Ovum Decision Matrix: Selecting an Identity Management Solution for the Telecoms Industry,

Transcription

1 Ovum Decision Matrix: Selecting an Identity Management Solution for the Telecoms Industry, Publication Date: 23 Oct 2014 Product code: IT Adaora Okeleke

2 Summary Catalyst Telcos use identity management (IDM) for several purposes: to support business operations, secure data access, support and protect customer-facing channels, and sustain internal operations and service delivery. Telcos are also considering how they can deploy IDM infrastructure to support new revenue streams by providing identity-based services to both enterprise and consumer customers. Many discussions center on how telcos can use SIM cards within mobile devices as a secure element to generate and store credentials, which can be used as a digital signature or to provide strong, multi-factor authentication services to customers. Other IDM services include the creation of a single sustainable identity based on a mobile phone number, which allows users to seamlessly access online resources without having to remember multiple credentials. To achieve these objectives, telcos need an identity management partner with a robust and secure IDM platform that meets their demands and provides the support and expertise they require. This Ovum Decision Matrix (ODM) evaluates vendors identity management solutions for telcos, highlighting the vendor solutions that Ovum sees as market leaders, challengers, and followers. Ovum view It is key for telcos to identify customers and maintain their access to information and services. Effective identity management services are a fundamental component of modern telco operations, providing easy and safe access for users and keeping data and systems secure. IDM systems enable telcos to secure access to internal data infrastructure and manage resource consumption. Telcos need to define access for the customers, partners, and employees in their ecosystem. The value proposition of IDM is constantly under discussion, especially as telcos consider new revenue opportunities. The current climate has forced telcos to examine how they can use their existing assets to improve overall performance. Current technology trends such as the growing use of mobile devices for online activities, and the delivery of cloud services are increasing telcos interest in IDM. Telcos also need to assure a simple and secure online experience. These trends present telcos with an opportunity to increase revenues by playing the role of identity service providers. Telcos hold a vast amount of data on customers, and they need to use this data to handle customers identity needs when they access services online. In light of the growing and unique IDM needs in the telecoms industry, Ovum has assessed the IDM portfolios of seven of the leading IDM solution providers for the telecoms vertical. Oracle and CA Technologies offer the most comprehensive solutions, providing support for all the IDM capabilities assessed. Courion, Gemalto, Ping Identity, SafeNet, and UnboundID have used their strong domain capabilities within the IDM portfolio to deepen their positions in the telco market. Our assessment positions these companies as challengers or followers in the telecoms vertical. IDM vendors have been upgrading their solutions and services to capture revenues and establish a strong competitive position. They are investing in research and development (R&D) to deliver solutions that are compelling to the market. IDM vendors with deep pockets continue to acquire companies with innovative solutions, embedding some of these within their existing solutions to 2014 Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 2

3 enhance their overall IDM portfolio. IDM vendors are strengthening their brands through marketing efforts and partnerships. The telecoms market opportunity for IDM vendors is huge and has great appeal as new opportunities open up for them to offer a market-focused range of products and services. Recent activities in the mobile identity space lead us to believe that the next few years will be categorized by the entrance of new IDM vendors, and by new collaborations between platform and cloud vendors to capture more opportunities in the telecoms space. IDM vendors need to ensure their offerings are both comprehensive and relevant to counter the competition. They need to back their market-focused offerings with professional services that support the telco experience while working with these platforms. Key findings Telcos are looking to IDM solutions to improve their operations and meet their business needs, and to add security and user convenience to their operations. Oracle and CA Technologies, the market leaders, offer broad IDM features and functionality that meet a high proportion of telcos needs. They both have strong brand awareness within the telco market and among competitors. Ping Identity, SafeNet, and UnboundID provide compelling IDM products with expertise in specific IDM areas. These products could compete with those provided by the market leaders. The industry recognizes these companies as strong competitors and continues to include them in request for proposal (RFP) processes. Courion was the only vendor rated as a market follower. This vendor delivers strong solutions in very specific areas of expertise. The scope of its solutions is therefore limited compared to those provided by the other vendors analyzed in this report. Vendors are targeting the telecoms space with emerging solutions as the industry opens up to new service opportunities. These include mobile identity platforms from SecureKey SecureKey s Briidge.net Exchange and Briidge.net Connect platforms and Ericsson s Etalio platform. Market drivers and developments Telcos look to identity management to improve operations and meet business needs Telcos are facing rather precarious times. Their revenues remain threatened by increasing competition from peers and companies providing substitute services, and this is causing revenue leakage. Telcos need to control their operating costs to ensure their businesses remain profitable. Therefore, telcos need to develop new service offerings and improve their operational efficiency to protect both top-line and bottom-line revenue growth. Telcos are investing in IDM to meet both operational and business challenges. Ovum s security software market forecasts indicate that telcos investments in identity management will grow from $368m in 2014 to $565m in 2018 at a CAGR of 10.98%. This CAGR value is the fourth-highest value behind healthcare, media and entertainment, and retail industries Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 3

4 Figure 1: Enterprise security spending for identity and access management across industries in 2014 Source: Ovum Security Software Market Forecasts A number of telcos have examined how they can use their assets to improve operations and revenues, and IDM is one option that meets multiple telco requirements. With respect to operations, telcos can use IDM to give uses secure and easy access to all operational systems. This would improve telcos security position and provide service differentiation. With respect to business opportunities, telcos can leverage the capabilities provided by IDM to enhance the services they provide to both consumer and enterprise customers, as well as the overall experience they deliver. The IDM needs of telcos go beyond managing identities, within and outside the telco s premise, to include the innovative use of IDM to strengthen service offerings and enhance revenue growth. Telco operations need a strong IDM solution to operate efficiently A growing number of telcos need to work closer with an industry-focused IDM provider to support and improve their operational activities. Telcos rely on user identity provisioning and de-provisioning services to manage the creation of user accounts at the point of purchase, and automation plays a vital role in accelerating these processes and delivering an optimal experience to customers across all channels. IDM also creates and controls user access to the networks and services offered to customers. Telcos providing multi-play services need to use IDM to support the interactions between different user stores that hold customer data. Like in every other industry, telcos use IDM to provide secure access to internal data systems and enterprise applications. These systems are accessed by employees, partners, and customers. Telcos need to grant different levels of access and control to each type of user depending on the resources they need. Identities need to be centrally administered and authenticated against internal repositories so that the right people get access to the right systems and applications. The fragmented approach to operations within telcos businesses has resulted in employees and partners needing to access a growing number of systems. An integrated IDM solution pulls together access to these systems, providing seamless access and ease of use between these fragmented systems. For example, every new service is set up with its own set of management systems that handle the daily running of the service. By providing IDM functionalities such as federated identity management and single sign-on (SSO) services, telcos are able to provide access to these systems using a consistent single-credential approach Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 4

5 The growing use of mobile devices drives opportunities for new telco services Telcos are one of many business groups continually connected to their customers through mobile devices. Customers use these devices to access the majority of web content, with access control based on verification of the user s identity. Usernames and passwords are the de-facto means of verifying these details. However, the use of static credentials is considered weak and difficult to use. Usernames and passwords can be easily detected by guessing, cracking, or using/reusing valid credentials from different sources. This undermines data security, representing a significant risk from both a safety and customer experience perspective. Telcos can control these challenges by providing customers with credentials that are easily accessible and easy to use. Mobile devices can be used to securely store or create these credentials each time authentication is required. There are quite a number of ways to achieve this. First, telcos can create credentials and embed them within SIM cards. Second, telcos can use mobile apps that create one or more forms of a multi-factor credential set, such as one-time passwords, software-based credentials, and biometrics, each time access is required. This would limit the difficulty experienced each time access is required, and make the strength of the authentication process appropriate, balancing ease of access with business and data protection. To deliver these services, telcos need robust identity management systems that can support today s identity needs. In addition to core IDM capabilities, telcos identity management platforms need to provide strong authentication methods to validate end users are who they say they are, while also easing this process. In addition, telcos require "identity attribute brokering capabilities," which enable telcos to share customer data in a selective manner following customer consent. Leveraging IDM capabilities to enhance enterprise services Telcos have a growing need for identity management services that adequately protect the services they deliver to enterprise customers. Security goes beyond just protecting access to the enterprise s network and its resources, to protecting and assuring the identities that can access the enterprise s data. In addition, it costs enterprise customers to set up and manage IDM infrastructure to secure the services provided by telcos, so they are looking to telcos to provide features that assure the security of these services. As a result, telcos are supporting their current offerings with identity-based services, such as authentication. For example, Telstra s recent investment in TeleSign will enhance its authentication capabilities. Telcos are also seeking to resell these identity-based services to enterprises in order to grow revenues. Vendor solution selection Inclusion criteria Telcos need to upgrade their current IDM infrastructure to meet their current business and operational challenges. In Ovum s view, telcos need to work with an IDM vendor that has a strong position in the IDM market and a strong portfolio of IDM assets in line with IDM needs, and which continuously evolves its IDM portfolio to meet the changing needs of the IDM market. The IDM market consists of a number of vendor solutions covering some or all identity management functions. We used the following criteria when selecting companies for this decision matrix: The vendor s platform must be in commercial use by at least one telco customer Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 5

6 The IDM solution must support one or more of the following IDM core functionalities: user provisioning and de-provisioning; administration and policy management; federated identity management; authentication; and single sign-on. The solution must also have a significant level of brand awareness among telcos. This assessment is based on market impact and recognition within the telecoms industry and among peers. Exclusion criteria Vendors are excluded if they only provide a narrow range of IDM capabilities or if they only focus on a particular aspect of user and systems access. For example, vendors lacking a specific telco offering have been excluded. Vendor solutions have been excluded from this ODM for the following reasons: The solution only provides support for a single IDM functionality. The vendor does not have a product that is commercially utilized by any telco. All vendors with platforms at the proof-of-concept stages were not included in this research. The vendor refuses to provide Ovum with sufficient information that enables accurate assessment of the solution. This includes information obtained during product and demo briefings with Ovum and the completion of an RFI document. Methodology Technology assessment In this assessment dimension, Ovum analyzed a series of IDM features and functionalities that are important and should be considered by all telcos. This took into account the main driver of IDM: to improve operational efficiency and revenues. This assessment provides differentiation between the leading solutions in the marketplace. The criteria groups identified for identity management are as follows: Core functionality assessment: IDM is a vast subject area, so we have limited our evaluation of the core functions to the following functionalities, which are highly critical to telcos need for IDM. These include: user provisioning and de-provisioning; federated identity management; authentication; single-sign on; administration; and policy management. This is based on telcos taking on key roles as identity providers and building their ability to perform operations efficiently. Product roadmap: The vendors 12 to 24 month development plans for the platform. Demand from telcos for IDM is evolving from supporting internal operational needs to supporting new and existing service offers. Therefore, we have based our assessment on how the vendor s portfolio appeals to telcos IDM needs. Platform architecture: The vendor s platform architecture based on industry principles that support the integration of external applications, and on the standards supported by the platforms. Platform configuration: The IDM solution s flexibility and ease with which system features can be defined by users. We assessed the degree to which configuration is performed by business users, IT staff, and the vendor itself, as well as the time required for training and product deployment Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 6

7 Offering maturity: The stage that the IDM solution is currently at within the maturity lifecycle. We consider how long the offering has been in the market and the completeness of the solution. Standards and frameworks supported: The number of relevant standards supported by the vendor s platform. Support for a broad range of standards and frameworks is critical to telcos operations. Strategy and execution assessment In this dimension, Ovum reviewed the capabilities of the solution around the following key areas: Deployment options: The different modes of deployment of the IDM solutions available to telcos. This examines flexibility and determines how quickly telcos could start utilizing the solution without experiencing glitches in the deployment process. Vendor support capability: The vendor s capacity to provide on-demand support services to telco clients across different geographies. We also examined the number of staff dedicated to providing support, and the level of support on offer, as this will play a critical role in telcos deployment of IDM. Partner network: The level of access and support the partner network provides to clients. The criteria used for this assessment include the size of the network in terms of numbers, the types of companies involved in these networks, geographic coverage of the partners, any formal accreditation requirements that need to be met, and any certifications that partners need to obtain. Training resources: The vendor s ability to meet the training needs of telcos. This was determined by assessing the number of staff dedicated to training, and the different formats in which training can be delivered, including online, on-site, or through videos. We also considered the range of courses provided Interoperability: How easily the IDM solution can be integrated into telcos existing IT infrastructure relative to the demand for integration for the project. We assessed factors such as the operating systems, database platforms, and types of user repositories it supports. Scalability: The number of identities that can be managed using a vendor s solution. This examines the extent to which the IDM solution can scale to meet the growing number of identities that telcos face when delivering identity-based services. Telecoms fit: The solution s ability to support all of a telco s use cases for IDM, covering both consumer and enterprise use cases. We also considered the solution s support for multi-entity and/or multi-regional operations using a single instance of the platform. Market impact assessment This dimension assesses the global market impact of the solution. Market impact is measured across five categories, each of which has a maximum score of 10. Revenue: Each solution s global IDM revenues are calculated as a percentage of the market leader's. This percentage is then multiplied by 10 and rounded to the nearest integer. Overall global revenue carries the highest weighting in the market impact dimension. Revenue growth: Each solution s revenue growth for the last 12 months is calculated as a percentage of the growth rate of the fastest-growing solution in the market. The percentage is then multiplied by 10 and rounded to the nearest integer Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 7

8 Geographical penetration: Ovum determines the number of countries in which the vendor has a presence. This number is calculated as a percentage of the market leaders geographic reach, multiplied by 10, and then rounded to the nearest integer value. IDM revenue: Ovum determines each solution s revenues from IDM. These revenues are calculated as a percentage of the market leader's revenues, multiplied by 10, and then rounded to the nearest integer. Telco IDM revenue: Ovum estimates each vendor s revenues in the IDM space from the telecoms industry. These revenues are calculated as a percentage of the market leader's revenues, multiplied by 10, and then rounded to the nearest integer. Ovum ratings Market leader: This category represents the leading IDM solutions that we believe are worthy of a place on most telcos IDM selection shortlists. The vendor has established a commanding market position with a product that is widely accepted as best-of-breed. Market challenger : The solutions in this category have good market positioning and the vendors are selling and marketing their products well. The products offer competitive functionality and a good price-performance proposition, and should be considered as part of the IDM selection by telcos. Market follower : Solutions in this category are typically aimed at meeting the requirements of a particular kind of customer. As a tier-one offering, they should be explored as part of the technology selection. Market and solution analysis Ovum Decision Matrix: identity management for telcos, Identity management is critical to telcos overall business. It may seem insignificant as it is not as popular as other technologies associated with the industry. However, discussions around telcos becoming identity providers will put this technology in the limelight. Like every other enterprise sector, IDM is engrained within telcos operations, so each vendor s relative positioning is strengthened by its ability to meet a large proportion of use cases. It is important for telcos to have a single IDM platform that is able to support multiple operations. This is cost effective and enables telcos to achieve a quick ROI. Figure 2 provides a summary of the relative positioning of the vendor solutions analyzed in this Decision Matrix Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 8

9 Figure 2: Ovum Decision Matrix: identity management for telcos, Source: Ovum Table 1: Ovum Decision Matrix: Identity management for telcos, Market leaders Market challengers Market followers CA Technologies Ping Identity Courion Oracle SafeNet UnboundID Gemalto Source: Ovum Market leaders: CA Technologies and Oracle Vendors need complete, robust IDM solutions to meet the identity and authentication needs of telcos. With cost playing a major role, telcos selection processes are focused on getting the most benefit from their investments. The ideal IDM solution allows telcos to use a single platform covering a broad scope of IDM features and capabilities, satisfying both business and operational needs. IDM solution vendors need strong brand awareness and an established support portfolio. Oracle and CA Technologies are market leaders in providing identity management solutions for telcos, with both vendors supporting the majority of telcos IDM needs. They both have established relationships with telcos, and have used their strong position in the IDM market to enhance their offerings. They have also used their strong partner ecosystems to extend their global presence in the market. The Oracle IDM platform supports all major components of IDM and caters for telcos operational and business demands. Oracle s history with telcos goes back to the Sun IDM technology and its directory infrastructure. The Sun Directory provided telcos around the world with a store to hold information on subscribers at the point of purchase, and over the lifecycle of the relationship. Through its acquisition of Sun, Oracle extended its telco client base and gained higher visibility in the market. Oracle s platform approach allows it to offer scale in the use cases that the platform supports (customers, enterprises, and partners) Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 9

10 CA Technologies IDM platform presents a strong portfolio of IDM capabilities. Its products CA Identity Manager, CA SiteMinder, and CA Advanced Authentication deliver its core IDM functionalities. These solutions can be delivered via the cloud, making them attractive to telcos seeking the cost efficiencies of this delivery model. CA s IDM suite offers a simple approach to managing the overall identity lifecycle. CA SiteMinder is used by most telcos to manage access to their web portals, while CA Advanced Authentication provides telcos with multiple choice authentication methods, including the specialist authentication methods the vendor inherited from its Arcot acquisition. Market challengers: Gemalto, Ping Identity, SafeNet, and UnboundID A key factor for telcos is how IDM can support the ongoing release of new telco services while delivering a better customer experience. Although relatively new to the market compared to the leaders, Gemalto, SafeNet, Ping Identity, and UnboundID are rated as market challengers, as their solutions extend telcos use of IDM beyond its internal use. These companies have established their positions in the IDM market through their strong niche capabilities and extended reach. Gemalto is a leading provider of enterprise user authentication solutions. Its Protiva IDConfirm 1000 product s strong capabilities enable tier-1 telcos to authenticate their employees identities for access to enterprise resources. Gemalto s Mobile ID solution, provided by acquired asset Valimo, has been used extensively by a number of telcos to authenticate and provide simple access to online services. The vendor continues to strengthen its position in telco IDM, working with the GSM Association (GSMA) to realize the notion of telcos becoming mobile identity service providers. Potentially, the release of its cloud-based Mobile Identity platform could transform the vendor s position within the telecoms industry. Ping Identity s suite of IDM solutions Ping Federate, PingOne, and Ping Access is respected in the areas of federated identity management and single sign-on (SSO). Ping Identity s ability to utilize existing user stores appeals to most telcos as it limits the obstacles to integrating its solution with existing enterprise offers. Telcos can quickly deploy Ping s IDM systems and support customers with varying user data stores such as Active Directory (AD) or Lightweight Directory Access Protocol LDAP sources. The vendor s increased flexibility in deploying its vast array of connectors provides access to many of the cloud application platforms that telco enterprise clients are demanding. SafeNet is an established leader in authentication. Its SafeNet authentication-as-a-service solution can be easily integrated into existing enterprise offerings or delivered as a white-labeled service. It also provides strong authentication capabilities that support both enterprise and consumer use. The tokens provided by this service can be reused, limiting the cost of using it. UnboundID, though a new entrant compared to the other vendors in this group, presents a strong challenge to the leading platform providers and the entire IDM market. By leveraging the skills and expertise of former Sun Microsystems staff, the company has succeeded in developing a telco-scale user data repository that scales to support the needs of telcos and offers them the opportunity to deliver new services to their consumer customers. UnboundID Identity Broker enables telcos to deliver core consumer identity services, and allows the policy and consent-driven exchange of customer data within a trusted domain Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 10

11 Market followers: Courion Ovum has identified Courion as a market follower, meaning the vendor is worthy of consideration by telcos selecting an IDM solution. Although Courion does not currently deliver the full scope of IDM capabilities assessed for this Decision Matrix, or possess the strong market impact performance of the market leaders, it is a specialist in its area of coverage within the IDM portfolio. The company is, however, building up its IDM portfolio through product enhancements and partnerships. Courion s Access Assurance suite delivers one of the best user provisioning, de-provisioning, and password management product sets in the IDM industry, and is often chosen as the partner of choice by identity management vendors that do not have a provisioning or password management solution of their own. The user interface and workflow processes are simple and easy to use, and can be easily adapted to any system. Across the telecoms sector, the Courion brand is already well-known for its strong provisioning and password management capabilities. The company has further developed Big Data and analytics capabilities, which can help telcos to drive more cost-effective IDM-related projects. Emerging vendors With mobile devices becoming the most common media for online activities and transactions, Ovum has included a few vendors with mobile identity management capabilities. These companies are either relatively new to the IDM market and the telecoms industry, or are moving into the IDM space to support mobile identity-based services for telcos. As this service proposition evolves, more companies will make their way into the IDM ecosystem. Table 2: Emerging vendors: identity management for the telcos, Vendors Area of specialization Name of product(s) SecureKey Ericsson Source: Ovum Cloud-based mobile identity management platform Cloud-based mobile identity management platform SecureKey Briidge.net Exchange and Briidge.net Connect platforms Etalio platform SecureKey SecureKey s cloud-based identity management portfolio includes the Briidge.net Exchange and the Briidge.net Connect platforms. It delivers identity and authentication services for large-scale consumer and citizen identities. The Canada-based company is not new to the IDM market, having worked within the financial and government markets in the US and Canada. It plans to debut its digital identity solutions in the telecoms market soon. Briidge.net Exchange enables identity federation using consumers trusted credentials already held identity providers (IDPs), while Briidge.net Connect is a cloud-based, multi-factor authentication service platform that supports a broad range of authentication devices. These services support all types of mobile devices and PCs. SecureKey recently announced that it would collaborate with Oberthur Technologies, a specialist in using SIM cards to provide security-based services. The companies will jointly market a mobile identity and authentication solution that uses SIM cards to store credentials Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 11

12 Ericsson Etalio Ericsson, one of the world s leading providers of telecoms network equipment, is moving into the identity management space with its Etalio platform, though it has been supporting telcos with identity management solutions for some time now. Its relevant capabilities include single sign-on (SSO) and federation of identities across the different applications used by telcos. It plans to introduce a cloud-based identity and authentication platform. Etalio is the vendor s latest solution for telcos. It creates mobile identities for customers using SIM cards and mobile phone numbers, allows users to create unique identities that represent who they are, and ensures that only data approved by the user is shared with each service or app that requests access to it. The SIM card within the mobile device then becomes a secure identity token that can be used for authentication on any web resource. Market leaders Market leaders: technology Figure 3: Ovum Decision Matrix: identity management for telcos, market leaders technology Source: Ovum This technology assessment considers all the factors discussed above in the "technology assessment" section of the methodology. Vendor platforms that are missing some core functions, but that work with third parties to support these capabilities, have had their scores reduced proportionate 2014 Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 12

13 to the points given to vendors that have homegrown technology within their IDM solutions. Oracle, CA technologies, Courion, and UnboundID featured as market leaders in this section. The overall market leaders, CA Technologies and Oracle, obtained the highest scores in five of the six categories assessed. Apart from supporting all six of the core IDM technology assessment functions considered in this research, both vendors apply advanced techniques such as risk analytics to assess end-user transactions and determine whether a higher level of assurance for authentication and access control is required. Both platforms are leveraged by telcos customer portals to provide direct access to these services. Oracle supports this function using its web and enterprise SSO capabilities, while CA Technologies leverages its widely used web SSO capabilities. UnboundID recorded high scores for its product roadmap, platform architecture, and offering maturity. Its strong product roadmap aligns with some of the core IDM capabilities telcos are seeking. Courion on the other hand obtained high scores for its platform architecture and the standards and protocols it supports. This support makes its platform flexible enough to adapt to any telco environment. Market leaders: strategy and execution Figure 4: Ovum Decision Matrix: identity management for telcos, market leaders execution Source: Ovum Oracle scored the highest overall in our strategy assessment. CA Technologies and Ping Identity obtained the next highest scores. Oracle and CA Technologies have large partner networks and long-standing relationships with telcos, setting these market leaders apart in the telecoms market. Our assessment considers telcos extensive need for IDM, which goes beyond just secured access to internal resources by customers, employees, and partners, to supporting consumer use cases such as access to online portals. The support for multi-country operations using a single IDM platform is 2014 Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 13

14 also a core consideration for telcos. This comes largely from the need to cut down on the cost of managing multiple platforms, and simplify process workflows across all business operations. Oracle and CA Technologies offer robust solutions that cut across telcos user segments. Gemalto also presented an IDM solution portfolio that supports all user segments, and the vendor s telco engagements are increasing due to the value that its mobile ID capabilities bring to telcos identity-based services. Interoperability and scalability were key factors in our strategy and execution assessment. Telcos are not homogenous, and they need to scale to a large number of identities to handle the large user bases they manage. Interoperability considered how easy it is for each IDM platform to exchange and use information from existing infrastructure. Ping Identity and SafeNet, in addition to the market leaders, presented highly interoperable systems. These solutions can integrate with existing user stores, enabling easy implementation and integration with existing systems. IDM solutions provided by Oracle, Ping Identity, and UnboundID had deployments that supported the largest number of identities. Market leaders: market impact Figure 5: Ovum Decision Matrix: identity management for telcos, market leaders market impact Source: Ovum Oracle obtained the highest overall score for market impact, followed by UnboundID and CA Technologies. The high ratings for Oracle and CA Technologies reflect not just the strong recognition these vendors solutions have within the telecoms industry, but also the fact that telcos are looking to engage with companies that support the core IDM functionalities and cater for all customer types. The 2014 Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 14

15 prolific use of the Sun Directory by telcos has contributed to Oracle s high market impact scores, with the acquisition of Sun Microsystems in 2010 by Oracle having extended its customer footprint in the market. CA Technologies obtained the second-highest scores for its geographical reach, estimated IDM revenues, and IDM revenues obtained from telcos. The vendor s strong IDM portfolio and global partner ecosystem have together enhanced the company s telco-focused propositions. UnboundID, one of vendors that achieved a challenger position, obtained the highest score for revenue growth. This owes largely to the company growing from a lower base, but it can also be attributed to the solution s ability to manage large customer data. Vendor analysis CA Technologies market leader Figure 6: CA Technologies radar diagrams Source: Ovum Ovum assessment CA Technologies is one of the leading IT management software and solutions providers within the telecoms industry. Headquartered in Islandia, New York, US, the company has established a strong position in the telecoms industry as an IDM provider supporting tier-1 telcos, such as BT, as well as smaller CSPs. The company ranks telecoms among its top five industries Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 15

16 The company s IDM proposition for the telecoms industry consists of three products, which are part of its CA Identity and Access Management (IAM) portfolio. The CA IAM suite is managed by CA s Security business within its Enterprise Solutions business unit. CA Technologies has the capacity to support the business needs of telcos, as it can draw from a pool of specialists covering development, support, sales, services, and marketing. The CA IAM solution has been built both organically and through acquisitions. Acquisitions include Netegrity, an identity and access software specialist, and Arcot, a specialist in the identity authentication market. The Arcot acquisition complemented CA s Single Sign-On access management portfolio (formerly CA SiteMinder), as well as CA s cloud security strategy, through leveraging Arcot s advanced authentication and fraud-prevention capabilities. CA s latest acquisition of Layer 7 strengthens the management and security of its application programming interface (API). CA Technologies IDM solution covers the core IDM functionalities assessed in this Decision Matrix. It addresses trends in the telecoms market and the need of telcos to automate the creation of identities and manage the entire identity lifecycle for customers, employees, and partners. It offers the following products: CA Identity Manager (formerly CA IdentityMinder) comprises a provisioning server, provisioning roles, and identity policies, which together allow telcos to automate the provisioning and de-provisioning process based on business rules and approval workflows. CA Advanced Authentication a multi-factor authentication (MFA) system that helps telcos to deploy and manage a wide range of authentication methods, from passwords to software and hardware tokens and credentials. MFA extends to the access of enterprise VPNs and provides secured access using any device, from PCs to mobile devices. CA Single Sign-On (formerly CA SiteMinder) provides SSO and federated identity management capabilities. Federation comes as an add-on facility within CA Single Sign-On,and together they support a secure centralized web application management system that can secure access to a telco s web applications and portals for employees, customers, and partners. The vendor s IDM solution provides a flexible approach to deployment, as it can be performed on-premise, as a hybrid solution, or delivered as a cloud service using CA CloudMinder. The CA Advanced Authentication product provides risk-based authentication functionality, which assesses conditions such as time of access, location of access, and device from which access is being sought, to obtain a risk score that then validates the authentication process. The CA Identity Manager architecture presents a flexible approach for telco deployment, as it uses a flexible two-tier or three-tier architecture that can be arranged to fit each telco s needs. CA s roadmap for the next months highlights the vendor s commitment to developing a solution that is in sync with the needs of the telecoms industry. These plans include extending enterprise user self-service capabilities to consumers in order to improve the consumer experience, and providing a qualified process that can be implemented for identity-proofing within the telco s enterprise, and integrated with external identity-proofing providers. CA Technologies global partner network, one of the strongest of the vendors analyzed, enables the vendor to market its solution effectively. Its network of partners consists of distributors, service providers, solution providers, and system integrators. Examples of partners include Wipro and Mycroft, and its service provider partners include telcos such as NTT Communications, Telefonica, 2014 Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 16

17 and Verizon, while its global system integrator partners include Accenture, PwC, and Deloitte. CA offers comprehensive partner programs, which include training sales, technical sales, and implementation and support courses complemented by assessments and accreditations. CA Technologies received the second-highest score for overall revenues for IDM, and the third-highest score for revenues obtained from the telecoms industry. The company enjoys a larger geographic reach than some of the other vendors analyzed (excluding Oracle), with more dominance in North America. CA Technologies is positioned within the market leader group because of the overall strength of its IDM portfolio for the telecoms industry. The comprehensive solution aligns with telcos core needs for IDM across all user segments: customers (enterprise and consumer), employees, and partners. Telcos can easily extend CA s IDM functionalities to other services or applications using the pre-installed federation capability. CA has good brand awareness within the telecoms industry, and its strong partnership portfolio enables quicker access to telco clients. Courion market follower Figure 7: Courion radar diagrams Source: Ovum Ovum assessment Courion was founded in 1996 and is headquartered in Westborough, Massachusetts, US. The vendor is dedicated to the production of identity and access management products, which support the 2014 Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 17

18 delivery of provisioning services, access management, and intelligence. It helps telcos to provide the right level of access to the right people at the right time. Courion is focused solely on identity and access management products, so is completely dedicated to this product line. The company has approximately 200 employees, with 81 of these dedicated to research and development in centers located in the US and India, and 48 dedicated to implementation and support services. The company has relied on in-house capabilities to develop its solution, but it relies on partnerships to extend the capabilities of its platform. These partners include RSA and SecureReset. Courion presents very strong provisioning capabilities using its Access Assurance Suite (AAS). Courion AAS is an integrated platform that includes: Account Courier for automated account creation. Access Request Manager for managing user access requests. ComplianceCourier for certification of user access rights. RoleCourier for the provision of standardized processes for policy definition of user roles. Access Insight uses predictive analytics to analyze current identity and access data, and perform risk assessments based on any anomalies identified. This helps telcos to reduce the occurrence of threats and reduce the overheads associated with setting up or running IDM systems. For example, by providing these routine checks, telcos could be made aware of any unused access rights that have been created for employees. As IDM licenses are sold according to the number of accounts managed, these reports help to limit overheads. Federated identity management is not included in Courion s AAS suite, but Courion will soon integrate it into the suite following its recent collaboration with Ping Identity for its federated management solution. This integration will enhance its currently limited scope by providing access to cloud services. As a result, Courion will support the federation of user access and identities both on-premise and based in the cloud, and provide the convenience of SSO. Courion s Access Assurance Suite can be set up to suit each organization s core needs for IDM. The user interface is simple and well laid out, providing easy access to components required for the management of the overall identity lifecycle. The suite can be customized using widgets that are easy to understand in terms of use and structure. Courion s Access Intelligence Engine (AIE) monitors the access environment and provides notifications of incorrect access based on configured business policies. The product ensures that account creation and access specification are performed correctly the first time. Courion s AAS platform does not require proprietary databases, servers, or repositories, but can use a customer s existing user data store and databases, thus limiting the inconvenience and time required to deploy the platform. Courion Access Assurance Suite presents a modular approach to configuration, providing telcos with flexibility when selecting products. The company s plans for the next 12 to 24 months remain fixed on enhancing its enterprise business case. Future plans include expanding the use of intelligence in automating functions, such as creating access groupings based on existing users access, requesting access for users based on certain attributes, and providing guidance for users seeking access rights. The platform can be provided as an on-premise solution or as a cloud-based offering. It does not support any authentication methods, so telcos deploying this platform will need to rely on a third-party 2014 Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 18

19 solution to provide this capability. This third-party capability can be provided by vendors such as RSA or SecureReset. The company s partner network is limited compared to the other vendors analyzed in this report. Most of its market is concentrated within North America, and its brand awareness outside this region is limited. Courion s market impact is ranked below average due to its limited telco customer base remains limited compared to other vendors. Courion needs to better market its full portfolio of IDM products and extend its geographical reach. Its PasswordCourier product has gained more traction in the telecoms market than its other products. Courion s Access Assurance Suite is positioned within the follower group because of its limited coverage of telcos IDM needs. Nevertheless, it does deliver complete user provisioning and access management functionality, so should be considered by telcos. By adding predictive analytics to its overall offering, Courion will enable telcos to reduce the cost of operating IDM systems. The vendor s recent technology collaborations reflect its aim of enhancing its current offerings to deliver more IDM capabilities. Gemalto market challenger Figure 8: Gemalto radar diagrams Source: Ovum 2014 Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 19

20 Ovum assessment Gemalto is one of the leading providers of digital security. It offers secure software, devices, and services to industries such as telecoms, financial services, and government. The company provides identity and access security solutions, which are housed within its Platforms and Service Business group. Gemalto s IDM portfolio for the telecoms markets includes its Protiva IDConfirm 1000 and Mobile ID products, created by Valimo, which was acquired in Both products provide strong authentication capabilities: the Protiva IDConfirm 1000 serves the enterprise use case for employee identity authentication, while Mobile ID serves the consumer use case by allowing telcos to authenticate the mobile identities of consumers to online service providers. Gemalto recently announced its intention to acquire SafeNet. This investment could strengthen Gemalto s IDM portfolio and customer base. The company has also announced the release of its cloud-based IDM solution, CloudEntr, to enhance telcos managed services proposition to enterprise customers. Of the 12,000 employees recruited by Gemalto, about 800 are dedicated to the company s security solutions, with about 200 engaged in research and development activities. Its research centers are located in Europe (France and Prague, Czech Republic), North America (Austin, Texas), and Asia (Singapore). Gemalto is a strong player in the area of user authentication. Protiva IDConfirm 1000 provides a vast array of authentication methods and channels, ranging from mobile-based software tokens, to hardware tokens such as SIM-based tokens, to SMS tokens. Other capabilities include multi-factor authentication using methods such as one-time password (OTP) (SMS-based and mobile device based), hardware-based (based on OAuth time- or event-based methodologies), and using smart cards (leveraging PKI or OAuth event-based methods). However, Gemalto does not support the use of biometrics as a secondary form factor for authentication, but does support the use of secure elements within a mobile (NFC or SIM card enabled) to perform authentication. Federation management and SSO on Protiva IDConfirm 1000 are provided via third-party solutions, such as Microsoft Active Directory Federation Service (ADFS) for on-premise applications, and Ping Identity for cloud-based enterprise applications. The Gemalto Mobile ID solution provides federation capabilities using the ETSI standards. Gemalto s roadmap for the next 12 to 24 months reflects its move to strengthen its portfolio of authentication capabilities. It has split its development plans to cover the platform and hardware devices supported for authentication. For the platform, the company plans to deploy an identity credential lifecycle management solution using a trusted service manager (TSM). This will include provisioning and de-provisioning of a user identity on an NFC- or SIM-enabled device. Gemalto will target its Mobile ID solution at increasing the protocols (such as OpenID Connect and SAML) that support the federation of identities. Other plans include the addition of an end-user self-registration portal. The company relies heavily on its internal resources to support global deployments. However, telco customers that outsource IT functions to local system integrators could request that Gemalto works jointly with these local providers. Its vendor support is well structured, and it provides training and certification programs to telco customers as well as sales channel partners. Gemalto delivered a relatively good performance in terms of its overall IDM revenues and the revenues it generates from the telecoms vertical. It attained an average rating for geographical reach, 2014 Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 20