Magic Quadrant for Identity and Access Management as a Service, Worldwide

Transcription

1 G Magic Quadrant for Identity and Access Management as a Service, Worldwide Published: 4 June 2015 Analyst(s): Gregg Kreizman, Neil Wynne Large vendor entrants in 2014 began to make their presence felt. Webcentric but shallow-function services are in high demand. Vendors that can deliver deeper functionality for IGA and legacy application support, including niche vendors, may be the best for your needs. Strategic Planning Assumption By 2019, 25% of IAM purchases will use the IDaaS delivery model up from less than 10% in Market Definition/Description A vendor in the identity and access management as a service (IDaaS) market delivers a predominantly cloud-based service in a multitenant or dedicated and hosted delivery model that brokers core identity governance and administration (IGA), access and intelligence functions to target systems on customers' premises and in the cloud. This Magic Quadrant rates vendors on their ability to be global, general-purpose identity and access management (IAM) service providers for multiple use cases. The vendors in this Magic Quadrant must provide some level of functionality in all of the following IAM functional areas: IGA: At a minimum, the vendor's service is able to automate synchronization (adds, changes and deletions) of identities held by the service or obtained from customers' identity repositories to target applications and other repositories. The vendor also must provide a way for customers' administrators to manage identities directly through an IDaaS administrative interface, and allow users to reset their passwords. In addition, vendors may offer deeper functionality, such as supporting identity life cycle processes, automated provisioning of accounts among heterogeneous systems, access requests (including self-service), and governance over user access to critical systems via workflows for policy enforcement, as well as for access certification processes. Additional capabilities may include role management and access certification.

2 Access: Access includes user authentication, single sign-on (SSO) and authorization enforcement. At a minimum, the vendor provides authentication and SSO to target applications using Web proxies and federation standards. Vendors also may offer ways to vault and replay passwords to get to SSO when federation standards are not supported by the applications. Most vendors offer additional authentication methods. Identity log monitoring and reporting: At a minimum, the vendor logs IGA and access events, makes the log data available to customers for their own analysis, and provides customers with a reporting capability to answer the questions, "Who has been granted access to which target systems and when?" and "Who has accessed those target systems and when?" Page 2 of 37 Gartner, Inc. G

3 Magic Quadrant Figure 1. Magic Quadrant for Identity and Access Management as a Service, Worldwide Source: Gartner (June 2015) Vendor Strengths and Cautions CA Technologies CA Technologies delivers IDaaS under its CA Secure Cloud brand. CA Secure Cloud includes Web application SSO, adaptive authentication and identity administration. The service supports user Gartner, Inc. G Page 3 of 37

4 provisioning to cloud and on-premises systems, including legacy applications. Self-service requests, approval workflows and delegated administration are all supported. The service can be delivered completely from the cloud or in a hybrid model. CA has global regional partners that deliver their own branded versions of IDaaS, underpinned by CA Secure Cloud. Strengths CA Secure Cloud provides greater functional depth for user administration than Web-centric providers. Solid delegated administration and provisioning workflows are provided. The Advanced Authentication SaaS provides adaptive authentication options. CA has a history of successfully leveraging global partners to deliver its solutions and services worldwide. CA's extensive product and service portfolio, as well as its sales and support channels, favors the company in the Overall Viability criterion. CA's portfolio of IAM software and IDaaS can be combined for complex functionality and usecase support, and CA has a broad set of user provisioning connectors to leverage for cloud and legacy application support. Cautions CA has not gained traction in the market and is resetting its strategy. Customers have demanded customized implementations, which is not a design goal for CA Secure Cloud. CA's pricing was above average for Web-centric pricing scenarios. CA Secure Cloud does not yet support password vaulting and forwarding for SSO for target systems that do not support federation standards. This feature is roadmapped. CA Secure Cloud lacks language internationalization, and the interfaces are provided in English only. Centrify Centrify's Identity Service includes Web-centric IDaaS and enterprise mobility management (EMM). The IDaaS portion of the offering provides Web application SSO using federation standards or password vaulting and forwarding, user provisioning, and reporting. The integrated mobility capabilities provide many of the features of stand-alone EMM vendors. Notable features include security configuration and enforcement, device X.509 certificate issuance and renewal, remote device location and wiping, and application containerization. Strengths The EMM features are the strongest in the IDaaS market, and Centrify has a strong relationship with Samsung. Centrify hosts Samsung's own IDaaS offering, and Centrify leverages the Page 4 of 37 Gartner, Inc. G

5 Samsung Knox containerization capability. Centrify added fingerprint biometric support for Apple and Samsung devices in Centrify added privileged account management as an IDaaS offering, and strengthened its support for on-premises applications. Centrify significantly expanded the set of applications for which it can provide user provisioning and license management. The service and on-premises proxy component can be configured to keep some or all identity data on-premises in Active Directory and not replicate it to the cloud. Cloud identity storage is optional. Reporting and analysis features for all events handled by the service are wide-ranging and customizable. Cautions Centrify does not provide business-to-consumer (B2C) or B2B IDaaS offerings. As with other Web-centric IDaaS providers, Centrify does not provide user provisioning workflow or identity governance features. The user provisioning and identity synchronization components are in the early stages of maturity. Bugs have been reported, and Centrify is addressing them with fixes. Marketing programs have been significantly bolstered in 2015; however, brand awareness in IDaaS continues to lag primary competitors. Centrify is facing increased competition from larger vendors. Covisint Covisint is the longest-standing IDaaS vendor in the market. The company may not be well-known among prospects in some industries, geographies and small businesses due to its early focus on larger enterprises. Moreover, Covisint's functionality is often "white-labeled" by its customers. Covisint got its start in the automotive industry and provided integration broker, portal and identity services to support supply chain connectivity. The company has grown those lines of business into other industries. Its work in the automotive industry and in supporting vehicle identities also has helped it build foundation services that can be used in other Internet of Things (IoT) applications. In addition, the company has a history of working through tough integration issues with demanding customers. Strengths Covisint provides strong identity assurance features, with several ID proofing vendor integrations and support for several authentication methods its own and those from third parties. Gartner, Inc. G Page 5 of 37

6 Covisint IDM includes user administration workflow abilities and capable administrative delegation, along with access certification features. The vendor provides deep identity federation and provisioning integration functions using standards and proprietary techniques. Covisint has shown leadership in support of IoT initiatives, particularly in the automotive industry, and IoT is stated as a strong focus going forward. Covisint added a data center in Germany to support customers there, and to grow its presence in the region. Covisint made its service granularly accessible through APIs; it has rearchitected the service to make it more easily implemented in public or private cloud, and to support white labeling. Cautions Although it can support employee-to-saas scenarios, Covisint's focus on large customers with enterprise B2B use cases will make it a less likely choice for small or midsize businesses (SMBs) that are seeking only employee-to-saas use-case support. The scenario pricing that Covisint provided for this research was high for most scenarios, compared with competitors. Covisint is not profitable and has had negative net income since completely separating from Compuware in Although still selling through a direct sales team, Covisint's channel partner strategy to supply its platform as a service (PaaS) to other service providers as a white-labeled service although it could be profitable for the vendor is risky because it could disintermediate Covisint from customers. Exostar Exostar entered the IDaaS market when it was formed by a community of aerospace and defense companies to support their IAM needs related to supply chain. Exostar also created a secure collaboration platform based on top of Microsoft SharePoint, and now it delivers secure , file transfer and WebEx services. The company augments its core services with identity proofing through third parties, but also provides a video "in person" identity proofing service using subjects' webcams for interviews. In addition, Exostar delivers public-key infrastructure (PKI) and one-time password (OTP) token credential management services. Exostar provides IAM that is fully cloudbased, or it can join community participants to the hub via a gateway. Exostar's target market is large companies with cross-organizational collaboration requirements. Exostar views IDaaS as a critical component of its offering, but primarily in the context of helping it to deliver its overall business collaboration capabilities. Strengths Exostar is a long-standing IDaaS vendor, and is one of the few small vendors that is profitable. Page 6 of 37 Gartner, Inc. G

7 Because of its legacy in highly secure markets, Exostar has strict audit requirements to ensure that conditions for security and industry compliance issues are met. The identity proofing capabilities also are unique in this market, and Exostar's identity services are certified by the U.S. government and the SAFE-BioPharma Association. In 2014 and early 2015, Exostar expanded its vertical industry support to the healthcare and airline industries, and within life sciences. Exostar is delivering similar sets of IAM and collaboration functionality to them, with an emphasis on these communities' needs for intellectual property protection. The company has strong customer relationships, and reference customers report that Exostar is a solid partner for implementation, as well as for incorporating customer requirements into its roadmap. Exostar has strong B2B federation and administration capabilities, and it can handle data exchanges in support of complex business agreements for its established communities. In 2014, Exostar added an entitlements management framework to enable user provisioning and the provisioning of application-specific features using customizable workflow components. Cautions The company and its offerings are not geared toward the broader general-purpose IAM market, which would focus on enterprise users' access to SaaS applications, or on consumers' inbound access to enterprises' applications as primary use cases. Rather, Exostar's target market is large companies with cross-organizational collaboration requirements. Authentication and SSO integration features are limited compared with vendors that support general-purpose SSO use cases. Password vaulting and forwarding, as well as social registration and login, are not supported. Exostar provides IDaaS functions to users in multiple geographies, but these users and their companies are predominantly using the services at the behest of Exostar's anchor tenants in aerospace and defense and in life sciences. Exostar picked up a customer in Japan, but otherwise, there is not a strong international presence for Exostar customers and data centers, nor is there broad internalization support. Fischer International Fischer International, a pure-play IAM provider, was one of the first vendors to deliver IDaaS. Fischer's capabilities are available in IDaaS, dedicated hosted, managed or on-premises software delivery models. Fischer provides functionally deep user administration and fulfillment capabilities, some governance functionality, privileged account management, and federated SSO. Strengths Reference customers rate the product and support highly. Gartner, Inc. G Page 7 of 37

8 Fischer's experience and technical capabilities enable it to support IAM functions for legacy onpremises applications in addition to SaaS applications. User administration functionality is deep, with strong connector support to a variety of directories, databases and applications, and access certification features are included. Fischer International emphasizes configuration of out-of-the-box features rather than scripting and custom development. This results in rapid deployment times relative to other deep functionality vendors. However, prospects must ensure that this type of implementation can meet their business process requirements. Fischer's scenario pricing is among the lowest, and references find that this provides solid value for the money. Cautions Despite Fischer's long tenure in the IDaaS market, its brand recognition, market penetration and overall growth have been low compared with its competitors. The focus of Fischer's marketing and sales on the U.S. geographic market and higher education vertical industry has limited the company's growth in other geographies and vertical industries. Access management is limited to SSO, without the authorization enforcement capabilities found in other IDaaS access services. Native mobile application support is not included in the product. IBM This is IBM's first year on the IDaaS Magic Quadrant. In 2014, IBM purchased Lighthouse Security Group, a vendor that delivered its IDaaS underpinned by IBM software. Lighthouse Security Group was evaluated in the 2014 "Magic Quadrant for Identity and Access Management as a Service." IBM has rebranded the offering as Cloud Identity Service, which is provided in a multitenant model. However, components of the service can be delivered in a dedicated model. With the acquisition, IBM can bring its significant resources and relationships to bear in order to advance Cloud Identity Service along with its other offerings. Strengths IBM's functional offering is deep and aligns with the functionality provided by IBM's software deployed on-premises. IBM's offering will be made deeper with the planned incorporation of the functionality obtained through the acquisition of CrossIdeas' IGA capabilities, as well as the integration of Fiberlink's MaaS360 mobile device management (MDM) capabilities. IBM's acquisition of Lighthouse Security Group and its breadth of resources should appeal to customers that are risk-averse and have concerns with smaller vendors. IBM has geographically expanded its data center locations, and IBM's support and professional services organizations are supporting Cloud Identity Service. Page 8 of 37 Gartner, Inc. G

9 The company has some very large customers and can demonstrate high scalability. Cautions Customers report that Cloud Identity Service can take significant effort to go live. This is partly due to the complex nature of projects that IBM takes on for larger customers. IBM will need to deliver a service offering that is more configurable and easy to implement, without requiring significant professional services, in order to compete down-market. While indicators point to the growth of IBM's offering, new clients have not yet translated into references. Despite pricing reductions in 2015, IBM's pricing for several use-case scenarios was among the highest. Ilantus Ilantus provides IDaaS in a dedicated hosted tenant model. The company began as an IAM system integrator, and has experience with traditional large-vendor IAM stacks. It offers four functional services: Identity Express for identity administration, Compliance Express for access governance, Sign On Express for SSO and Password Express for password management. This is Ilantus' first year on the IDaaS Magic Quadrant. Strengths Ilantus' customer references gave the vendor high marks for implementation, support and rapid deployments. Its solutions have been deployed by companies in most vertical industries, and its IGA functionality helps Ilantus support regulated industries. Ilantus' feature set and pricing are strong for the midmarket, which is its current "sweet spot" for customer acquisition. Ilantus' Sign On Express for SSO provides SSO to thick-client applications, in addition to the Web-architected applications that other vendors support. Cautions The company has low penetration in the global IDaaS market. Ilantus has been in the U.S. market as a system integrator since 2000, but has not advanced its IDaaS offerings there or in Europe. However, Ilantus has good penetration in India, and has a foothold in other Asia/Pacific countries in which English is widely spoken. Similar to other small vendors, Ilantus lacks brand recognition, so it will need to step up marketing efforts and sales channel development in order to expand more rapidly. Gartner, Inc. G Page 9 of 37

10 Ilantus demonstrates an understanding of market trends, but its roadmap plans are incremental and mostly designed to keep the service on par with current competitors' capabilities. Building IGA connectors for custom applications is time-consuming and prolongs projects, according to reference customers. Ilantus' federated access to Microsoft Office 365 SSO features lacks Microsoft's rich client support that other IDaaS vendors have. However, Sign On Express for SSO can provide this functionality for Windows clients. iwelcome Netherlands-based iwelcome provides its IDaaS in a dedicated single-tenant delivery model to allow for customization and customer branding. Its offering is heavily based on open-source software and includes authentication, SSO, federation, self-service registration, and user provisioning support for on-premises and SaaS applications. iwelcome has a specific focus on larger enterprise customers with complex requirements. Strengths iwelcome is the only established IDaaS vendor rated in this Magic Quadrant with headquarters located in continental Europe. As a result, it has an early-mover advantage in that region. iwelcome has strong capabilities in access management particularly in authentication method, federation protocol and identity repository support. iwelcome has grown a significant portion of its business by supporting B2C use cases, and owes this success to consumer-oriented features such as supporting multiple authentication methods, social registration and login, configurability of the user experience, and customer portal integration. iwelcome expanded its API support for more functions and added attribute provisioning and validation. Customers can enable or disable these capabilities through the administrative interface. During 2014 and early 2015, the company made advancements in authentication method support, and added identity intelligence features, role administration and provisioning, and System for Cross-Domain Identity Management (SCIM) support. Cautions iwelcome lacks delegated administration. It also lacks core identity governance features (such as access certification and recertification), and its provisioning approval workflow capabilities are minimal. iwelcome relies on integration with customers' established IGA toolsets. The company's overall customer base is small compared with most competitors, although the company grew the business proportionately well for its size during Page 10 of 37 Gartner, Inc. G

11 In 2014, although iwelcome began to enhance its sales resources and marketing efforts internally and through partnerships in other European countries, these efforts will need to expand rapidly in order for the vendor to stay ahead. Support resources and customer engagement will need to expand as well. Existing customers report that the platform is reliable and performs well, but that technical support could be more responsive. Microsoft This is Microsoft's first year on the IDaaS Magic Quadrant. Microsoft entered the IDaaS market in May 2014 with its business-to-employee (B2E)-focused Azure Active Directory services. There are three service levels; the Premium offering provides features that are in line with other Web-centric IDaaS providers, and includes licenses for Microsoft Identity Manager (MIM) that are to be used with customers' on-premises systems. Microsoft also offers Azure Active Directory Premium as part of its Enterprise Mobility Suite, along with Microsoft Intune and Azure Rights Management. Strengths Microsoft joined an established IDaaS market, and was able to leverage its current and substantial customer base particularly Office 365 customers to add Azure Active Directory to contracts. The company has broad and deep marketing, sales and support capabilities. Microsoft already has demonstrated high scalability with Azure Active Directory. The service underpins other Microsoft Azure services. Microsoft has a strong international presence for its service offerings, and continues to expand its infrastructure as a service (IaaS) presence worldwide. The company is able to leverage data sources and machine learning to support intelligence functions, such as identifying known bad IP addresses and devices to help prevent fraudulent activity. Microsoft's strategy demonstrates a strong understanding of technology, socioeconomic, security and jurisdictional trends that will shape its offerings going forward. Cautions Microsoft does not yet provide a B2C IDaaS offering. It is planned for Microsoft's on-premises "bridge" components are Active Directory Federation Services and Azure Active Directory Sync. Customers must implement and manage these two components on their own. Microsoft's Azure AD Connect (similar to other IDaaS vendors' approaches), which will combine these functions, is now in preview. While Azure Active Directory Premium includes access licenses for MIM, customers are responsible for managing that implementation themselves, or with the help of third parties. Gartner, Inc. G Page 11 of 37

12 Microsoft can provide user provisioning to some cloud apps; however, Web-centric competitors have a lead in terms of the number of apps they can provision to, as well as the depth of SaaS fulfillment that supports the provisioning of roles, groups and other attributes. Microsoft can provide provisioning and SSO for enterprise users to social media sites, and has APIs and software development kits (SDKs) for social media support; however, the service does not yet provide packaged social registration and sign-on to Azure Active Directory or target systems. Okta Okta's IDaaS offering is delivered multitenant, with lightweight on-premises components for repository and target system connectors. IDaaS is Okta's core business. Okta delivers basic identity administration and provisioning capabilities, access management for Web-architected applications using federation or password vaulting and forwarding, and reporting. Okta also provides phone-asa-token authentication capabilities. Okta added Mobility Management in Strengths The company's marketing and sales strategies have been effective, as demonstrated by brand recognition and an increased volume of customers. Okta's customer base grew significantly in 2014 and early Okta's continued investment in its API set has led to the delivery of Okta Identity Platform for developers to support integrations with customers' applications and workflows. Gartner again received numerous references, and has confirmed predominantly positive experiences. Okta's investments in mobility management have begun to bear fruit; customers are beginning to use the fundamental MDM functionality integrated with IDaaS to support functions such as mobile SSO, device access policies and device PIN reset. Okta has maintained high, if not perfect, availability. Cautions Okta can synchronize identities from enterprise directories, and has added delegated administration functionality; however, the vendor does not have user provisioning approval workflow beyond one level, nor does it have identity governance features. Okta's canned and custom reporting capabilities are limited. Okta does not yet support the use of social identities for registration and logon. These capabilities were in beta test at the time of publication. Okta's current customer base is predominantly located in the U.S., as are its data centers, but Okta has invested in European and Asia/Pacific expansion in terms of sales and data center location strategies. Okta is facing increased competition from larger vendors. Page 12 of 37 Gartner, Inc. G

13 OneLogin OneLogin's service architecture is multitenant, and lightweight integration components are used for on-premises connections. IDaaS is OneLogin's core business. OneLogin also markets a federated search capability that allows customers to search for content across connected applications, and for these users to be authenticated automatically when search results are returned and selected. Strengths OneLogin significantly expanded its customer base in 2014 and early 2015, and has some large customers. OneLogin has taken a standards-based approach to native mobile application integration, and is one of the vendors that champions the OpenID Native Applications Working Group (NAPPS) specifications. OneLogin has started improving its global sales by expanding its sales organization and developing its channel partnerships. OneLogin secured a third round of venture funding that will help it expand. References were mostly solid, and appreciated the support they received from OneLogin. Cautions OneLogin faces increased competition from larger competitors. OneLogin lacks its own deep user administration and provisioning and identity governance functionalities. OneLogin had some issues with service availability in However, it handled those issues well with customers and is improving the resilience of its service. OneLogin maintains a singular focus on IDaaS, but has not developed a strategy for other product offerings. This could make it difficult to compete against vendors with broader offerings. Ping Identity The PingOne service is a multitenant Web-centric offering. Ping Identity provides a lightweight selfservice bridge component to integrate a customer's Active Directory to the service, and also uses the well-established PingFederate product as the on-premises bridge component for customers when broad protocol and directory support are needed. In addition, PingAccess can be deployed to support proxy access to internal Web applications and APIs. PingID is offered to provide phone-asa-token authentication methods. Gartner, Inc. G Page 13 of 37

14 Strengths By leveraging the PingFederate technology for the bridge component, Ping can provide SSO by integrating with a variety of identity repositories, existing customer access management systems and target application systems. Ping Identity has demonstrated support for multiple workforce and external identity use cases, as well as strong service provider support, via its many service provider customers. Ping Identity has shown strong leadership in identity standards development, as well as openness in working with customers and competitors to evolve the standards. Ping Identity has broad vertical and geographic market penetration through its value-added reseller (VAR) and system integrator partner networks; also, it has made inroads with managed service providers that can offer PingOne functionality. Cautions PingOne is one of the services with strong access features, but very lightweight IGA capabilities. User self-service access request, provisioning workflow and most identity governance features are missing. PingOne has lagged its primary competitors in brand recognition and customer adoption. Ping Identity's reporting capabilities are weak compared with its competitors. Language internationalization features for the administrative and user interfaces are lacking relative to competitors; however, they are improving, with versions becoming available for Ping Identity's target markets later in SailPoint SailPoint IdentityNow was developed predominantly in-house, and features access request and provisioning, access certification, password management, and SSO service elements. The architecture is multitenant and can deliver services completely in the cloud, or it can be bridged to enterprise environments to support on-premises applications. Strengths SailPoint's legacy of providing strong on-premises IGA has helped it deliver a subset of the functionality from the IdentityIQ product in IdentityNow. The more full-featured IdentityIQ can be delivered as a hosted managed service through partners as an alternative. This helps SailPoint strongly support employee-facing use cases. SailPoint's full complement of provisioning connectors provides fulfillment capabilities to a wide variety of identity repositories and target systems, and significant product updates have been made to the password management functionality. SailPoint provides SSO options that include federated SSO and password vaulting and forwarding. Page 14 of 37 Gartner, Inc. G

15 SailPoint has a broad geographic presence for sales and support as a foundation for selling its IDaaS, and it has added data centers in Europe and Sydney, with other Asia/Pacific data centers roadmapped for The company is profitable, and Thoma Bravo became a majority owner in SailPoint, thereby bringing additional resources to the vendor. Cautions SailPoint's IDaaS market share is growing, but still small. IdentityNow does not support social identity use cases. IdentityNow is limited in its ability to support delegated administration for B2B use cases, but this feature is roadmapped for SailPoint has strong VAR and system integration partner sets, but it is just beginning to leverage them for IDaaS market penetration. Salesforce Salesforce provides Salesforce Identity as part of its Salesforce PaaS. It sells Identity as an independent service offering, but also includes Identity for established Salesforce customers. Identity Connect is Salesforce's on-premises bridge component that is sold separately. The service includes the baseline functionality required for inclusion, as well as social registration and login, federation gateway functionality, and deep access request and user provisioning workflow functionality. Strengths Salesforce is able to place commoditization pressure on the market by including IDaaS functionality in its core offering, thereby providing incentives to keep its substantial customer base from being drawn to alternatives. Salesforce Identity takes advantage of the deep access request and approval workflow functionality inherent in the Salesforce platform. Salesforce's strategy demonstrates a strong understanding of technology, socioeconomic, security and jurisdictional trends that will shape its offerings going forward. Salesforce Identity has strong social media and identity standards support. Cautions Salesforce does not support password vaulting and forwarding capabilities for SSO. Salesforce Identity does not provide proxy-based access to on-premises Web applications. Gartner, Inc. G Page 15 of 37

16 The bridge component of Salesforce Identity does not provide the ability to synchronize cloud directory changes to enterprise directories. Professional services are needed to deliver this functionality. Despite Salesforce's considerable PaaS market presence and recent awareness campaigns, Salesforce Identity's brand is not yet well-known in the market. The service is in its second year of availability. Simeio Solutions Simeio Solutions provides a mixture of dedicated hosted and on-premises managed service offerings. Its services are underpinned by products from other well-established IAM software vendors, which allows Simeio to provide Web access management (WAM), identity administration, access request, role and compliance, privileged account management, data loss prevention, risk intelligence, IT governance, risk and compliance services, and directory services. Strengths Simeio's use of major IAM stack vendors' technologies provides it with an arsenal of products that delivers deep functional support for Web and legacy applications. The same vendor partnerships provide referrals to Simeio for customer acquisitions. Simeio also became Dell's exclusive as-a-service provider for Dell's IAM offerings. Simeio's Identity Intelligence Center provides actionable insight into patterns of usage among users that may exist across multiple vendor identity sources and other security systems. Simeio's history as an integrator has given it the experience to help customers plan, design and integrate their IDaaS offerings. A significant portion of Simeio's staff serves in professional services roles. Simeio continues to enhance its administration and user interfaces as abstraction layers among the multiple underpinning vendors' technologies to help with consistency and time to value with implementations. Simeio's service-based roots have enabled it to have a positive cash flow since its inception. A recently announced private equity investment should allow Simeio to further accelerate its growth. Simeio has a good spread in its vertical industry and geographic representation; references highlighted Simeio as a good partner and rated it highly overall. Cautions Simeio's organization and its overall customer base grew in 2014 and early 2015, but not as rapidly as we would have expected, given its relationship with Dell. Simeio's use of OEM software requires the incorporation of these third-party vendors' software licensing costs in its offerings. This tends to make Simeio's pricing high, even for pure Web application use cases. Page 16 of 37 Gartner, Inc. G

17 Simeio is still relatively unknown in the IDaaS marketplace, but is slowly building its customer base and brand awareness, thanks to vendor partners, some of which are also competitors. Vendors Added and Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor. Added Microsoft, Ilantus and Salesforce were added to the Magic Quadrant this year. Also, IBM was added because it acquired Lighthouse Security Group. Dropped Symplified's intellectual property and some of its people were acquired by RSA, The Security Division of EMC; therefore, Symplified was dropped from the Magic Quadrant. RSA has just announced its Via offering, which leverages Symplified's technology, but RSA did not meet customer and revenue inclusion criteria for this Magic Quadrant. In addition, Lighthouse Security Group was dropped because it was acquired by IBM. Other Vendors of Note There has been some Gartner client interest in two vendors that specialize in social identity integration: Gigya and Janrain. However, neither one met the IAM functional inclusion criteria for this Magic Quadrant, notably in the IGA functional areas. Pirean and Wipro did not meet the financial or market penetration criteria for this Magic Quadrant. However, these vendors have functionally deep IAM offerings, and also have international headquarters, which may help them to be considered as alternatives to U.S.-based companies. Bitium offers a Web-centric IDaaS, but it did not meet the revenue criteria for inclusion in this Magic Quadrant. Intermedia offers AppID, but it did not meet the customer and revenue criteria for inclusion in this Magic Quadrant. Gartner, Inc. G Page 17 of 37

18 Inclusion and Exclusion Criteria The vendor must provide a minimum level of functionality in all the IAM functional areas outlined in the Market Definition/Description section. Vendors that deliver only one or two of these core IAM functions as a service, such as authentication only, were not covered as part of this research. The following additional inclusion criteria were used. Longevity of offering: Each IDaaS offering has been generally available since at least 31 December 2014 and is in use in multiple customer production environments. Origination of offering: The offering is manufactured and operated by the vendor, or is a significantly modified version obtained through an OEM relationship. (We discount any service offering that has merely been obtained without significant functional modification through a licensing agreement from another vendor for example, as part of a reseller/partner or serviceprovider agreement.) Number of customers and end users (including customers of third-party service providers and their end users): As of 31 December 2014, the vendor had: More than 20 different active customer organizations using its IDaaS offerings in a production environment. Revenue attributed to fees for IDaaS service usage that was greater than $4 million for the year ending 31 December Verifiability: Customer references must be available. Evaluation Criteria Ability to Execute Product or Service The service's overall architecture, with emphasis on the service's global availability and resiliency features, and its flexibility to support on-premises identity repositories and cloud-only implementations. The level of support and expertise required by customers to help maintain the components. The extent to which a service's functions are exposed via APIs for customers' system integration. Security and privacy: The physical and logical controls implemented by the vendor and any underpinning IaaS provider; security for on-premises bridge components and connections between the bridge and the IDaaS; controls for data security, particularly regarding personal information; and vendors' third-party certifications received for the services. Page 18 of 37 Gartner, Inc. G

19 The variety of on-premises identity repositories that can be supported, and the quality of integration with same. The depth and breadth of IGA functionality: Access request. Access approval workflow depth and functionality. Access certification. Attribute discovery and administration. Administrative access enforcement for example, to identify, alert and prevent inappropriate access. Provisioning create, read, update, delete (CRUD) user identities and entitlements to target systems. Configuring target system connectors. The depth and breadth of access functionality: User authentication methods supported. Breadth of SSO support for target systems. Federation standards. Support for mobile endpoints and native mobile application integration. Authorization enforcement. The depth and breadth of identity monitoring and reporting: Canned reporting. Customized reporting. Data export to on-premises systems. Analytics. Integration with Microsoft Office 365, Microsoft SharePoint, customers' on-premises VPNs and WAM systems. Deployment requirements, such as speed of proof of concept and deployment, customer staffing requirements, and factors that add complexity and may affect speed to deployment and staffing. Overall Viability Overall financial health. Gartner, Inc. G Page 19 of 37

20 Success in the IDaaS market in terms of the number and size of customer implementations. This aspect is heavily weighted. The vendor's likely continued presence in the IDaaS market. Sales Execution/Pricing The vendor's capabilities in such areas as deal management and presales support, and the overall effectiveness of the sales channel, including VARs and integrators. The vendor's track record in competitive wins and business retention. Pricing over a number of different scenarios. This aspect is heavily weighted. Market Responsiveness/Record The vendor's demonstrated ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act and market dynamics change. How the vendor can meet customers' evolving IDaaS needs over a variety of use cases. How the vendor has embraced standards initiatives in the IDaaS and adjacent market segments, and responded to relevant regulation and legislation. Marketing Execution The clarity, quality, creativity and efficacy of programs designed to deliver the vendor's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities. For example: Marketing activities and messaging. Visibility in the press, social media and other outlets. Vendor's appearance in vendor selection exercises, based on Gartner-client interactions. Brand depth and equity. Customer Experience Customer relationship and services. Customer satisfaction program. Customer references: This evaluation subcriterion was weighted heavily and included input from vendor-supplied references, as well as unsolicited feedback from Gartner-client interactions. Page 20 of 37 Gartner, Inc. G

21 Operations People that is, the size of the organization and the track record of key staff members. Quality and security processes. Table 1. Ability to Execute Evaluation Criteria Evaluation Criteria Product or Service Overall Viability Sales Execution/Pricing Market Responsiveness/Record Marketing Execution Customer Experience Operations Weighting High Medium High Medium Medium High Low Source: Gartner (June 2015) Completeness of Vision Market Understanding Understanding customer needs: Methods, the effects of the Nexus of Forces (cloud, mobile, social and information) and the IoT. The future of IDaaS and the vendor's place in the market. Also, the vendor's views on top technological, nontechnological and regulatory changes in the market. Marketing Strategy Communication and brand awareness: The clarity, differentiation and performance management of the vendor's marketing messages and campaigns. The appropriateness of the vendor's use of events, social media, other online media and traditional media as part of its marketing efforts. Sales Strategy The vendor's strategy for selling its IDaaS offerings that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates, which extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Gartner, Inc. G Page 21 of 37

22 Offering (Product) Strategy The vendor's approach to developing and delivering its IDaaS offerings, which meet customers' and prospects' needs with respect to their key selection criteria, the needs created by the Nexus of Forces and other market dynamics. Also, the vendor's ability to exploit the Nexus of Forces to improve its IDaaS products and services. The strength of the vendor's roadmap, and how the vendor will increase the competitive differentiation of its IDaaS and ancillary services. Business Model The soundness and logic of the vendor's underlying business proposition: The vendor's views of key strengths and weaknesses relative to competitors. Recent company milestones. Path chosen for future growth. Vertical/Industry Strategy Customer breadth and penetration into various industries and sizes of customer organizations. Views of industry trends and special needs. Strategy for expanding IDaaS adoption in different industries. Innovation Foundational technological and nontechnological innovations. Recent and planned innovations. Organizational culture and how it affects innovation. Geographic Strategy Global geographic reach of customer base and trends. Strategy for expanded geographic customer acquisition. Global nature of technical support and professional services, and language internationalization for administrative and user interfaces. Page 22 of 37 Gartner, Inc. G

23 Table 2. Completeness of Vision Evaluation Criteria Evaluation Criteria Market Understanding Marketing Strategy Sales Strategy Offering (Product) Strategy Business Model Vertical/Industry Strategy Innovation Geographic Strategy Weighting Medium Medium Medium High Medium Low High Low Source: Gartner (June 2015) Quadrant Descriptions Leaders Leaders in the IDaaS market generally have made strong customer gains. They provide feature sets that are appropriate for current customer use-case needs. Leaders also show evidence of strong vision and execution for anticipated requirements related to technology, methodology or means of delivery. Leaders typically demonstrate solid customer satisfaction with overall IDaaS capabilities and/or related service and support. Challengers Challengers also show strong execution, and have significant sales and brand presence. However, they have not shown the Completeness of Vision for IDaaS that Leaders have. Rather, their vision and execution for technology, methodology and/or means of delivery tend to be more focused on or restricted to specific functions, platforms, geographies or services. Challengers' clients are relatively satisfied, but ask for additional functionality, more timely support and higher service levels than are currently delivered. There are no Challengers in this Magic Quadrant. Visionaries Vendors in the Visionaries quadrant provide products that meet many IDaaS client requirements, but they may not have the market penetration to execute as Leaders do. Visionaries are noted for their innovative approach to IDaaS technology, methodology and/or means of delivery. They may see IDaaS as a key part of a much broader service portfolio. They often may have unique features, and Gartner, Inc. G Page 23 of 37

24 may be focused on a specific industry or specific set of use cases. In addition, they have a strong vision for the future of the market and their place in it. Niche Players Niche Players provide IDaaS technology that is a good match for specific use cases. They may focus on specific industries or have a geographically limited footprint, but they can actually outperform many competitors. Vendors in this quadrant often have relatively fewer customers than competitors, but they may have large customers as well as a strong IDaaS feature set. Pricing might be considered too high for the value provided by some niche vendors. Inclusion in this quadrant, however, does not reflect negatively on the vendor's value in the more narrowly focused service spectrum. Niche solutions can be very effective in their areas of focus. Context Vendors rated in this Magic Quadrant come from distinctly different backgrounds. Their pedigrees vary greatly, as do their abilities to provide IAM functional depth and support for different use cases. Their aspirations for servicing customers by geography, industry and customer-size segmentation also vary. Clients are strongly cautioned not to use vendors' positions in the Magic Quadrant graphic (see Figure 1) as the sole source for determining a shortlist of vendors. Vendors were evaluated with regard to their ability to provide a general set of IAM functionalities across multiple use cases, and in multiple geographies and industries, and to do so by providing solid value for money as perceived by their customers. All vendors covered in this Magic Quadrant have succeeded in providing customers with services that meet their needs. However, client requirements particularly those for IAM functional depth, speed to implementation, geographic coverage and price are most likely to strongly affect their choices for a shortlist: 1. Clients focused on Web-architected application targets, employee-to-saas and consumerfacing needs should strongly consider Centrify, Microsoft, Okta, OneLogin, Ping Identity and Salesforce. These vendors also have experience with SMBs, even as they aspire to move upmarket to serve larger clients and have begun to do so. Currently, however, these vendors have limited IGA abilities. They tend to lack multilevel provisioning approval workflows, as well as identity governance features such as access certification, segregation of duties violation detection, or role engineering and certification. These vendors' provisioning connectors for legacy application targets also are lacking. 2. Clients that need more functional depth in IGA and legacy on-premises application targets should strongly consider CA Technologies, Covisint, Fischer International, IBM, Ilantus, Simeio Solutions and SailPoint. European clients especially may be interested in iwelcome. More of these vendors also provide dedicated hosted instances of their offerings as options. 3. Clients that need IAM served as part of a community of interest or an industry consortium should strongly consider Covisint and Exostar. These vendors have a history of providing IAM in a hub configuration that is designed to support collaboration among participants, or to serve Page 24 of 37 Gartner, Inc. G

25 the community's common business partners for access to a set of community-owned applications. Exostar also is recommended for clients that need secure collaboration services on top of IDaaS. Clients generally should expect more complex, time-consuming and costly implementations when they have requirements for IGA functional depth, and when they have legacy (non-web-architected) on-premises application targets. These requirements generally indicate a stronger need for IAM process and data modeling and target system integration functions, such as connector development and configuration. System integrators have been needed when clients implemented traditional IAM software suites with these types of requirements. Several of the vendors listed above in No. 2 come from system integration backgrounds. IDaaS customers should expect best practices and operational excellence from these vendors due to their familiarity with the software components that underlie the solutions. There should be some deployment and integration efficiency gains relative to do-it-yourself approaches. However, customers should not expect to easily "forklift" an existing, complex IAM implementation with multiple IGA workflows and many legacy system connectors to the cloud without significant integration work and quality assurance testing. Dedicated per-client IAM infrastructure also drives up the cost of the offering relative to multitenant offerings. The cost of underlying IAM third-party software licenses also may drive up the overall costs of the implementation. Security Gartner clients rightly express concerns with regard to data security and protection of enterprise users' passwords when IDaaS is being considered. The following are generally true for IDaaS security practices, with some exceptions: Some user identity data will be held in the cloud. Most commonly, this data includes first and last names and addresses. Some vendors, such as Centrify and Ping Identity, require no user attributes to be held in the cloud, with the assumption that all data needed for provisioning users to SaaS application targets is held in the on-premises directory and can be accessed by the vendors' bridge components. Centrify offers on-premises-only or hybrid cloud implementation, and the hybrid implementation requires some identity data to reside in the cloud. Ping Identity's solution works similarly. Generally, as the number of attributes needed to provision users' accounts grows, that data must at least pass through vendors' IDaaS services in order to be provisioned to SaaS targets. A cloud-only implementation of IDaaS must hold all these attributes. Data is encrypted in transit over networks. However, one exception is that passwords are sent in the clear during transmittal to target systems when federation is not supported and Secure Sockets Layer (SSL) is not used between the browser and target system. This is essentially the same as when a user's browser interacts directly with an application without IDaaS controlling the access. Also, SSL usually is used for SaaS sign-on flows, whether an IDaaS is brokering the access or not. Identity data in the vendor's cloud is encrypted at rest. Vendors have different strategies for managing encryption keys. Most vendors generate different encryption key pairs for each customer's instance of the service, and there is variance in how those keys are managed. Gartner, Inc. G Page 25 of 37

26 Technically, the keys may be under the customer's strict control, or the vendors' operations staff may control the keys. In the latter case, the vendors claim that their personnel will have other controls in place to ensure that there is no inappropriate use of the keys. On-premises bridge components will use SSL/Transport Layer Security (TLS) to communicate with the service, and many of the vendors will require no inbound firewall port to be opened to support this. Communications are initiated outbound from the bridge. With few exceptions, providers use IaaS providers, rather than their own operations centers, to host their offerings. All vendors maintain some type of third-party security certification, as do the IaaS providers that host the IDaaS. SOC 2 is common. ISO/IEC is becoming more common. No security is perfect. Ultimately, prospective customers must decide whether vendors' stated control sets are sufficient for their needs. IDaaS vendors give significant attention to ensure the security of their platforms. Based on the number of enterprise security breaches that have been made public, and the lack of any such breaches for IDaaS providers, Gartner believes that IDaaS vendors are more likely to provide better security for IAM services than their customers could do for themselves. Availability The use of IDaaS may introduce a single point of failure. IDaaS vendors generally have taken care to architect their services with network and system redundancy features, and to host their services on an IaaS that has been provisioned with sufficient redundancy to guarantee adherence to IDaaS vendors' service-level agreements. Also, IDaaS vendors have generally architected their onpremises bridge components to be implemented redundantly, if the customers choose to do so. Nevertheless, a major system failure with the IDaaS has the potential to temporarily leave customers without access to the applications that IDaaS serves. Some vendors had outages during 2014 and 2015 that lasted a day or less. These events were isolated and rare. Organizations face similar risks when they manage their own IAM services, and when components such as federation servers fail. Clients that choose to accept the risks of using IDaaS should have an emergency business continuity process in place that includes these steps: Bring up any available in-house federation technology and federate to key target systems, if possible. If federation services are not available, then temporarily turn off federation at target systems and fall back to password-based authentication. Issue temporary passwords for all target application accounts that can support passwordbased authentication. Fall back to manual user provisioning processes. Page 26 of 37 Gartner, Inc. G

27 Data Residency Most of the vendors covered in this research are U.S.-based. Gartner clients from other countries may have concerns about employees', business partners' and customers' personal data that could be held in the cloud. Despite the use of local or regional data centers to host services and data, international clients still may be concerned about the U.S. government's ability to get access to the data. This is currently a risk that clients must evaluate, and then determine whether it is acceptable. We recommend the following for clients that intend to use IDaaS, but have concerns about U.S. providers: Have the vendor prove Safe Harbor certification, or, preferably, require the vendor to sign the EU's model contracts on privacy. Require your sole ownership of encryption keys, if possible, and evaluate the controls associated with the development and operations staff, and their access to the keys. If these recommendations do not provide enough comfort, then Gartner recommends that clients evaluate IDaaS providers in suitable jurisdictions. Pricing Gartner asked vendors to provide "street" price quotes for several use-case and volume usage scenarios. Vendors were cautioned against providing list prices. However, several vendors chose to respond with list prices. Vendors were asked to provide all costs, including startup costs, over a three-year subscription period. Three of the most commonly required scenarios are included below, with a range of costs and averages. Gartner clients should use the figures below for budgeting purposes. However, clients should expect to pay significantly less (on average) than these figures would indicate, due to the inflated prices that some vendors chose to deliver for our surveys. Gartner's observations of the price quotes submitted by our clients have corroborated this finding. Scenarios 1 and 2: 1,000-Employee and 10,000-Employee Workforces, Web-Architected Applications Number of users: 1,000 in the workforce ("any" staff) who use the service several times daily. Endpoints: Company-owned PCs; approximately 60% Windows Active Directory and 10% Mac OS X, 30% mix of Apple and Android tablets and smartphones. User location: Could be anywhere a mix of on-premises corporate LAN and external use cases. All identities and attribute data are held in Active Directory. Support to: Five externally hosted (SaaS) applications and five internal Web application targets. Allow the company's administrator to directly manage users' identities, and provision these to Active Directory. Subsequently and automatically provision accounts to the five SaaS applications, with the assumption that there is an available provisioning API for all five, and that Gartner, Inc. G Page 27 of 37

28 the vendor already has created provisioning connectors for three of the five applications. Two of the applications need connectors created for the customer. User self-service application access request, administrator approval, subsequent provisioning as described above, and user self-service password reset. User authentication to the service and SSO to all target applications, three using SAML federation and two using password vaulting and forwarding; support for identity-providerinitiated federated SSO to your service, based on an Active Directory authentication; and service-provider-initiated redirect authentication for an externally located user who connects to SaaS first, and to support authentication against your service and corporate Active Directory. Reporting for all administrative and access events. We requested pricing for two variants. Scenario 1 included support of the above requirements for 1,000 internal users. Scenario 2 included support of the above requirements for 10,000 users, and with the added requirement that 5,000 of those users be provided with SMS or voice-based OTP authentication. Here are the results: The average three-year cost of the 1,000-user scenario was $144,216. The average three-year cost of the 10,000-user scenario was $611,269. In both scenarios, vendors that had significant gaps in the required functionality were removed from the average calculation, as were the high pricing and low pricing that were significantly out of line with the other vendors' pricing. Scenario 3: 100,000-User Consumer-Facing and Business-Facing Implementation 100,000 external consumers (50,000 individual consumer users and 50,000 business partners' users from 100 companies). Average usage: Once per month per user. Endpoints: Any endpoint with a Web browser from any location. Access to three internal on-premises Web applications, and two SaaS applications. Identity data for the on-premises applications to consume will be held in an on-premises LDAPexposed directory. Self-service user administration and password reset. Delegated user administration for business partner administrators to serve their own users. Administrators can grant or deny user access to any of the five applications. Automated user provisioning to any approved application, with the assumption that all targets have a provisioning API available, and that the vendor has not yet created a connector for any of these applications. User authentication and SSO for all users to all applications. Page 28 of 37 Gartner, Inc. G

29 Acceptance of Facebook and LinkedIn identities for initial consumer registration, account linking, and subsequent login to the service, and also subsequent SSO to a customer's applications. Five of the largest business partners must have support for federated authentication to your applications using SAML, and be based on user authentication at the business partner's internal identity provider. Reporting for all administration and access events. There was wide variance in the pricing for this scenario. However, there also was wide disparity between two groups of vendors. There was one group of seven vendors that could deliver the functionality for an average price of $307,423. The other higher-priced group of seven vendors averaged a price of $1,610,575. Pricing for consumer-facing implementations is in its early days, and vendors are at various stages of maturity in responding realistically to these requests from customers. In all cases, clients are strongly encouraged to understand their own total costs of ownership for managing the same IAM functions in-house, so that these costs can be compared with IDaaS pricing. Gartner also collected pricing data for other scenarios, including those requiring more indepth IGA functionality and legacy on-premises application support. Pricing was highly variable for these implementations. Clients interested in these scenarios should contact Gartner for more information. Trends What key trends are shaping the IDaaS market, and how will the market evolve? Acquisitions and IaaS and PaaS Vendor Momentum Are Changing the Competitive Forces in the Market Microsoft made Azure Active Directory Premium generally available in May Since that time, Microsoft's sales organization has been very active in its customer base, and has been offering Azure Active Directory Premium during renewals and as augmentations to existing contracts. Microsoft also has the extensive and rapidly growing Office 365 customer base to sell to. To paraphrase multiple Gartner clients, Microsoft is selling on the idea that, "You already have your organization's identities in Azure Active Directory for Office 365 or other Azure services. Why not take advantage of the broader feature set of Premium?" Other Web-centric IDaaS vendors are now repeatedly identifying Microsoft as the vendor that is "showing up" most often in competitive situations. Salesforce became more active in the IDaaS market in 2014 and early It also makes the case to its extensive customer base that IDaaS is built into the Salesforce platform, and therefore, is easy to take advantage of. The vendor currently offers Salesforce Identity free to licensed users of Salesforce products; this has helped it to build continued loyalty to the platform, and opened up opportunities to sell Salesforce Identity to nonlicensed users. Gartner, Inc. G Page 29 of 37

30 In 2014, IBM acquired Lighthouse Security Group, which provided a relatively full-featured IDaaS that was underpinned by IBM's software, and IBM was Lighthouse's key partner. Therefore, the acquisition was highly synergistic, and it was the latest of three IAM acquisitions by IBM; the others were Trusteer (Web fraud detection) and CrossIdeas (IGA). IBM already has an extensive service arm and the SoftLayer IaaS. IBM is now poised to deliver deep IDaaS functionality to the broader market. RSA acquired the intellectual property of Symplified and hired some of its employees. In April 2015, RSA announced Via, its rebranded IDaaS offering that features access management as well as user administration and identity governance functionality, which was originally obtained from the Aveksa acquisition. Intermedia, a provider of hosted Microsoft products and unified communications services, acquired IDaaS vendor SaaSID in Intermedia has incorporated the acquired functionality into AppID, a service that can be purchased stand-alone or with other Intermedia services. In "Microsoft and Salesforce.com Make Waves in the IDaaS Pool," we predicted that, "By 2019, 40% of IDaaS revenue will accrue to PaaS vendors, up from less than 5% in 2014." The acquisitions and competitive strategies highlighted above continue to support this prediction. Furthermore, the incorporation of IDaaS into PaaS offerings exerts a considerable commoditization force on the Webcentric IDaaS markets. While there is plenty of business to go around, and stand-alone IDaaS players aren't in immediate danger of extinction, these vendors will need to continue finding ways to differentiate themselves in this highly competitive market. Web-Centric IDaaS Leads the Market in Terms of Customer Acquisition Web-centric IDaaS vendors continue to make solid gains in the market. Gartner estimates that 85% of client interactions on the topic of IDaaS indicate a need for Web-centric solutions to support B2E SaaS target system integration and consumer-facing use cases. Ten percent of interactions indicate a need for more full-featured B2E IDaaS with legacy on-premises application support and IGA needs. Five percent of interactions indicate specialized needs for B2B Web-centric requirements, such as those needed by SaaS providers to serve their customers, or hub-and-spoke configurations to support collaboration and supply chain requirements. As Web-centric vendors have moved upmarket, they find that larger organizations tend to have existing IAM software solutions in place. These prospects, which may wish to extend their current implementations with IDaaS, or which are hoping to replace their on-premises solutions, tend to have needs for deeper IGA functionality than the Web-centric vendors typically provide. These prospects also tend to require customization and integration with legacy architected systems as well as a variety of directories and databases. This is forcing shallow-function, Web-centric IDaaS vendors to add deeper functionality and integration capabilities to their roadmaps. Web-centric vendors have begun to develop these features, such as multilevel access approval workflow and access certification, but, mostly, they have not been delivered to the market yet. Conversely, the IDaaS vendors with deeper IAM functionality and integration capabilities tend toward implementations that are larger and more complex, and they do not have their offerings price-tuned for rapid handling of the down-market Web-centric use cases. These vendors will need Page 30 of 37 Gartner, Inc. G

31 to provide a streamlined, rapidly deployable offering for these use cases if they wish to gain a piece of the SMB market. Mobile Support Continues to Improve IDaaS vendors' native mobile application support remains a frontier capability, particularly for authentication and SSO. Most IDaaS vendors support a portal-like interface on mobile devices for Web applications that are under IDaaS management. IDaaS vendors' support for customers' and third-party native apps is nascent. IDaaS vendors began supporting customers' mobile apps by offering SDKs. Customers can develop their apps using the IDaaS vendor's SDK, which will provide authentication to the IDaaS vendor's service. However, this is generally a proprietary approach that would require some rework, should the customer switch IDaaS vendors. Centrify provides this approach, but it also supports a containerization approach, and provides MDM features as part of its offering. Okta released Okta Mobility Management in 2014, and it includes MDM features. The product also includes Mobile Connect, which provides SSO for native mobile apps using SAML. Some vendors are choosing to support OpenID Connect NAPPS. The OpenID Foundation NAPPS continues to develop a standards-based approach to supporting authentication and SSO for multiple native apps. Ping Identity and OneLogin have been heavily involved in the evolution of the NAPPS specifications. The work is moving along slowly; however, if this working group is successful, then customers should have a standardized approach for getting authentication and SSO functions for native mobile apps; also, they should have easier portability for these apps in terms of switching IDaaS vendors, or even moving to on-premises access managers that support the standards. Containerization approaches will remain proprietary, but will offer customers security protections beyond authentication and SSO, such as data security, jailbreak detection and security policy enforcement. IDaaS vendors are in various stages of maturity in providing API-based access to their services. We are also noting that several IDaaS vendors tout their services' directory integration with other sources of identity, such as Salesforce, Google, Microsoft and Workday. Thus, IDaaS has a future of supporting traditional enterprise needs as well as service-to-service needs for example, use cases wherein enterprise CRM systems call an IDaaS to create an identity, and then provision that identity to several systems within the enterprise and on SaaS applications (see "Provisioning User Accounts to Cloud Applications"). Several IAM functions will commoditize. SSO to Web applications is a commodity, and IGA and intelligence functions will take a bumpy and winding road to commoditization. User self-service access request and profile management, password reset, access approvals and account provisioning to Web-centric targets, and canned and customized reporting are on the way to commoditization. More advanced IGA and analytics features will take longer, or will remain as differentiators for some vendors. Clients should expect overall downward pricing pressure in the market for the next three years. Gartner, Inc. G Page 31 of 37

32 On-Premises Replacement Wholesale replacement of traditional on-premises IAM software stacks, which are serving multiple use cases for large enterprises, has been relatively rare. These on-premises implementations are long-standing, tend to be well-staffed and have been deployed to support legacy architected systems not just Web-architected and SaaS apps. Nevertheless, there are vendors that can support multiple use cases, have software with deep functionality that can be cloud-delivered, and are capable of replacing legacy on-premises IAM tools. These vendors have been conservatively building businesses to do these things, and more customers are starting to use these vendors. However, these kinds of deals are an order of magnitude less in number than the more popular and easy-to-deliver Web-centric IDaaS deals. Full-featured IDaaS implementations that support legacy applications can be deployed more rapidly, and can remove some of the complexity of traditional software deployments. Integration with legacy systems, multistep approval workflows, access certification, and other IGA functions that are prevalent in mature IAM implementations still take time to plan, design and implement, and they add costs to implementations. Decisions to outsource complex IAM implementations aren't made easily. Therefore, enterprises that are considering a "build" or "extend" versus "outsource" decision should focus on two key areas. 1. Inhibitors to successful on-premises IAM adoption, or issues with the current implementation that would potentially be alleviated or circumvented by the move to IDaaS, such as: Inappropriate staffing levels or skills Organizational battles over duplicative IAM implementations obtained through mergers, acquisitions or independent organizational buying decisions Insufficient planning prior to tool selection and implementation Project scope creep Poor operational efficiency by IAM, resulting in too much time taken for IAM functions Poor operational effectiveness by IAM, resulting in audit findings for access violations With the exception of inappropriate staffing levels or skills, these inhibitors will not be automatically removed by switching to IDaaS. There often are root causes for these inhibitors that have nothing to do with the delivery model for IAM, and these issues must be addressed with solid IAM program management and governance. IDaaS simply may help to go around the problems, or alleviate some of them. 2. Total cost of ownership. There is no free lunch. Clients that judge IDaaS to be too expensive may not have done their homework in terms of understanding the full costs of managing onpremises IAM. These costs include: Fully burdened staff costs for implementers, operations staff members and a portion of the help desk personnel Software investment costs and ongoing maintenance Page 32 of 37 Gartner, Inc. G

33 Estimated patch and upgrade costs Infrastructure and operations for resilient implementations and business continuity See "Use Business Drivers and Cost Analysis to Make IDaaS Versus On-Premises Software Delivery Model Choices." Market Overview This Magic Quadrant underscores a market that is still in its early days and is largely driven by Web application use cases. Competitive forces have increased due to PaaS vendors entering the market, and because of acquisitions by IBM and RSA. Salesforce and especially Microsoft are beginning to have profound effects on the market in terms of competition and downward price pressure. These also are the reasons why this Magic Quadrant features fewer Leaders and Challengers compared with the 2014 version. The IDaaS market originally was fueled by SMBs that made SaaS the predominant application delivery model. Most of their applications already were in the cloud, and they preferred to buy rather than build infrastructure. In turn, SaaS applications became new identity silos, each with their own administration, authentication and event-logging capabilities. IDaaS vendors can create connections one time to SaaS vendors for the purposes of authentication, SSO and account management (when SaaS vendors provide APIs to enable this). These connections can then be reused for new clients. This relieves the IDaaS customers of having to create these connections themselves. IDaaS vendors also can bridge to customers' on-premises identity and authentication services, and use data held or removed from there (such as directory group or organizational unit membership) to provision and deprovision accounts on SaaS targets. This automation saves customers the effort of manually provisioning and deprovisioning accounts, and also can help with avoiding orphaned and active accounts on SaaS that can leave enterprises vulnerable and paying for unused accounts. In the past few years, vendors with the ability to broker all the functions between enterprise users and SaaS have become appealing to organizations of all sizes. Cloud security and data residency concerns, however, often are key factors in evaluating IDaaS vendors. The growth of the IDaaS market has been driven by the following factors: The need to instill IAM disciplines for managing identities for SaaS applications The need to gain faster time to value over traditional on-premises software The desire to avoid IAM implementation failures The desire to reduce IAM talent costs in design, implementation and support Gartner, Inc. G Page 33 of 37

34 Gartner estimates that the market size for multifunction IDaaS at year-end 2014 was $283 million. We estimate that 2015 revenue will be approximately $400 million. The 2014 estimate does not include revenue from vendors that provide single-function IDaaS offerings for example, authentication-as-a-service vendors. However, revenue from authentication-as-a-service vendors was believed to be approximately $480 million in 2014 that is, 20% of a $2.4 billion user authentication market. Authentication as a service is a simple function to deliver, compared with multifunction IDaaS. Over the past few years, Web-centric IDaaS vendors have made solid gains at the lower ends of the market, supporting the employee-to-cloud use case. As these vendors have moved upmarket, they find that larger organizations tend to have IAM solutions in place, and have deeper IGA functionality needs than Web-centric vendors can provide. These prospects also require integration with legacy architected systems. This is forcing shallow-function, Web-centric IDaaS vendors to add deeper functionality and integration capabilities to their roadmaps. Conversely, IDaaS vendors with deeper IAM functionality and integration capabilities tend toward larger, complex implementations, and do not have price-tuned offerings for rapid handling of Web-centric use cases. These vendors will need to provide a streamlined, rapidly deployable offering for these use cases if they wish to gain a piece of the SMB market. The employee-to-cloud use case drove growth in the early IDaaS market, and it still predominates. B2C use cases have grown in importance as organizations look to replace a mixture of customdeveloped IAM products and traditional on-premises IAM products. Some larger organizations also are "peeling off" the part of their IAM needs that are served by IDaaS, even when they may own IGA and access tools that could be extended to the cloud. For this use case, IDaaS is being viewed as a quick win, and sometimes as a way to standardize a solution for one part of the enterprise IAM problem space. (See the Context section above for a deeper analysis of market trends, a closer look at security and data residency concerns, and information on pricing.) Gartner Recommended Reading Some documents may not be available as part of your current Gartner subscription. "How Markets and Vendors Are Evaluated in Gartner Magic Quadrants" "Microsoft and Salesforce.com Make Waves in the IDaaS Pool" "Use Business Drivers and Cost Analysis to Make IDaaS Versus On-Premises Software Delivery Model Choices" "Magic Quadrant for User Authentication" "Magic Quadrant for Identity Governance and Administration" "Market Guide for Web Access Management Software" "Provisioning User Accounts to Cloud Applications" Page 34 of 37 Gartner, Inc. G

35 Evidence The following sources were used in the creation of this research: Gartner client interactions Phone interviews and online surveys for vendor-provided references A comprehensive vendor survey that aligned with the evaluation criteria Evaluation Criteria Definitions Ability to Execute Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria. Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products. Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness. Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities. Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on. Gartner, Inc. G Page 35 of 37

36 Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. Completeness of Vision Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision. Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. Business Model: The soundness and logic of the vendor's underlying business proposition. Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market. Page 36 of 37 Gartner, Inc. G

37 GARTNER HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT USA Regional Headquarters AUSTRALIA BRAZIL JAPAN UNITED KINGDOM For a complete list of worldwide locations, visit Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner s prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity. Gartner, Inc. G Page 37 of 37