Research Note Markets 10 April 1998
SSO Magic Quadrant and Market Update H. Flynn
Leaders are finally emerging, but the "single sign-on" market will metamorphose until the end of the century, ultimately vanishing as an independent sector.
Core Topic
Software Infrastructure: Information Security Authentication and Access Control
Key Issues
Which vendors will provide the winning authentication and authorization technologies and products from the laptop to the server?
How will enterprises manage the complexity of authentication and access control in a highly distributed world?
Strategic Planning Assumption
By 2001, the simplification and consolidation of user log-on processes will be one module within broader security management suites (0.8 probability).
Market Sector Definition: Single sign-on (SSO) has often been used as an umbrella term, including consolidated security administration and authentication functions. GartnerGroup limits the term to describe only the function of consolidating the number of log-on processes for end users among deployed and planned, built and bought IT resources. Vendors are positioned in our updated quadrant according to their vision and ability to execute in this area (see Note 1, Note 2 and Figure 1). However, given the degree of heterogeneity in most organizations, to achieve a single log-on process for every end user is unlikely and, in many cases, impossible. This fact - that SSO is a misnomer - has contributed to the failure of the sector to achieve rapid growth, despite widespread recognition of the "too many IDs and passwords" problem. However, the market is active: During 1997 some long-heralded products became available (e.g., from Memco and IBM), others matured significantly (e.g., from Platinum, Unisys and CKS), niche products were acquired (e.g., OpenVision/Veritas Axxion Authenticate, OpenHorizon Connection), deployments continue and are increasing, and users remain interested.
Note 1
GartnerGroup Magic Quadrant Criteria
In establishing vendor positions in this area, we have used the following analytical method and criteria:
Vision
Ability To Execute
When GartnerGroup clients look at magic quadrants they should pay attention to the date of publication. Within the highly dynamic information security market, positions may be outdated within six months. We recommend that clients place inquiries if they have any questions regarding vendors on the quadrant.
Note 2
Vendor and Product Names
Figure 1
SSO Vendor Positioning
Source: GartnerGroup
Sector Technology Trends:
1) Convergence With Consolidated Security Administration. Promises and hype are becoming reality: Increasingly, vendors offer these related functions in one product, as a result of new or reinforced technology alliances (e.g., Memco with EagleEye, Unisys with Technologic, Schumann with iT_Sec) as well as continuing product development (e.g., Axent, Platinum).
2) Support for Web Applications. Slowly but surely, SSO vendors are adding support for the authentication mechanisms used on the Web. However, a separate subsector for Web application security management is emerging concurrently, with mostly new players not included on this quadrant (see Note 3).
3) Investment in directories and/or LDAP. This activity simplifies and improves links with user and resource management and improves the leverage of the SSO investment.
4) Integration with PKI technology and smart cards. This promotes the use of public-key technology for user log-on. Entrust Technologies recently announced alliances with a number of vendors in this area; other vendors are offering public-key technology as part of their products (e.g., Bull, Platinum, CyberSafe and iT_Sec).
5) "Out of the box" support for packaged applications.
Note 3
SSO, Security Management and Access Control for the Web
This new market segment fulfills the growing need to rationalize security controls and user privileges across multiple Web applications and Web servers from different vendors. It is receiving high interest because the end user is often the customer. Enterprises will make a tactical decision in this area, with a view to a more strategic investment as enterprise security management suites become a reality. Vendors playing in this space include CyberSafe, Dascom, EnCommerce, Gradient, Netegrity, Raptor (Axent) and Siemens Nixdorf.
Market Outlook: Although requirements of fairly homogeneous IT environments may already be met, the current technology trends will improve the ability of large, heterogeneous organizations to significantly reduce the number of log-ins for users in both the deployed/package environment and future/home-grown applications. Even though the number of deployments is increasing, scalability beyond user populations in the low thousands remains unproven. Users should expect continuing metamorphosis and consolidation. The number of players in this market exceeds that required by real demand, i.e., the number of organizations worldwide with sufficient time, financial resources, and procedural foundations to benefit from investment in technology-based solutions. Furthermore, consolidated authentication within NT 5.0 resources, or across all resources supporting public-key cryptography, is looming. Although neither of these will be production-ready within 18 months (0.8 probability), and neither will solve the issue of reducing the number of log-ons in the rest of an environment, their promise will be the next inhibitor to SSO products entering mainstream adoption.
Although the number of successful deployments is creeping upward, the SSO market has still not materialized fully: SSO is ceasing to be a stand-alone function, and users remain dissatisfied with the maturity of many current SSO products. Current technology and user trends indicate that by 2001, the simplification and consolidation of user log-on processes will be one module within broader security management suites (0.8 probability).
Bottom Line: The trends are positive, but a single log-on for all users in large heterogeneous enterprises remains elusive. Product acquisition is a strategic decision for any type of organization, and all contracts should include mutually agreed implementation milestones. Despite improving product maturity, users must still invest in procedure and system analysis prior to product selection and deployment. There are enterprise SSO products available for organizations that are ready internally, and there are a few suitable for those with niche requirements (e.g., NT to MVS).
This document has been published by:

| Service | Date | Document # |
|---|---|---|
| Information Security Strategies | 10 April 1998 | M-03-4848 |
Entire contents (C) 1998 by Gartner Group, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner Group disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner Group shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.