This document is licensed to iwelcome

KuppingerCole Report
EXECUTIVE VIEW
by Martin Kuppinger (mk@kuppingercole.com), April 2015

iwelcome Identity & Access Management as a Service

iwelcome delivers Identity and Access Management as a Service. The company, based in the Netherlands, runs all services from data centers located within the EU and covers a broad set of features for managing identity and access for both cloud and on-premise services.

Content
1 Introduction
2 Product Description
3 Strengths and Challenges
4 Copyright

Related Research
#71,031 Advisory Note: Cloud IAM more than just Single Sign-On to Cloud Applications
#70,998 Advisory Note: The New ABC for IT: Agile Business, Connected
#70,969 Leadership Compass: Cloud User and Access Management

1 Introduction

iwelcome, a company headquartered in the Netherlands, was founded a few years ago and is backed by venture capital. The company has built its own platform for what KuppingerCole calls Cloud User and Access Management, a central functionality within the broader scope of Cloud IAM. Since its beginning, the company has managed to win a number of large and prominent customers, particularly in the Benelux area, and is now expanding into other regions.

Both Cloud computing and Identity and Access Management (IAM) can trace their beginnings to the late 1990s. Cloud computing began as web services, then developed into Software as a Service (SaaS), later expanding to cover such areas as Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) and even, within the last couple of years, Identity (Management) as a Service (IDaaS/IDMaaS).

IAM began with Provisioning applications and later expanded to include some, or all, of:

- Single Sign-On (SSO);
- Web Access Management and Identity Federation;
- Various forms of Access Control (_BAC): Role-based, Attribute-based, Rules-based, Risk-based, etc.;
- Governance, Risk and Compliance (GRC) including Access Governance;
- Strong and adaptive Authentication;
- And a number of other services, depending on who is defining them.

Without specifically looking at functionality, we can see that many different architectures are being described when talking about Cloud IAM (aka IDMaaS, IDaaS, ...):

- Is the service on-premises, in the cloud or a hybrid?
- Is the service controlled by the enterprise or by a third party as a managed service?
- Are only employees covered, only external users, a partial mix (employees and partners, but not vendors or customers, for example), or are all entities using the organization's resources managed within the single system?
- Is access managed for only on-premise services, cloud-based services or both?
- If there are multiple identity data stores, are they synchronized or federated, and are they only cloud-based or can they be hybrid (on-premise and cloud)?

KuppingerCole believes that in the future there will be at least two distinct approaches to Cloud IAM that overlap in their core functionality.

One is Cloud-based IAM/IAG that provides Identity Provisioning and Access Governance capabilities as a Cloud service. These services are in fact a direct counterpart to established on-premises Identity Provisioning and Access Governance solutions: they feature the same concepts and provide these as a real multi-tenant cloud service or, more frequently, as a managed service. These types of solutions also provide good out-of-the-box integration with on-premise systems, allowing management and governance for identities and access to these services.

The second group of solutions primarily focuses on managing what we call the new ABC: Agile Business, Connected. They focus on managing external users, such as business partners and customers, and their access to Cloud services and on-premises web-based applications. Commonly, these services are a combination of identity federation, self-service registration, directory services, and access management solutions, all provided as a Cloud service.

While both groups of solutions might converge in the long run, both provide far more functionality than just Cloud Single Sign-On, which will not remain sufficient for success in business.

In fact, the iwelcome offering is a mix of both concepts, which qualifies for the emerging market segment of Cloud User and Access Management, while providing strong support for existing on-premise environments as Cloud-based IAM/IAG solutions do. Thus, it is a good fit for customers that want to move their IAM infrastructure to the cloud while supporting both the existing infrastructure and upcoming cloud services.

2 Product Description

iwelcome is a company based in the Netherlands that provides a Cloud User and Access Management service. The service is run from datacenters within the EU, hosted by Interoute. It is built on a number of standard products, particularly from the Open Source community, which are extended by iwelcome. Furthermore, iwelcome adapts these tools so that they can be run in a multi-tenant environment that can be easily customized.

Basically, the offering consists of two layers:

- The iwelcome Identity Portal, which gives access to the functionality for both end users and administrators through a web interface;
- The backend services that provide a set of functionality.

The Identity Portal is the out-of-the-box starting point for using the iwelcome platform. Users have their individual landing pages that grant them access to their applications, both cloud services and on-premise applications. Here, users can, for instance, configure their accounts and reset their passwords, but also request additional access to applications.

Furthermore, iwelcome provides an extensive set of RESTful APIs for accessing the functionality and allows for massive customization. Larger customers in particular tend to integrate iwelcome functionality into existing portals and applications using these interfaces.

Administrators can also use this portal.
They can manage users, access reports, review access, and monitor the environment. The review or recertification capabilities in particular are noteworthy here, given that this capability is quite rare in Cloud User and Access Management today.

The portal is based on a number of backend services. These include:

- Single Sign-On to both on-premise and cloud applications;
- Strong authentication based on the iwelcome Authenticator App and, in addition, a number of authentication mechanisms such as SMS, GRID, etc.;
- Support for risk- and context-based (adaptive) authentication, allowing controlled access based on the current risk and context;
- Role-based access control;
- Access Governance capabilities, including reporting and recertification of access, supporting common audit requirements;
- Logging and reporting capabilities plus a monitoring service for the current state of the environment;
- User management for integrating with on-premise identity stores, with flexibility including the ability to add custom workflows and delegated administration; and
- Identity Federation.

The approach taken by iwelcome allowed them to quickly start offering a service for Cloud User and Access Management, while also supporting integration of external users. iwelcome provides strong support for self-registration and social logins, including wizards for guiding new users. Further capabilities include access to the registration process via RESTful APIs and automatic proofing and updating of attributes from trusted attribute providers. A significant portion of iwelcome customers are using the platform for consumer-centric use cases.

The biggest challenge of iwelcome's approach might be support for a growing number of tenants. All tenants are technically segregated, which is positive from a compliance and governance perspective. Furthermore, iwelcome has a well thought-out approach to scaling and relies on a common backend, not forking development for individual customers. Overall, the clear segregation provides advantages from a security perspective, while still providing the cloud advantages of multi-tenancy and elasticity to the customers.

Furthermore, iwelcome provides strong integration back to existing on-premise IAM services. This also includes tight integration with primary Windows authentication. iwelcome's founders have a strong background in IAM integration. They leverage this knowledge and have a pan-European partner network to ensure integration capability.

The list of Cloud services supported out-of-the-box is still rather small, but includes a number of complex business applications. In addition, iwelcome provides strong standards support for rapid integration of Cloud services. We expect to see a quickly growing number of such preconfigured integrations.

3 Strengths and Challenges

With its Identity & Access Management as a Service offering, iwelcome provides a strong feature set in the emerging Cloud User and Access Management market. The solution is well thought-out and continuously improved. While the number of out-of-the-box connectors to cloud services is relatively small compared to some other players in the market, integration of other services is quite easy based on the standard Identity Federation support and SSO capabilities of iwelcome. Furthermore, iwelcome is quite experienced in complex integrations.

iwelcome will also potentially benefit from the fact that their services are run from EU-located datacenters. This is quite attractive for EU-based customers, which should definitely have a look at iwelcome. The datacenters are not owned by iwelcome, but well chosen.

Overall, iwelcome is an interesting player in the emerging Cloud User and Access Management market with specific strengths, particularly their integration of Access Governance services and their strong support for on-premise environments. They might play an interesting role in the future evolution of that market. Notably, iwelcome provides a strong product offering that is not only interesting to EU customers, but has a strong feature set of its own, thus being an option for customers from all regions.

Strengths

- Strong integration back to existing on-premise IAM services
- Tight integration with Windows authentication and existing identity stores
- Run from EU datacenters
- Well thought-out approach for covering security and privacy concerns, particularly of EU customers
- Integrated Access Governance capabilities including recertification
- Strong support for consumer-centric use cases

Challenges

- Still limited number of preconfigured out-of-the-box integrations to Cloud services, but strong standard support for simple integration based on SAML, SCIM etc., allowing for rapid integration
- Only third party datacenters as of now, however all based in the EU (which might be a challenge for customers in other regions)

4 Copyright

© 2015 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

The Future of Information Security Today

KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a leading Europe-based analyst company for identity-focused information security, both in classical and in cloud environments. KuppingerCole stands for expertise, thought leadership, and a vendor-neutral view on these information security market segments, covering all relevant aspects like Identity and Access Management (IAM), Governance, Risk Management and Compliance (GRC), IT Risk Management, Authentication and Authorization, Single Sign-On, Federation, User Centric Identity Management, eID cards, Cloud Security and Management, and Virtualization.

For further information, please contact clients@kuppingercole.com

Kuppinger Cole Ltd.
Sonnenberger Straße 16
65193 Wiesbaden
Germany
Phone +49 (211) 23 70 77 0
Fax +49 (211) 23 70 77 11
www.kuppingercole.com