i.e. advanced analytical capabilities beyond what is commonly found in Access Governance products. We also expect products to provide a strong and flexible internal security model, flexibility in customization, and other standard features any software product should provide like the ability not to lose customizations when updating a product. Page 12 of 49

13 7. Specific features analyzed When evaluating the products, besides looking at the aspects of overall functionality partner ecosystem size of the company licensing models number of customers number of developers traditional core features of Identity Provisioning we also considered some specific features. These include: Connector toolkit Heritage of connectors ESB interfaces SRM interfaces SPML/SCIM support Deployment models Customization A toolkit for simple creation of custom connectors to target systems is highly recommended. Having connectors as OEM components or provided by partners is considered a risk for ongoing support and available know-how at the vendor. Having interfaces to ESBs (Enterprise Service Bus) adds architectural options for integrating Identity Provisioning with existing systems and for connecting to target systems. We expect that systems provide out-of-the-box integration to leading SRM (Service Request Management) systems for manual fulfillment of provisioning requests. Support for these two standards (Service Provisioning Markup Language/ System for Cross-domain Identity Management) is highly recommended. Supporting different deployment models like hard/soft appliances and cloud deployment gives customer a broader choice. Systems that require little or no coding and that support scripting or, if programming is required, a range of programming languages, are preferred. Authentication mechanisms We expect Identity Provisioning systems to support different types of authentication to the system, including strong authentication options, to limit the risk of fraud using these systems. Internal security model All systems are required to have a sufficiently strong and fine-grained internal security model. Page 13 of 49

14 Multi tenancy Role/SoD concept Shopping cart paradigm Given the increasing number of cloud deployments, but also specific requirements in multi-national and large organizations, support for multi-tenancy is highly recommended. Provisioning should be feasible based on role concepts and with support for the definition of SoD rules (Segregation of Duties), despite the fact that Access Governance tools are increasingly used on top of Identity Provisioning. These approaches are pretty popular for simplifying the access request management process by using shopping cart paradigms familiar to the users. The support for these functions is added to our evaluation of the products. We ve also looked at specific USPs (Unique Selling Propositions) and innovative features of products which distinguish them from other offerings available in the market. Page 14 of 49

15 8. Market Leaders Based on our evaluation of the products, we ve identified (as mentioned above) different types of leaders in the Identity Provisioning market segment. The market leaders are shown in figure 1. Fig. 1: Market leaders in the Identity Provisioning market segment. The market is affected by a situation where several very large software vendors compete with a large number of smaller vendors, which, frequently, are only acting regionally. Market leadership is mainly a hint at the overall position of the vendor, its strength in sales, and its partner ecosystem. It has to be noted that this doesn t allow any conclusion about whether the products of the different vendors fit to the customer requirements. Page 15 of 49

16 9. Product Leaders The second view we provide is about product leadership. That view is mainly based on the analysis of product features and the overall capabilities of the various products. Fig. 2: Product leaders in the Identity Provisioning market segment. Here it has to be noted that products which appear more at the left side frequently gained their rating because they take another approach to Identity Provisioning than usual. That is particularly true for vendors like CrossIdeas, Ilex, econet, Avatier, or even Evidian. Again, to select a product it is important to look at the specific features and map them to the customer requirements. There are sufficient examples where products which weren t feature leaders still were the better fit for specific customer scenarios. Page 16 of 49

17 10. Innovation Leaders The third angle we took when evaluating products was about innovation. Innovation is, from our perspective, a key capability in IT market segments. Innovation is what customers require to receive new releases that meet new requirements. Thus, a look at innovation leaders is also important, beyond analyzing product features. Fig. 3: Innovation leaders in the Identity Provisioning market segment. Again, in some cases products which appear more to the left of that figure do not necessarily fail in innovation but are focused on specific requirements or very focused approaches, like Evidian with their focus on a more complete solution for SMBs and their tight integration of Access Management, Single Sign-On, and Identity Provisioning or Ilex with their toolset approach for quickly developing IAM applications plus a specific solution for the needs of SMBs. Page 17 of 49

18 11. Product evaluation This section contains a quick rating for every product we ve included in this KuppingerCole Leadership Compass document. For many of the products there are additional KuppingerCole Product Reports available, providing more detailed information. Page 18 of 49

19 11.1 Atos DirX Identity Atos IT Solutions and Services acquired the former Siemens SIS (IT Solutions and Services) unit. As part of this acquisition, the DirX products became part of the Atos portfolio. DirX Identity is the Identity Provisioning solution within that portfolio. The product is well established in the market, with several very large installations. It is sort of a standard Identity Provisioning product covering the classical features commonly found in that market segment, like connectors to target systems, workflow functionality, role management, and additional access governance capabilities. In addition, Atos provides a number of vertical integrations for industries like Facility Management and Healthcare, based on the specific domain knowledge and with technical integrations. Strengths/Opportunities Mature, well established product with proven ability to execute in very large scale deployments Strong role- and rule-based approach for provisioning Consistent use of web services for interoperability Weaknesses/Threats Room for improvement regarding flexibility of integrated Access Governance features No support for enterprise bus concepts Table 1: Atos DirX Identity major strengths and weaknesses. Besides the neutral usability rating which is mainly caused by limitations in delivery models and above average need for programming in customization, the product rating overall is. The product has strong capabilities in core provisioning features including connectivity to target systems and scalability and high-availability features. It also provides a strong role management approach. Based on the long history in role management, the concepts implemented in that area are very mature and leadingedge. Atos has added additional capabilities for a more flexible management beyond roles, based, for example, on organizational structures and using rules to manage entitlements. Main features are exposed via web services, which allows for simple interoperability. Security Functionality Integration Interoperability Usability strong neutral Table 2: Atos DirX Identity rating. Overall, Atos DirX Identity is a mature and feature-rich product. Atos provides its own managed services and has a worldwide presence. The partner ecosystem is fairly limited. Page 19 of 49

20 11.2 Avatier Identity and Access Risk Management Suite Avatier is a vendor which follows a different approach than most other vendors in the Identity Provisioning market. The different components of its offering focus on providing a simple and familiar experience to end users along with an easy-to-use graphical configuration interface for administrators. The latest innovation feature support for new types of mobile devices and a shopping cart approach for requesting access, assets and other resources. Overall, the paradigm is very much driven by a service request-oriented approach and a high degree of user centrism while still providing broad support for automation. The focus is clearly on a configuration approach providing lower time-to-value compared to more complex solutions. Strengths/Opportunities Innovative, highly user-centric approach on Identity Provisioning. Fast implementation focusing on end user service requests. Weaknesses/Threats Some lack of support for authentication mechanism or multi-tenancy. Very limited partner ecosystem. No significant footprint outside of North America. Table 3: Avatier Identity and Access Risk Management Suite major strengths and weaknesses. This makes the Avatier solution an interesting alternative to common approach on Identity Provisioning. However it will not suit the needs of all customers. Security is good but some features like a broad support for different, strong authentication mechanisms is lacking as well as multi-tenancy support. Avatier clearly is one of the products which either fit to what customers are looking for or not it is different but worth having a look at. A shortcoming of Avatier clearly is their very limited partner ecosystem. Avatier claims that the simplicity of the solution reduces this requirement. Security Functionality Integration Interoperability Usability neutral Table 4: Avatier Identity and Access Risk Management Suite rating. Overall, Avatier Identity and Access Risk Management Suite is an interesting choice for several customers, taking another approach to Identity Provisioning than most of the other products. Currently, the vendor has no significant footprint outside of North America. Page 20 of 49

21 11.3 Beta Systems SAM Enterprise Identity Management Suite Beta Systems is a German vendor, offering its SAM Enterprise Identity Management Suite for many years now. The company has a significant customer base, with some focus on the finance industry. It is sort of a standard Identity Provisioning product covering the classical features commonly found in that market segment, like connectors to target systems, workflow functionality, and role management. Beta Systems recently started improving the integrated Access Governance/Intelligence functionality. Strengths/Opportunities Very mature approach to role management Connector approach with tight application integration, supporting also Dynamic Authorization Management Strong support for mainframe environments Weaknesses/Threats Based on several components with some conceptual differences Just starting adding Access Governance and Intelligence functionality Table 5: Beta Systems SAM Enterprise Identity Management Suite major strengths and weaknesses. Beta Systems SAM Enterprise Identity Management Suite supports a broad range of platforms, with exceptionally strong support for mainframe environments. Over the course of the last few years, Beta Systems has enhanced the functionality significantly, partially by adding components acquired or licensed from other vendors. That results in a slight lack of integration at the administrative level. However, user interfaces are well integrated. The company is just starting to add enhanced Access Governance and Intelligence functionality. However, support for role management is strong, based on a long experience. Besides this Beta Systems is one of the few vendors offering connectors with tight application integration, allowing applications to request authorization decisions at runtime and thus enabling Dynamic Authorization Management as an integrated feature. Security Functionality Integration Interoperability Usability strong strong neutral Table 6: Beta Systems SAM Enterprise Identity Management Suite rating. Overall, Beta Systems SAM Enterprise Identity Management Suite is a mature and feature-rich product. Beta Systems has a presence in major markets and a sufficient partner ecosystem. Page 21 of 49

22 11.4 CA IdentityMinder CA Technologies is amongst the largest infrastructure software vendors worldwide and offers a broad portfolio of products in the IAM market segment, including CA IdentityMinder (formerly CA Identity Manager) as its solution for Identity Provisioning. This tool is built on different tools CA Technologies had developed and acquired over time. The current version is well integrated and provides the full feature set to be expected from Identity Provisioning solutions. Strengths/Opportunities Mature product with a broad range of features and good integration of these Tight integration with other CA products including CA GovernanceMinder (Access Governance) Large customer base Weaknesses/Threats Requires CA SiteMinder for advanced internal security features like different authentication mechanisms Relatively small number of partners in ecosystem but strong own service offerings Table 7: CA IdentityMinder major strengths and weaknesses. Based on the long history of the product and the market position of CA Technologies, it is no surprise that CA has done a large number of deployments of CA IdentityMinder. As a consequence, there is - besides a mature and rich feature set - a number of additional solutions from CA Services available which add to this functionality. Like some other vendors, CA Technologies is following a concept which tries to avoid too many redundancies between the products in its portfolio. Thus most Access Governance features are part of CA GovernanceMinder, whilst CA SiteMinder acts as sort of the first line of defense when it comes to security. This approach is not uncommon and has its strengths (when building on the entire ecosystem) and potential weaknesses (when requiring just one of the products but some functionality beyond its core features). Security Functionality Integration Interoperability Usability strong strong Table 8: CA IdentityMinder rating. Overall, CA IdentityMinder is a mature product with tight integration into a suite of products. CA Technologies has a global presence but only a fairly small number of specialized partners; however the company has own service offerings on a global scale. Page 22 of 49

23 11.5 Courion Access Risk Management Suite Courion is a vendor which has evolved from supporting specific problems especially around password synchronization towards a company with a suite covering major areas of IAM today. The Courion Access Risk Management Suite is their integrated offering which includes the provisioning capabilities but also adds advanced Access Governance and Access Risk Management capabilities on top of that. Courion has chosen to extend the reach of its main product beyond core provisioning and take the path of providing a more comprehensive suite covering several capabilities. Strengths/Opportunities Broad, integrated feature set for provisioning and access governance Mature provisioning capabilities Good connectivity also with more complex platforms like mainframe environments Weaknesses/Threats No significant footprint in the market outside of North America Suite approach might provide more functionality than required (but is modular) Table 9: Courion Access Risk Management Suite major strengths and weaknesses. Courion has opted for an approach which focuses on providing a broad set of features and enhancing Identity Provisioning beyond its traditional scope. Given that the suite is sufficiently modular, that allows customers to rely on portions of this feature set if required. Classical provisioning capabilities are strong, with a significant number of connectors also covering the more complex target platforms. Courion also provides exceptionally strong integration with other elements of IT infrastructure like SIEM platforms etc. Security Functionality Integration Interoperability Usability strong strong Table 10: Courion Access Risk Management Suite rating. Overall, Courion has a very strong product offering with a broad feature set. Their major weakness is the lack of an ecosystem and footprint outside of the North American market. Page 23 of 49

24 11.6 CrossIdeas IDEAS CrossIdeas is an Italian vendor which started as part of the largest Italian system integrator, Engineering spa. They have been in the market for several years now. Originally they provided a Dynamic Authorization Management system for externalizing authorization decisions from applications. Over time, strong role management and overall Access Governance capabilities have been added. Recently, CrossIdeas beyond connecting to other provisioning tools started adding its own connectors. Thus they also can directly provision to target systems now. However, they didn t start as provisioning tool from scratch but took another, rather uncommon way. Strengths/Opportunities Excellent business-oriented framework for managing access, including full Access Governance Integration with Dynamic Authorization Management, beyond static provisioning Weaknesses/Threats Limited number of own connectors, just started building their connector framework Very small but growing partner ecosystem Different approach than classical provisioning, based on Access Governance capabilities, will not fit to every use case Table 11: CrossIdeas IDEAS major strengths and weaknesses. Due to its history, IDEAS is not a typical Identity Provisioning solution. However, having some provisioning capabilities available now qualifies them as a newcomer in this market, which is moving towards providing increased Access Governance capabilities anyway. Besides their strong features in that area with a very businesscentric approach, tying well into existing business processes, a rather rare feature in that market segment is the tight integration with Dynamic Authorization Management, allowing it to externalize authorization decisions instead of just statically provisioning access controls to target systems. On the other hand, their connector framework as of now is somewhat limited so customers have to carefully evaluate whether this is what they require. Security Functionality Integration Interoperability Usability strong neutral neutral neutral neutral Table 12: CrossIdeas IDEAS rating. Overall, IDEAS is more an Access Governance and Dynamic Authorization Management tool with some provisioning capabilities. Thus it depends on the customer requirements whether this is a good fit for their provisioning needs or not. Page 24 of 49

25 11.7 econet cmatrix The German software vendor econet entered the Identity Provisioning market with another approach than most of the other vendors. Their product econet cmatrix is titled an Identity & Services Manager, not only providing access controls but also the management of IT services like mail services, telephony, and others a user requires. Thus their provisioning scope is larger than what most other vendors focus on. On the other hand, their reach towards a multitude of platforms is somewhat limited in contrast to other vendors. Strengths/Opportunities Service provisioning beyond access controls, including accounts etc. out-of-the-box. Lightweight offering for SMB customers. Service Management-oriented approach. Weaknesses/Threats No MSP/cloud offerings available yet. Processes frequently require coding. Limited presence in the market, small partner ecosystem. Table 13: econet cmatrix major strengths and weaknesses. In general, econet is following an approach which is closer to Service Request Management (SRM) than that which most other vendors offer. The target is to provide everything to the user that the user requires, based on defined processes and integrated with audit capabilities. However, if customers need specific processes beyond the standard processes which will be the case in most large environments coding is virtually inevitable. Besides this, market presence is rather limited and as of now focused mainly on Germany. Security Functionality Integration Interoperability Usability strong neutral Table 14: econet cmatrix rating. Overall, econet cmatrix provides an interesting set of features which should suit many customer scenarios well, due to their focus on provisioning all types of services. However, market presence is somewhat limited and customization shouldn t be underestimated. Page 25 of 49

26 11.8 Evidian Identity & Access Manager The French vendor Evidian is part of Groupe Bull, one of the leading European IT companies. Evidian has been in the IAM business for many years. Their product, Identity & Access Manager, has been developed over a number of years and provides a good set of features in Identity Provisioning. The target market of Evidian is mid-sized businesses for whom they provide an integrated solution with all major features required. These go beyond pure Identity Provisioning, allowing customers to implement an integrated approach for core IAM requirements. Notably, Evidian has in its fairly large customer base also several very large accounts, not being limited to smaller deployments. Strengths/Opportunities Established product with good feature set in core functionality. Excellent integration to Evidian SSO/Access Management solutions. Integrated offering with a consistent concept for managing identities and access. Weaknesses/Threats Limited deployment models. Conceptual approach might not be a perfect fit to some customer requirements. No ESB and SRM integration out-of-thebox. Table 15: Evidian Identity & Access Manager major strengths and weaknesses. Evidian has developed a tightly integrated product which covers all major aspects of Identity Provisioning. It is focused on providing a consistent set of processes for users. Besides the core provisioning capability, the product is tightly integrated with the SSO (Single Sign-On) and Access Management solutions offered by Evidian. A shortcoming is the lack of cloud/msp deployment models and appliance offerings. There is also a lack of advanced integration, like support for ESB (Enterprise Service Bus) concepts or SRM (Service Request Management) integration out-of-the-box. On the other hand the product can use existing external workflow systems. The product allows a quick start for many scenarios, especially in medium-sized business. However it might not be the perfect fit for some customer scenarios. Security Functionality Integration Interoperability Usability strong neutral Table 16: Evidian Identity & Access Manager rating. Overall, Evidian delivers a mature product with a strong feature set and a wellthought out conceptual approach. The company is mainly focused on the European markets. Page 26 of 49

27 11.9 Fischer Automated Role & Account Management Fischer International Identity is a vendor which is different from all other provisioning vendors in that the company focuses on SaaS delivery models for IAM as their main approach and core competency. The product is available for on-premise deployment as well but the entire architecture has been defined for SaaS deployments, requiring only a gateway at the customer s sites. However, this approach suits well also for onpremise. Based on that concept, full multi-tenancy is a logical design principle of the solution. Strengths/Opportunities SaaS delivery model as standard option. No coding required, customization is done via configuration and graphical design components. Well-defined user interfaces for quickstart deployments. Weaknesses/Threats No ESB support yet, SaaS approach is more difficult to integrate. User interfaces might not suit every organization s needs. Table 17: Fischer Automated Role & Account Management major strengths and weaknesses. Their SaaS delivery model is supported by several MSPs, including Wipro as a global partner. Due to their SaaS approach, the clear focus is on providing a large set of features, well-defined standard configurations, and avoiding programming. There is no need for coding, but sometimes intensive configuration is needed. Besides that there are graphical tools for designing user interfaces and workflows. For companies looking for tight and flexible integration with existing IT solutions, the SaaS approach might become an inhibitor. Even for on-premise deployments, the ETL-based approach for interoperability might be too limited in more complex scenarios. Despite the good out-of-the-box user interfaces, they might not suit every customer s needs pure customization might hit its limits. The partner ecosystem of Fischer is still somewhat limited in size but growing and based on few global, engaged partners. Security Functionality Integration Interoperability Usability strong strong Table 18: Fischer Automated Role & Account Management rating. Overall, Fischer provides an interesting approach to Identity Provisioning. SaaS deployments are interesting, however they might not suit the needs of every customer, including global organizations with legal requirements regarding the data held outside of the organization. Page 27 of 49

28 11.10 ForgeRock OpenIDM ForgeRock is a company providing open source IAM solutions. One of their products is OpenIDM 2.0, an open source provisioning solution. This is not built on the former Sun Identity Manager/Oracle Waveset product but leverages the OpenICF connector framework which adopted the former Sun Microsystems open source project Identity Connector Framework. The product has a somewhat limited capability with several features still missing. Nevertheless it may be an option for companies looking for open source solutions only or focusing on approaches which they can greatly customize to suit specific needs. The product strategy for OpenIDM is focused on a one stack approach with integration to other products and lightweight APIs for easy, accessible adoption. This might suit the needs of customers which need to heavily customize or very tightly integrate a provisioning tool with existing IT environments. Strengths/Opportunities Open source product for Identity Provisioning. Broad set of connectors based on OpenICF framework. Weaknesses/Threats Somewhat limited set of features. Very limited partner ecosystem and deployment models as of now. No support for role management. Table 19: ForgeRock OpenIDM major strengths and weaknesses. ForgeRock provides a basic Identity Provisioning solution as of now. There are some fundamental features missing, including support for role management approaches. ForgeRock claims that this limitation can be addressed by mimicking it through their rule-based concept, however that would be fairly complex in most organizations. The partner ecosystem is also limited, as well as deployment options. A strength is the breadth of available connectors based on the open source OpenICF project and, for some customers, the fact that the product is open source and flexible to integrate and customize. Security Functionality Integration Interoperability Usability neutral neutral Table 20: ForgeRock OpenIDM rating. Overall, ForgeRock OpenIDM can not currently be considered a leading-edge solution in the market. The product mainly will attract customers looking for an open source approach to Identity Provisioning. Page 28 of 49

29 11.11 Hitachi ID Management Suite Hitachi ID provides a product called ID Management Suite which is a mature solution for managing identities and their access. It integrates Access Governance features, including SoD (Segregation of Duty) support and certification features. The product builds on an open, flexible architecture. The price to pay for that flexibility might be an above average effort for coding when it comes to customization. Hitachi ID provides a well-defined model for segregation of code and customizations, allowing retaining customizations beyond release changes. Strengths/Opportunities Good support for Access Governance features. Mature solution supporting Identity Provisioning requirements. Tight integration with Microsoft SharePoint and Windows Explorer. Weaknesses/Threats No shopping cart paradigm supported. Customization might require above average coding. Limited footprint outside of North America. Table 21: Hitachi ID Management Suite major strengths and weaknesses. In general, the product provides a mature set of features, delivering what customers typically need. However, the architecture and access control model have to be carefully reviewed to understand whether they suit the needs of the organization. The architecture provides high flexibility and scalability and is well-thought out. On the other hand customization needs might be above average and some features like shopping cart paradigms are not supported out of the box. The SoD approach implemented ensures that SoD violations and the impact of changes are handled correctly at all layers in a multi-layered role/entitlement model which is not the case with all products in the market. Some specific strengths are the integration with Microsoft SharePoint and Windows Explorer, allowing users to directly request access on resources from these environments. Security Functionality Integration Interoperability Usability strong neutral Table 22: Hitachi ID Management Suite rating. Overall, Hitachi ID Management Suite is an interesting product with a well-thought architecture and feature set, providing good flexibility. It thus is an interesting alternative to established products. The vendor still has a limited footprint outside of North America. Page 29 of 49

30 11.12 IBM Security Identity Manager IBM Security Identity Manager, formerly known as IBM Tivoli Identity Manager (ITIM), is one of the most established products in the market. The name change is due to the formation of an IBM Security Business Unit. Thus several Tivoli products have been shifted to that new unit and the brand name has changed. However, it is still the same well-known product. IBM has a very large installed base, ranging amongst the top 5 vendors in the worldwide market in that aspect. Strengths/Opportunities Mature product with good support for standard feature set. Strong support for different target systems. Integration with User Activity Monitoring. Weaknesses/Threats Workflow and role management based on separate components. No multi-tenancy support yet. Table 23: IBM Security Identity Manager major strengths and weaknesses. IBM Security Identity Manager is an established product supporting a broad range of different target systems with deep integration. With the new role management capabilities and enhanced workflow capabilities based on another IBM product (former Lombardi) IBM has addressed some of the functional shortcomings of former releases. However, the price to pay is an increased number of different components which have to work together. IBM provides out-of-the-box integration, nevertheless there are several components at the system-level which needs to be handled. Another critical aspect is the lack of real multi-tenancy support. On the other hand, IBM Security Identity Manager is integrated with User Activity Monitoring features and Governance capabilities of other IBM solutions, fitting well into more comprehensive concepts of overall governance and security. Security Functionality Integration Interoperability Usability strong neutral Table 24: IBM Security Identity Manager rating. Overall, IBM Security Identity Manager is a mature offering. IBM has added several new features, but at the price of of having a set of like external workflow systems. These are integrated out-of-the-box, however his still leads to increased complexity of the overall environment customers need to handle. Page 30 of 49