Magic Quadrant for User Provisioning

Transcription

1 Magic Quadrant for User Provisioning Gartner RAS Core Research Note G , Perry Carpenter, Earl Perkins, 30 September 2010, RA User provisioning manages identities across systems, applications and resources. Compliance remains the main driver of uptake, and identity and access intelligence and role life cycle management are increasingly top-of-mind issues. WHAT YOU NEED TO KNOW This document was revised on 4 October For more information, see the Corrections page on gartner.com. User-provisioning solutions are maturing in function and capability, and the user-provisioning market continues to consolidate. As some identity and access management (IAM) technologies approach a commoditylike state, the boundaries between core IAM products, such as user provisioning and companion product sets, are blurring. Core provisioning functionalities are similar across most vendors (such as workflow engines, approval processes, password management and standard connector sets). Therefore, provisioning vendors seek to differentiate their product sets from those of competitors through expanded IAM functionalities, such as: Role life cycle management Identity and access intelligence (IAI that is, audit, log correlation and management, analytics, monitoring, and reporting) Improved workflow options to improve business process management (BPM) and general governance, risk and compliance (GRC) integration Better integration with adjacent and relevant security technologies, such as security information and event management (SIEM), data loss prevention (DLP), network access control (NAC), and IT GRC management (GRCM) tools Improved integration with other suite components or IAM offerings from other vendors

2 2 Large-scale user-provisioning projects remain complex, requiring experienced integrators and skilled project management for the enterprise. Most provisioning implementations succeed or fail based on these integrators and on the relationship between customers and vendors. Most IAM vendors realize that penetrating midmarket accounts for instance, small or midsize businesses (SMBs) requires simple deployments at the product level. While success rates for complex and/or major user-provisioning initiatives are improving, horror stories related to failed implementations or poorly integrated replacements still abound. Key differentiators when selecting userprovisioning solutions include, but are not limited to: Price, including flexibility of pricing for deployment, maintenance and support programs. Figure 1. Magic Quadrant for User Provisioning ability to execute challengers Hitachi ID Systems Microsoft Siemens Beta Systems Avatier Omada BMC Software Quest Software Evidian SAP leaders Oracle IBM Tivoli CA Technologies Novell Courion Sentillion (Microsoft) Voelcker Informatik Fischer International Global scope, depth, availability and extent of partnerships with consultants and system integrators (SIs) to deliver the solution. niche players visionaries Consultant and SI performance, which remains vital to success. Also vital are the level and extent of experience of industry segment vendors and integrators to deliver successful projects. Source: Gartner (September 2010) completeness of vision As of September 2010 Time to value. The ability to deliver subsidiary services that are not available in the core product through: Integration with component IAM features (for example, common user experience and reporting). Custom development. Augmentation via partnerships or adjacent products or capabilities (for example, role life cycle management, entitlement management, federated provisioning or IAI). Other customer experiences, including satisfaction with installed provisioning systems (that is, reference accounts). Strategy, road map and alignment with other product offerings, including strategies for addressing future cloud-computing and software as a service (SaaS) architectures. Relevance in addressing identity-and-access-specific requirements in BPM and business intelligence. There is no one size fits all provisioning solution; as such, these differentiators will vary in importance, given the specific organization, use cases, budget and business drivers. Gartner recommends enterprises embarking on user-provisioning initiatives to: Prioritize the key issues to be resolved, and provide clarity to the project being implemented Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner s research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

3 Document the project scope thoroughly, and seek outside review where possible. Choose the specific technologies required for the specific requirements Do not allow a project to expand scope without a documented rationale. Implement rigorous project oversight to ensure project scope integrity is maintained. Establish a formal change process to bound project scope where possible. Addressing these questions early can help companies avoid failure. Role life cycle management is increasingly viewed as a prerequisite (or, in more complex initiatives, a parallel effort) for many new user-provisioning initiatives. Many enterprises that have deployed user-provisioning systems have discovered that the access request process, such as that provided by role life cycle management, is a missing element. Customers will find that user provisioning and access request management are intricately connected, and planning for provisioning will reflect that. Gartner also recommends that enterprises planning for a virtualization architecture include user-provisioning planning, because it plays an important role for virtual machines (VMs). User provisioning provides the management of accounts and auditing for partitions, hypervisors and VM monitors, as well as enforcing segregation of duties (SOD) for that environment. Gartner believes that organizations facing compliance burdens are realizing that full provisioning implementations (while still ultimately important and necessary for long-term compliance) can actually be postponed or de-emphasized in the short term in favor of IAI solutions. For more detail, see User Provisioning Is (in the Short Term) Giving Way to Other, Easier Projects. STRATEGIC PLANNING ASSUMPTION Through 2013, notable identity and access management project failures will cause 50% of all companies to shift their IAM efforts to intelligence rather than administration. MAGIC QUADRANT Market Overview Market Growth Most user-provisioning vendors reported revenue increases in 2009 to 2010, thereby indicating continued growth in the market (see the Market Maturity section below). However, growth for user provisioning is slowing. In Forecast: Security Software Markets, Worldwide, , 2Q10 Update, Gartner Dataquest reported a compound annual growth rate (CAGR) of 4.4% for the userprovisioning market. User provisioning is now an approximately $940 million market, and should become a $1 billion market in The global 2009 CAGR of 4.4% for user provisioning is down from 17.4% in The notable decline in growth is for two reasons: (1) there are ripples from the recent economic downturn; and (2) clients are realizing that they can pursue compliance initiatives via technologies that promise shorter-term wins (such as IAI, privileged-account activity management [PAAM], and Active Directory to Unix bridging). For now, enterprises are shifting spending to those areas. North America exhibited revenue growth of 4.2%; Western Europe, 4.0%; Asia/Pacific, 9.4%; and Latin America, 5.0% down significantly from 2008 across most regions. North America accounted for 47.5% of 2009 market share; Western Europe, 28.1%; Asia/Pacific, 8.7%; and Latin America, 3.1%. Gartner expects user-provisioning revenue opportunities to continue growing through the end of 2010 as the market matures and consolidates, rebounding with a 9% CAGR in However, Gartner believes that this will be the peak. Growth for the provisioning market will drop over the next several years as enterprises deploy new-generation solutions and upgrade existing deployments. User-provisioning technologies and processes continue to mature, with well-established vendors, well-defined IAM suites and a broadbased integrator market for them. Third-generation releases are now available, with most basic capabilities well-structured and wellconfigured. Gartner estimates that, as of mid-2010, approximately 30% to 35% of midsize to large enterprises worldwide, across all industries and sectors, had implemented some form of user provisioning. An additional 20% to 25% of them are evaluating potential solutions. Significant Changes From Last Year s Magic Quadrant The most notable year-over-year changes include the following: Oracle clearly stands out in both vision and execution within the Leaders quadrant. This is due to its rapid acquisition of new customers, internal innovation and improvements of its IAM offerings, the acquisition of Sun Microsystems (which helps augment some of its IAM capabilities), and a compelling road map. Sun Microsystems is absent from the Magic Quadrant due to its acquisition by Oracle. Since publication of the 2009 user-provisioning Magic Quadrant, Quest Software acquired Voelcker Informatik. Both companies receive individual ratings in the 2010 Magic Quadrant, due to the recency of the acquisition, and because Quest intends to keep Quest s ActiveRoles product and Voelcker s ActiveEntry product as separate entities, selling one or the other based on specific customer use-case requirements. Sentillion was acquired by Microsoft and is now part of Microsoft Health Solutions Group. Sentillion provision and 3

4 4 Microsoft Forefront Identity Manager are being rated as separate products, because they are developed, marketed and sold as distinct products. All Leaders continued to improve (horizontally, vertically or both), based on: Past velocity and trajectory A continued commitment to meet road map commitments A continued commitment to meeting customer needs proactively via innovative road maps and/or reactively via partnerships, internal development or acquisitions Many vendors in the Challengers, Niche Players and Visionaries quadrants are beginning to cluster around the midpoint of the chart a sign of overall market maturity and commoditization of the core technologies being rated. Microsoft made the most progress within the Challengers quadrant due to the release of the long-awaited Forefront Identity Manager product, which improves the usability of its provisioning solution, adds deep integration into many important Microsoft components, and much improves the experience for both administrators and end users. BMC Software moved from the Challengers quadrant to the Niche Players quadrant, primarily based on shifting internal priorities, which impact its go-to-market strategy. This is reflected in an overall slowing of its growth. Ilex was dropped from the study this year due to minimal market presence. User Provisioning Is (in the Short Term) Giving Way to Other, Easier Projects As discussed in the What You Need to Know section of this research, Gartner sees a subtle shift in the IAM market. That leads us to offer the following Strategic Planning Assumption for both end users and vendors: Through 2013, notable identity and access management project failures will cause 50% of all companies to shift their IAM efforts to intelligence rather than administration. Without a more formal and effective approach to delivering IAM solutions, enterprises will continue to experience challenges in delivery. More importantly, the shift away from IT needs for efficiency of operations, to enterprise needs for accountability, transparency and reliability, is taking place. The business is taking a much more active role in the use of identity management for critical business processes. As such, demands are decidedly different IAI will be increasingly required by the business for auditing and general compliance needs, analytics, forensics investigations, and risk assessments and evaluations. Administration concerns that require elements of monitoring and control do not go away, but attention will now be shared with new analytics results for the business. The inherent length and complexity of user-provisioning programs, combined with implementation horror stories, is at the heart of a notable trend. Specifically, Gartner believes that organizations facing compliance burdens are realizing that full provisioning implementations (while still ultimately important and necessary for long-term compliance) can be postponed or de-emphasized in the short term in favor of IAI solutions. The reasoning is as follows: Intelligence projects focus on auditing, log management and correlation, monitoring, manual remediation, and analytics. Implementing IAI tools is simpler compared with provisioning. IAI tools deliver business value faster than provisioning does. IAI tools more easily span all users and systems. While real benefits can be realized with IAI, user provisioning cannot be delayed for a long time. Consider the following: User provisioning performs update and control functions, not just analysis. Administration projects are becoming mainstream, and vendors are supporting more out of the box solutions. Implementing IAI tools provides insight but does not remove the long-term need for more efficient and effective identity administration. Other Key Trends for 2010 Compliance continues to be a significant driver among global corporations for user provisioning, although this depends on the relative size of the enterprise, the market segment and geography. Security efficiency for cost containment and service-level targeting remains a strong driver worldwide, and is being used to justify the expense for projects that may, in fact, be compliance-driven. The most notable growth regions for provisioning are Western Europe, Asia/Pacific and Latin America. Growth has slowed significantly in North America. Significant contributors to the user-provisioning decision process in 2010 include: Identity audit and reporting (that is, the ability to report fully and accurately on the effects of user provisioning across the enterprise). Role life cycle management, which defines, engineers, maintains and reports on enterprise roles and rules as inputs to the provisioning process.

5 Total cost of ownership (TCO) and the time to value, which are of growing concern as potential customers seek savings during times of economic uncertainty. Specific industry segment size strategies (for example, SMB targeting). Specific industry vertical strategies (for example, healthcare user-provisioning differentiation). GRCM support, driven primarily by enterprise application providers (such as SAP and Oracle) through ERP implementations, and by the need to support fine-grained authorization as part of the user-provisioning process. There is also a desire to deliver an overall IAM governance program that identifies and supports the role of user provisioning, and links it to the information security policy and the establishment of controls. SI and/or consultant selection for project or program implementation. Privacy controls to ensure that what is provisioned is adequately protected from technical and regulatory perspectives. Provisioning for card management tools as part of a security management environment. Many customers, especially large enterprises, continue to evaluate user-provisioning solutions as part of a broader IAM suite or portfolio, depending on their specific requirements. This creates additional challenges for user-provisioning vendors that do not offer a portfolio solution. Nonsuite user-provisioning vendors still offer sufficient innovation and differentiation to compete effectively with portfolio vendors, and still address customer needs that are not aggressively pursued by portfolio vendors (for example, SMBs, specifically in industries such as healthcare). Continued differentiation, agility and partnerships are critical for any nonsuite vendor to remain viable in the long term. Differentiation, especially with regard to price (for example, fixed-cost engagements), rapid deployment, prepackaged (that is, quick and proven) solutions, and ease of use, will be key. At present, four vendors are recognized as single providers of suites or portfolios defined as having at least directory services, user provisioning and Web access management. They are Oracle, IBM Tivoli, Novell and CA Technologies, and all are in the Leaders quadrant. Many other vendors, such as Courion, Siemens, Evidian and Quest, offer partial suites; they and many point vendors are expanding their offerings to full suites through partnerships. Nonsuite provisioning vendors typically partner with other vendors that offer other IAM component products, and they offer comprehensive licensing with customers and partners as competitive leverage to create relationships and opportunities, particularly in displacement strategies. This has as great an impact on the future of the user-provisioning market as product features or SI partnerships do. Some of the user-provisioning vendors sell solutions to managed or hosted service providers, illustrating a design and configuration that would allow a managed or Internet-based service offering for user provisioning. Early indicators show that evaluations, particularly for SMBs, of user provisioning as part of a broader SaaS offering, are occurring in major service provider firms. Although technical improvements in user provisioning continue, project complexity for large implementations remains a challenge for customers, and could result in long planning and deployment periods. Structured and formal methods of planning and implementing user-provisioning solutions in enterprises have improved, but are still evolving. Most IAM project failures are related to issues in vision, governance and the project scoping/definition phase. Customers embarking on an IAM initiative must spend time properly defining and prioritizing specific business challenges and use cases that user provisioning must address. Success practices include, but are not limited to: Developing a clear and compelling vision of the IAM program, selling that vision to key stakeholders, and communicating project status and successes/issues throughout the program. This will embrace far more than user-provisioning implementation projects, of course. Using a decision framework for planning IAM that includes identifying, prioritizing and organizing key resources in the implementation process for user provisioning. Selecting a proven program partner (that is, consultant or system integrator) to lead the effort in a reasonable time frame one that understands the business issues of user provisioning and the technical implementation concerns required to be successful. Addressing issues related to role life cycle management for effective user provisioning. Addressing critical issues in post-implementation customer environments related to fixes, integration or expansion. Before you select an IAM vendor or system integrator, we recommend that you review Q&A for IAM: Frequently Asked Questions, Developing IAM Best Practices, How to Use Visioneering Principles to Drive a Successful Identity and Access Management Program, IAM Foundations, Part 1: So You ve Been Handed an IAM Program... Now What? and related research. Further Trends The role of IAI, SIEM and DLP continue to grow in user-provisioning solutions as security and network events are correlated with identity and access events to provide a full picture of the network. Commoditization of some aspects of IAM is evident, with smaller vendors offering appliance-based solutions for low-volume, simple provisioning needs. In addition, traditional networking and platform vendors (large and small) that provide such solutions will begin 5

6 6 entering the provisioning market, offering simple, basic provisioning for interested audiences and use cases. While in its early stages, IAM as a service will expand to include provisioning for some clients, although a significant market adoption is unlikely before Early predictions of IAM as a service have been impacted by economic conditions interest is high, but deployment is not. Market Maturity User provisioning can be considered a horizontal function in the enterprise. Enterprises consist of vertical functions, such as accounting, finance, human resources and functions specific to that enterprise. Provisioning has an impact on all of them if they are part of the integrated IAM solution. Failure to address this functional concept well inhibits success, and successful vendors and integrators have learned this painful lesson. A comprehensive process for assigning and tracking entitlements within an enterprise can be a key criterion in user provisioning. Role life cycle management actually provides two primary functions. One builds the necessary infrastructure of an access request system by discovering existing entitlements and candidate roles and creating repositories for them. The other provides an administration and reporting system for the access request process. Special tools can also provide an experienced analyst with modeling and analytics tools for reporting on the process to those who need such reports for example, compliance and audit teams. The market for role life cycle management consists of component solutions that are part of the major vendor IAM suites (for example, Oracle and CA) and component stand-alone solutions (for example, Aveksa and SailPoint). The use of such tools can reduce the manual workload related to role discovery and mapping by 40% to 55%. However, the complexity of role life cycle management efforts can rival those of user provisioning, particularly in enterprises with complex IT systems. As with user-provisioning initiatives, rigorous planning and process work are vital to success. A third area of growing maturity is IAI. As compliance and regulatory needs become more specific and are better defined, identity analytics, data correlation and audit reporting are evolving as products and product functions to address specific enterprise needs. Although this remains an ongoing process, many vendors offer compliance dashboards, identity and access log management, or canned reports to address these needs as part of such IAI solutions, or as input into GRCM vendor solutions. Characteristics of Leading Vendors Although the user-provisioning market has matured and vendors from any of the quadrants could potentially address customer needs, particular characteristics of a good candidate vendor still exist: Price and service: As the market continues to move to maturity, price differentiation and pricing options become more important to the vendor as well as to the customer. This pricing extends to preimplementation and postimplementation experience. Good partners: Good user-provisioning vendors have good implementation partners those with proven histories of performance, and the ability to understand and address customer industry requirements that are affected by differences in business segment, region and size. Some vendors have direct integration experience, and industry expertise is a requirement. The ability to define deliverables, phases of the project, metrics and an end state : When embarking on an initiative as potentially complex as user provisioning, customers must ensure that the program is defined with metrics that can be measured, and with projects that have an end. Many earlier user-provisioning experiences lasted for years because of the inability to know when the end has been reached (or even what the goal of Phase 1 is). There must be an end to a businesscritical implementation project (such as user provisioning), or at least those phases of technology and process implementation, to enable the ongoing program to continue. Coupling and uncoupling the suite: A world-class userprovisioning vendor should be able to sell user provisioning and the associated user-provisioning services (for example, identity audit and reporting, or workflow) without requiring customers to buy the entire IAM suite that it sells. Integration is a good thing, but not when the system is so tightly integrated that uncoupling it later on to implement a complementary third-party tool is impossible. This represents an aggressive competition strategy for pure-play, user-provisioning providers. Solution selling vs. making it fit: A leading vendor will provide user provisioning as part of a packaged solution that s tailored to the customer s stated requirements, rather than forcing the customer s requirements to fit the product. The corollary of this is that the customer must have a clear and comprehensive definition of requirements before conducting any formal evaluation of specific tools. Although there must always be some practical compromise, mature, best-in-class solutions are able to look more like the customer s business requirements rather than a vendor s technical specifications. Modularity: Mature user-provisioning products show an awareness of enterprise architectures and the role of the products within them. These products also have a quicker turnaround in feature and version release, because the product design allows for smoother updates and follows a secure system development methodology. Mature product vendors in user provisioning show an awareness of the requirements for service-oriented and service-centric infrastructures, and move to accommodate them with service-centric solutions, where possible.

7 Migration and upgrade: User-provisioning vendors should exhibit a formal plan for migrating from a competitor s offering to their own, and be able to do so quickly and effectively. This also applies to a vendor s ability to provide quick and effective upgrades to their existing solutions. The postimplementation experience: User provisioning is a well-established market. As such, user-provisioning products (and integrators) should demonstrate signs of maturity. If customers are unhappy and seek replacement solutions and services, then there are serious issues with planning and requirements. The postimplementation experience for a new customer and an upgrade customer will say a lot about worldclass user-provisioning vendors in this market. While a single list cannot hope to capture all of the nuances of what makes a leading vendor, it does help develop the mind-set of what to look for. This is relatively independent of vendor size or industry range in the user-provisioning market, and can provide an opportunity for even the smallest vendor to excel in a comparative view of customer experience. User Provisioning as Part of a Suite or Portfolio vs. Pure-Play Product Situations in which customers might choose a pure-play userprovisioning vendor over a suite or portfolio vendor include: Policy-driven or IT concerns regarding vendor lock-in (that is, a monoculture for IAM solutions) Customers that already have solutions for access management or point identity management solutions from a vendor whose user-provisioning solution does not meet requirements Price, time of implementation or industry-specific options The product being just a better fit for customer needs Situations in which customers might choose an IAM suite vendor over a point vendor include: Customers constrained by the number of vendors that they can choose, particularly for a multitool IAM solution of which user provisioning is one An application or infrastructure requirement that specifies the product suite as optimal for integration with that application or infrastructure A licensing or cost advantage achieved by owning products or using services from the suite or portfolio vendor An agreement between a provider of outsourced services and a client in which a consolidated contract with a preferred vendor is more acceptable The product being just a better fit for customer needs Increasingly, IAM suite vendors are using the relationship to the customer as a strategic advantage over a pure-play provider. Relationship includes any existing contracts or provider agreements a customer may already have with that vendor, a desire to pursue a unified maintenance agreement, or a wholesale adoption of that vendor s architecture and road map that includes IAM. This constrains pure-play providers from participating in such an environment. It is important to note that selling component IAM products does not constitute integration. Instead, true user experience, workflow, and reporting and brokering functions, such as common architecture and implementation, constitute customer views of integration. For an in-depth discussion of the actual levels of integration within the major suite vendors, see Comparing IAM Suites, Part 1: Suite or Best of Breed? and Comparing IAM Suites, Part 2: Heterogeneous Deployments and IAM Foundations, Part 2: Tools and Technologies. Addressing the Vendor Viability Question There is a perception that, if a vendor is small, then its long-term viability is questionable; conversely, there is the perception that large vendors are a better bet because they should be around for a long time. This line of thinking, while somewhat reasonable, is fatally flawed. Reality intrudes on these innocent perceptions. For example, in 2008, HP exited the IAM market; and in early 2010, Oracle acquired Sun Microsystems. Further, BMC s focus has shifted its IAM strategy significantly from being a mainstream IAM competitor to mostly being interested in selling to existing BMC customers under its Business Service Management strategy. Other, less notable, examples exist as well. As a result, choosing a large IAM vendor is not as safe as one might believe. However, even with the above-mentioned facts, customers may begin to think something along the following lines, Well, I should just choose the largest company possible, and I ll be safe. As such, many potential IAM purchasers begin to narrow their scope to vendors such as IBM and Oracle. There is still another fatal flaw in that rationale namely, these large companies cannot promise product-level viability. Product-level viability is ultimately what customers are interested in. Consider the following brief sampling of the history related to the lack of product-level viability from large vendors: IBM s discontinuance of Tivoli User Manager in favor of Access360 enrole, which became Tivoli Identity Manager. IBM s OEM (February 2006) and subsequent removal of Passlogix for enterprise single sign-on (ESSO). It was replaced by acquiring ESSO vendor Encentuate in March 2008). IBM s marketing of and subsequent sunset of Tivoli Privacy Manager. No full replacement strategy ever existed. 7

8 8 IBM s marketing of and subsequent sunset of Tivoli Risk Manager. It was replaced via the acquisition of Micromuse and Consul Risk Management. Oracle s acquisition of Bridgestream for role management. Subsequently, it was sunset and replaced by the functionality offered by Sun Role Manager (previously Vaau). Users identities Each comprising an identifier and a set of attributes Users access Interactions with information and other assets User provisioning is a fundamental part of an overall IAM technology offering. The four major categories of IAM are: Quest s purchase of PassGo and sunset of its own SSO tool. CA, Novell and Siemens have all changed focus or strategies in the past. What does this have to do with viability? It shows how invested the vendor is in the IAM strategy. Customers really need to understand how IAM fits into the overall corporate strategy, whether investments are self-serving or customerdriven, and how important it is to the vendor s success. This history shows there is no guarantee of viability at a vendor level or a product level. Gartner believes some diversification may be a prudent course of action. In addition, customers should: Aggressively negotiate contracts related to long-term support. Require proactive measures, such as source codes escrow. Intelligence: IAI is essentially business intelligence for IAM. IAM intelligence technologies provide the means of collecting, analyzing, auditing, reporting and supporting rule-based decision making based on identity and identity-related data. This data helps organizations measure, manage and optimize performance to achieve security efficiency and effectiveness and to deliver business value. Administration: IAM administration technologies offer a means of performing identity-related tasks (for instance, adding a user account to a specific system). In general, administration tools provide an automated means of performing identity-related work that would otherwise be performed by a human; examples include tasks such as creating, updating or deleting identities (including credentials and attributes), and administering access policies (rules and entitlements). User provisioning is an IAM administration technology. Review the vendor s history related to acquisitions. Review the vendor s financial situation. Acquire products that are based on well-understood standards and protocols. Create detailed documentation of the processes that a product automates that way, if forced to change products, a customer will have a pre-established list of functional requirements stating what the product must do. Deployment Costs In 2009, the average ratio of product licensing to consulting/ integration costs was approximately 1-to-3 (for every $1 in software costs, the customer would spend $3 on consulting/integration). For some vendors and implementations, it was as high as 1-to-5, but for others particularly pure-play vendors (where the scope of effort may be smaller if user provisioning alone is addressed) the ratio approached 1-to-2 or even 1-to-1. The goal for most vendors (and integrators) is to have as low a ratio as possible. As the market continues to mature and more preconfigured packages become available, this is possible even for larger portfolio vendors. Market Definition/Description Defining IAM IAM is a set of processes and technologies to manage across multiple systems: Authentication: IAM authentication technologies are deployed to provide real-time assurance that a person is who he or she claims to be to broker authentication over multiple systems and to propagate authenticated identities. Authentication methods embrace many different kinds of credentials and mechanisms, often in combination with various form factors (for instance, hardware tokens or smart cards). At the time of this writing, passwords are still the most often used method of authentication. Authorization: IAM authorization technologies are a form of access control used to determine the specific scope of access to grant to an identity; they provide real-time access policy decision and enforcement (based on identities, attributes, roles, rules, entitlements and so on). Users should be able to access only what their job functions allow them to access. For instance, if a person is a manager, he or she is granted the access necessary to create or edit a performance review; if a person is not a manager, then he or she should be able to review only his or her own performance review and only at a specific stage of the review cycle. Web access management, entitlement management, identity-aware networks and digital rights management tools are examples of authorization management technologies. These categories are based on a foundation of identity repository technologies that include enterprise Lightweight Directory Access Protocol (LDAP) directories, virtual directories, metadirectories, and (increasingly) relational databases. While standard LDAP directories remain the identity repository of choice, limitations inherent in these directories relative to fine-grained authorization and policy implementation may require database participation. LDAP directories are optimized for fast reads and are optimal for

9 large environments. However, there are limits, because in these large-scale environments (that is, more than 500,000 users), there are significant changes requiring replication or writes. Traditional LDAP directories can experience performance problems during synchronization events, resulting in stale or unreliable data. Defining User Provisioning User-provisioning solutions are the main engine of identity administration activities. User-provisioning tools have some or most of the following functions: Workflow and approval processes Password management (with the ability to support self-service) Other credential management Role life cycle management User access administration (with the ability to support selfservice) Resource access administration (with the ability to support selfservice) Basic IAI (analytics, auditing and reporting), including SOD support User-provisioning solutions address an enterprise s need to create, modify, disable and delete identity objects across heterogeneous IT system infrastructures, including operating systems, databases, directories, business applications and security systems. Those objects include: User accounts associated with each user Authentication credentials Typically for information system access, and then most often just passwords, but sometimes for physical access control Roles Business level, provisioning level and line-of-business level Entitlements (for example, assigned via roles or groups or explicitly assigned to the user ID at the target system level) Managing group membership or role assignments, from which entitlements may flow Managing explicit entitlements User profile attributes (for example, name, address, phone number, title and department) Access policies or rule sets (for example, time-of-day restrictions, password management policies, how business relationships define users access resources and SOD) User-provisioning products are a subset of identity administration products, which are a subset of the broader IAM landscape (intelligence, administration, authentication and authorization). All user-provisioning products offer the following capabilities for heterogeneous IT infrastructures: Automated adds, changes or deletes of user IDs at the target system Password management functionality For example, simplified help desk password reset, self-service password reset and password synchronization, including bidirectional synchronization (sold as a separate product by some userprovisioning vendors because they had their start there) Delegated administration of the user-provisioning system Self-service request initiation Role-based provisioning through capabilities provided by role life cycle management features or partners Workflow Provisioning and approval HR application support for workforce change triggers to the user-provisioning product Reporting the roles assigned to each user and the entitlements that each user has Event logging for administrative activities A comprehensive user-provisioning solution has the following additional capabilities: SOD administration and reporting: Enterprises need to automate and manage application-level business policies and rules to identify SOD violations. They also need to quickly remove those violations from the application environment, and ensure that new SOD violations are not introduced in the course of the ongoing management and identity administration of the application. Today, SOD tools exist primarily for ERP applications ERP-specific, transaction-level knowledge is required to successfully enforce SOD in these environments. However, a generic SOD framework is required to address all SOD application needs in the enterprise. Typically, a role is used as the container to segregate conflicting business policies in the application environment. Many user-provisioning vendors deliver capabilities for this heterogeneous framework. It does not alleviate an ERP product s need for SOD, because these tools have extensive integration with ERP applications. User-provisioning vendors should continue to partner with ERP vendors to deliver complete SOD solutions. 9

10 10 Role life cycle management: Regulatory compliance initiatives are directing IAM efforts back to the drawing board for role development. The role becomes a very important control point that enterprises need to manage in a life cycle manner just as they do an identity. Enterprises need the ability to automate processes to: Define existing roles through role-mining automation. Manage formal and informal business-level roles for any view of the enterprise (for example, location, department, country and functional responsibility), and to feed user-provisioning products to ensure that the link is made between the business role and associated IT roles. Establish a process by which the development process for new roles in the enterprise follows the same management process used for existing roles, and ties those new roles to the automated role life cycle management solution. Deliver a generic framework to address all role life cycle management needs. Most user-provisioning vendors are partnering with role life cycle management vendors, acquiring them or building that expertise with the user-provisioning solution. Manage the role throughout its life cycle role owner, role changes, role review, role assignment, role retirement and rolebased reporting options. IAI audit reporting: Meeting the regulatory compliance requirements of reporting on SOD, roles, who has access to what, who did what, and who approved and reviewed what (referred to as the attestation process in auditing terms) for all IT resources is complex and expensive in the heterogeneous IT infrastructure. Reporting tools need to be in place to leverage the user-provisioning authoritative repository, and all other repositories that are used for the authentication and authorization process to produce reports on SOD, role, who has access to what, and who approved and reviewed what, which include the entire enterprise s IT assets. In addition, centralized event logs for all identity management activities those from the user-provisioning and access management products, as well as all systems where authentication and authorization decisions are being made in real time are needed to do a proper job of reporting who did what. No user-provisioning vendor (or suite vendor) provides all identity management capabilities noted above without some partnering. For most enterprises, additional products are required to round out the functionality set. Security information and event management (SIEM) tools can be used for who did what reporting at the event level, with granularity by time of day, geography, network port and other details; and we are seeing increased vendor interest in creating integration paths between core IAM products and SIEM (and other) intelligence or analytics tools. DLP tools provide content awareness for accessing files and databases, and will play a significant role in delivering more-precise entitlement assignments. The 2010 Magic Quadrant focuses on vendor delivery of ease of deployment, ongoing operations, and maintenance and vendor management as a sign of maturity. The research also emphasizes marketing vision and execution, and evaluates sales and advertising execution as part of the overall experience: How do the user-provisioning vendors deliver core userprovisioning capabilities as an enterprise management system in support of an ongoing, changing business environment? Similar to the 2009 Magic Quadrant, in 2010, we evaluated how easy it is to change and maintain workflow and connectors, but we also evaluated software services (scripts) and other functionality, such as integrating the user-provisioning product with the HR application and building the authoritative repository. Because user provisioning is a maturing market, we also evaluated vendors marketing and sales effectiveness in terms of market understanding, strategy, communications and execution. We evaluated each vendor s organization for such services, its ability to change to reflect customer demands and its overall success as measured by customers. Increased attention was given to the vendor s role life cycle management vision, strategy and road map particularly in terms of IAI, compliance reporting and remediation. We also increased attention on the IAI capabilities, their ease of use and their attractiveness to end users (via relevant out-ofthe-box reports, applicable dashboards and so on). Increased attention was given to adjacent technologies in GRCM, SIEM, network access control (NAC) and DLP, and their ultimate impact on IAI functionality for provisioning. We focused on the early stages of service-architected user provisioning to prepare for large-scale, large-volume provisioning requirements. Early uses of large-scale provisioning are already evident. Gartner ranks vendors in the Magic Quadrant based partly on product capability, market performance, customer experience and overall vision to determine which vendors are likely to: Dominate sales and influence technology directions during the next one to two years. Be visible among clients through several marketing and sales channels. Generate the greatest number of information requests and contract reviews. Have the newest and most-updated installations. Be the visionaries and standard bearers for the market.

11 Inclusion and Exclusion Criteria The following criteria must be met for vendors to be included in the user-provisioning Magic Quadrant: Support for minimum, core user-provisioning capabilities across a heterogeneous IT infrastructure Automated adds, changes and deletes of user IDs at the target system Password management functionality Delegated administration Self-service request initiation Role-based provisioning supported by role life cycle management IAI Workflow provisioning and approval HR application support for workforce change triggering to the user-provisioning product Reporting the roles assigned to each user and the entitlements that each user has An event log for administrative activities Products deployed in customer production environments, and customer references Vendors not included in the 2010 Magic Quadrant may have been excluded for one or more of the following reasons: They did not meet the inclusion criteria. They support user-provisioning capabilities for only one specific target system (for example, Microsoft Windows and IBM iseries). They had minimal or negligible apparent market share among Gartner clients, or currently available products. They were not the original manufacturers of a user-provisioning product This includes value-added resellers (VARs) that repackage user-provisioning products (which would qualify for their original manufacturers); other software vendors that sell IAM-related products, but don t have user-provisioning products of their own; and external service providers that provide managed services (for example, data center operations outsourcing). Added No new vendors were added to this year s study. Dropped Ilex Dropped due to minimal market share and minimal client mentions. Sun Microsystems Dropped due to its acquisition by Oracle. Other Vendors of Note econet ( Based in Munich, Germany, and founded in 1994, econet has, since early 2006, entered the user-provisioning market with cmatrix a service management, service-oriented offering targeted at service providers primarily in EMEA. In many respects, econet s marketing and sales model is very similar to Fischer International s. Early clients include Siemens and KPMG. econet continues to market to the IAM-as-a-service candidate either the provider of such services or the client interested in developing a private IAMas-a-service experience. Fox Technologies ( A Mountain View, California, company, FoxT has products that focus primarily on access control and service account management. However, FoxT ApplicationControl addresses basic elements of password management, account administration (including basic provisioning), and audit reporting as part of an IAM package including SOD enforcement, monitoring and reporting. Ilex ( Based in Asnières-sur-Seine, France, near Paris, Ilex provides three major products: Sign&go (Web and ESSO), Meibo (workflow, basic provisioning and some role management), and Meibo People Pack (extended reporting and audit for provisioning). Founded in 1989, Ilex has accumulated a small, yet solid customer base, predominantly in France. With features such as Service Provisioning Markup Language (SPML) support, a simple design and userfriendly interface, and good connector kits for provisioning and SSO, Ilex is able to effectively compete in a number of banking and finance, telecommunications, and transportation industry segments against larger competitors. Imanami ( Based in Livermore, California, Imanami is a lesser-known company, but it has some notable clients. Imanami s GroupID Synchronize serves as a data synchronization engine for an Active Directory environment through custom scripting, enabling Microsoft-centric enterprises to leverage their infrastructures to some extent. AT&T (formerly, Cingular Wireless) is a client. 11

12 12 Institute for System-Management ( Based in Rostock, Germany, near Berlin, ism is a small company focused on German-speaking-country markets with its bi-cube product for provisioning, SSO, and process and role life cycle management. Privately funded, this 10-year-old enterprise takes a process-centric, business intelligence focus to deliver a series of preconfigured process and configuration modules ( cubes ) that can be linked together to provide user-provisioning and role life cycle management functionality. It has a small customer base in Germany, Austria and Spain, in large industries, such as telecommunications and insurance. ism continues to refine the modules to form a more standardized user-provisioning and process management product offering. Lighthouse Security Group ( com) Headquartered in Lincoln, Rhode Island, Lighthouse Security Group established its SaaS-based offering after building up experience developing a managed offering in the U.S. defense market. Lighthouse s offering is unique, in that it has overlaid a common, easy-to-use graphical administration capability onto IBM Tivoli s core IAM products to deliver a relatively complete set of IAM functions as a multitenant, SaaS-based service. Lighthouse s approach allows customers to take advantage of the multifaceted feature set of IBM Tivoli s provisioning, Web access management and federation products, while being shielded from many of those products complexities. This provides integration hooks into many enterprise identity repositories for automated provisioning and leverages these repositories as authentication and entitlement sources. While extensive administrative and access control event data is logged, reporting is the customer s responsibility. Several SaaS target applications have been integrated with the service. NetIQ ( NetIQ, a global enterprise software vendor headquartered in Houston, Texas, is perhaps best known for its operations management and monitoring technologies and security monitoring technologies. However, many organizations are unaware that NetIQ has also been quietly growing a respectable IAM portfolio and a solid customer base for those tools. NetIQ is best suited for organizations that have selected Active Directory as their core or one of their core directories. The IAM solution components available from NetIQ include user provisioning (via NetIQ Directory and Resource Administrator, Advanced Edition), compliance and audit management, privileged-account activity management, Active Directory-Unix bridge (OEM of Centrify), and user self-service (including password reset) capabilities. OpenIAM ( [commercial] and [open source]) Headquartered in Cortlandt Manor, New York, OpenIAM has created an integrated suite of provisioning, access management and federation components, offered in professional open-source and enterprise licensing models. Components use a common enterprise service bus for integration. OpenIAM s Identity Manager product provides core capabilities found in other commercial products, such as self-service, password management and audit, and it includes SPML-based connectors to many commonly used targets. The company s Access Manager product provides support for password- and certificate-based authentication, coarse- and finegrained authorization, XACML 2.0 support, and SAML identity provider and service provider federation support, and it includes a security token service. OpenIAM has been fortunate to receive support from early government and SI customers, who have been pushing and funding OpenIAM to expand its capabilities. OpenIAM offers a very attractive support and pricing model. SailPoint ( SailPoint is based in Austin, Texas, and serves the Global 1000, with customers that include seven top-tier global banks, four of the world s largest property and casualty insurers, the largest global telecommunications provider, two of the largest biotechnology manufacturers in the world, and three of the top healthcare insurers. SailPoint originally entered the market as a technology innovator, augmenting customers existing provisioning systems in order to meet needs in role and compliance management and identity governance. SailPoint now also sells an access request-based user-provisioning solution that is a fully integrated component of the IdentityIQ solution. Evaluation Criteria Ability to Execute Gartner evaluates technology providers on the quality and efficacy of the processes, systems, methods or procedures that enable IT provider performance to be competitive, efficient and effective, and to positively impact revenue, retention and reputation. Ultimately, technology providers are judged on their ability to capitalize on their vision and succeed doing so. For user provisioning, the ability to execute hinges on key evaluation criteria: Product/Service: These are core goods and services offered by the technology provider that compete in or serve the defined market. This includes current product or service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements or partnerships, as defined in the market definition and detailed in the subcriteria. Specific subcriteria are: Password management, including shared account or service account password management support User account management or role-based provisioning Management of identities Workflow persistent state, nested workflows, subworkflows, templates of common user-provisioning activities and change management Identity auditing reports Connector management

13 Integration with other IAM components User interfaces Ability to configure, deploy and operate message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product or brand and organization in buyers minds. This mind share can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities. Specific subcriteria are: 13 Role life cycle management Integrated communications execution Resource access administration Impact analysis modeling for change SPML 2.0 support Overall Viability (Business Unit, Financial, Strategy, Organization): This includes an assessment of the overall organization s financial health; the financial and practical success of the business unit; and the likelihood of the individual business unit to continue investing in the product, offering the product and advancing the state of the art in the organization s portfolio of products. Specific subcriteria are: History of investment in the division Contribution of user provisioning to revenue growth Sales Execution/Pricing: This is the technology provider s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. Specific subcriteria are: Customer perception measurement Customer Experience: This is the relationships, products, and services or programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways that customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), the availability of user groups, SLAs, and so on. Specific subcriteria are: Customer support programs SLAs Operations: This is the organization s ability to meet its goals and commitments. Factors include the quality of the organizational structure, such as skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. Specific subcriteria are: Training and recruitment Number of major reorganizations during the past 12 months Pricing Market share Additional purchases (for example, relational database management system, application server and Web server) Market Responsiveness and Track Record: This is the ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the provider s history of responsiveness. Specific subcriteria are: Product release cycle Timing Table 1. Ability to Execute Evaluation Criteria Evaluation Criteria Product/Service Overall Viability (Business Unit, Financial, Strategy, Organization) Sales Execution/Pricing Market Responsiveness and Track Record Marketing Execution Customer Experience Operations Source: Gartner (September 2010) Weighting High Standard Standard High High High Standard Competitive replacements Marketing Execution: This is the clarity, quality, creativity and efficacy of programs designed to deliver the organization s

14 14 Completeness of Vision Gartner evaluates technology providers on the ability to convincingly articulate logical statements about current and future market directions, innovations, customer needs, and competitive forces, and how well these map to the Gartner position. Ultimately, technology providers are rated on their understanding of how market forces can be exploited to create opportunities for the provider. For user provisioning, completeness of vision hinges on key evaluation criteria: Market Understanding: This is the ability of the technology provider to understand buyers needs and translate them into products and services. Vendors that show the highest degree of vision listen to and understand buyers wants and needs, and can shape or enhance those desires with their added vision. Specific subcriteria are: Market research delivery Product development Agility in responding to market changes Marketing Strategy: This is a clear, differentiated set of messages that is consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. Specific subcriteria are: Integrated communications planning Advertising planning Sales Strategy: This is the strategy for selling products using the appropriate network of direct and indirect sales, marketing, service, and communications affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Specific subcriteria are: Business development Partnerships with system integrators Channel execution Offering (Product) Strategy: This is a technology provider s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements. Specific subcriteria are: Product themes Foundational or platform differentiation Business Model: This is the soundness and logic of a technology provider s underlying business proposition. Specific subcriteria are: Track record of growth Frequency of restructuring Consistency with other product lines Vertical/Industry Strategy: This is the technology provider s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. Subcriteria are: SMB support Industry-specific support Innovation: This is the direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. Specific subcriteria are: Distinct differentiation in features or services Synergy from multiple acquisitions or focused investments Role life cycle management (discovery, modeling, mining, maintenance, certification and reporting) Service-oriented provisioning Geographic Strategy: This is the technology provider s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the home or native geography, directly or through partners, channels and subsidiaries, as appropriate for that geography and market. Specific subcriteria are: Home market International distribution Table 2. Completeness of Vision Evaluation Criteria Evaluation Criteria Market Understanding Marketing Strategy Sales Strategy Offering (Product) Strategy Business Model Vertical/Industry Strategy Innovation Geographic Strategy Source: Gartner (September 2010) Weighting Standard High High Standard Standard High High Standard

15 Leaders Leaders are high-momentum vendors (based on sales, world presence and mind share growth), and they have evident track records in user provisioning across most, if not all, market segments. Business investments position them well for the future. Leaders demonstrate balanced progress and effort in the Execution and Vision categories. Their actions raise the competitive bar for all products in the market. They can and often do change the course of the industry. Leaders should not be the default choice for every buyer; rather, clients are warned not to assume that they should buy only from the Leaders quadrant. Leaders may not necessarily offer the best products for every customer project, and may even prove to have a higher TCO than some nonleading vendors. Leaders provide solutions that offer relatively lower risk, and provide effective integration with their own solutions as well as with competitors solutions. Every vendor included in the Leaders quadrant is there because it meets legitimate business or company needs. Challengers Challengers have solid, reliable products that address the needs of the user-provisioning market, with strong sales, visibility and clout that add up to execution higher than that of Niche Players. Challengers are good at winning contracts, but they do so by competing on basic functions or geographic presence, rather than specifically on advanced features. Challengers are efficient and expedient choices for more-focused access problems, or for logical partnerships. Many clients consider Challengers to be good alternatives to Niche Players or, occasionally, even Leaders, depending on the specific geography or industry. Challengers are not second-place vendors to Leaders and should not be considered as such in evaluations. Challengers in this Magic Quadrant all have strong product capabilities, but often have fewer production deployments than Leaders do. Business models vary, as do overall product strength and breadth, marketing strategy, and business partnerships. This has kept some Challengers from moving into the Leaders quadrant. Visionaries Visionaries are distinguished by technical and/or product innovation, but have not yet achieved a record of execution in the user-provisioning market to give them the high visibility of Leaders, or they lack the corporate resources of Challengers. Buyers should be wary of a strategic reliance on these vendors, and should closely monitor these vendors viability. Given the maturity of this market, Visionaries represent good acquisition candidates. Challengers that may have neglected technology innovation and/or vendors in related markets are likely buyers of Visionary vendors. As such, these vendors represent a higher risk of business disruption. Visionaries invest in the leading-edge features that will be significant in the next generation of products, and that will give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they lack the execution influence to outmaneuver Challengers and Leaders. Clients pick Visionaries for best-of-breed features, and in the case of small vendors, they may enjoy more personal attention. Niche Players Niche Players offer viable, dependable solutions that meet the needs of buyers, especially in a particular industry, platform focus or geographic region. However, they sometimes lack the comprehensive features of Leaders, or the market presence and/ or resources of Challengers. Niche Players are less likely to appear on shortlists, but they fare well when given a chance. Although they generally lack the clout to change the course of the market, they should not be regarded as merely following the Leaders. Niche Players may address subsets of the overall market, and often do so more efficiently than Leaders. Clients tend to pick Niche Players when stability and focus on a few important functions and features are more important than a wide and long road map. Customers that are aligned with the focus of Niche Players often find their offerings to be best of need solutions. Vendor and Avatier Avatier Identity Management Suite (AIMS) v.8 (July 2009) Avatier Account Creator, Avatier Account Terminator, Avatier Identity Enforcer, Avatier Identity Analyzer, Avatier Password Station, Avatier Compliance Auditor Avatier is a pure-play identity management vendor focusing on user provisioning, password management, audit and compliance reporting, and SOD/rule enforcement. It features an innovative Web services connector architecture for heterogeneous integration across different platform environments. In the U.S., most Avatier sales are direct. Internationally, Avatier is sold through an expanding number of midtier services and consulting partners. Avatier s focus is on creating identity management products that are simple and easy to understand for end users and administrators. The result is a very intuitive, graphical-userinterface-driven environment that is understandable even by people with modest technical skills; a resulting positive benefit is that implementations generally are extremely quick compared with most competitors. Avatier demonstrates consistent execution on its innovative vision and significant customer wins and satisfaction. Avatier s roots are in password management, where it has traditionally picked up many small and midsize enterprise customers; however, it also has a number of successful large enterprise implementations and notable brand-name customers. Avatier is directory-agnostic for its identity repository and supports multiple databases for logging and other identity object storage. 15

16 16 Avatier s technology and subfunctions (such as its password policies) are developed with service-oriented architecture (SOA) in mind, and can be accessed through Web services. The client front end and target connectors also support SOA. industries. The new SAM Enterprise leverages mature rolebased design via its built-in role life cycle management support for unlimited role hierarchies, dynamic roles, SOD and role mining. Avatier s deployment ratio is very good, estimated at 1-to-0.33, where for every $1 spent on licensing, only $0.33 is spent on deployment. Avatier competes against large IAM suite vendors, such as Oracle and IBM Tivoli, and has difficulty gaining the attention of decision makers at larger enterprises, where larger competitors enjoy more access and exposure. As a pure-play provider, Avatier must partner with a shrinking number of partners to provide suite-style solutions to clients who want them. Avatier s innovative approach of hiding IAM complexity (for example, its shopping cart models for entitlements) doesn t always appeal to traditional old school technologists. Beta Systems SAM Enterprise Identity Manager v.1.1 (October 2009) SAM Enterprise Identity Manager is Beta Systems new next generation identity-provisioning system. It replaces the older SAM Jupiter product, while retaining rich feature support for both the mainframe and other systems. The user interface is also greatly improved from previous versions. SAM Enterprise is one of the longest-lived role-based IAM solutions on the market. Although most of its sales remain direct, partnerships and reseller agreements exist. Integrator partnerships with providers such as T-Systems, IBM Global Services and Accenture also ensure implementation options for customers. Beta Systems also has Europe-based VARs, and offers a managed/hosted service for SAM Enterprise. Beta Systems is, at present, undergoing a significant organizational and road map realignment for IAM to position itself for better competitiveness in the market. SAM Enterprise s new interface for workflow creation focuses on simplifying IAM concepts and process development for business users. Beta Systems offers an entry package with fixed project prices for a defined function set. SAM Enterprise is now platform-independent and supports multiple databases for its identity repository and for the storage of other IAM-related data and objects. Beta Systems showed early strength in the banking and financial services sector and is attempting to expand in other Beta Systems offers customers more-flexible pricing options such as fixed-cost implementations. Customer growth due to organizational and road map changes from 2007 to 2009 was marginal, with a temporary drop in 2008 revenue. Audit and reporting analytics and presentation capabilities lag those of competitor offerings. Beta Systems customer base remains 78% concentrated in Europe. North American market presence remains small (approximately 22%). Beta Systems is attempting to expand its U.S. market share and expand into Latin America. Current customers have complained about the quality and thoroughness of Beta Systems documentation; this is being addressed via documentation updates. BMC Software BMC Identity Management Suite BMC User Administration and Provisioning v.5.5 (December 2009) BMC Software is a long-standing IAM provider, still with significant market share dating back more than a decade with the original Control-SA product. BMC is one of the first companies to have recognized and leveraged the value of process-centric IAM (user provisioning). BMC has relationships with technology partners to deliver IAM suite options, such as reduced sign-on (Hitachi ID Systems), role engineering (SailPoint) and Web access management (Symphony Services). BMC s key system integration and consulting partners include Eclipse, Ilantus Technologies, Logic Trends and Wipro Technologies. BMC s VAR channel partners include Accenture and Capgemini, particularly in Europe. BMC s Service Request Management module can be used as provisioning workflow by customers, as an option to BMC Identity Management Suite s User Administration and Provisioning workflow. Integration with BMC s Business Service Management (BSM) offering gives BMC s provisioning product some unique capabilities in the areas of self-service, help desk, change management and asset management.

17 BMC s BSM message and approach to provisioning, which is based on IT Infrastructure Library (ITIL), is innovative and is a differentiator, for existing BMC customers as well as new ones. BMC sells its user-provisioning solution as part of its BSM solution. There is reduced marketing to audiences with specific IAM needs. BMC has less-extensive SI partnerships than leading vendors do. BMC s revenue from IAM has declined by nearly 20% from 2008 to This is likely due to the change in IAM focus and active marketing of IAM. Customer concerns include better user interfaces, slow response to support questions and inconsistent postdeployment support. CA Technologies CA Identity Manager v.12.5 SP1, CA Role & Compliance Manager v.12.5 SP1, CA Enterprise Log Manager v.12.5 SP1 (March 2010) CA Technologies demonstrates customer momentum, a commitment to a role life cycle and compliance management strategy (as evidenced by its Eurekify and IDFocus acquisitions, and integration of these with CA Identity Manager), and audit and compliance reporting. CA Identity Manager and CA Role & Compliance Manager are integral to CA s broader IAM contentaware IAM strategy and delivering identity management to, for and from the cloud. CA Identity Manager is based on IdentityMinder (from 2002) and etrust Admin (from 2000), and has a long heritage in the IAM business. Acquisitions and significant internal investment have accounted for expanded capabilities, and CA continues to successfully pursue this strategy to fill out its IAM portfolio. CA plays an active role in international identity and security standards (technical and process-centric) for user provisioning. CA Technologies has a cohesive and aggressive marketing, sales and integrator strategy. Major integration and consulting partners include Deloitte, PricewaterhouseCoopers and Accenture. Mycroft, Logic Trends, Northrop Grumman and Telecom Italia are key VARs. Since entering the Leaders quadrant in 2008, CA Technologies has consistently demonstrated a strong IAM commitment, overcoming many past negative market perceptions, and delivering competitive IAM solutions. CA has significantly increased license revenue growth for its IAM products in the past year. CA is demonstrating a commitment to simplifying IAM deployments and offering rapid deployment strategies (based on a thorough scoping of customer needs) and fixed-cost implementations. CA Identity Manager has comprehensive features for policy modeling, integration capabilities, delegated administration, Web services, multiple-connector design and entitlement certification capabilities. CA Identity Manager s use with key components of its broad IAM portfolio (CA Role & Compliance Manager, CA Enterprise Log Manager, CA DLP, CA SiteMinder and CA Access Control) is a differentiator. Additionally, a recently expanded relationship incorporates CA s monitoring of IT risk and compliance metrics into SAP s business process risk management. CA s acquisition of Eurekify is significant. Eurekify is generally regarded as an effective product for statistical role mining and analysis. Customers like CA Identity Manager s ease of use postimplementation, broad functionality (particularly for workflow needs) and integration capabilities with service management. Administrative interfaces for CA s IAM products are well-suited to IT end users; however, the overall richness of the interfaces for business-focused end users (such as those who may be performing attestation and certification duties) is still maturing. CA all but ignores the SMB market. While it actively markets to or solicits SMBs, feature set messaging and support structures are generally tailored to larger accounts. CA still needs to refine better presales scoping for fit, postsales implementation and troubleshooting. Recent steps in CA s rapid deployment project strategy are showing good signs that it is addressing postsales deployment issues. Integrating multiple acquisitions takes time, and CA is committed to creating meaningful integration; however, some customers still feel and comment on the disconnect between products. Courion Courion Access Assurance Suite v.8.0 (as of December 2009) Courion AccountCourier, RoleCourier, PasswordCourier, ComplianceCourier and CertificateCourier Courion is the only pure-play IAM vendor in the Leaders quadrant. It continues to innovate and grow, in spite of challenging economic conditions. Courion focuses on simplicity and enabling business users. It consistently performs well in proofs of concept compared with larger IAM players. Courion s focus is on simplifying IAM and making it more businessfriendly through its access assurance messaging and the increasing number of IAI products and integration options that it offers. While approximately 75% of its customers are those with less than 25,000 users, Courion has delivered solutions for larger customers, scaling to over 1 million production users. To stay competitive with large portfolio vendors (that is, Oracle, IBM, CA and Novell), Courion leverages a partnership model that includes RSA, The 17

18 18 Security Division of EMC, for access management; Imprivata for ESSO; Cyber-Ark Software for shared account/privileged account management; Citrix Systems for enabling Citrix XenApp provisioning; and others. Courion has extended its integration capabilities to include data loss prevention and user activity management (SIEM and log analysis) products from companies like RSA and Symantec. Courion continues to expand its relationship with EMC and is adding new resellers worldwide. Courion s solutions work with cloud-based applications, and it participates in SaaS with its partners Identropy and Accenture, showing continued innovation. Courion has a fixed-cost implementation strategy. It requires rigorous preproject scoping and customer interaction, and Courion s track record is good. Courion usually demonstrates a low ratio of product cost to deployment cost generally in the 1-to-1 range. It has the lowest ratio of any vendor in the Leaders quadrant. Courion is innovating the provisioning connector market. Its fixed price per connector is comparatively low, and it charges the same price for new custom connectors as it does for already existing connectors. Courion is one of the few vendors in the study to deliver an in-house-architected solution. As a result, Courion customers are able to achieve out of the box integration for many use cases. Courion products are built with extensibility in mind, and they work well in complex, heterogeneous environments. Courion s competitors continue to improve by adding many features similar to Courion s. The competition is always a step or two behind, and maintaining innovation pace and consistency in an increasingly commoditizing market will be challenging. Courion still faces name recognition issues. Other larger and formative brand names immediately come to mind when customers begin their IAM product searches. As such, Courion may be inadvertently overlooked in an organization s RFI and/or RFP process. Evidian Evidian Identity & Access Manager (June 2010) Based in France, Evidian has long been a respected provisioning vendor in Europe. With the most recent release of its solution, version 9, in June 2010, Evidian introduces a major update in terms of functionalities, packaging and deliveries. However, it remains compatible with its legacy solution, which is a decade old. Evidian also offers a Web access management solution as part of a broader IAM portfolio. Evidian is one of the few vendors in the user IAM market that natively constructs the core systems of user provisioning, which are then integrated on a single architecture that includes ESSO and Web access management. Evidian is a serious regional player within European markets, where its name recognition has greatly improved in the past few years. Evidian provides most of the key functions expected of user provisioning, and has particular strengths in the simplicity of deployment and good reporting features. Evidian is committed to role life cycle management, moving from needing a third-party vendor to supply role-mining functionality, to now offering it within the Evidian Policy Manager product. Evidian uses its access management solutions as a primary means of introducing user provisioning to the enterprise. For access reconciliation, Evidian Identity & Access Manager doesn t yet leverage the core provisioning application s workflow as much as it could; future releases are expected to address this. Many features that customers expect in audit and compliance reporting systems are not yet available; however, they are slated for release in Evidian is having difficulty acquiring market share in North America, which fell from 12% in 2008 to 11% in Courion lacks the global reach of major competitors in terms of marketing, sales and support, and it is increasingly dependent on a network of predeployment and postdeployment partners outside of North America. Increased sales mean that Courion will need to transfer its best-in-class planning and deployment skills to those partners. Password management functionality is basic when used independently from the access management solutions.

19 Fischer International Fischer Identity v.4.1 (January 2010) Fischer Role & Account Management, Automated Role & Account Management Fischer International remains in the Visionaries quadrant primarily due to its innovation as a managed IAM service provider, and as an IAM as a service (IaaS) delivery model through partners in the SaaS and cloud-computing markets. The company has a scalable, multitenant, service-based architecture to enable SaaS and hosting by itself and its service provider partners in addition to on-premises delivery. Fischer has been a visionary in cloud-based IAM architecture for several years. As such, it has even placed a trademark on the phrase Identity as a Service. Fischer s technical architecture is a small-footprint, Java-based SOA framework that produces rapid, configurable delivery. Fischer s customer base is small, and growth has been slow. However, it has been growing in both cloud-based and on-premises deployments due to a refocused sales strategy and increased marketing investments. Fischer has also expanded outside North America by signing global and Europe-based providers and resellers. Fischer permits service providers (and enterprises) to offer user provisioning as a service in several delivery models on-premises, remotely managed, hosted and cloud-based (SaaS) including highly customized enterprise deployments. Fischer s technology is multitenant, and security is specified for each client organization as well as for the master organization (service provider). As a result, only specified people or roles are permitted to manage each component or process for each individual client organization or the master organization. Fischer delivers a simple cross-domain framework. It also provides nonstop support for operations, fault tolerance, highprivilege account management and connector management. The company has strong support for cross-industry standards, which has resulted in interoperability across systems. Fischer s customers consistently remark on: (1) Fischer s ownership of the success of the project; and (2) the overall smoothness and swiftness of the implementation. Fischer s cost model is created to be easily understood by current and potential clients. For example, with the exception of custom connectors for homegrown applications, all existing and new custom connectors are free (included in the overall product cost). Customers like Fischer s adherence to open standards for heterogeneous platform and application support, its flexibility of workflow development, and its support responsiveness. Fischer s audit and reporting features are basic when compared with more-robust dashboards and GRC-focused interfaces offered by other vendors. Currently, all reporting data is stored in a database for retrieval, using auditor-recommended standard reports as well as custom reports. Fischer has limited out-of-the-box connectors, although most major systems are represented. However, the solution allows new connectors to be constructed and deployed at no cost to the client organization. As the cloud-based model becomes more compelling and accepted, large vendors (such as Oracle and IBM) will increasingly focus on SaaS models for identity management. Fischer, like all small innovative vendors, risks being overtaken by those competitors. Fischer is a small company. Its success depends on its partner network for visibility and support, and on the ability of its product to continue to deliver satisfactorily for those partners. Hitachi ID Systems Hitachi ID Identity Manager v (February 2010), Hitachi ID Password Manager v (June 2010) In early 2008, Hitachi ID Systems acquired M-Tech Information Technology, a Canada-based, privately owned IAM company founded in M-Tech was well-known first for its P-Synch password management offering. M-Tech expanded into user provisioning, as well as other point IAM products and compliance products over subsequent years. Hitachi ID Identity Manager v.6.0 was a major rewrite, with a new back-end and automation engine. The result is a substantially different product that doesn t sacrifice existing client upgrade plans. Hitachi ID Identity Manager performs general identity management tasks (that is, provisioning, synchronization and deprovisioning), extending self-service access requests to business users. It also directly manages authorizations (entitlements) with built-in workflow. Other components include Hitachi ID Org Manager (business process automation for organization chart maintenance), Hitachi ID Access Certifier (for audit and compliance attestation reporting), Hitachi ID Group Manager (for request-based, self-service Active Directory group management), and Hitachi ID Privileged Password Manager (providing shared-account password management capabilities). Hitachi ID has an extensive professional service team to design and implement its products, and to train customers on their use and maintenance. It has system integration and consulting partnerships with KPMG, HCC Consulting and ACS, although most integration is done by Hitachi ID s service team. 19

20 20 Hitachi ID has reseller relationships with providers such as CompuCom Systems, Insight Enterprises and IBM Global Services. It has close active partnerships with HP, CSC and BMC Software, providing Hitachi ID channels and bandwidth for global reach for sales and implementation. Key product strengths include: (1) It has many built-in components, including request screens, access certification, authorization processes, and autodiscovery of IDs and entitlements; (2) the base price includes all connectors and unlimited servers; (3) user adoption is aided by a managed enrollment system and accessibility from Web browsers, PC login screens and phones; and (4) it has multiple policy enforcement engines, including SOD detection and prevention and role-based access control (RBAC) enforcement with controlled scope. The identity repository is SQL-based, normalized and replicated across servers. Hitachi ID s sales and support staff undergoes an extremely rigorous training period, thereby making its technical savvy and customer support record differentiators. Hitachi ID has one of the lowest ratios of product cost to deployment cost (at about 1-to-1). Like a few other competitors, Hitachi ID also offers fixed-cost implementations. This strategy leads to better preproject scoping and increased customer confidence. Even though Hitachi is a global brand, and M-Tech was recognized for solid password management and provisioning solutions, Hitachi ID is still somewhat unknown. Hitachi ID currently lacks robust role-mining capabilities. Hitachi ID must compete with larger suite vendors for deals in which the customer is seeking a broad range of products. To compete effectively, Hitachi ID must partner with a shrinking number of best-of-breed vendors. Hitachi ID customers express concerns over the user interface, the need to use a proprietary scripting language to accomplish customization, and a lack of robust audit-reporting functions. Some of these concerns have been addressed in the current version (6.1.3), and other versions are due for improvement in IBM Tivoli IBM Tivoli Identity Manager (IBM TIM) v.5.1 (June 2009) IBM Tivoli is a global player in IT management (for example, service management and security management), and has over a decade of IAM experience. For large organizations, IBM is frequently a default shortlist choice. Its global reach, name recognition and staying power are formidable. IBM expands its IAM offerings via acquisitions as needed, based on market demands or to help meet an IAM vision. IBM Tivoli acquired Consul, a major z/os security administration and audit vendor, and rebranded it as Tivoli zsecure suite and Tivoli Security Information and Event Manager. This improved its identity audit solution for addressing compliance and audit needs. The acquisition of Encentuate extended IBM s ability to provide enterprise single signon and privileged-identity management capabilities. The acquisition of MRO Software provided the ability to integrate with physical asset provisioning and service catalogs. Additional acquisitions (for example, Internet Security Systems) provided integration of IBM TIM s provisioning, workflow, audit and reporting capabilities to the security event, application development and business intelligence environment. Managed services are offered via IBM Global Services and IBM s global partner network. SaaS options are offered by partners such as Lighthouse Security Group and Logica. IBM has partnerships with global and regional system integrators around the world, such as IBM Global Technology Services, Deloitte, Accenture, Unisys, Atos Origin, Saudi Business Machines, SecurIT, Tata Consultancy Services, Wipro Technologies, Advanced Integrated Solutions, Vicom Computer Services, Insight Enterprises, Softchoice, Forsythe Solutions Group, Arrow Enterprise Computing Solutions, Sirius Computer Solutions, MSI Systems Integrators, Insight UK, Pirean, Tectrade and Logicalis. New development for IBM s user-provisioning tools has been slow during the past year (as evidenced by the June 2009 release date for IBM TIM v.5.1), likely due to the market shift in priorities that is, moving from administration to compliance and IAI. However, IBM is providing its customers with early access to new role management and modeling tools, prior to expected general availability next year. IBM TIM supports major platform environments for deployment, including the mainframe (Linux on IBM System z). Provisioning and approval workflow technologies are rich, with extensive connector libraries. IBM Tivoli Directory Integrator, a development kit for unique connectors, is also included with the product. Password management functions and delegated administration are competitive. The base product includes full runtime versions of DB2, WebSphere Application Server and IBM Directory Server. Also included are 20 infrastructure (database, mail, OS and network) adapters (connectors). Policy simulation features in IBM TIM help users simulate role and/or provisioning policy scenarios to determine their effects on production environments before deployment. Operational role management capabilities are embedded in the core IBM TIM product, including recertification (attestation), SOD checks, and hierarchical role provisioning for extended role management functions such as role modeling and approval. IBM has partnerships with several third-party role management vendors to help mine and model roles. Examples of partner offerings that are integrated and certified with IBM TIM include Aveksa, SailPoint and SecurIT. IBM also has integrations with Approva and SAP NetWeaver for ERP SOD checking.

21 Additional compliance capabilities are provided in the form of integration with the Tivoli SIEM product for closed-loop access reporting and auditing. IBM lags in role analytics and mining, trailing every other IAM vendor in the Leaders quadrant. At the time of this writing, IBM is addressing this by providing its customers an early technology preview tool called the Role Modeling Assistant, while the production-ready capability is under development. IBM Tivoli s ability to address complex IAM issues for clients is challenged by its complexity of solution offerings, despite early indications of improvements in IBM TIM v.5.1. IBM would do well to better understand customers specific requirements and to help customers better shape their vision and goals for IAM during the sales and implementation cycle in order to focus deployment efforts and improve time to value for customers. Customers remain concerned about the complexity of the product in configuration and deployment, the intensive prework that s necessary to accurately map workflows to business processes, and the effects of version releases on established deployments. Microsoft Microsoft Forefront Identity Manager (FIM) 2010 (April 2010) Microsoft released a long-awaited new version of its IAM offering in April It also rebranded the offering. Instead of Identity Lifecycle Manager (ILM), the company has incorporated the offering as part of its Forefront brand and has labeled the new solution as Forefront Identity Manager. FIM has several updates to ILM that have improved the overall function of the offering. Microsoft has added an improved password and credential functionality for FIM, resulting in a better delegation and reset ability, and bringing up the function set to industry par. Microsoft s use of SharePoint, Exchange and SQL Server provide a means for business users to directly participate in FIM through the use of existing collaboration and office tools. New workflow functions based on the work Microsoft is doing in the Windows Workflow Foundation (WWF) allow improved options for automating specific IAM processes. Windows Server 2008 has added Active Directory Federation Services (AD FS) 2.0 as an update, providing improved and expanded functionality in federation, including expanded support for industry standards in federation, such as SAML. While not part of FIM, this can be used with FIM in combined access and provisioning deployments. Some new connector options are offered to improve heterogeneous support for synchronization and joining. While improved, Microsoft s connector architecture still does not have options that best-in-class competitors possess. Workflow in FIM has rudimentary functionalities, compared with those of best-in-class competitors. Pricing for FIM has changed somewhat to a per-server and peruser client access license (CAL) basis, potentially resulting in increased costs for the customer based on need. If a customer is using the FIM synchronization service only to synchronize identity information or to provision users, then CALs are not required. However, if users take advantage of any of the new FIM management tools and technologies, then CALs are required to provision and manage them. So, similar to ILM, if customers use it only for synchronization, no CAL charge is triggered. Novell Novell Identity Manager Roles Based Provisioning Module v.3.7, password self-service for Identity Manager v.3.7, Designer for Novell Identity Manager v.3.7, Novell Sentinel v.7, (February 2010); Novell Identity Audit v.1.0 (October 2008), Novell Access Governance Suite v (May 2009) Novell is a solid technology innovator. Its IAM portfolio of products is well-respected by industry experts, technology professionals, long-standing customers and enterprise users seeking a complete solution for provisioning. Significant new customer wins, such as Verizon s cloud-based security solution, and Novell s strategic partnership with VMware, further illustrate Novell s innovation by moving into cloud-computing and IAM-as-a-service markets. Novell continues to improve in the Leaders quadrant. Although Novell s IAM sales declined overall in 2009, primarily due to the economy and organizational changes, Novell continues to succeed via: Innovative, enterprise-class products, and significant customer wins Continued focus on partnerships, sales and marketing Competitive countermoves and replacements Gartner has seen a noticeable increase of customer interest in Novell during Some of this is attributed to former Sun customers who are evaluating options, and some to a renewed focus following organizational shifts and acquisition challenges. Although Novell had previously experienced a drag on its business due to customers past associations with its NetWare business, this increased interest indicates that many customers have moved past these perceptions. The market should not count out Novell. 21

22 22 Novell addresses role life cycle management via a combination of internal Novell development integrated via license agreement with Aveksa s products. Improvements in resource recertification and attestation reporting, and tighter integration with SIEM logging and reporting via its Sentinel product, provide forensic and monitoring capabilities to provisioning management. Novell s network of smaller, region-based integration and consulting continues to grow through established integration providers such as Atos Origin, Deloitte and Wipro Technologies, as well as global alliance partners such as HP and SAP. Novell s suite has significant compliance and intelligence functionality, addressing unified policy needs through its combined role life cycle management and SIEM solutions. Novell s market share within the financial services and government verticals has improved due to an improved compliance management functionality. Integration among Novell s IAM portfolio products is homogeneous, and deployment times and customer experience are improving. Novell is an active participant in an open-source identity framework that includes provisioning through its membership in the Eclipse Higgins project. Novell is also active in international standards work with the role it plays in Linux, security and identity standards. Novell Identity Manager supports SPML. Novell customers like the tight integration of the product for different provisioning functions, designer capabilities for configuration, and the deployed solution s ease of use and functionality. Novell continues to battle a negative market perception; this is Novell s biggest enemy in More often than not, all vendors are evaluated not solely on the merits of their solutions but also on vendors wallet share with a customer or their executive relationships. Customers who understand the value of Novell s technology leadership need to fight for the inclusion of Novell as a viable vendor for it to be considered. An effective way to do this is to request a proof of concept at the outset. Customers wish for a simpler licensing structure. Novell will address this issue with the upcoming Identity Manager release 4 due in the fourth quarter of Novell does not have the same financial resources, partner network or visibility as its larger competitors do, and is at a disadvantage in new-customer acquisition as a result. Omada Omada Identity Suite (OIS) v.7 (March 2010) Omada addresses compliance-centric user-provisioning needs based on Microsoft technologies, resulting in enterprise solutions that can manage advanced business scenarios across heterogeneous environments. It has a strategic partnership with Microsoft to extend Microsoft Forefront Identity Manager 2010 (and the older ILM 2007) capabilities for customers. Omada has a long history with SAP and recently enhanced its SAP integration capabilities such as integrating into SAP BusinessObjects GRC. Omada is also focused on providing business-centric GRC management solutions. This demonstrates its business-focused market approach and its ability to provide products and services that are not purely based on its Microsoft relationship. Omada has recently taken steps to enhance its attestation and recertification offering with high-end risk management capabilities, such as risk assessment surveys. Omada has system integration and reseller partnerships that include Logica, Traxion and Avanade. A major part of Omada s staff is dedicated to consulting, integration and support. Solution support is offered directly to the customer or via partners. OIS addresses attestation and recertification, compliance reporting, and SOD management workflows (and the ability to provide auditable approval paths to override SOD violations). It performs role life cycle management capabilities with its advanced RBAC module, applying roles over heterogeneous repository and access infrastructures via FIM management agents, which are supplied out of the box from Microsoft, Omada and partners custom builds. Omada is uniquely positioned to provide compliance modules for Microsoft Forefront Identity Manager, such as attestation, role life cycle management and compliance reporting. Omada has introduced a SharePoint Governance Manager offering in conjunction with FIM to apply RBAC functionality to SharePoint and deliver compliance reporting for SharePoint. Omada provides granular role-based integration with SAP. Omada s pricing for OIS is competitive, reflecting lower-cost alternatives to larger user-provisioning offerings via Microsoft s embedded components in the enterprise (for example, Active Directory and SQL Server). While Omada is really an augmentation of Microsoft s userprovisioning functionality, it integrates well into the FIM portal environment, providing an intuitive and natural work environment for administrators and end users. Customers like the emphasis on Microsoft IAM architecture, the expanded reporting functionality for SharePoint, workflow improvements and good preimplementation/postimplementation support.

23 Omada uses Microsoft Forefront Identity Manager 2010 (and, for legacy customers, ILM 2007) as its foundation for delivering its functionality, thus underscoring Omada s dependence on Microsoft s IAM direction. While Omada does augment the functionality offered from Microsoft, it still does not have the ability to offer role mining. Customers who desire that functionality will need to integrate with another vendor, or wait until Omada realizes its plan to deliver role mining. Omada s market penetration into North America and other non- European regions continued to grow significantly in 2009, but at a slower rate than in More global customers are needed before Omada can be considered a major contender in the IAM marketplace. Early trends in its 2010 numbers indicate some growth in North America. Omada is dependent on Microsoft continuing its investments in making Microsoft Forefront Identity Manager an attractive provisioning platform with enterprise-ready performance and scalability. Oracle Oracle Identity and Access Management Suite and Oracle Identity Manager v BP10 (January 2010) Oracle is the leader in this Magic Quadrant. It continues to execute on its vision of an integrated and scalable IAM suite. Via its acquisition of Sun, Oracle accomplished two things: (1) the obvious takeout of a competitor; and (2) the acquisition and subsequent integration of many of Sun s competitive technology differentiators for example, Sun Role Manager, now Oracle Identity Analytics. (For more-detailed analysis of the Sun acquisition, see Oracle and Sun: Managing IAM Under a Single Identity. ) Some uncertainty is still felt by Sun customers; possibly, migrating from Sun to Oracle is not welcome. Much hinges on the manner in which Oracle manages this transition. Oracle is committed to delivering comprehensive IAM. While Oracle Identity Management 11g is not rated in this Magic Quadrant due to its recent release, it should be stated that it (if it is delivered as described) will be another competitive differentiator for Oracle. Oracle s IAM can run on two different databases, seven different OSs, four different application servers and multiple Java Development Kit vendors. The company continues to acquire other companies as needed. It is also expanding a global network of resellers and implementation partnerships. The Sun acquisition adds even more options. Oracle s IAM portfolio provides solutions for user provisioning, password management, role life cycle management, Web access management, federation, IAI, reporting, directory and virtual directory, fraud prevention and authentication, entitlement management, and GRC capabilities. Other IAM-related needs (for example, ESSO and SIEM) are addressed via partnerships. Oracle continues to demonstrate a commitment to improving integration among the products in its IAM portfolio. Risk-based user self-service decision making is possible through application programming interface integration with identity-proofing services. Oracle Identity Manager can integrate with proofing services by native API integration or when codeployed with Oracle Adaptive Access Manager. Oracle s database back end, the identity repository, is scalable and proven. Oracle s access at all enterprise levels (business to IT) is pervasive. The company uses that access for cross-selling opportunities with IAM. Aggressive sales and marketing strategies have resulted in a new-customer acquisition that is several times the rate of the general provisioning market. Oracle has comprehensive training for its network of global integration partners. These partners (system integrators, VARs and technical partners) include Deloitte, Accenture, KPMG, PricewaterhouseCoopers and Wipro, as well as Oracle s consultancy and services in user provisioning. Oracle possesses a portfolio and a matching vision for IAM, including user provisioning. The message has moved from an earlier strategy of application-centric provisioning, which addresses provisioning, workflow and reporting needs for a multiapplication environment, to including a service-centric view of IAM. Customers like Oracle s aggressive IAM road map, access to Oracle s development teams for changes, configurability during deployments, workflow and provisioning engine capabilities. Oracle s SIEM and compliance/audit integration and reporting are less mature than those of competitors IBM Tivoli and Novell. The introduction of Oracle Identity Analytics, while positive, is still not competitive with leading vendors in this area. IAM-related reporting is accomplished via Oracle BI Publisher. While capable and full-featured, it can produce overly complex IAM reports. Recent acquisitions and new product additions have caused confusion among some current and new customers when comparing the pricing models for earlier software packages with what is currently available. There continues to be mixed reviews for Oracle integration and deployment experiences, which is attributed to uneven training and experience of consultants and system integrators for the product. 23

24 24 Quest Software Quest ActiveRoles Server (November 2009) The most significant change Quest Software has made this year to its IAM solution ActiveRoles is the acquisition in July of the German IAM provider Voelcker Informatik. Voelcker s ActiveEntry solution provides Quest with extended functionality into the role management and IAI management markets. Several feature updates to ActiveRoles have also occurred during this period. Quest s acquisition of Voelcker ActiveEntry signals a more aggressive move to engage competitors and improve both the geographic reach and functionality of its offerings. Quest s reputation in the Windows administration and management markets is enhanced by new offerings in role and IAI management through the Voelcker acquisition. Quest has taken some steps to improve its partnerships with IAM integrators by providing expanded services for its offerings. Quest still has some issues with name recognition as a viable IAM competitor, especially beyond the Microsoft Windowscentric customer population. This is starting to change, but is still evident. Quest connector options for IAM synchronization and joining of applications and repositories are rudimentary. The combined Quest-Voelcker offering has some concerns to resolve about overlapping functionality for both new and existing customers. SAP SAP NetWeaver Identity Management v.7.1 (June 2009) SAP is a global leader in business management software. It enjoys strong name recognition and is deployed widely in many of the world s largest organizations. SAP has been in the provisioning market for a relatively short amount of time; its acquisition of MaXware in 2007 serves as a formal kickoff of SAP s IAM strategy to integrate IAM deeply into the SAP ecosystem. SAP has been consistently making progress toward that goal, and due to the out-of-the-box SAP integration possibilities, there are definite benefits to choosing SAP NetWeaver in order to manage identities in SAP-centric environments. It should be noted, however, that SAP customers who use NetWeaver to manage their SAP environment will typically end up deploying two provisioning systems: NetWeaver for granular management of SAP, and then another vendor to manage the rest of their heterogeneous ecosystem. Key features of SAP NetWeaver Identity Management include: User interface and management console Runtime components (linked to external repositories via virtual directory) An Identity Center database for logs, configuration and identity stores Provisioning and workflow functionality User self-service and password management Reporting via SAP NetWeaver Business Warehouse Metadirectory and identity store Identity Provider for Web-based SSO and identity federation via SAML 2.0 Implementation projects at customer premises can be led by either SAP consultants or a selection of solution integrators. The Identity Services framework of SAP delivers a virtual directory technology and virtualization of target systems as part of connector management, and reflects a well-structured, application-driven approach to provisioning. SAP s GRCM solution, BusinessObjects Access Control, is coupled with SAP NetWeaver Identity Management to augment the Identity Services framework, and to deliver provisioning and SOD capabilities. SAP views NetWeaver Identity Management as a significant contributor to the evolution of SAP applications to a common process layer for management. The process modeling layer delivered via SAP NetWeaver Business Process Management leverages a common Identity Management layer to deliver security and context to business process. SAP bundles Identity Provider with SAP NetWeaver Identity Management to allow for Web-based SSO and identity federation via SAML 2.0. Identity Provider comes at no additional cost. SAP customers like the rapid implementation and customization capabilities of the product, the basic role life cycle management integration with provisioning, the deep integration with other SAP products via predefined scenarios, and the virtual directory functionality.

25 25 SAP s road map for user provisioning is targeted specifically at established SAP customers, and is primarily for SAP application portfolio and integration needs. While SAP customers may find this differentiating from other vendors, non-sap customers will not. Sentillion has a fixed fee for implementation services so that customers know the associated costs upfront. The fixed fee implementation is approximately a 1-to-1 ratio of software to services, which is among the lowest of the provisioning vendors. SAP views NetWeaver Identity Management as vital for counteracting efforts by Oracle to introduce Oracle solutions into a predominantly SAP customer environment via an Oracle IAM solution. Such a defensive approach may protect SAP assets, but adds little for the customer. NetWeaver Identity Management s reporting and compliance capability is robust; however, the interface is geared more toward technical administrators rather than to business users. Sentillion (Microsoft) Sentillion provision v.3.5 (May 2010), provision BridgeBuilder v.3.01 (May 2009) Sentillion is solely focused on meeting the identity management needs of healthcare entities, where it is a recognized brand name. Consistent innovation in healthcare provisioning needs, continued customer growth and increasing name recognition within healthcare make Sentillion the vendor to beat within the healthcare market. Sentillion s strategy for user provisioning in a specialized, complex industry is built on the concept of purpose-built healthcare, and addresses role-based and fine-grained provisioning. Although many customers may be classified as SMBs by their user count, the complexity of healthcare role environments ensures that planning and implementation remain challenging. Sentillion delivers focused consulting and integration services, and has some integration partners to address these challenges (CTG HealthCare Solutions, Vitalize Consulting Solutions and Logic Trends in North America; E.Novation and VisionWare in Europe). Sentillion leverages Active Directory as the identity repository to streamline the infrastructure required to deploy its product. At the end of 2009, Microsoft announced an intent to purchase Sentillion to combine the Sentillion product line with its Amalga Unified Intelligence System (UIS) offering. The acquisition closed in early 2010, and now Sentillion functions as part of the Microsoft Health Solutions Group. Understandably, the Microsoft acquisition is a source of both excitement and uncertainty for customers of each company. Currently, Microsoft s intent is to keep the development of Sentillion and the Microsoft Forefront Identity Manager solution separate. Sentillion will continue to focus on building solutions on its own platform to meet the needs of the healthcare industry, and FIM will be Microsoft s premier IAM solution. However, synergy between the two product lines is undeniable, and there will likely be at least some sharing of knowledge and code logic between the two teams so that each can more rapidly expand support to new systems. Because of Sentillion s healthcare focus, it provides more out-of-the box connector (that is, bridge in Sentillion s nomenclature) support to healthcare-industry-specific systems (for example, McKesson-Horizon, GE Healthcare and ChartMaxx products) than most of its competitors do. In addition, Sentillion s industry focus gives it a strategic advantage over its competition in areas where healthcarespecific industry policy, terminology or use cases dominate the project or program needs. Customers gain access to Sentillion s online open-source community IdMPOWER which allows customers to share custom-built provisioning software adapters for clinical and nonclinical applications. Customers like the industry-specific focus, the personalized predeployment customer support during planning and implementation, and the company s quick response to new customer needs. Focusing only on healthcare comes with a price whether it is support for features or standards. Sentillion is driven by its customers, and the product is a custom solution for the healthcare industry. This concern will be mitigated if or when there is knowledge sharing between the Sentillion and Microsoft FIM teams. Several other vendors (large and small) are beginning to focus their sights on the healthcare market. As these vendors win healthcare accounts, they are able to develop and commoditize healthcare-focused provisioning connectors, reports and other related solutions thus eating away at Sentillion s competitive advantage. At this point, it is unclear what Microsoft has planned to alleviate that threat. Role life cycle management and GRC capabilities remain limited, although Sentillion s capability is generally good enough for many customers. However, given the highly regulated industry that it targets, coupled with the increasing general market demand for role management and GRC-focused solutions, we expect that Sentillion will continue innovation in this area as needed.

26 26 Siemens Siemens DirX Identity Business Suite v.8.1b (January 2010), DirX Identity Pro Suite v.8.1b (January 2010), DirX Audit v.2.0b (April 2010) Siemens, with its business division Siemens IT Solutions and Services, is a long-standing and well-respected IAM vendor based in Germany. It has a solid IAM solution and has consistently demonstrated the ability to attract and acquire new customers. The Siemens DirX suite includes Audit, Identity (provisioning and account management), Access, Directory and Biometrics product lines. Siemens is one of the world s largest multinational companies in energy, healthcare, communications and other industries, and it has significant resources available for IAM product development, management and delivery. Siemens has a well-thought-through road map, which demonstrates a sound market understanding and a commitment to ongoing investment in the DirX product line. Siemens is a veteran at role-based provisioning. Role life cycle management (for example, administration, certification and reporting) is part of DirX Identity, based on the RBAC standard, and has been available since While role discovery is available in the base product, business analytics as a result of discovery are provided via third-party partnerships. Siemens provides user-provisioning solutions with good role management functionality, and a partnership model that provides predeployment and postdeployment coverage. While the DirX road map is comprehensive, some of the components, which are becoming standard across many vendors (for instance, compliance dashboarding), are slated for release in late This lags behind market need, and may reflect negatively on Siemens in proof-of-concept environments. Siemens primary focus is on selling to its own customer base (which is large enough to sustain steady growth of IAM sales). Siemens DirX product line is worthy of consideration in many circumstances, and Siemens will frequently win net new accounts based solely on its IAM technology. However, moreaggressive sales and marketing to non-siemens customers are warranted. Voelcker Informatik Voelcker ActiveEntry 4.1 (February 2010) Voelcker is a Berlin-based IAM provider that slowly built a reputation in Germany and Austria during the past 13 years for a flexible service management and automation platform delivering IAM functionality. In 2009 to 2010, the company enjoyed significant expansion, and in July 2010, it was acquired by U.S.-based Quest Software. Voelcker s ActiveEntry represents an advanced view of IAM as a customizable set of service management and automation components, together with an advanced IAI solution, resulting in a less painful deployment experience when compared with competitor offerings. ActiveEntry is a service-oriented-based solution using an object-oriented approach to IAM data, resulting in a combined provisioning and role management capability where needed. Voelcker expanded its partner network to provide additional geographic availability, expanding also to the U.S. prior to its acquisition by Quest. Until the Quest acquisition, Voelcker s name recognition and marketing remained minimal, resulting in a slow but substantial growth rate. ActiveEntry does not include a connector set in the same manner as competitors do. ActiveEntry contains connectors for Active Directory, Exchange, SharePoint, Lotus Notes, LDAP, SAP and FIM. It contains a no coding required wizard to build connectors for XML-based protocols, as well as the ability to integrate with any connector architecture. ActiveEntry will undergo some changes in focus and direction due to its coexistence with Quest s existing ActiveRoles offering.

27 Acronym Key and Glossary Terms AIMS Avatier Identity Management Suite API application programming interface BSM BMC Software s Business Service Management EMEA Europe, the Middle East and Africa ESSO enterprise single sign-on GRC governance, risk and compliance GRCM GRC management IAI identity and access intelligence IAM identity and access management ILM Microsoft Identity Lifecycle Manager ITIL IT Infrastructure Library NAC network access control OIM Omada Identity Manager PAAM privileged account activity management RACF Resource Access Control Facility RBAC role-based access control RFI request for information RFP request for proposal SaaS software as a service SI system integrator SIEM security information and event management SLA service-level agreement SMB small or midsize business SOA service-oriented architecture SOD segregation of duties SPML Service Provisioning Markup Language SSO single sign-on VAR value-added reseller VM virtual machine Vendors Added or Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor. 27

28 28 Evaluation Criteria Definitions Ability to Execute Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria. Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization s financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization s portfolio of products. Sales Execution/Pricing: The vendor s capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel. Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor s history of responsiveness. Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization s message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities. Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc. Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. Completeness of Vision Market Understanding: Ability of the vendor to understand buyers wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers wants and needs, and can shape or enhance those with their added vision. Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Offering (Product) Strategy: The vendor s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements. Business Model: The soundness and logic of the vendor s underlying business proposition. Vertical/Industry Strategy: The vendor s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals. Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. Geographic Strategy: The vendor s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the home or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.