Magic Quadrant for Identity and Access Management as a Service, Worldwide

Transcription

1 G Magic Quadrant for Identity and Access Management as a Service, Worldwide Published: 4 June 2015 Analyst(s): Gregg Kreizman, Neil Wynne Large vendor entrants in 2014 began to make their presence felt. Webcentric but shallow-function services are in high demand. Vendors that can deliver deeper functionality for IGA and legacy application support, including niche vendors, may be the best for your needs. Strategic Planning Assumption By 2019, 25% of IAM purchases will use the IDaaS delivery model up from less than 10% in Market Definition/Description A vendor in the identity and access management as a service (IDaaS) market delivers a predominantly cloud-based service in a multitenant or dedicated and hosted delivery model that brokers core identity governance and administration (IGA), access and intelligence functions to target systems on customers' premises and in the cloud. This Magic Quadrant rates vendors on their ability to be global, general-purpose identity and access management (IAM) service providers for multiple use cases. The vendors in this Magic Quadrant must provide some level of functionality in all of the following IAM functional areas: IGA: At a minimum, the vendor's service is able to automate synchronization (adds, changes and deletions) of identities held by the service or obtained from customers' identity repositories to target applications and other repositories. The vendor also must provide a way for customers' administrators to manage identities directly through an IDaaS administrative interface, and allow users to reset their passwords. In addition, vendors may offer deeper functionality, such as supporting identity life cycle processes, automated provisioning of accounts among heterogeneous systems, access requests (including self-service), and governance over user access to critical systems via workflows for policy enforcement, as well as for access certification processes. Additional capabilities may include role management and access certification.

2 Access: Access includes user authentication, single sign-on (SSO) and authorization enforcement. At a minimum, the vendor provides authentication and SSO to target applications using Web proxies and federation standards. Vendors also may offer ways to vault and replay passwords to get to SSO when federation standards are not supported by the applications. Most vendors offer additional authentication methods. Identity log monitoring and reporting: At a minimum, the vendor logs IGA and access events, makes the log data available to customers for their own analysis, and provides customers with a reporting capability to answer the questions, "Who has been granted access to which target systems and when?" and "Who has accessed those target systems and when?" Page 2 of 37 Gartner, Inc. G

3 Magic Quadrant Figure 1. Magic Quadrant for Identity and Access Management as a Service, Worldwide Source: Gartner (June 2015) Vendor Strengths and Cautions CA Technologies CA Technologies delivers IDaaS under its CA Secure Cloud brand. CA Secure Cloud includes Web application SSO, adaptive authentication and identity administration. The service supports user Gartner, Inc. G Page 3 of 37

4 provisioning to cloud and on-premises systems, including legacy applications. Self-service requests, approval workflows and delegated administration are all supported. The service can be delivered completely from the cloud or in a hybrid model. CA has global regional partners that deliver their own branded versions of IDaaS, underpinned by CA Secure Cloud. Strengths CA Secure Cloud provides greater functional depth for user administration than Web-centric providers. Solid delegated administration and provisioning workflows are provided. The Advanced Authentication SaaS provides adaptive authentication options. CA has a history of successfully leveraging global partners to deliver its solutions and services worldwide. CA's extensive product and service portfolio, as well as its sales and support channels, favors the company in the Overall Viability criterion. CA's portfolio of IAM software and IDaaS can be combined for complex functionality and usecase support, and CA has a broad set of user provisioning connectors to leverage for cloud and legacy application support. Cautions CA has not gained traction in the market and is resetting its strategy. Customers have demanded customized implementations, which is not a design goal for CA Secure Cloud. CA's pricing was above average for Web-centric pricing scenarios. CA Secure Cloud does not yet support password vaulting and forwarding for SSO for target systems that do not support federation standards. This feature is roadmapped. CA Secure Cloud lacks language internationalization, and the interfaces are provided in English only. Centrify Centrify's Identity Service includes Web-centric IDaaS and enterprise mobility management (EMM). The IDaaS portion of the offering provides Web application SSO using federation standards or password vaulting and forwarding, user provisioning, and reporting. The integrated mobility capabilities provide many of the features of stand-alone EMM vendors. Notable features include security configuration and enforcement, device X.509 certificate issuance and renewal, remote device location and wiping, and application containerization. Strengths The EMM features are the strongest in the IDaaS market, and Centrify has a strong relationship with Samsung. Centrify hosts Samsung's own IDaaS offering, and Centrify leverages the Page 4 of 37 Gartner, Inc. G

5 Samsung Knox containerization capability. Centrify added fingerprint biometric support for Apple and Samsung devices in Centrify added privileged account management as an IDaaS offering, and strengthened its support for on-premises applications. Centrify significantly expanded the set of applications for which it can provide user provisioning and license management. The service and on-premises proxy component can be configured to keep some or all identity data on-premises in Active Directory and not replicate it to the cloud. Cloud identity storage is optional. Reporting and analysis features for all events handled by the service are wide-ranging and customizable. Cautions Centrify does not provide business-to-consumer (B2C) or B2B IDaaS offerings. As with other Web-centric IDaaS providers, Centrify does not provide user provisioning workflow or identity governance features. The user provisioning and identity synchronization components are in the early stages of maturity. Bugs have been reported, and Centrify is addressing them with fixes. Marketing programs have been significantly bolstered in 2015; however, brand awareness in IDaaS continues to lag primary competitors. Centrify is facing increased competition from larger vendors. Covisint Covisint is the longest-standing IDaaS vendor in the market. The company may not be well-known among prospects in some industries, geographies and small businesses due to its early focus on larger enterprises. Moreover, Covisint's functionality is often "white-labeled" by its customers. Covisint got its start in the automotive industry and provided integration broker, portal and identity services to support supply chain connectivity. The company has grown those lines of business into other industries. Its work in the automotive industry and in supporting vehicle identities also has helped it build foundation services that can be used in other Internet of Things (IoT) applications. In addition, the company has a history of working through tough integration issues with demanding customers. Strengths Covisint provides strong identity assurance features, with several ID proofing vendor integrations and support for several authentication methods its own and those from third parties. Gartner, Inc. G Page 5 of 37

6 Covisint IDM includes user administration workflow abilities and capable administrative delegation, along with access certification features. The vendor provides deep identity federation and provisioning integration functions using standards and proprietary techniques. Covisint has shown leadership in support of IoT initiatives, particularly in the automotive industry, and IoT is stated as a strong focus going forward. Covisint added a data center in Germany to support customers there, and to grow its presence in the region. Covisint made its service granularly accessible through APIs; it has rearchitected the service to make it more easily implemented in public or private cloud, and to support white labeling. Cautions Although it can support employee-to-saas scenarios, Covisint's focus on large customers with enterprise B2B use cases will make it a less likely choice for small or midsize businesses (SMBs) that are seeking only employee-to-saas use-case support. The scenario pricing that Covisint provided for this research was high for most scenarios, compared with competitors. Covisint is not profitable and has had negative net income since completely separating from Compuware in Although still selling through a direct sales team, Covisint's channel partner strategy to supply its platform as a service (PaaS) to other service providers as a white-labeled service although it could be profitable for the vendor is risky because it could disintermediate Covisint from customers. Exostar Exostar entered the IDaaS market when it was formed by a community of aerospace and defense companies to support their IAM needs related to supply chain. Exostar also created a secure collaboration platform based on top of Microsoft SharePoint, and now it delivers secure , file transfer and WebEx services. The company augments its core services with identity proofing through third parties, but also provides a video "in person" identity proofing service using subjects' webcams for interviews. In addition, Exostar delivers public-key infrastructure (PKI) and one-time password (OTP) token credential management services. Exostar provides IAM that is fully cloudbased, or it can join community participants to the hub via a gateway. Exostar's target market is large companies with cross-organizational collaboration requirements. Exostar views IDaaS as a critical component of its offering, but primarily in the context of helping it to deliver its overall business collaboration capabilities. Strengths Exostar is a long-standing IDaaS vendor, and is one of the few small vendors that is profitable. Page 6 of 37 Gartner, Inc. G

7 Because of its legacy in highly secure markets, Exostar has strict audit requirements to ensure that conditions for security and industry compliance issues are met. The identity proofing capabilities also are unique in this market, and Exostar's identity services are certified by the U.S. government and the SAFE-BioPharma Association. In 2014 and early 2015, Exostar expanded its vertical industry support to the healthcare and airline industries, and within life sciences. Exostar is delivering similar sets of IAM and collaboration functionality to them, with an emphasis on these communities' needs for intellectual property protection. The company has strong customer relationships, and reference customers report that Exostar is a solid partner for implementation, as well as for incorporating customer requirements into its roadmap. Exostar has strong B2B federation and administration capabilities, and it can handle data exchanges in support of complex business agreements for its established communities. In 2014, Exostar added an entitlements management framework to enable user provisioning and the provisioning of application-specific features using customizable workflow components. Cautions The company and its offerings are not geared toward the broader general-purpose IAM market, which would focus on enterprise users' access to SaaS applications, or on consumers' inbound access to enterprises' applications as primary use cases. Rather, Exostar's target market is large companies with cross-organizational collaboration requirements. Authentication and SSO integration features are limited compared with vendors that support general-purpose SSO use cases. Password vaulting and forwarding, as well as social registration and login, are not supported. Exostar provides IDaaS functions to users in multiple geographies, but these users and their companies are predominantly using the services at the behest of Exostar's anchor tenants in aerospace and defense and in life sciences. Exostar picked up a customer in Japan, but otherwise, there is not a strong international presence for Exostar customers and data centers, nor is there broad internalization support. Fischer International Fischer International, a pure-play IAM provider, was one of the first vendors to deliver IDaaS. Fischer's capabilities are available in IDaaS, dedicated hosted, managed or on-premises software delivery models. Fischer provides functionally deep user administration and fulfillment capabilities, some governance functionality, privileged account management, and federated SSO. Strengths Reference customers rate the product and support highly. Gartner, Inc. G Page 7 of 37

8 Fischer's experience and technical capabilities enable it to support IAM functions for legacy onpremises applications in addition to SaaS applications. User administration functionality is deep, with strong connector support to a variety of directories, databases and applications, and access certification features are included. Fischer International emphasizes configuration of out-of-the-box features rather than scripting and custom development. This results in rapid deployment times relative to other deep functionality vendors. However, prospects must ensure that this type of implementation can meet their business process requirements. Fischer's scenario pricing is among the lowest, and references find that this provides solid value for the money. Cautions Despite Fischer's long tenure in the IDaaS market, its brand recognition, market penetration and overall growth have been low compared with its competitors. The focus of Fischer's marketing and sales on the U.S. geographic market and higher education vertical industry has limited the company's growth in other geographies and vertical industries. Access management is limited to SSO, without the authorization enforcement capabilities found in other IDaaS access services. Native mobile application support is not included in the product. IBM This is IBM's first year on the IDaaS Magic Quadrant. In 2014, IBM purchased Lighthouse Security Group, a vendor that delivered its IDaaS underpinned by IBM software. Lighthouse Security Group was evaluated in the 2014 "Magic Quadrant for Identity and Access Management as a Service." IBM has rebranded the offering as Cloud Identity Service, which is provided in a multitenant model. However, components of the service can be delivered in a dedicated model. With the acquisition, IBM can bring its significant resources and relationships to bear in order to advance Cloud Identity Service along with its other offerings. Strengths IBM's functional offering is deep and aligns with the functionality provided by IBM's software deployed on-premises. IBM's offering will be made deeper with the planned incorporation of the functionality obtained through the acquisition of CrossIdeas' IGA capabilities, as well as the integration of Fiberlink's MaaS360 mobile device management (MDM) capabilities. IBM's acquisition of Lighthouse Security Group and its breadth of resources should appeal to customers that are risk-averse and have concerns with smaller vendors. IBM has geographically expanded its data center locations, and IBM's support and professional services organizations are supporting Cloud Identity Service. Page 8 of 37 Gartner, Inc. G

9 The company has some very large customers and can demonstrate high scalability. Cautions Customers report that Cloud Identity Service can take significant effort to go live. This is partly due to the complex nature of projects that IBM takes on for larger customers. IBM will need to deliver a service offering that is more configurable and easy to implement, without requiring significant professional services, in order to compete down-market. While indicators point to the growth of IBM's offering, new clients have not yet translated into references. Despite pricing reductions in 2015, IBM's pricing for several use-case scenarios was among the highest. Ilantus Ilantus provides IDaaS in a dedicated hosted tenant model. The company began as an IAM system integrator, and has experience with traditional large-vendor IAM stacks. It offers four functional services: Identity Express for identity administration, Compliance Express for access governance, Sign On Express for SSO and Password Express for password management. This is Ilantus' first year on the IDaaS Magic Quadrant. Strengths Ilantus' customer references gave the vendor high marks for implementation, support and rapid deployments. Its solutions have been deployed by companies in most vertical industries, and its IGA functionality helps Ilantus support regulated industries. Ilantus' feature set and pricing are strong for the midmarket, which is its current "sweet spot" for customer acquisition. Ilantus' Sign On Express for SSO provides SSO to thick-client applications, in addition to the Web-architected applications that other vendors support. Cautions The company has low penetration in the global IDaaS market. Ilantus has been in the U.S. market as a system integrator since 2000, but has not advanced its IDaaS offerings there or in Europe. However, Ilantus has good penetration in India, and has a foothold in other Asia/Pacific countries in which English is widely spoken. Similar to other small vendors, Ilantus lacks brand recognition, so it will need to step up marketing efforts and sales channel development in order to expand more rapidly. Gartner, Inc. G Page 9 of 37

10 Ilantus demonstrates an understanding of market trends, but its roadmap plans are incremental and mostly designed to keep the service on par with current competitors' capabilities. Building IGA connectors for custom applications is time-consuming and prolongs projects, according to reference customers. Ilantus' federated access to Microsoft Office 365 SSO features lacks Microsoft's rich client support that other IDaaS vendors have. However, Sign On Express for SSO can provide this functionality for Windows clients. iwelcome Netherlands-based iwelcome provides its IDaaS in a dedicated single-tenant delivery model to allow for customization and customer branding. Its offering is heavily based on open-source software and includes authentication, SSO, federation, self-service registration, and user provisioning support for on-premises and SaaS applications. iwelcome has a specific focus on larger enterprise customers with complex requirements. Strengths iwelcome is the only established IDaaS vendor rated in this Magic Quadrant with headquarters located in continental Europe. As a result, it has an early-mover advantage in that region. iwelcome has strong capabilities in access management particularly in authentication method, federation protocol and identity repository support. iwelcome has grown a significant portion of its business by supporting B2C use cases, and owes this success to consumer-oriented features such as supporting multiple authentication methods, social registration and login, configurability of the user experience, and customer portal integration. iwelcome expanded its API support for more functions and added attribute provisioning and validation. Customers can enable or disable these capabilities through the administrative interface. During 2014 and early 2015, the company made advancements in authentication method support, and added identity intelligence features, role administration and provisioning, and System for Cross-Domain Identity Management (SCIM) support. Cautions iwelcome lacks delegated administration. It also lacks core identity governance features (such as access certification and recertification), and its provisioning approval workflow capabilities are minimal. iwelcome relies on integration with customers' established IGA toolsets. The company's overall customer base is small compared with most competitors, although the company grew the business proportionately well for its size during Page 10 of 37 Gartner, Inc. G

11 In 2014, although iwelcome began to enhance its sales resources and marketing efforts internally and through partnerships in other European countries, these efforts will need to expand rapidly in order for the vendor to stay ahead. Support resources and customer engagement will need to expand as well. Existing customers report that the platform is reliable and performs well, but that technical support could be more responsive. Microsoft This is Microsoft's first year on the IDaaS Magic Quadrant. Microsoft entered the IDaaS market in May 2014 with its business-to-employee (B2E)-focused Azure Active Directory services. There are three service levels; the Premium offering provides features that are in line with other Web-centric IDaaS providers, and includes licenses for Microsoft Identity Manager (MIM) that are to be used with customers' on-premises systems. Microsoft also offers Azure Active Directory Premium as part of its Enterprise Mobility Suite, along with Microsoft Intune and Azure Rights Management. Strengths Microsoft joined an established IDaaS market, and was able to leverage its current and substantial customer base particularly Office 365 customers to add Azure Active Directory to contracts. The company has broad and deep marketing, sales and support capabilities. Microsoft already has demonstrated high scalability with Azure Active Directory. The service underpins other Microsoft Azure services. Microsoft has a strong international presence for its service offerings, and continues to expand its infrastructure as a service (IaaS) presence worldwide. The company is able to leverage data sources and machine learning to support intelligence functions, such as identifying known bad IP addresses and devices to help prevent fraudulent activity. Microsoft's strategy demonstrates a strong understanding of technology, socioeconomic, security and jurisdictional trends that will shape its offerings going forward. Cautions Microsoft does not yet provide a B2C IDaaS offering. It is planned for Microsoft's on-premises "bridge" components are Active Directory Federation Services and Azure Active Directory Sync. Customers must implement and manage these two components on their own. Microsoft's Azure AD Connect (similar to other IDaaS vendors' approaches), which will combine these functions, is now in preview. While Azure Active Directory Premium includes access licenses for MIM, customers are responsible for managing that implementation themselves, or with the help of third parties. Gartner, Inc. G Page 11 of 37

12 Microsoft can provide user provisioning to some cloud apps; however, Web-centric competitors have a lead in terms of the number of apps they can provision to, as well as the depth of SaaS fulfillment that supports the provisioning of roles, groups and other attributes. Microsoft can provide provisioning and SSO for enterprise users to social media sites, and has APIs and software development kits (SDKs) for social media support; however, the service does not yet provide packaged social registration and sign-on to Azure Active Directory or target systems. Okta Okta's IDaaS offering is delivered multitenant, with lightweight on-premises components for repository and target system connectors. IDaaS is Okta's core business. Okta delivers basic identity administration and provisioning capabilities, access management for Web-architected applications using federation or password vaulting and forwarding, and reporting. Okta also provides phone-asa-token authentication capabilities. Okta added Mobility Management in Strengths The company's marketing and sales strategies have been effective, as demonstrated by brand recognition and an increased volume of customers. Okta's customer base grew significantly in 2014 and early Okta's continued investment in its API set has led to the delivery of Okta Identity Platform for developers to support integrations with customers' applications and workflows. Gartner again received numerous references, and has confirmed predominantly positive experiences. Okta's investments in mobility management have begun to bear fruit; customers are beginning to use the fundamental MDM functionality integrated with IDaaS to support functions such as mobile SSO, device access policies and device PIN reset. Okta has maintained high, if not perfect, availability. Cautions Okta can synchronize identities from enterprise directories, and has added delegated administration functionality; however, the vendor does not have user provisioning approval workflow beyond one level, nor does it have identity governance features. Okta's canned and custom reporting capabilities are limited. Okta does not yet support the use of social identities for registration and logon. These capabilities were in beta test at the time of publication. Okta's current customer base is predominantly located in the U.S., as are its data centers, but Okta has invested in European and Asia/Pacific expansion in terms of sales and data center location strategies. Okta is facing increased competition from larger vendors. Page 12 of 37 Gartner, Inc. G

13 OneLogin OneLogin's service architecture is multitenant, and lightweight integration components are used for on-premises connections. IDaaS is OneLogin's core business. OneLogin also markets a federated search capability that allows customers to search for content across connected applications, and for these users to be authenticated automatically when search results are returned and selected. Strengths OneLogin significantly expanded its customer base in 2014 and early 2015, and has some large customers. OneLogin has taken a standards-based approach to native mobile application integration, and is one of the vendors that champions the OpenID Native Applications Working Group (NAPPS) specifications. OneLogin has started improving its global sales by expanding its sales organization and developing its channel partnerships. OneLogin secured a third round of venture funding that will help it expand. References were mostly solid, and appreciated the support they received from OneLogin. Cautions OneLogin faces increased competition from larger competitors. OneLogin lacks its own deep user administration and provisioning and identity governance functionalities. OneLogin had some issues with service availability in However, it handled those issues well with customers and is improving the resilience of its service. OneLogin maintains a singular focus on IDaaS, but has not developed a strategy for other product offerings. This could make it difficult to compete against vendors with broader offerings. Ping Identity The PingOne service is a multitenant Web-centric offering. Ping Identity provides a lightweight selfservice bridge component to integrate a customer's Active Directory to the service, and also uses the well-established PingFederate product as the on-premises bridge component for customers when broad protocol and directory support are needed. In addition, PingAccess can be deployed to support proxy access to internal Web applications and APIs. PingID is offered to provide phone-asa-token authentication methods. Gartner, Inc. G Page 13 of 37

14 Strengths By leveraging the PingFederate technology for the bridge component, Ping can provide SSO by integrating with a variety of identity repositories, existing customer access management systems and target application systems. Ping Identity has demonstrated support for multiple workforce and external identity use cases, as well as strong service provider support, via its many service provider customers. Ping Identity has shown strong leadership in identity standards development, as well as openness in working with customers and competitors to evolve the standards. Ping Identity has broad vertical and geographic market penetration through its value-added reseller (VAR) and system integrator partner networks; also, it has made inroads with managed service providers that can offer PingOne functionality. Cautions PingOne is one of the services with strong access features, but very lightweight IGA capabilities. User self-service access request, provisioning workflow and most identity governance features are missing. PingOne has lagged its primary competitors in brand recognition and customer adoption. Ping Identity's reporting capabilities are weak compared with its competitors. Language internationalization features for the administrative and user interfaces are lacking relative to competitors; however, they are improving, with versions becoming available for Ping Identity's target markets later in SailPoint SailPoint IdentityNow was developed predominantly in-house, and features access request and provisioning, access certification, password management, and SSO service elements. The architecture is multitenant and can deliver services completely in the cloud, or it can be bridged to enterprise environments to support on-premises applications. Strengths SailPoint's legacy of providing strong on-premises IGA has helped it deliver a subset of the functionality from the IdentityIQ product in IdentityNow. The more full-featured IdentityIQ can be delivered as a hosted managed service through partners as an alternative. This helps SailPoint strongly support employee-facing use cases. SailPoint's full complement of provisioning connectors provides fulfillment capabilities to a wide variety of identity repositories and target systems, and significant product updates have been made to the password management functionality. SailPoint provides SSO options that include federated SSO and password vaulting and forwarding. Page 14 of 37 Gartner, Inc. G

15 SailPoint has a broad geographic presence for sales and support as a foundation for selling its IDaaS, and it has added data centers in Europe and Sydney, with other Asia/Pacific data centers roadmapped for The company is profitable, and Thoma Bravo became a majority owner in SailPoint, thereby bringing additional resources to the vendor. Cautions SailPoint's IDaaS market share is growing, but still small. IdentityNow does not support social identity use cases. IdentityNow is limited in its ability to support delegated administration for B2B use cases, but this feature is roadmapped for SailPoint has strong VAR and system integration partner sets, but it is just beginning to leverage them for IDaaS market penetration. Salesforce Salesforce provides Salesforce Identity as part of its Salesforce PaaS. It sells Identity as an independent service offering, but also includes Identity for established Salesforce customers. Identity Connect is Salesforce's on-premises bridge component that is sold separately. The service includes the baseline functionality required for inclusion, as well as social registration and login, federation gateway functionality, and deep access request and user provisioning workflow functionality. Strengths Salesforce is able to place commoditization pressure on the market by including IDaaS functionality in its core offering, thereby providing incentives to keep its substantial customer base from being drawn to alternatives. Salesforce Identity takes advantage of the deep access request and approval workflow functionality inherent in the Salesforce platform. Salesforce's strategy demonstrates a strong understanding of technology, socioeconomic, security and jurisdictional trends that will shape its offerings going forward. Salesforce Identity has strong social media and identity standards support. Cautions Salesforce does not support password vaulting and forwarding capabilities for SSO. Salesforce Identity does not provide proxy-based access to on-premises Web applications. Gartner, Inc. G Page 15 of 37

16 The bridge component of Salesforce Identity does not provide the ability to synchronize cloud directory changes to enterprise directories. Professional services are needed to deliver this functionality. Despite Salesforce's considerable PaaS market presence and recent awareness campaigns, Salesforce Identity's brand is not yet well-known in the market. The service is in its second year of availability. Simeio Solutions Simeio Solutions provides a mixture of dedicated hosted and on-premises managed service offerings. Its services are underpinned by products from other well-established IAM software vendors, which allows Simeio to provide Web access management (WAM), identity administration, access request, role and compliance, privileged account management, data loss prevention, risk intelligence, IT governance, risk and compliance services, and directory services. Strengths Simeio's use of major IAM stack vendors' technologies provides it with an arsenal of products that delivers deep functional support for Web and legacy applications. The same vendor partnerships provide referrals to Simeio for customer acquisitions. Simeio also became Dell's exclusive as-a-service provider for Dell's IAM offerings. Simeio's Identity Intelligence Center provides actionable insight into patterns of usage among users that may exist across multiple vendor identity sources and other security systems. Simeio's history as an integrator has given it the experience to help customers plan, design and integrate their IDaaS offerings. A significant portion of Simeio's staff serves in professional services roles. Simeio continues to enhance its administration and user interfaces as abstraction layers among the multiple underpinning vendors' technologies to help with consistency and time to value with implementations. Simeio's service-based roots have enabled it to have a positive cash flow since its inception. A recently announced private equity investment should allow Simeio to further accelerate its growth. Simeio has a good spread in its vertical industry and geographic representation; references highlighted Simeio as a good partner and rated it highly overall. Cautions Simeio's organization and its overall customer base grew in 2014 and early 2015, but not as rapidly as we would have expected, given its relationship with Dell. Simeio's use of OEM software requires the incorporation of these third-party vendors' software licensing costs in its offerings. This tends to make Simeio's pricing high, even for pure Web application use cases. Page 16 of 37 Gartner, Inc. G

17 Simeio is still relatively unknown in the IDaaS marketplace, but is slowly building its customer base and brand awareness, thanks to vendor partners, some of which are also competitors. Vendors Added and Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor. Added Microsoft, Ilantus and Salesforce were added to the Magic Quadrant this year. Also, IBM was added because it acquired Lighthouse Security Group. Dropped Symplified's intellectual property and some of its people were acquired by RSA, The Security Division of EMC; therefore, Symplified was dropped from the Magic Quadrant. RSA has just announced its Via offering, which leverages Symplified's technology, but RSA did not meet customer and revenue inclusion criteria for this Magic Quadrant. In addition, Lighthouse Security Group was dropped because it was acquired by IBM. Other Vendors of Note There has been some Gartner client interest in two vendors that specialize in social identity integration: Gigya and Janrain. However, neither one met the IAM functional inclusion criteria for this Magic Quadrant, notably in the IGA functional areas. Pirean and Wipro did not meet the financial or market penetration criteria for this Magic Quadrant. However, these vendors have functionally deep IAM offerings, and also have international headquarters, which may help them to be considered as alternatives to U.S.-based companies. Bitium offers a Web-centric IDaaS, but it did not meet the revenue criteria for inclusion in this Magic Quadrant. Intermedia offers AppID, but it did not meet the customer and revenue criteria for inclusion in this Magic Quadrant. Gartner, Inc. G Page 17 of 37

18 Inclusion and Exclusion Criteria The vendor must provide a minimum level of functionality in all the IAM functional areas outlined in the Market Definition/Description section. Vendors that deliver only one or two of these core IAM functions as a service, such as authentication only, were not covered as part of this research. The following additional inclusion criteria were used. Longevity of offering: Each IDaaS offering has been generally available since at least 31 December 2014 and is in use in multiple customer production environments. Origination of offering: The offering is manufactured and operated by the vendor, or is a significantly modified version obtained through an OEM relationship. (We discount any service offering that has merely been obtained without significant functional modification through a licensing agreement from another vendor for example, as part of a reseller/partner or serviceprovider agreement.) Number of customers and end users (including customers of third-party service providers and their end users): As of 31 December 2014, the vendor had: More than 20 different active customer organizations using its IDaaS offerings in a production environment. Revenue attributed to fees for IDaaS service usage that was greater than $4 million for the year ending 31 December Verifiability: Customer references must be available. Evaluation Criteria Ability to Execute Product or Service The service's overall architecture, with emphasis on the service's global availability and resiliency features, and its flexibility to support on-premises identity repositories and cloud-only implementations. The level of support and expertise required by customers to help maintain the components. The extent to which a service's functions are exposed via APIs for customers' system integration. Security and privacy: The physical and logical controls implemented by the vendor and any underpinning IaaS provider; security for on-premises bridge components and connections between the bridge and the IDaaS; controls for data security, particularly regarding personal information; and vendors' third-party certifications received for the services. Page 18 of 37 Gartner, Inc. G

19 The variety of on-premises identity repositories that can be supported, and the quality of integration with same. The depth and breadth of IGA functionality: Access request. Access approval workflow depth and functionality. Access certification. Attribute discovery and administration. Administrative access enforcement for example, to identify, alert and prevent inappropriate access. Provisioning create, read, update, delete (CRUD) user identities and entitlements to target systems. Configuring target system connectors. The depth and breadth of access functionality: User authentication methods supported. Breadth of SSO support for target systems. Federation standards. Support for mobile endpoints and native mobile application integration. Authorization enforcement. The depth and breadth of identity monitoring and reporting: Canned reporting. Customized reporting. Data export to on-premises systems. Analytics. Integration with Microsoft Office 365, Microsoft SharePoint, customers' on-premises VPNs and WAM systems. Deployment requirements, such as speed of proof of concept and deployment, customer staffing requirements, and factors that add complexity and may affect speed to deployment and staffing. Overall Viability Overall financial health. Gartner, Inc. G Page 19 of 37

20 Success in the IDaaS market in terms of the number and size of customer implementations. This aspect is heavily weighted. The vendor's likely continued presence in the IDaaS market. Sales Execution/Pricing The vendor's capabilities in such areas as deal management and presales support, and the overall effectiveness of the sales channel, including VARs and integrators. The vendor's track record in competitive wins and business retention. Pricing over a number of different scenarios. This aspect is heavily weighted. Market Responsiveness/Record The vendor's demonstrated ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act and market dynamics change. How the vendor can meet customers' evolving IDaaS needs over a variety of use cases. How the vendor has embraced standards initiatives in the IDaaS and adjacent market segments, and responded to relevant regulation and legislation. Marketing Execution The clarity, quality, creativity and efficacy of programs designed to deliver the vendor's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities. For example: Marketing activities and messaging. Visibility in the press, social media and other outlets. Vendor's appearance in vendor selection exercises, based on Gartner-client interactions. Brand depth and equity. Customer Experience Customer relationship and services. Customer satisfaction program. Customer references: This evaluation subcriterion was weighted heavily and included input from vendor-supplied references, as well as unsolicited feedback from Gartner-client interactions. Page 20 of 37 Gartner, Inc. G

21 Operations People that is, the size of the organization and the track record of key staff members. Quality and security processes. Table 1. Ability to Execute Evaluation Criteria Evaluation Criteria Product or Service Overall Viability Sales Execution/Pricing Market Responsiveness/Record Marketing Execution Customer Experience Operations Weighting High Medium High Medium Medium High Low Source: Gartner (June 2015) Completeness of Vision Market Understanding Understanding customer needs: Methods, the effects of the Nexus of Forces (cloud, mobile, social and information) and the IoT. The future of IDaaS and the vendor's place in the market. Also, the vendor's views on top technological, nontechnological and regulatory changes in the market. Marketing Strategy Communication and brand awareness: The clarity, differentiation and performance management of the vendor's marketing messages and campaigns. The appropriateness of the vendor's use of events, social media, other online media and traditional media as part of its marketing efforts. Sales Strategy The vendor's strategy for selling its IDaaS offerings that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates, which extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Gartner, Inc. G Page 21 of 37

22 Offering (Product) Strategy The vendor's approach to developing and delivering its IDaaS offerings, which meet customers' and prospects' needs with respect to their key selection criteria, the needs created by the Nexus of Forces and other market dynamics. Also, the vendor's ability to exploit the Nexus of Forces to improve its IDaaS products and services. The strength of the vendor's roadmap, and how the vendor will increase the competitive differentiation of its IDaaS and ancillary services. Business Model The soundness and logic of the vendor's underlying business proposition: The vendor's views of key strengths and weaknesses relative to competitors. Recent company milestones. Path chosen for future growth. Vertical/Industry Strategy Customer breadth and penetration into various industries and sizes of customer organizations. Views of industry trends and special needs. Strategy for expanding IDaaS adoption in different industries. Innovation Foundational technological and nontechnological innovations. Recent and planned innovations. Organizational culture and how it affects innovation. Geographic Strategy Global geographic reach of customer base and trends. Strategy for expanded geographic customer acquisition. Global nature of technical support and professional services, and language internationalization for administrative and user interfaces. Page 22 of 37 Gartner, Inc. G

23 Table 2. Completeness of Vision Evaluation Criteria Evaluation Criteria Market Understanding Marketing Strategy Sales Strategy Offering (Product) Strategy Business Model Vertical/Industry Strategy Innovation Geographic Strategy Weighting Medium Medium Medium High Medium Low High Low Source: Gartner (June 2015) Quadrant Descriptions Leaders Leaders in the IDaaS market generally have made strong customer gains. They provide feature sets that are appropriate for current customer use-case needs. Leaders also show evidence of strong vision and execution for anticipated requirements related to technology, methodology or means of delivery. Leaders typically demonstrate solid customer satisfaction with overall IDaaS capabilities and/or related service and support. Challengers Challengers also show strong execution, and have significant sales and brand presence. However, they have not shown the Completeness of Vision for IDaaS that Leaders have. Rather, their vision and execution for technology, methodology and/or means of delivery tend to be more focused on or restricted to specific functions, platforms, geographies or services. Challengers' clients are relatively satisfied, but ask for additional functionality, more timely support and higher service levels than are currently delivered. There are no Challengers in this Magic Quadrant. Visionaries Vendors in the Visionaries quadrant provide products that meet many IDaaS client requirements, but they may not have the market penetration to execute as Leaders do. Visionaries are noted for their innovative approach to IDaaS technology, methodology and/or means of delivery. They may see IDaaS as a key part of a much broader service portfolio. They often may have unique features, and Gartner, Inc. G Page 23 of 37

24 may be focused on a specific industry or specific set of use cases. In addition, they have a strong vision for the future of the market and their place in it. Niche Players Niche Players provide IDaaS technology that is a good match for specific use cases. They may focus on specific industries or have a geographically limited footprint, but they can actually outperform many competitors. Vendors in this quadrant often have relatively fewer customers than competitors, but they may have large customers as well as a strong IDaaS feature set. Pricing might be considered too high for the value provided by some niche vendors. Inclusion in this quadrant, however, does not reflect negatively on the vendor's value in the more narrowly focused service spectrum. Niche solutions can be very effective in their areas of focus. Context Vendors rated in this Magic Quadrant come from distinctly different backgrounds. Their pedigrees vary greatly, as do their abilities to provide IAM functional depth and support for different use cases. Their aspirations for servicing customers by geography, industry and customer-size segmentation also vary. Clients are strongly cautioned not to use vendors' positions in the Magic Quadrant graphic (see Figure 1) as the sole source for determining a shortlist of vendors. Vendors were evaluated with regard to their ability to provide a general set of IAM functionalities across multiple use cases, and in multiple geographies and industries, and to do so by providing solid value for money as perceived by their customers. All vendors covered in this Magic Quadrant have succeeded in providing customers with services that meet their needs. However, client requirements particularly those for IAM functional depth, speed to implementation, geographic coverage and price are most likely to strongly affect their choices for a shortlist: 1. Clients focused on Web-architected application targets, employee-to-saas and consumerfacing needs should strongly consider Centrify, Microsoft, Okta, OneLogin, Ping Identity and Salesforce. These vendors also have experience with SMBs, even as they aspire to move upmarket to serve larger clients and have begun to do so. Currently, however, these vendors have limited IGA abilities. They tend to lack multilevel provisioning approval workflows, as well as identity governance features such as access certification, segregation of duties violation detection, or role engineering and certification. These vendors' provisioning connectors for legacy application targets also are lacking. 2. Clients that need more functional depth in IGA and legacy on-premises application targets should strongly consider CA Technologies, Covisint, Fischer International, IBM, Ilantus, Simeio Solutions and SailPoint. European clients especially may be interested in iwelcome. More of these vendors also provide dedicated hosted instances of their offerings as options. 3. Clients that need IAM served as part of a community of interest or an industry consortium should strongly consider Covisint and Exostar. These vendors have a history of providing IAM in a hub configuration that is designed to support collaboration among participants, or to serve Page 24 of 37 Gartner, Inc. G