Magic Quadrant for User Provisioning
 
30 September 2009

Perry Carpenter, Earl Perkins

Gartner RAS Core Research Note G00171056
 

User provisioning delivers the ability to manage identities across systems, applications and resources. Economic conditions stress efficiency as the main driver, but compliance remains crucial. Identity and access management intelligence and role life cycle management are increasingly top of mind.





What You Need to Know



This document was revised on 10 November 2009. For more information, see the Corrections page on gartner.com.

User-provisioning solutions are maturing in function and capability.

The provisioning market continues to consolidate, and boundaries between identity and access management (IAM) companion products are blurring.

Core provisioning functionality (i.e., workflow engines, approval processes, password management and "standard" connector sets) is similar across most vendors.

Provisioning vendors seek to find relevant means of differentiating their product sets from competitors through features such as:

  • Role life cycle management
  • More and better workflow options to enable business process management (BPM) and general governance, risk and compliance (GRC) needs
  • Improved IAM intelligence (i.e., audit, analytics, monitoring, reporting)
  • Better integration with security information and event management (SIEM), data loss prevention (DLP), and IT GRC management (GRCM) tools

Large-scale user-provisioning projects remain complex initiatives, and require experienced integrators and skilled project management on the part of the enterprise. With relative functional parity evident in the software, most provisioning implementations succeed or fail based on these integrators, and on the relationship between customers and vendors.

Success rates for complex and/or major user-provisioning initiatives are improving, but are still plagued by first-generation "horror stories" and poorly integrated replacements.

When selecting user-provisioning solutions, customers should consider key differentiators that include, but are not limited to:

  • Price, including flexibility of pricing for deployment, maintenance and support programs
  • Global scope, depth, availability, and extent of partnerships with consultants and system integrators to deliver the solution
  • Consulting and integrator performance, which remains vital to success
  • Delivery time of projects that match the business plan
  • The ability to deliver subsidiary services that are not available in the core product through:
    • Integrating component IAM features (e.g., common user experience, reporting)
    • Custom development
    • Augmentation via partnerships or adjacent products or capabilities (for example, role life cycle management, entitlement management, federated provisioning or IAM intelligence)
  • The level and extent of experience that vendors and integrators have in delivering successful projects in the customer's industry segment
  • Other customer experiences, including satisfaction with installed provisioning systems (that is, reference accounts)

There is no "one size fits all" provisioning solution; as such, these differentiators will vary in importance, given the specific organization, use case(s), budget and business driver(s).

Organizations must know which issues they are trying to address by deploying user provisioning. Key concerns for customers include:

  • A lack of clarity and priority in the issues to be resolved
  • Project scoping
  • Selecting the correct technology
  • Rigorous project oversight
  • Changing business goals during projects (i.e., "trying to hit a moving target")

Addressing these concerns early can help companies avoid a "quagmire" situation.

Role life cycle management is often a prerequisite (or, in more complex initiatives, a parallel effort) for many new user-provisioning initiatives, and should be considered (at a minimum) as a concurrent requirement during the evaluation process. Many enterprises that have deployed user-provisioning systems have discovered that an "entitlement assignment" capability (like role life cycle management) is a missing element. Customers should verify that the user-provisioning provider has an inherent role life cycle management capability, has a role life cycle management partner or can articulate a comprehensive role life cycle management strategy relative to its offerings. This ability will enhance user-provisioning integration to areas such as IAM intelligence, GRCM and entitlement management.

Ensure that planning for virtualization in the enterprise includes user provisioning, since it plays an important role for virtual machines (VMs) by providing account provisioning and auditing for partitions, hypervisors, and VM monitors, as well as enforcing segregation of duties (SOD) for that environment.






Magic Quadrant



Figure 1. Magic Quadrant for User Provisioning


Source: Gartner (September 2009)
 



Market Overview

IAM is a set of processes and technologies for managing the following across multiple systems:

  • Users' identities — each comprising an identifier and a set of attributes
  • Users' access — interactions with information and other assets

User provisioning is a key identity administration technology. User-provisioning tools have some or most of the following functions:

  • Workflow and approval processes
  • Password management (with the ability to support self-service)
  • Other credential management
  • Role life cycle management
  • User access administration (with the ability to support self-service)
  • Resource access administration (with the ability to support self-service)
  • Basic IAM intelligence (analytics, auditing, reporting), including SOD support

User provisioning is part of an overall IAM technology offering. The four major categories of IAM are:

  • Intelligence: This combines SIEM, SOD control and other monitoring tools to perform comprehensive activity, event and incident monitoring, reporting, and analytics for auditing and research purposes.
  • Administration: This is where user provisioning exists along with role life cycle management and other administrative tools to provide the basic administration capabilities for handling identities and entitlements, including resource access administration. It is also focused on providing the necessary service management capabilities to administer and manage identities effectively, from workflow to delegation, and from self-service to connector management.
  • Authentication: This focuses on identity-proofing (that is, verifying users' civil identities), as well as authentication methods and infrastructure, various single sign-on (SSO) technologies, identity federation and personal identity frameworks.
  • Authorization: This focuses on authorization or entitlement management, and delivers Web access management, operating system access management and content access management, as well as network access control capabilities. Access management is also involved in encryption, digital rights management and DLP.

These categories are based on a foundation of identity repository technologies that include enterprise Lightweight Directory Access Protocol (LDAP) directories, virtual directories, metadirectories, and (increasingly) relational databases. While standard LDAP directories remain the identity repository of choice, limitations inherent in these directories relative to "fine-grained" authorization and policy implementation may require database participation. LDAP directories are optimized for fast reads and are optimal for large environments, but there are limits, because in these large-scale environments (i.e., more than 500,000 users), there are significant changes requiring replication or "writes." Traditional LDAP directories can experience performance problems during synchronization events, resulting in "stale" or unreliable data.

User-provisioning solutions are the main engine of identity administration activities. Gartner ranks vendors in the Magic Quadrant based partly on product capability, market performance, customer experience and overall vision to determine which vendors are likely to:

  • Dominate sales and influence technology directions during the next one to two years.
  • Be visible among clients through several marketing and sales channels.
  • Generate the greatest number of information requests and contract reviews.
  • Account for the newest and most-updated installations.
  • Be the visionaries and standards bearers for the market.

Key Market Trends

  • An interesting pattern is emerging in the 2009 Magic Quadrant. Notice that vendor ratings are clustering into three main sections — clear leaders have separated themselves from other competitors. The remaining vendors are clustered within the Challengers and Niche Players quadrants. Gartner believes that market forces will eventually pull these vendors to the center of the Magic Quadrant. One other fairly distinct group, the Visionaries, appears to be unaffected by the "gravitational force." Visionary companies are less focused on mass-market drivers; instead, they focus on resolving very specific IAM-related issues, and on creating products that address those issues.
  • Several vendors are now offering more commercial off-the-shelf-like solutions to help small and midsize businesses (SMBs), or those afraid of long, custom implementations. Vendors are increasingly offering "fixed price" implementations.
  • Most vendors made progress in user-provisioning execution, showing improvements in features and functionality, marketing and sales execution, and customer base expansion. Many vendors also showed improvements in completeness of vision and customer experience because they focused more on their role management capabilities, reporting functionality and user interfaces. Concerns remain in large-scale implementations regarding areas such as workflow and connector management, and project duration. Gartner believes that more vendors are seeking to address these concerns through better presales project scoping, offering fixed-price implementations, and offering more "off the shelf" (rather than highly customized) deployment scenarios. Note that the 2009 Magic Quadrant reflects a higher standard, so vendors must improve their standing just to stay in the same Magic Quadrant position as in 2008.

Key Changes for 2009

  • There are some key changes for vendors in this research:
    • Ilex is a new vendor added to the study.
    • As of this writing, Sun Microsystems is in the process of being acquired by Oracle; this introduced uncertainty regarding Sun for the long term. However, Sun is still shown as a separate vendor for the purposes of this study, because the acquisition process is not complete as of this writing. Note that Sun did not participate actively in the study.
  • Although most vendors showed improvements in their Magic Quadrant scores, some (such as CA and Hitachi ID Systems) showed substantial progress, partly due to one or more of the following:
    • Increased momentum in customer base growth
    • Expanded partner alliances
    • Improvements in product functionality
    • Addition of significant adjacent product sets
    • Success in enabling swift customer deployments
  • Sun was negatively impacted mainly due to its impending acquisition by Oracle. Sun's lower Ability to Execute rating in 2009 is due to uncertainty and customer perception concerns, not to a lack of product functionality. Sun has, and retains, a strong presence in the market. Its IAM product portfolio is leading-edge.
  • Oracle remains in the No. 1 position, partly due to its:
    • Sustained momentum from aggressive marketing and sales
    • Linkage to other Oracle product lines (via licensing and/or integration)
    • Consistent execution against its stated product road map
    • Expanded portfolio due to acquisitions (e.g., BEA Systems) and vision
  • IBM Tivoli retains the No. 2 slot, partly due to its:
    • Depth of service-based orientation toward delivery
    • Mature product sets
    • Expanding customer base
    • Feature innovations (e.g., role and entitlement management)
    • Successful efforts in simplifying the administration experience, particularly with IBM Tivoli Identity Manager (ITIM) 5.0 and above
  • IBM Tivoli and Oracle remain close in the ratings for overall feature-function capabilities, although there are some differences enhanced by good integrators. IBM Tivoli has somewhat closed the gap with Oracle, compared with 2008.
  • Novell's position improved in the Leaders quadrant, partly due to its:
    • Execution against a focused strategy of improving the customer experience
    • Increased number of integration partners
    • Improved marketing
    • Customer additions
    • Capitalizing on competitor consolidation uncertainty
  • CA improved substantially in the study, partly due to its:
    • IAM-related acquisitions (e.g., Eurekify and Orchestria)
    • Better vision
    • Aggressive, focused marketing
    • Improved partnership model
    • Improved deployment model
  • CA has demonstrated overall increased momentum in the market, and has revitalized its plans to be a global IAM player.
  • Courion remains in the Leaders quadrant, partly due to its:
    • Expanding customer base
    • Innovative partnering to offset the lack of a full IAM suite
    • Innovation in technology, specifically in role life cycle management and IAM intelligence
    • Consistent and focused messaging
  • In the Visionaries quadrant, Volcker Informatik demonstrated noticeable improvement, partly due to:
    • Significant innovation in its vision and approach to provisioning
    • Improved servicing of its clients (predeployment and post-deployment)
    • Its expanded partner base and expanded reach outside Germany
  • Sentillion and Fischer International remain in the Visionaries quadrant due to similar capabilities. Sentillion remains the vendor to beat in healthcare, providing increasingly innovative approaches to deal with a unique industry segment's needs, and responding to the increased attention it is receiving in the U.S. Fischer has lost some early momentum while revising its marketing and partnership strategy, but it still remains innovative in targeting service providers for an all-service-based provisioning offering. All three vendors in the Visionaries quadrant have a relatively small customer base and limited abilities to deliver through worldwide channels. However, they are doing some of the more-advanced user-provisioning work in technology and approach.
  • Microsoft remains in the Challengers quadrant with a lower execution rating, due to its postponement of the next version of Identity Lifecycle Manager (ILM — to be called Forefront Identity Manager). Microsoft still experienced significant customer demand in Microsoft-centric environments, partly due to its:
    • Lower deployment costs for basic provisioning, even with integration costs
    • Integration with existing Microsoft infrastructure
  • Hitachi ID (formerly M-Tech Information Technology) demonstrated notable improvement in the Challengers quadrant (and claimed the top Challenger spot), partly due to its:
    • Continued innovation
    • Access to more R&D funding and resources with parent company Hitachi
    • Refined sales and marketing strategy
    • Continued commitment to customer service
  • Siemens and Beta Systems remain in the Challengers quadrant with little perceptible movement. However, "little movement" actually indicates progress that is sufficient to counteract the "drift" of maturity that would cause static companies to lose position, but it does not indicate substantial or notable forward momentum. Beta Systems appears poised for forward momentum, with restructuring in the IAM organization and some IAM-related acquisitions in 2009.
  • BMC Software remains in the Challengers quadrant, although with some loss in execution due to its redefinition of IAM as part of its Business Service Management (BSM) strategy. While innovative, BMC's IAM products don't get the same exposure as its competitors' products do, because those competitors market and productize their IAM solutions for IAM-specific sales. However, BMC's ability to sell IAM to existing BMC customers remains strong.
  • Avatier moves into the Challengers quadrant, partly due to consistent execution on its vision, significant customer wins, and an innovative and rapidly deployable product.
  • Evidian and Quest Software had positive momentum from 2008. Evidian continues to increase its name recognition and customer acquisitions, particularly in Europe, and has shown notable improvement in its position in this study. Quest placed considerable effort on creating a unified brand/messaging strategy, as well as enforcing consistency across its acquired products. It also acquired additional IAM products to broaden its suite appeal.
  • SAP continued to execute its strategy predominantly for SAP customers that have considerable investments in SAP offerings and a need for user provisioning. SAP also improved its plans with partners, such as Novell, to broaden feature set offerings and appeal to wider audiences.
  • Omada, which was a new vendor to the 2008 Magic Quadrant, remains in the Niche Players quadrant in 2009, but has made notable progress in its Ability to Execute rating. Its reliance on Microsoft ILM (and the future Forefront Identity Manager) as a foundation for its solution somewhat limits its ability to show innovation in vision beyond Microsoft's vision of that foundation. However, Omada's product does (and, even with Forefront Identity Manager, will continue to) provide the added functionality that's needed in a robust IAM system.
  • Ilex, a small provisioning vendor located in France, is new to the 2009 Magic Quadrant. It has a basic and innovative approach to provisioning that is being leveraged by a small but notable number of customers.
  • Most user-provisioning vendors reported healthy revenue increases in 2008-2009, thereby indicating a continued growth market (see the Market Maturity section below). The 2008 Gartner Dataquest report on the security market indicated a compound annual growth rate (CAGR) of 15.5% for the user-provisioning market, which is approaching $1 billion in 2009. This growth rate is down from 21.2% in 2007, but it is very healthy considering current economic conditions. Gartner expects user-provisioning revenue opportunities to continue growing through 2009 as the market matures and consolidates, with a peak occurring in 2010 as enterprises deploy new-generation solutions and upgrade existing deployments.
  • The economy has been a major topic in 2009. The "global economic downturn" has resulted in longer cycle times for customer decisions to buy provisioning. Companies are also more open to considering single components of suites (i.e., "best of breed"), as opposed to entire suite purchases from a single vendor.
  • Compliance continues to be a significant driver for global corporations for user provisioning, although this depends on the relative size of the enterprise, the market segment and geography. Security efficiency for cost containment and service-level targeting remains a strong driver worldwide, and is being used to justify the expense for projects that may, in fact, be compliance-driven. Interest in user provisioning continues to increase in Europe, the Middle East and Africa (EMEA), the Asia/Pacific region and Latin America, with modest growth in North America.
  • Significant contributors to the user-provisioning decision process in 2009 include:
    • Role life cycle management, which defines, engineers, maintains, and reports on enterprise roles and rules as inputs to the provisioning process
    • GRCM support, driven primarily by enterprise application providers (such as SAP and Oracle) through ERP implementations and by the need to support fine-grained authorization as part of the user-provisioning process
    • A desire to deliver an overall IAM governance program that identifies and supports the role of user provisioning, and links it to the information security policy and the establishment of controls
    • System integrator and/or consultant selection for project or program implementation
    • Privacy, which provides user control of what is provisioned, and ensures that what is provisioned is adequately protected from technical and regulatory perspectives
    • Provisioning for card management tools as part of a security management environment
    • Identity audit and reporting (that is, the ability to report fully and accurately on the effects of user provisioning across the enterprise)
    • Specific industry segment strategies (for example, healthcare user-provisioning differentiation)
    • Specific industry segment size strategies (for example, SMB targeting)
    • Total cost of ownership (TCO) and the rapidity of implementation, which are of growing concern as potential customers seek savings during times of economic uncertainty
  • Many customers, especially large enterprises, continue to evaluate user-provisioning solutions as part of a broader IAM suite or portfolio, depending on their specific requirements. This creates additional challenges for user-provisioning vendors that do not offer a portfolio solution. To date, nonsuite user-provisioning vendors have offered sufficient innovation and differentiation to compete effectively with portfolio vendors, and have addressed enterprises that are not aggressively pursued by portfolio vendors (for example, SMBs, specifically in industries such as healthcare). Continued differentiation, agility and partnerships will be necessary for any "nonportfolio" vendor to remain viable in the long term. Differentiation, especially with regard to rapid deployment, "prepackaged" (i.e., quick and proven) solutions and ease of use, will be key.
  • At present, there are five vendors recognized as single providers of suites or portfolios (defined as directory, provisioning and Web access management): Oracle, IBM Tivoli, Sun, Novell and CA. All five vendors are in the Leaders quadrant. Siemens, Evidian and Quest offer partial suites. They and many point vendors are expanding their offerings to full suites through partnerships.
  • Vendors with major product offerings other than user provisioning use comprehensive licensing with customers and partners as competitive leverage to create opportunities, particularly in displacement strategies. This will have as great an impact on the future of the user-provisioning market as product features or system integrator partnerships.
  • Some of the user-provisioning vendors sell their solutions to internal service providers, illustrating a design and configuration that would allow a managed or Internet-based service offering for user provisioning. Early indicators show that evaluations of user provisioning as part of a broader software-as-a-service (SaaS) offering, particularly for SMBs, are occurring in major service provider firms.
  • Although technical improvements in user provisioning continue, project and program complexity for large implementations remains a challenge for customers, and could result in long planning and deployment periods.
  • The roles of IAM intelligence, SIEM and DLP will continue to grow in user-provisioning solutions as security and network events are correlated with identity and access events to provide a full picture of the network.
  • Commoditization of some aspects of IAM (as well as user provisioning) is beginning, with smaller vendors offering appliance-based solutions for low-volume, simple provisioning needs. In addition, traditional networking and platform vendors (large and small) that provide such solutions will begin entering the provisioning market, offering simple, basic provisioning for interested audiences and use cases.
  • While in its early stages, IAM as a service will expand to include provisioning for some clients, although a significant market presence is unlikely before 2011. Early predictions of IAM as a service have been impacted by economic conditions — interest is high, but deployment is not.

Market Growth

  • User provisioning grew in terms of revenue at a global rate of 15.5%, and is now approximately a $900 million market. North America exhibited revenue growth of 14.5%, Western Europe 15.7%, the Asia/Pacific region 20.1%, and Latin America 18.9%, which is strong performance across most geographies. North America accounted for 46.8% of 2008 market share, Western Europe 30.6%, the Asia/Pacific region 8.3%, and Latin America 3%.
  • User provisioning is entering an early maturity phase of its life cycle with well-established vendors and well-defined IAM suites. Third-generation releases are now available, with most basic capabilities well-structured and well-configured. Gartner estimates that, as of mid-2009, approximately 25% to 30% of midsize to large enterprises worldwide, across all industries and sectors, had implemented some form of user provisioning. An additional 20% to 25% are evaluating potential solutions.
  • Structured and formal methods of planning and implementing user-provisioning solutions in enterprises have improved, but are still evolving. Most IAM program/project failures are related to issues in the project scoping/definition phase. Customers embarking on an IAM initiative must spend time properly defining and prioritizing specific business challenges and use cases that user provisioning must address. Success practices include, but are not limited to:
    • Using a decision framework for planning IAM that includes identifying, prioritizing and organizing key resources in the implementation process for user provisioning
    • Developing a clear and compelling vision of the IAM program, "selling" that vision to key stakeholders, and communicating project status and successes/issues throughout the program
    • Selecting an effective program partner (that is, consultant or system integrator) to lead the effort in a reasonable time frame — one that understands the business issues of user provisioning and the technical implementation concerns required to be successful
    • Addressing issues related to role life cycle management for effective user provisioning
    • Addressing critical issues in post-implementation customer environments related to fixes, integration or expansion

Before selecting an IAM vendor or system integrator, we recommend that you review "Q&A for IAM: Frequently Asked Questions" and "Developing IAM Best Practices."

Market Maturity

User provisioning is not just an IT project implementation issue, but also a business program concern — one that has broader implications across the enterprise or institution and requires cross-organization communication. Failure to address this is a primary inhibitor to established user-provisioning projects, and is the most common cause of program or project failures. Vendors that recognize this need and are able to effectively address it have been (and still are) leaders in user provisioning. This remains a key decision criterion, with equal weighting for market share and revenue.

Role life cycle management addresses another user-provisioning concern: A comprehensive process for assigning and tracking entitlements within an enterprise is an important element in user provisioning. Role life cycle management addresses user provisioning in four areas:

  • Discover and/or Define: The development of an initial role framework enables an enterprise to begin the definition phase of roles. The information required to construct the framework will exist in several areas throughout the enterprise as line-of-business and functional role definitions.
  • Build: This includes the role mining, role discovery, entitlement discovery and role creation phases, which may require a tool or set of tools to enable an enterprise to build. Enterprises take the role and privilege frameworks already defined and, using a tool, perform correlation analyses that may deliver a recommended role set (sometimes called "candidate roles") based on actual target entitlement assignments. These candidate roles may be vetted with business owners to create a set of roles that will subsequently be automated through user provisioning, or through the role management tools.
  • Administer: In this phase, fine-tuning is conducted for the constructed roles, as well as ongoing changes through systems or controls. Regular reviews and approvals are required during this phase for those changes. This step can be successfully executed most often if the enterprise is using automation; otherwise, the enterprise usually reverts to a manual process that won't be used.
  • Report: The final life cycle phase involves verification, attestation (management's review and certification) and risk management steps for roles. It supports the growing proliferation of regulations and audits, in that reports can be reviewed by management and auditors to ensure that least privilege and SOD are implemented.

Previous user-provisioning projects failed to account for role life cycle management, or did not provide sufficient functionality to administer entitlements. New vendors have entered the IAM market to supplement the user-provisioning process and ensure that this customer requirement is addressed. With the notable exception of IBM (which relies on internal development and partners), all user-provisioning vendors in the Leaders quadrant now have role life cycle management functionality as part of their portfolios. Many of the remaining vendors also offer this functionality natively or via partnerships with role life cycle management vendors. The use of such tools is projected to reduce the manual workload related to role discovery and mapping by between 40% and 55%. Note, however, that no technology area (including role life cycle management) is without "horror stories." As with user-provisioning initiatives, rigorous planning and process work are vital to success.

A third area of growing maturity is IAM intelligence. As compliance and regulatory needs grow more specific and are better defined, identity analytics, data correlation and audit reporting continue to evolve (as separate products and as functionality included with user-provisioning products) to address the specific needs of the world's user-provisioning community. Although this remains an ongoing process, many vendors are now offering compliance dashboards or "canned" reports to address these needs as part of such IAM intelligence solutions, or as input into GRCM vendor solutions.

Characteristics of a Leading Vendor

Although the user-provisioning market has matured and vendors from any of the quadrants could potentially address customer needs, particular characteristics of a good candidate vendor apply on every occasion:

  • Good partners: Good user-provisioning vendors have good implementation partners — those with proven histories of performance, and the ability to understand and address customer industry requirements that are affected by business segment differences, region and size. Some vendors have direct integration experience, and industry expertise is a requirement.
  • The ability to define deliverables, phases of the project, metrics and an "end state": When embarking on an initiative as potentially complex as user provisioning, it is critical that the program be defined with metrics that can be measured, and with projects that have an end. Many earlier user-provisioning experiences lasted for years because of the inability to know when the end has been reached (or even what the goal of Phase 1 is). There must be an end to a business-critical implementation project (such as user provisioning), or at least those phases of technology and process implementation, to enable the ongoing program to continue.
  • Coupling and uncoupling the suite: A world-class user-provisioning vendor should be able to sell you only user provisioning and the associated user-provisioning services (for example, identity audit and reporting, or workflow) without requiring you to buy the entire IAM system that it sells. Integration is a good thing, but not when it is so tightly integrated that uncoupling it later on to purchase a complementary tool is impossible. This represents aggressive competition with pure-play, user-provisioning providers.
  • Solution selling vs. making it fit: A leading vendor will provide user provisioning as part of a packaged solution that's tailored to your stated requirements, rather than forcing your requirements to fit the product. The corollary of this is that you must have a clear and comprehensive requirement definition before any formal evaluation of specific tools. Although there must always be some practical compromise, mature, best-in-class solutions can look more like your business requirements than a vendor's technical specifications.
  • Modularity: Mature user-provisioning products show an awareness of enterprise architectures and the role of the products within them. These products also have a quicker turnaround in feature and version release because the product design allows for smoother updates and follows a secure system development methodology. Mature product vendors in user provisioning show an awareness of the requirements for service-centric infrastructures, and move to accommodate them with service-centric solutions, where possible.
  • The post-implementation experience: User provisioning is a well-established market. As such, user-provisioning products should demonstrate signs of maturity. If customers are unhappy and seek replacement solutions, then there are serious issues with planning and requirements. The post-implementation experience for a new customer and an upgrade customer will say a lot about world-class user-provisioning vendors in this market.

This is not an exhaustive list, but merely a representative one. It is relatively independent of vendor size or industry range in the user-provisioning market, and can provide an opportunity for even the smallest vendor to excel in a comparative view of customer experience.

User Provisioning as Part of a Suite/Portfolio vs. Pure-Play Product

Situations in which customers might choose a pure-play user-provisioning vendor over a suite or portfolio vendor include:

  • Policy-driven or IT concerns regarding vendor lock-in (that is, a "monoculture" for IAM solutions)
  • Customers already have solutions for access management or "point" identity management solutions from a vendor whose user-provisioning solution does not meet their requirements
  • Cost, time of implementation or industry-specific options
  • The product is just a better fit for customer needs

Situations in which customers might choose a user-provisioning suite vendor over a point vendor include:

  • Customers constrained by the number of vendors that they can choose, particularly for a multitool IAM solution — of which user provisioning is one
  • An application or infrastructure requirement that specifies the product suite as optimal for integration with that application or infrastructure
  • A licensing or cost advantage achieved by owning products or using services from the suite or portfolio vendor
  • An agreement between a provider of outsourced services and a client in which a consolidated contract with a preferred vendor is more acceptable
  • The product is just a better fit for customer needs

Although it is possible, for example, to choose a user-provisioning product from one suite/portfolio vendor, even if you have an access management product from another vendor (pure-play or suite/portfolio), this practice is occurring less often for a number of reasons:

  • Aggressive licensing often makes the provisioning solution from the same vendor as the access management solution more desirable from a cost perspective.
  • Shared maintenance from the same suite vendor is often less expensive, and easier to manage and receive.
  • The growing maturity of the IAM market is equalizing many of the basic function and feature sets of the individual point solutions. It is also lessening differentiation and negating some of the best-of-breed, technically based arguments.

However, marketing adjacent products does not constitute integration. Instead, true user experience, workflow, reporting and brokering functions, such as common architecture and implementation, constitute customer views of integration.

Interestingly enough, IAM suite vendors' trend of acquiring role life cycle management solutions is contrary to the suite/portfolio practice. Because role life cycle management is in an earlier maturity phase than user provisioning, it is not uncommon to have a role solution from a pure-play provider, or even one from a different suite/portfolio provider. This will change as suite/portfolio vendors gradually incorporate role life cycle management capabilities by design or by acquisition. Earlier editions of access management also remain well-entrenched, and make it difficult to provide a suite/portfolio solution if that vendor cannot provide for the user-provisioning requirements of that customer.

In 2008, the average ratio of product licensing to consulting/integration costs was approximately 1-to-3 (for every $1 in software costs, the customer would spend $3 on consulting/integration). For some vendors and implementations, it was as high as 1-to-5, but in others — particularly pure-play vendors (where the scope of effort may be smaller if user provisioning alone is addressed) — the ratio approached 1-to-2 or even 1-to-1. The goal for most vendors (and integrators) is to have as low a ratio as possible. As the market continues to mature and more preconfigured packages become available, this is possible even for larger portfolio vendors.




Market Definition/Description

User-provisioning solutions address an enterprise's need to create, modify, disable and delete identity objects across heterogeneous IT system infrastructures, including operating systems, databases, directories, business applications and security systems. Those objects include:

  • User accounts associated with each user
  • Authentication credentials — typically for information system access, and then most often just passwords, but sometimes for physical access control
  • Roles — business level, provisioning level, line-of-business level
  • Entitlements (for example, assigned via roles, groups or explicitly to the user ID at the target system level)
    • Managing group membership or role assignments, from which entitlements may flow
    • Managing explicit entitlements
  • User profile attributes (for example, name, address, phone number, title and department)
  • Access policy/rule sets (for example, time-of-day restrictions, password management policies, how business relationships define users' access resources and SOD)

Gartner distinguishes user provisioning from identity management in that user-provisioning products are a subset of identity administration products, which are a subset of the broader IAM landscape (intelligence, administration, authentication and authorization). All user-provisioning products offer the following capabilities for heterogeneous IT infrastructures:

  • Automated adds/changes/deletes of user IDs at the target system
  • Password management functionality (for example, simplified help desk password reset, self-service password reset and password synchronization, including bidirectional synchronization [sold as a separate product by some user-provisioning vendors because they had their start there])
  • Delegated administration of the user-provisioning system
  • Self-service request initiation
  • Role-based provisioning through capabilities provided by role life cycle management features or partners
  • Workflow — provisioning and approval
  • HR application support for workforce change triggers to the user-provisioning product
  • Reporting the roles assigned to each user and the entitlements that each user has
  • Event logging for administrative activities

A comprehensive user-provisioning solution has the following additional capabilities:

  • SOD Administration and Reporting: Enterprises need to automate and manage application-level business policies and rules to identify SOD violations. They also need to quickly remove those violations from the application environment, and ensure that new SOD violations are not introduced in the course of the ongoing management and identity administration of the application. Today, SOD tools exist primarily for ERP applications — ERP-specific, transaction-level knowledge is required to successfully enforce SOD in these environments. However, a generic SOD framework is required to address all SOD application needs in the enterprise. Typically, a role is used as the container to segregate conflicting business policies in the application environment. Many user-provisioning vendors deliver capabilities for this heterogeneous framework. It does not alleviate an ERP product's need for SOD because these tools have extensive integration with ERP applications. User-provisioning vendors will continue to partner with ERP vendors to deliver complete SOD solutions.
  • Role life cycle management: Regulatory compliance initiatives are directing IAM efforts back to the role development drawing board. The role becomes a very important control point that enterprises need to manage in a life cycle manner — just as they do an identity. Enterprises need the ability to automate processes to:
    • Define existing roles through role-mining automation.
    • Manage formal and informal business-level roles for any view of the enterprise (for example, location, department, country, functional responsibility), and to feed user-provisioning products to ensure that the link is made between the business role and associated IT roles.
    • Establish a process by which the development process for new roles in the enterprise follows the same management process used for existing roles, and ties those new roles to the automated role life cycle management solution.
    • Deliver a generic framework to address all role life cycle management needs. Most user-provisioning vendors are partnering with role life cycle management vendors, acquiring them or building that expertise with the user-provisioning solution.
    • Manage the role throughout its life cycle — role owner, role changes, role review, role assignment, role retirement and role-based reporting options.
  • IAM intelligence audit reports: Meeting the regulatory compliance requirements of reporting on SOD, roles, "who has access to what," "who did what," and "who approved and reviewed what" (referred to as "the attestation process" in auditing terms) for all IT resources is complex and expensive in the heterogeneous IT infrastructure. Reporting tools need to be in place to leverage the user-provisioning authoritative repository, and all other repositories that are used for the authentication and authorization process to produce SOD, role, "who has access to what," and "who approved and reviewed what" reports, which include the entire enterprise's IT assets. In addition, centralized event logs for all identity management activities — those from the user provisioning and access management products, as well as all systems where authentication and authorization decisions are being made in real time — are needed to do a proper job of reporting "who did what."
  • Resource access administration: Not every enterprise manages access by roles, nor is it advisable to always do so. Rather, the need to administer access at the system/entitlement level is required for many users. Today's user-provisioning products only provision users to existing roles/groups in a supported system; they do not go deeply enough into each system to create and administer roles/groups and associated privileges, nor do they explicitly assign privileges to a user outside the role/group structure; however, with some vendors, we see signs of this functionality on product road maps for some specialized systems (e.g., target systems that are specialized to specific industry verticals).
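
The SOD administration and "who has access to what" reporting described in the list above can be sketched as follows. This is an added example, not code from the research note or from any vendor's product; the role names, entitlements, rule IDs and function names are all constructed for illustration. It uses the role as the container for entitlements across several target systems, reports existing SOD violations, and checks a proposed role grant before it is provisioned so that no new violation is introduced.

```python
"""Generic SOD check over role-based entitlements (all data constructed)."""

# Constructed sample: role -> (system, entitlement) pairs on heterogeneous targets.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {("erp", "create_vendor"), ("erp", "enter_invoice")},
    "ap_approver": {("erp", "approve_payment")},
    "db_admin": {("oracle_db", "alter_schema")},
    "auditor": {("siem", "read_audit_log")},
    "log_admin": {("siem", "purge_audit_log")},
}

# Constructed SOD policy: entitlement pairs one identity must not hold together.
SOD_RULES = [
    {"id": "SOD-1", "a": ("erp", "create_vendor"), "b": ("erp", "approve_payment")},
    {"id": "SOD-2", "a": ("oracle_db", "alter_schema"), "b": ("siem", "purge_audit_log")},
]

# Constructed sample: current role assignments per user.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_approver"},
    "carol": {"db_admin", "auditor"},
}


def effective_entitlements(roles):
    """Map each entitlement to the set of roles that grant it."""
    granted = {}
    for role in sorted(roles):
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role: {role}")
        for entitlement in ROLE_ENTITLEMENTS[role]:
            granted.setdefault(entitlement, set()).add(role)
    return granted


def violated_rules(roles):
    """Return the IDs of SOD rules broken by holding all of `roles` at once."""
    granted = effective_entitlements(roles)
    return sorted(r["id"] for r in SOD_RULES
                  if r["a"] in granted and r["b"] in granted)


def detect_violations(user_roles):
    """Detective control: users whose current roles already break a rule."""
    found = {}
    for user, roles in user_roles.items():
        rule_ids = violated_rules(roles)
        if rule_ids:
            found[user] = rule_ids
    return found


def check_grant(user, new_role, user_roles):
    """Preventive control: rules that granting `new_role` would newly break.

    An approval workflow would reject or escalate the request when the
    returned list is not empty.
    """
    current = user_roles.get(user, set())
    before = set(violated_rules(current))
    after = set(violated_rules(current | {new_role}))
    return sorted(after - before)


def access_report(user_roles):
    """'Who has access to what': rows of (user, system, entitlement, via_role)."""
    rows = []
    for user, roles in user_roles.items():
        for (system, entitlement), via in effective_entitlements(roles).items():
            for role in via:
                rows.append((user, system, entitlement, role))
    return sorted(rows)


if __name__ == "__main__":
    print("Existing violations:", detect_violations(USER_ROLES))
    print("carol + log_admin would break:",
          check_grant("carol", "log_admin", USER_ROLES))
    for row in access_report(USER_ROLES):
        print(row)
```

The second rule spans two systems (a database and a log store), which is the case a single-application SOD tool cannot see and a generic, role-based framework can.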

User-provisioning products also do not deliver an end-user or system view of IT resources and associated privileges. To do so, the products need:

  • The view of the IT resource
  • System-specific knowledge built into their connector portfolios to administer and manage roles, groups and privileges
  • A relationship between the identity and the IT resource to produce the required views

Today, these functions are delivered via native system-level tools. The platform where most remote access administration capability is needed is Active Directory in Microsoft Windows. Microsoft's SharePoint is also a platform where this capability is needed, and we are seeing vendor focus in this area. In addition, various mainframe-based Resource Access Control Facility (RACF) administrative tools enable you to provide remote access administration, administering access at the entitlement level in RACF (with greater ease than using native RACF commands and Interactive System Productivity Facility panels). Some user-provisioning vendors have remote access administration capabilities; others are partnering with Microsoft-specific vendors, such as Quest Software, to deliver remote access administration capabilities.

No user-provisioning vendor (or suite vendor) provides all identity management capabilities noted above without some partnering. For most enterprises, additional products are required to round out the functionality set. SIEM tools can be used for "who did what" reporting at the event level, with granularity by time of day, geography, network port and other details; and we are seeing increased vendor interest in creating integration paths between "core" IAM products and SIEM (and other) intelligence/analytics tools. DLP tools provide "content awareness" for accessing files and databases, and will play a significant role in delivering more precise entitlement assignments (in role management).

The 2009 Magic Quadrant focuses on vendor delivery of ease of deployment, ongoing operations, and maintenance and vendor management as a sign of maturity. The research also emphasizes marketing vision and execution, and evaluates sales and advertising execution as part of the overall experience:

  • How do the user-provisioning vendors deliver core user-provisioning capabilities as an enterprise management system in support of an ongoing, changing business environment? Similar to the 2008 Magic Quadrant, in 2009, we evaluated how easy it is to change and maintain workflow and connectors, but we also evaluated software services (scripts) and other functionality, such as integrating the user-provisioning product with the HR application and building the authoritative repository.
  • Because user provisioning is a maturing market, we also evaluated vendors' marketing and sales effectiveness in terms of market understanding, strategy, communications and execution. We evaluated each vendor's organization for such services, its ability to change to reflect customer demands and its overall success as measured by customers.
  • In 2009, increased attention was given to the vendor's role life cycle management vision, strategy, and road map — particularly in terms of compliance reporting and remediation.
  • In 2009, we also increased attention on the IAM intelligence capabilities, their ease of use and their "attractiveness" (via relevant out-of-the-box reports, applicable dashboards, and so on) to end users.
  • Increased attention was given to "adjacent" technologies in GRCM, SIEM and DLP, and their ultimate impact on IAM intelligence functionality for provisioning.
  • We focused on early stages of "service architected" user provisioning to prepare for large-scale, large-volume provisioning requirements. Early uses of large-scale provisioning are already evident.



Inclusion and Exclusion Criteria

Inclusion Criteria

User-provisioning vendors are considered for the 2009 Magic Quadrant under the following conditions:

  • Support for minimum, core user-provisioning capabilities across a heterogeneous IT infrastructure
    • Automated adds/changes/deletes of user IDs at the target system
    • Password management functionality
    • Delegated administration
    • Self-service request initiation
    • Role-based provisioning supported by role life cycle management
    • Workflow provisioning and approval
    • HR application support for workforce change triggers to the user-provisioning product
    • Reporting the roles assigned to each user and the entitlements that each user has
    • An event log for administrative activities
  • Products must be deployed in customer production environments, and customer references must be available
  • Gartner considers whether aspects of companies' products, execution or vision are noteworthy

Exclusion Criteria

User-provisioning vendors that are not included in the 2009 Magic Quadrant may have been excluded for one or more of the following reasons:

  • Invited to participate, but did not reply to our request for information
  • Did not meet the inclusion criteria
  • Supplied user-provisioning capabilities for only one specific target system (for example, Windows, iSeries)
  • Had minimal or negligible apparent market share among Gartner clients, or no shipping products
  • Were not the original manufacturers of a user-provisioning product — this includes value-added resellers (VARs) that repackage user-provisioning products (which would qualify for their original manufacturers); other software vendors that sell IAM-related products, but don't have user-provisioning products of their own; and external service providers that provide managed services (for example, data center operations outsourcing)



Added

Ilex




Dropped

None




Other Vendors of Note

Based in Munich, Germany, since 1994, econet has been in the user-provisioning market since early 2006 with cMatrix — a service management, service-oriented offering targeted at service providers primarily in EMEA. In many respects, econet's marketing and sales model is very similar to Fischer International's. Early clients include Siemens and KPMG. econet continues to market to the IAM-as-a-service candidate — either the provider of such services or the client interested in developing a private IAM-as-a-service experience.

A Mountain View, California, company, FoxT has products that focus primarily on access control and service account management. However, its BoKS Access Control for Applications addresses basic elements of password management, account administration (including basic provisioning), and audit reporting as part of an IAM package, including SOD enforcement, monitoring and reporting.

Based in Livermore, California, Imanami is a lesser-known company, but it has some notable clients. Imanami's GroupID Synchronize serves as a data synchronization engine for an Active Directory environment through custom scripting, enabling Microsoft-centric enterprises to leverage their infrastructures to some extent. Clients include AT&T (formerly Cingular Wireless) and Mervyns.

Based in Rostock (near Berlin), Germany, iSM is a small company focused on German-speaking country markets with its bi-Cube product for provisioning, SSO, and process and role life cycle management. Privately funded, this 10-year-old enterprise takes a process-centric, business intelligence focus to deliver a series of preconfigured process and configuration modules (cubes) that can be linked together to provide user provisioning and role life cycle management functionality. It has a small customer base in Germany, Austria and Spain in large industries, such as telecommunications and insurance. iSM continues to refine the modules to form a more-standardized user provisioning and process management product offering.




Evaluation Criteria

Ability to Execute

Gartner evaluates technology providers on the quality and efficacy of the processes, systems, methods or procedures that enable IT provider performance to be competitive, efficient and effective, and to positively impact revenue, retention and reputation. Ultimately, technology providers are judged on their ability to capitalize on their vision and on their success in doing so. For user provisioning, the ability to execute hinges on key evaluation criteria:

Product/Service: These are core goods and services offered by the technology provider that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships, as defined in the market definition and detailed in the subcriteria. Specific subcriteria are:

  • Password management, including shared account/service account password management support
  • User account management/role-based provisioning
  • Management of identities
  • Workflow: Persistent state, nested workflows, subworkflows, templates of common user-provisioning activities and change management
  • Identity auditing reports
  • Connector management
  • Integration with other IAM components
  • User interfaces
  • Configure, deploy and operate
  • Role life cycle management
  • Resource access administration
  • Impact analysis modeling for change
  • Service Provisioning Markup Language (SPML) 2.0 support

Overall Viability (Business Unit, Financial, Strategy, Organization): This includes an assessment of the overall organization's financial health; the financial and practical success of the business unit; and the likelihood of the individual business unit to continue investing in the product, offering the product and advancing the state-of-the-art in the organization's portfolio of products. Specific subcriteria are:

  • History of investment in division
  • Contribution of user provisioning to revenue growth

Sales Execution/Pricing: The technology providers' capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. Specific subcriteria are:

  • Pricing
  • Market share
  • Additional purchases (for example, relational database management system, application server, Web server)

Market Responsiveness and Track Record: The ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the provider's history of responsiveness. Specific subcriteria are:

  • Product release cycle
  • Timing
  • Take-aways

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in buyers' minds. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word of mouth and sales activities. Specific subcriteria are:

  • Integrated communication execution
  • Customer perception measurement

Customer Experience: The relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), the availability of user groups, service-level agreements (SLAs) and so on. Specific subcriteria are:

  • Customer support programs
  • SLAs

Operations: The organization's ability to meet its goals and commitments. Factors include the quality of the organizational structure, such as skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. Specific subcriteria are:

  • Training and recruitment
  • Number of major reorganizations during the past 12 months

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria | Weighting
Product/Service | High
Overall Viability (Business Unit, Financial, Strategy, Organization) | Standard
Sales Execution/Pricing | Standard
Market Responsiveness and Track Record | High
Marketing Execution | High
Customer Experience | High
Operations | Standard

Source: Gartner (September 2009)



Completeness of Vision

Gartner evaluates technology providers on their ability to convincingly articulate logical statements about current and future market directions, innovations, customer needs and competitive forces, and how well they map to the Gartner position. Ultimately, technology providers are rated on their understanding of how market forces can be exploited to create opportunities for the provider. For user provisioning, completeness of vision hinges on key evaluation criteria:

Market Understanding: The ability of the technology provider to understand buyers' needs and translate them into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those desires with their added vision. Specific subcriteria are:

  • Market research delivery
  • Product development
  • Agility to market changes

Marketing Strategy: A clear, differentiated set of messages that is consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. Specific subcriteria are:

  • Integrated communications planning
  • Advertising planning

Sales Strategy: The strategy for selling products using the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Specific subcriteria are:

  • Business development
  • Partnerships with system integrators
  • Channel execution

Offering (Product) Strategy: A technology provider's approach to product development and delivery that emphasizes differentiation, functionality, methodology, and feature set as they map to current and future requirements. Specific subcriteria are:

  • Product theme(s)
  • Foundational or platform differentiation

Business Model: The soundness and logic of a technology provider's underlying business proposition. Specific subcriteria are:

  • Track record of growth
  • Frequency of restructuring
  • Consistency with other product lines

Vertical/Industry Strategy: The technology provider's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. Subcriteria are:

  • SMB support
  • Industry-specific support

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. Specific subcriteria are:

  • Distinct differentiation in features or services
  • Synergy from multiple acquisitions or focused investments
  • Role life cycle management (discovery, modeling, mining, maintenance, certification and reporting)
  • Service-oriented provisioning

Geographic Strategy: The technology provider's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, directly or through partners, channels and subsidiaries, as appropriate for that geography and market. Specific subcriteria are:

  • Home market
  • International distribution

Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria | Weighting
Market Understanding | Standard
Marketing Strategy | High
Sales Strategy | High
Offering (Product) Strategy | Standard
Business Model | Standard
Vertical/Industry Strategy | High
Innovation | High
Geographic Strategy | Standard

Source: Gartner (September 2009)



Leaders

Leaders are high-momentum vendors (based on sales, world presence and mind share growth) with evident track records in user provisioning across most, if not all, market segments. Business investments position them well for the future. Leaders demonstrate balanced progress and effort in execution and vision categories. Their actions raise the competitive bar for all products in the market. They can and often do change the course of the industry.

Leaders should not be default choices for every buyer; rather, clients are warned not to assume that they should buy only from the Leaders quadrant. Leaders may not necessarily offer the best products for every customer project, and may even prove to have a higher TCO than some nonleaders. Leaders provide solutions that offer relatively lower risk, and provide effective integration with their own solutions as well as competitors' solutions. Every vendor included in the Leaders quadrant is there because it meets legitimate business/company needs.

Oracle and IBM Tivoli continue to dominate the user-provisioning market in presence and relative market share. Novell and CA also represent significant presences. Sun's reduced rating is primarily due to its impending acquisition by Oracle, which is causing some customer concern. Courion is the only pure-play provider in the Leaders quadrant, and remains there due to its innovative vision, solid technology, agility to market changes and increased momentum in customer sales.

CA demonstrated the most significant "jump" within the Leaders quadrant. This was precipitated by some key acquisitions within the IAM space (most notably of role management vendor Eurekify and DLP vendor Orchestria), as well as an increased focus on product marketing, sales and continued momentum with client sales.

Oracle continues its aggressive growth in 2009 — but movement within the Magic Quadrant is less dramatic due to consolidation, market maturation "inertia" and competitor performance. Oracle is successfully executing on its previously stated vision, and continues to gain customers and partners. Oracle's long-term vision is a compelling differentiator for Oracle customers.

IBM Tivoli has continued to innovate across its broad security offerings, incorporating compliance and SIEM capabilities as part of a broad strategy for visibility into infrastructure and services, while also capitalizing on previous efforts to streamline the administrator experience. Customer feedback regarding ITIM 5.0 and above is positive, and confirms IBM's commitment to provide "best in class" products.

As stated above, in 2009, Sun's ability to execute has suffered because the company's outlook is cloudy, due to the looming acquisition by Oracle. Sun is still one of the more mature user-provisioning providers in the market, and has made notable enhancements to its product in 2009. In addition, despite some trepidation and uncertainty related to the acquisition, Sun still has a compelling IAM product and vision, and is making some sales.

Novell continues to show that it is an aggressive and viable competitor in the Leaders quadrant through strategic marketing moves, leading product capabilities, continued leadership focus, and an improved integration and consulting partner list. Novell's addition of an OEM partnership with role management vendor Aveksa is notable, as is its continued focus on the integration of IAM and SIEM.

Courion's continued innovation in "next stage" provisioning and role life cycle management, coupled with a loyal customer base and high track record for success, has helped it earn its leadership status. Although the company will always be challenged by larger platform/portfolio vendors, Courion's countermove is to partner with a number of other best-of-breed vendors, and to offer vendor sourcing (i.e., reselling) through a single vendor so that customers can still adopt a "single contract" and a "one throat to choke" mentality.




Challengers

Challengers have solid, reliable products that address the needs of the user-provisioning market with strong sales, visibility and clout that add up to higher execution than niche players. Challengers are good at winning contracts, but they do so by competing on basic functions or geographic presence, rather than specifically on advanced features. Challengers are efficient and expedient choices for more-focused access problems, or for logical partnerships. Many clients consider challengers to be good alternatives to niche players, or occasionally even leaders, depending on the specific geography or industry. Challengers are not second-place vendors to leaders and should not be considered as such in evaluations.

Challengers in this Magic Quadrant all have strong product capabilities, but often have fewer production deployments than leaders do. Business models vary, as do overall product strength and breadth, marketing strategy and business partnerships. This has kept some challengers from moving into the Leaders quadrant.

Hitachi ID has demonstrated the most notable up-and-to-the-right movement within the Challengers quadrant — claiming the top spot — due to its continued innovation, focus on expanding sales and commitment to customer service.

European providers Siemens and Beta Systems experienced little movement. BMC has dropped in ability to execute for the second successive year because it is adopting a more integrated selling strategy for its user-provisioning offering, and incorporating it into the company's broader BSM strategy and focus on selling into its existing customer base, rather than seeking to use IAM as an entry point for sales. BMC's vision rating, however, remains strong due to this mature approach.

Avatier has pushed into the Challengers quadrant in 2009 due to consistent execution on its vision, its significant customer wins, and its innovative and rapidly deployable product. Microsoft remains in the Challengers quadrant, but its ability to execute score was negatively impacted by the delayed release of Forefront Identity Manager.




Visionaries

Visionaries are distinguished by technical and/or product innovation, but have not yet achieved the record of execution in the user-provisioning market to give them the high visibility of leaders, or they lack the corporate resources of challengers. Buyers should be wary of a strategic reliance on these vendors, and should monitor the vendors' viability closely. Given the maturity of this market, visionaries represent good acquisition candidates. Challengers that may have neglected technology innovation and/or vendors in related markets are likely buyers of visionary vendors. As such, these vendors represent a higher risk of business disruption.

Visionaries invest in the leading-edge features that will be significant in the next generation of products, and that will give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they lack the execution influence to outmaneuver challengers and leaders. Clients pick visionaries for best-of-breed features, and, in the case of small vendors, they may enjoy more personal attention.

In this Magic Quadrant, Sentillion and Fischer International continue to provide leading-edge capabilities in healthcare and service provider markets, respectively, showing innovation and vision in technology and market execution, albeit on a small scale because of their scope and breadth. Both vendors demonstrated modest movement up and to the right. Their attention to innovation and customer experience is more mature than other competitors.

German-based company Volcker Informatik has made notable movement in the area of completeness of vision. It consistently provides a combination of innovative architectures and features, as well as a high-touch customer model, to deliver a number of quality, low-maintenance solutions.




Niche Players

Niche players offer viable, dependable solutions that meet the needs of buyers, especially in a particular industry, platform focus or geographic region, but they sometimes lack the comprehensive features of leaders, or the market presence and/or resources of challengers. Niche players are less likely to appear on shortlists, but they fare well when given a chance. Although they generally lack the clout to change the course of the market, they should not be regarded as merely following the leaders.

Niche players may address subsets of the overall market, and often do so more efficiently than leaders. Clients tend to pick niche players when stability and focus on a few important functions and features are more important than a "wide and long" road map. Customers that are aligned with the focus of niche players often find their offerings to be "best of need" solutions.

Omada improved in 2008-2009 due to significant customer acquisition and expanded market opportunity. However, its vision remains dependent on Microsoft's ILM offering, and Omada focuses primarily on customers with Microsoft-centric application portfolios and needs. Recent work with SAP integration may improve this rating for 2009-2010.

Quest Software has demonstrated continued improvement due to increased focus on integration and by delivering a solid, understandable vision. Quest is a well-known Microsoft Windows, application and database management company. Its market share and mind share have continued to increase.

SAP's integration of MaXware into its NetWeaver Identity Management portfolio represents a major step for the software giant. MaXware's provisioning and data synchronization capabilities are being linked with SAP's governance and control offerings to provide a comprehensive approach to compliance-driven IAM. Relationships with Novell and Omada have improved its market visibility in IAM, particularly for SAP customers of other SAP products.

Evidian's provisioning solution has adherents in EMEA, and it addresses password and access management as a first priority, although the solution also provides user provisioning and some role management functionality. Evidian's position as a niche player is primarily because of its geographic coverage.

Ilex, a small IAM-focused company located near Paris, enters the Magic Quadrant for the first time in 2009. Although a small company, Ilex has developed a customer base for one or more of its IAM offerings, particularly in healthcare, public sector and government.




Important Note Regarding Customer Statements

Any statements worded as "customers do not like," "customers are concerned" and so forth in the Vendor Strengths and Cautions section were gleaned through survey responses, customer interviews and other client interactions. Note that they are customer perceptions, and as such, they represent the opinions of the specific customers surveyed or interviewed. The statements made are not representative of the vendor's comparison to other vendors; rather, it is the vendor's performance weighed against the customer's expectations. Also note that some customers may be running back-level versions of the product, so some of the issues mentioned may not exist in the most recent versions of products.




Vendor Strengths and Cautions

Avatier

Avatier Identity Management Suite (AIMS) v.8 (July 2009): Avatier Account Creator, Avatier Account Terminator, Avatier Identity Enforcer, Avatier Identity Analyzer, Avatier Password Station, Avatier Compliance Auditor




Strengths
  • Avatier pushes into the Challengers quadrant in 2009 through consistent execution on its innovative vision, significant customer wins, and a focus on taking the pain and fear out of identity management.
  • Avatier is a pure-play identity management vendor focusing on user provisioning, password management, audit/compliance reporting and SOD/rule enforcement. Its technology features an innovative Web services connector architecture for heterogeneous integration across different platform environments.
  • Avatier's focus is on creating identity management products that are simple and easy to understand for end users and administrators. The result is a very intuitive, graphical-user-interface-driven environment that is understandable even by people with modest technical skills; a resulting positive benefit is that implementations generally are extremely quick, when compared with most competitors.
  • Avatier's roots are in password management, where it has traditionally picked up many SMB customers; however, it also has a number of successful large enterprise implementations and notable name-brand customers. In the U.S., the vast majority of Avatier sales are direct. Internationally, Avatier is sold through a number of midtier services and consulting partners. Avatier continues to focus on expanding its partnerships with integrators and consulting providers.
  • Avatier's technology and subfunctions (such as its password policies) are developed with service-oriented architecture (SOA) in mind, and can be accessed through Web services. The client front end and target connectors also support SOA.
  • The typical industry ratio for provisioning costs when estimating licensing vs. deployment is 1-to-3. This means that for every $1 spent on the product, $3 is spent on deploying it. Avatier's deployment ratio is very good, estimated at 1-to-0.33, where for every $1 spent on licensing, only $0.33 is spent on deployment.
  • Customers like the product's ease of use, strong customer-centric support and the ownership that Avatier takes in making each customer successful.



Cautions
  • Avatier competes against large IAM vendors, such as Oracle and IBM Tivoli. The company has made good progress, but it has difficulty gaining the attention of decision makers at larger enterprises, where larger competitors enjoy more access and exposure. As a result, Avatier continues to experience difficulty in winning customers that are predisposed to favoring large vendors.
  • Avatier must compete in proposals where the customers consider provisioning as part of a broader IAM solution that may include Web access management, enterprise single sign-on (ESSO), directory/metadirectory services or combinations of these components, in addition to user provisioning. This requires partnering with a shrinking number of vendors in the market, and competing with aggressive licensing from suite competitors — which is possible, but increasingly challenging.
  • Avatier seeks to empower nontechnical end users to perform complex tasks. As such, the sophistication of its customers is generally not that of a big IT organization, and IAM-related concepts and operations can be confusing to some customers — even if the product is technically easier to use/implement than some competitors' products.
  • Some technically minded customers have difficulty adapting to Avatier's implementation of a role-based philosophy and "shopping cart" models for entitlements.



Beta Systems

SAM Jupiter product suite: SAM Jupiter v.3.5 (September 2008)




Strengths
  • Although SAM Jupiter began on the mainframe nearly a decade ago (and still has many deployments on mainframe, z/OS and z/Linux platforms), the product is available on Unix and Windows platforms — and has been for the past five years.
  • SAM Jupiter has most user-provisioning features found in competitor products, although password management, overall user interface experience and compliance reporting functionality are basic. Advanced password management can be provided by Beta Systems' acquisition of Proginet.
  • Beta Systems has shown early strength in the banking and financial services sectors, and with customers that have extensive mainframe deployments. Approximately 70% of Beta's customer base is concentrated in Europe.
  • SAM Jupiter was one of the first IAM products to incorporate basic role life cycle management into a product's provisioning processes. The solution has built-in role life cycle management support for unlimited role hierarchies, dynamic roles, SOD and role mining.
  • SAM Jupiter is also used by some service providers to host user provisioning primarily for internal customers, underscoring early experience in the managed IAM service business.
  • Although most of its sales remain direct, partnerships and reseller agreements exist. Integrator partnerships with providers such as T-Systems, IBM Global Services and Accenture also ensure implementation options for customers. Beta Systems also has European-based VARs for reselling SAM Jupiter in EMEA.



Cautions
  • Beta Systems has completed significant reorganizations in product planning and development, and hired to replace some key departures in architecture and planning. This resulted in a significant loss of momentum at the end of 2008; however, as of this writing, the company is showing signs of improvement.
  • Customer growth remains modest, with a slight drop in 2008 revenue primarily due to economic conditions. A modest rebound has been developing in mid-2009.
  • Beta Systems had an alliance with Israeli-based Eurekify to supplement its built-in role management delivery capabilities — adding upfront role mining and analysis — for full cycle role life cycle management. Eurekify was acquired by competitor CA in early 2009, requiring Beta Systems to seek another alternative, resulting in a new alliance with Swiss-based role management provider ipg.
  • Beta Systems' customer base remains 70% concentrated in Europe. More partners are required worldwide to compete actively in the volatile system integration and consulting service arena for user provisioning. North American market presence remains small.
  • SAM Jupiter needs additional support for third-party workflow systems, detailed historical auditing capabilities, and more integration with role modeling and analytics providers. A recent partnership with Swiss-based ISOnet will provide the workflow support.



BMC Software

BMC Identity Management Suite v.5.5.01 (March 2009)

BMC Identity Management Suite: BMC User Administration and Provisioning v.5.5 (March 2008)




Strengths
  • BMC Software is a long-standing IAM provider, still with significant market share dating back more than a decade with the original Control-SA product.
  • BMC is one of the first companies to have recognized and leveraged the value of process-centric IAM (user provisioning), which is applied to resolve compliance and audit issues.
  • BMC has relationships with technology partners to deliver IAM suite options, such as reduced sign-on (Hitachi), role engineering (Aveksa, SailPoint) and Web access management (Symphony Services).
  • BMC has key system integration and consulting partners, such as Eclipse, Ilantus Technologies, Logic Trends and Wipro Technologies. BMC's VAR channel partners include Accenture and Capgemini, particularly in Europe.
  • BMC's Identity Management Suite is a solution tailored for IT service management. BMC's Service Request Management module can be used as provisioning workflow by customers, as an option to BMC Identity Management Suite's User Administration and Provisioning workflow.
  • BMC's IT-Infrastructure-Library- (ITIL-) based BSM message and approach to provisioning is innovative, and is a differentiator.
  • Support for multitenant delivery (and, hence, managed IAM services) is a near-term upgrade, as is extended integration support for SAP and Oracle PeopleSoft HR.



Cautions
  • BMC does not actively market and sell User Administration and Provisioning as a distinct IAM offering, but rather as part of its BSM solution. This is a potential concern due to reduced marketing to audiences with specific IAM needs, and causes BMC to "turn inward" to focus primarily on existing BMC IAM customers.
  • BMC has less-extensive integrator partnerships than leading vendors do.
  • Growth in IAM has been minimal, and growth in license revenue was less than 4% from 2007 to 2008.
  • Customer concerns include better user interfaces, basic role management capabilities, slow response to support questions and inconsistent post-deployment support.



CA

CA Identity Manager Release 12 (June 2008) — OEM of Workpoint (workflow) v.3.3.2, CA Role & Compliance Manager Release 12 (compliance and audit reporting)




Strengths
  • CA demonstrates the most progress in the Leaders quadrant in 2009 (having first entered in 2008). Although CA has not made many significant changes to its provisioning product, its continued forward-and-upward movement is due to: (1) momentum from last year; (2) increased focus on and visibility of its role management strategy (as evidenced by its acquisition of role management vendor Eurekify, and the integration of the product with CA Identity Manager); a second acquisition, IDFocus, adds capabilities related to SOD violation checks; (3) a cohesive and aggressive marketing and sales strategy that is effectively positioning CA on the shortlists of many IAM product selection committees; and (4) significant market share and mind share.
  • CA Identity Manager is based on IdentityMinder (from 2002) and eTrust Admin (from 2000), and, therefore, has a long heritage in the IAM business. Acquisitions have accounted for expanded capabilities, and, as previously noted, CA continues to successfully pursue this strategy to fill out its IAM portfolio.
  • CA's purchase of Eurekify is very significant. Eurekify is generally regarded as one of the best products for statistical role mining and analysis. This was not only a tactical removal of a "best of breed" partner for many of CA's competitors; at a more strategic level, the integration of Eurekify (now CA Role & Compliance Manager) demonstrates CA's aggressive commitment to be a broad suite vendor.
  • CA plays an active role in international identity/security standards for user provisioning. Technical standards (such as SPML) and service management standards (such as ITIL) are supported. Major integration and consulting partners include Deloitte, PricewaterhouseCoopers and Capgemini. Logic Trends, Rolta and TCS are key VARs.
  • CA Identity Manager has comprehensive features, such as policy modeling, integration capabilities, delegated administration, a Web services identity management interface, multiple open interfaces on the back end for connectivity to target systems, and entitlement certification capabilities. Identity Manager's use with CA Clarity PPM for GRCM reporting is a differentiator.
  • Customers like CA Identity Manager's ease of use post-implementation, broad functionality (particularly for workflow needs) and integration capabilities with service management.



Cautions
  • As CA continues to integrate its acquisitions, it will face issues related to the vision and road map of user provisioning, due to previous perceptions of complex implementations.
  • Although great progress was achieved from 2008 to 2009, very little change other than integration has occurred within CA Identity Manager (as evidenced by the June 2008 release date).
  • CA all but ignores the SMB market because its market comprises primarily larger customers (60% of CA's installed customer base is greater than 50,000 users per company). While it actively markets to or solicits SMBs, feature set messaging and support structures are generally tailored to larger accounts.
  • CA customers continue to be concerned about implementation durations, cost and complexity. While most of this is attributable to the use case complexity, CA still needs better presales scoping for fit, post-sales implementation and troubleshooting. Recent steps in CA's rapid deployment project strategy are showing very good signs of addressing post-sales deployment issues.
  • Multiple user interfaces for similar administrator functions, as a result of integrating eTrust Admin and IdentityMinder, are first generation. The connector library could use application support for environments, such as HTTP calls, and fewer customer builds; these issues were noted in the 2008 "Magic Quadrant for User Provisioning" study, and were a highlight for rapid deployment maturity.



Courion

Courion Access Assurance Suite (AccountCourier) v.8.0 (as of April 2008) — also see RoleCourier, PasswordCourier, ComplianceCourier and CertificateCourier




Strengths
  • Courion maintains a spot in the Leaders quadrant and is making some progress due to:
    • Improved product marketing
    • A compelling compliance story
    • Continued technical innovation
    • Product-line expansion in growth areas for IAM intelligence
    • Significant customer wins and competitor displacements
  • Courion is one of few vendors with a fixed-cost implementation strategy. It requires rigorous preproject scoping and customer confidence to succeed, and Courion's track record is very good.
  • Courion usually demonstrates a low product-to-deployment cost ratio — generally in the 1-to-1 or slightly higher range. Of the vendors in the Leaders quadrant, this is the best product-to-deployment cost ratio.
  • Courion continues to do well, despite current economic conditions, by delivering:
    • A good TCO model
    • Integrated role life cycle management
    • A VAR channel network
    • Consistent vision
  • Courion is one of the few vendors in the study to deliver an in-house architected solution. As a result, Courion customers are able to deliver "out of the box" integration for many use cases.
  • Although approximately 70% of the company's customers are SMBs, Courion has extended its reach and delivered scalable solutions for larger customers.
  • To stay competitive with large portfolio vendors (i.e., Oracle, IBM, CA and Novell), Courion leverages a broad partnership model, which includes RSA (The Security Division of EMC) for access management, Imprivata for ESSO, Citrix for enabling Citrix XenApp provisioning and others. Courion's participation in SaaS, with its partners Identropy and Accenture, shows continued innovation.
  • Customers like Courion's simple, compact architecture, quick deployment capabilities, focus on customer requirements, and flexibility in configuration and customization.



Cautions
  • Courion is chasing a shrinking market as a smaller, pure-play vendor, and requires a faster pace of technological innovation, durable partnerships and a compelling business story. To remain competitive, its market must expand horizontally and vertically (e.g., internationally and cross-industry) at a significant rate to avoid marginalization.
  • Courion lacks the global reach of major competitors in terms of marketing, sales and support, and is increasingly dependent on a network of partners for services that it has previously provided. Increased sales mean that Courion will need to transfer its best-in-class planning and deployment skills to those partners, if quality of experience is to be maintained.
  • Established and potential customers do not like the complexity of custom connector construction (required despite the visionary framework), the lack of customizable workflows for access requests/approvals, the length of time needed for the delivery of new connectors, and complex role management. Courion's product road map addresses these issues.



Evidian (A Bull Group Company)

Evidian User Provisioning, Approval Workflow and Policy Manager 8.0, Evolution 2 (August 2008)




Strengths
  • Evidian's Java Platform, Standard-Edition-based user-provisioning solution is more than a decade old with the most-recent release of Version 8, Evolution 2 in August 2008.
  • Evidian is one of the few vendors in the user IAM market that natively constructs the core systems of user provisioning, which are then integrated on a single architecture. Evidian is a Bull Group Company, which has a large international presence.
  • Evidian provides most of the key functions expected of user provisioning, and has particular strengths in the simplicity of deployment and good reporting features.
  • While basic role administration functions are available, an associate partnership with BHold provides additional functionality, such as role mining.
  • Evidian's license revenue has tripled since 2004, as has its penetration in the North American market. Primary markets remain France and Germany. Evidian maintains a significant partnership with Quest Software in access management.
  • Although Evidian has some large implementations, more than 80% of its installed base is in enterprises with fewer than 10,000 seats.
  • Evidian uses its access management solutions as a primary means of introducing user provisioning to the enterprise.



Cautions
  • For access reconciliation and synchronization, Evidian User Provisioning doesn't yet leverage the core provisioning application's workflow.
  • PDF-based presentation isn't yet provided.
  • Autocode generation is not a feature of connector management.
  • Password management functionality is basic: There is no external identity-proofing service support, or help desk or problem management integration.
  • In auditing, predefined reports for specific attestation categories are not yet available.
  • No best-practice SOD controls are available out of the box.



Fischer International

Fischer Identity v.4.0 (June 2009) — IaaS Password Reset and Synchronization Service, IaaS Access Termination Service, IaaS Role & Account Management Service, IaaS Automated Role & Account Management Service, IaaS Privileged Account Access Service, IaaS Identity Compliance Service, Fischer Provisioning, Fischer Password Manager, Fischer iComply, Fischer iFly




Strengths
  • Fischer International remains in the Visionaries quadrant primarily due to its innovation as a managed IAM service provider, and as an "IAM as a service (IaaS)" delivery model through partners in the SaaS and cloud computing markets. The company has a scalable, multitenant, service-based architecture to enable SaaS and hosting by itself and its service provider partners.
  • Fischer remains the only company in the 2009 Magic Quadrant to have staked its success on a cloud-based model. As such, it has even placed a trademark on the phrase "Identity as a Service."
  • Fischer is also one of the few vendors whose solution was developed entirely in-house (i.e., no acquisitions). Its architectural model was first released in 2005, but has since been updated and added to significantly.
  • Fischer permits service providers (and enterprises) to offer user provisioning as a service in several delivery models — perpetual, on-premises, hosted and cloud-based (SaaS) — including highly customized enterprise deployments.
  • Fischer's technology is multitenant, and security is specified for each client organization as well as for the master organization (service provider). As a result, only specified people/roles are permitted to manage each component or process for each individual client organization or the master organization.
  • Fischer's technical architecture is a small footprint, Java-based SOA framework that produces a rapid, configurable delivery model for service providers. Fischer's customer base is small and growth has also been slow. Some of this slow growth is due to world economic conditions, but Fischer has also made a conscious business decision to focus on potential service partners in much of its marketing.
  • Fischer delivers a simple cross-domain framework. It also provides nonstop support for operations, fault tolerance, high-privilege account management and connector management. The company has strong support for cross-industry standards, which has resulted in cross-interoperability across systems.
  • Customers like Fischer's adherence to open standards for heterogeneous platform and application support, its flexibility of workflow development, and its support responsiveness.



Cautions
  • Some customers may consider Fischer's audit and reporting features to be lackluster when compared with more-robust dashboard and GRC-focused interfaces offered by other vendors. Currently, all reporting data is stored in a database for retrieval and report generation using third-party tools.
  • Fischer has a relatively low number of out-of-the-box connectors, although most major systems are represented. However, the solution allows new connectors to be swiftly created and deployed.
  • As the cloud-based model becomes more compelling and accepted, large vendors (such as Oracle and IBM) will increasingly focus on SaaS models for identity management. Their R&D buckets are deeper and their reach is broader. Thus, Fischer is in danger of a large vendor simply thanking it for the "lessons learned" and then taking a dominant market position.
  • Fischer has undergone considerable organizational restructuring with new executive leadership. This may be considered a strength, but it also introduces some uncertainty for prospective customers.
  • Fischer is a small company. Its success depends on its partner network for visibility and support, and on the ability of its product to continue to deliver satisfactorily for those partners.
  • Fischer remains a regional solution rather than an international solution, but it is making inroads. Global presence is needed for the same reasons as strategic partnerships are for name recognition and growth. Fischer has recently started working with multiple partners that can help it extend its global reach.



Hitachi ID Systems

Hitachi ID Identity Manager v.6.0.1 (June 2009), Hitachi ID Password Manager v.6.4.5 (April 2009)




Strengths
  • Hitachi ID claims the top spot in the Challengers quadrant in 2009. In early 2008, Hitachi ID acquired M-Tech Information Technology, a Canadian-based, privately owned IAM company since 1992. M-Tech was well-known first for its P-Synch password management offering, and then it expanded into user provisioning as well as other "point" IAM products and compliance products. Hitachi ID has successfully emerged from the fog of acquisition and is continuing to address the needs of IAM customers.
  • Hitachi ID Identity Manager v.6.0 was a major rewrite of much of the application, with a new back end, a new automation engine and much more. For customers or prospects that may have only looked at previous releases, the new version is worth a second look.
  • Hitachi ID Identity Manager performs general identity management tasks (i.e., provisioning, synchronization, deprovisioning), extending self-service access requests to business users, and manages authorizations (entitlements) directly with built-in workflow. Other components include Hitachi ID Org Manager (business process automation for organization chart maintenance), Hitachi ID Access Certifier (for audit/compliance attestation reporting), Hitachi ID Group Manager (for request-based, self-service Active Directory group management) and Hitachi ID Privileged Password Manager (providing rudimentary shared account password management capabilities).
  • Hitachi ID has an extensive professional service team to design and implement its products, and to train customers on their use and maintenance. It has system integration and consulting partnerships with KPMG, HCC and ACS, although most integration is done by Hitachi ID's service team.
  • Hitachi ID has reseller relationships with providers such as CompuCom Systems, Insight and IBM Global Services. It has partnerships with CA/Eurekify for role life cycle management and Approva for SAP GRCM integration and reporting. Hitachi ID also partners closely with Microsoft.
  • Key product strengths include: (1) self-service login ID reconciliation for users to map logins to profiles, access certification to clean up dormant/orphan accounts and find/remove "stale" privileges; (2) self-service workflow to request accounts and group memberships to automate authorization workflows, instead of (or in addition to) roles; and (3) a managed user enrollment system. The identity repository leverages built-in database replication, which is WAN-friendly (low bandwidth, high latency) and encrypted.
  • Hitachi ID's sales and support staff undergoes an extremely rigorous training and "break in" period, thereby making its technical savvy and customer support record a differentiator.
  • Hitachi ID has one of the lowest software-to-deployment cost ratios (at about 1-to-1). Like a few other competitors, Hitachi ID also offers fixed-cost implementations. This strategy leads to better preproject scoping and increased customer confidence.
  • Customers like the easy configuration, which lowers implementation costs and makes Hitachi ID a good choice for outsourcing and managed service providers that need fast, multiple deployments.



Cautions
  • Even though Hitachi is a global brand, and M-Tech was recognized for solid password management and provisioning solutions, Hitachi ID is still somewhat unknown.
  • Hitachi ID currently lacks robust role-management capabilities. With customers becoming increasingly focused on role management, and with other large vendors incorporating role mining, modeling, and life cycle management capabilities into their products, the lack of such functionality within Hitachi ID's core product set puts it behind the curve.
  • Hitachi ID must compete with larger suite vendors for deals in which the customer is seeking a broad range of products. To compete effectively, Hitachi ID must partner with a shrinking number of best-of-breed vendors.
  • Hitachi ID customers do not like the cumbersome user interface, the need to use a proprietary scripting language to accomplish customizations, and a lack of robust audit-reporting functions. These complaints will be largely mitigated with the release of v.6.0 and above.



IBM Tivoli

IBM Tivoli Identity Manager (ITIM) v.5.1 (June 2009), ITIM for z/OS v.5.0 (August 2008) and ITIM Express v.4.6 (March 2006)




Strengths
  • IBM Tivoli is a global player in several IT management offerings, including service management, and has successfully expanded into IAM during the past 10 years, thereby making IBM experienced in IAM.
  • IBM often expands its IAM offerings via acquisitions on an "as needed" basis. IBM Tivoli's acquisition of Consul, a major z/OS security administration and audit vendor, resulted in the addition of the Tivoli zSecure suite and Tivoli Compliance Insight Manager, thereby improving its identity audit solution for addressing compliance and audit needs. Additional acquisitions (for example, Internet Security Systems) provide integration of ITIM's provisioning, workflow, audit and reporting capabilities to the security event, application development and business intelligence environment, and provide managed service capabilities.
  • IBM Tivoli has made additional improvements on its v.5.0 release in the areas of ease of use and integration of the suite components, as evidenced by early feedback from customers using ITIM 5.1.
  • ITIM supports major platform environments for deployment, including z/OS.
  • Provisioning and approval workflow technologies are relatively complete, with extensive connector libraries. A development kit for unique connectors is also provided. Password management functions and delegated administration are competitive.
  • Policy simulation features in ITIM help users simulate role and/or provisioning policy scenarios to determine their effects on production environments before deployment.
  • For customers interested in deploying roles and role-based access control, IBM has added core operational role management functionality to ITIM 5.1. This feature leverages role structures that are defined outside of ITIM, and, thus, is not a full role management solution — but it is a step in the right direction.
  • For role engineering, IBM has partnerships with several third-party role management vendors to help mine and model roles. Examples of partner offerings that are integrated and certified with ITIM include Aveksa, SailPoint and Securit. IBM also has integrations with Approva and SAP NetWeaver for ERP SOD checking.



Cautions
  • IBM Tivoli's ability to address complex IAM issues for clients is challenged by the complexity of its solution offerings, despite early indications of improvements in ITIM 5.1.
  • Tivoli's approach to addressing customer requirements in project planning sometimes generates project duration concerns. This can be managed with strong customer leadership to curtail "scope creep."
  • While IBM Tivoli has made substantial progress by embedding operational role management into ITIM 5.1, its approach to role engineering via partnerships with other vendors is a noticeable departure and potential deficit for a vendor in the Leaders quadrant. IBM Tivoli's primary competitors (Oracle, CA and Sun) have acquired former partners to fulfill client needs for single-source solutions, and the remaining competitors (Novell and Courion) have a better integration story and execution.
  • Customers remain concerned about the complexity of the product in configuration and deployment, the intensive prework that's necessary to accurately map workflows to business processes, and the effects of version releases on established deployments.



Ilex

Meibo, Meibo People Pack, Sign&go Sante v.3.5 (April 2009)




Strengths
  • Ilex is introduced on the 2009 Magic Quadrant as an alternative to larger competitor provisioning solutions.
  • Ilex is based near Paris with a provisioning platform, productivity toolset and SSO (Web and enterprise) offering as a basic suite. Although it is a small company, Ilex has developed a customer base for one or more of its IAM offerings, particularly in healthcare, public sector and government.
  • Ilex has many of the user-provisioning features found in competitor products, although role management, compliance reporting and connector management are lacking some features.
  • Ilex Meibo 3.5 has a workflow foundation, script editing and integration capability with collaboration offerings. Meibo People Pack provides productivity features for white/yellow pages, organization charts and basic resource management.
  • Ilex supports SPML v.1, and the future edition of Meibo (v.4.0) will include support for SPML v.2.
  • Although initially rated in the Niche Players quadrant, Ilex should be considered for its pricing, relatively simple implementation and configuration capabilities, and feature sets found in the People Pack.



Cautions
  • Ilex is primarily directory and e-mail-centric, and is focused on providing productivity functions for repositories and collaboration suites. While workflow, integration and reporting capabilities are available, they are basic compared with full-scale offerings.
  • Ilex has a small (but growing) customer base and needs to build a more substantial set of customers to gain relevance and consideration.
  • Architecturally, Meibo and Meibo People Pack are loosely integrated, and could use tighter integration to enable the People Pack to leverage more of Meibo's base functionality. This "bridge" is planned for the next release.
  • While Ilex has VARs and system integrators, with the exception of Logica, those partners are relatively small. More partners in these areas are needed to offer more options to clients. Ilex is developing an indirect sales model and is actively seeking partners.



Microsoft

Microsoft Identity Lifecycle Manager (ILM) (May 2007), Feature Pack 1 (October 2007) with certificate management

Future version (1Q10): Microsoft Forefront Identity Manager




Strengths
  • Despite the disappointment of delaying the release of a much-anticipated update to ILM until 2010, Microsoft retains its positioning as a challenger because of its strategic presence and partnerships in the IAM marketplace. Microsoft's new brand for ILM is Microsoft Forefront Identity Manager.
  • Microsoft Active Directory and identity repositories that depend on Active Directory are now virtually ubiquitous. As such, most companies in need of IAM solutions turn to Microsoft for viable alternatives to the primary IAM vendors.
  • Microsoft has its own integration and consulting business, as well as relationships with global integrators and consultants such as Avanade, Accenture, and Oxford Computing Group.
  • Microsoft's relationships also extend to independent software vendors (ISVs), such as Omada, BHold and Evidian, and resellers, such as Quest Software, Omada and others.
  • The technical heart of Microsoft's offering remains metadirectory synchronization through Microsoft ILM 2007 (which is the successor to Microsoft Identity Integration Server [MIIS]). Many Microsoft provisioning implementations are MIIS-based, with ILM deployments growing. Many customers are waiting for (or evaluating) Forefront Identity Manager before deciding whether they want to go with Microsoft as their IAM vendor.
  • ILM 2007 certificate and smart card management includes out-of-the-box auditing and reporting, and the ability to manage users by role through profile templates or managing certificates based on user role.
  • Although the synchronization and user-provisioning component of the product does not include role life cycle management or out-of-the-box reporting, customers can use their established reporting products to get access to the data in the Microsoft SQL database. Partnerships are available for role life cycle management.
  • Microsoft remains the (licensing and startup) price leader, providing products for basic provisioning and identity audit reporting at 50% to 65% of the prices of leading competitors through a simple, Windows-Server-based platform offering. Integrating other component technologies for workflow and role life cycle management (some from partners and integrators) adds more to the cost, but most implementations still occur at 65% to 80% of current competitor prices.
  • Microsoft's ubiquity in the marketplace makes it a potential vendor of choice in the SMB market, after Forefront Identity Manager is released and the initial "lessons learned" reports begin to establish a broad knowledge/experience-base around the product.
  • Customers like the rich and tightly integrated Active Directory/collaboration design of ILM, the balance between function/extensibility vs. complexity, and startup pricing.



Cautions
  • In a sense, Microsoft has backed itself into a corner. The continued wait for "something better" in Forefront Identity Manager (in 2010) is a concern to existing and potential customers. Potential customers may see strategic or tactical advantages to using Microsoft as their vendor, but they don't want to implement a soon-to-be-replaced solution (ILM 2007), they don't want to use a product that is currently only in beta, and they don't trust the anticipated release time frame (1Q10) for the new product.
  • Implementing ILM 2007 is a custom-build process. The product includes an adapter set and Software Development Kit (SDK) to link directories, databases, applications, mainframes and other enterprise systems. Historically, Microsoft has not provided equivalent adapter sets compared with competitors, but customers can use the SDK to build the necessary adapters. Alternatively, some customers may choose (or require) a partner (such as Centrify, Omada or Quest) to add the needed functionality. Microsoft's user-provisioning solution has a pricing model that takes into account the life cycle maintenance costs of a customized solution using its component technologies, or by using its partner program to bring provisioning, workflow, advanced password management and audit reporting together, and to support the custom solution in the long term. Startup prices are still the best in the market, but also consider the total operational life cycle costs to maintain a custom system.
  • Microsoft product planning prioritizes Microsoft-centric customer requirements for user provisioning first, and will continue to address any established or future solution feature set development that way. Although Microsoft supports some connectors to resources (such as SAP, Oracle and Mainframe), customers should be aware that the prioritization of Microsoft over other systems could affect the degree or timeliness of heterogeneous support.
  • MIIS and ILM customers report frustration regarding the custom-build nature involved in deploying the products, the manual nature of setting up reports and the overall component feel of the current solution.



Novell

Novell Identity Manager Roles Based Provisioning Module v.3.6.1 — password self-service for Identity Manager v.3.6.1, Designer for Novell Identity Manager v.3.6.1, Novell Sentinel v.6.1, Novell Identity Audit v.1.0 and Novell Identity Assurance Solution v.3.0




Strengths
  • Novell continues to improve in the Leaders quadrant, although slower than the progress it made in 2008. Although smaller in terms of revenue and reach, Novell continues to succeed via:
    • Continued focus on partnerships, sales and marketing
    • Competitive countermoves and replacements
    • Innovative, enterprise-class products and significant customer wins
  • Novell's product strategy centers on addressing unified policy and compliance management through role-based provisioning management and real-time validation, auditing and remediation. This includes addressing links between business governance and IAM governance.
  • Novell's IAM solution is homogeneous, with almost no acquisitions; the integration among Novell's IAM portfolio products is "deeper" than that of its competitors in the Leaders quadrant. This deeper integration benefits Novell in two ways: (1) customer perception related to how well the products will function together; and (2) the deeper integration can translate into swifter deployment time frames.
  • Novell addresses role life cycle management via a combination of internal-Novell development supplemented by an OEM partnership with Aveksa. Improvements in resource recertification/attestation reporting, and tighter integration with SIEM logging and reporting via its Sentinel product, provide forensic and monitoring capabilities to provisioning management.
  • Novell's network of smaller, regional-based integration and consulting continues to grow through established integration providers such as Atos Origin, Deloitte and Wipro, as well as global alliance partners such as HP and SAP.
  • Novell is an active participant in an open-source identity framework that includes provisioning through its membership in the Eclipse Higgins project. Novell is also active in international standards work with the role it plays in Linux, security and identity. Novell Identity Manager supports SPML.
  • Novell customers like the:
    • Tight integration of the product for different provisioning functions
    • Designer capabilities for configuration
    • Ease of use and functionality of the deployed solution



Cautions
  • Name recognition and customer perceptions of Novell as a major IAM suite provider remain issues. Novell's historical success in other areas did not translate into current or future IAM success, and they hinder Novell's efforts during suite selections.
  • Competitors have additional revenue opportunities (e.g., Oracle's enterprise applications, Tivoli's management platforms) and leverage them with their own IAM solutions. Novell needs to emphasize IAM's role more with its system software business.
  • While Novell's marketing message has improved, issues remain with positioning relative to competitors and to industry presence. A more-comprehensive, service-centric approach is evolving and looks promising, but is incomplete.
  • Contrary to Gartner's opinion, some customers express concern regarding Novell's viability, longevity and continued progress, although the company has no cash concerns and has been very aggressive in addressing competitor moves and in expanding its partner ecosystem.
  • Customers wish for more out-of-the-box reports and a simpler licensing structure. They do not like the degree of customization required for solutions, nor their complexity and licensing complexity.



Omada

Omada Identity Manager (OIM) v.6.2 (April 2009)




Strengths
  • Omada addresses Microsoft-centric user-provisioning needs. It has a strategic partnership with Microsoft to extend Microsoft ILM 2007 and Microsoft Forefront Identity Manager 2010 capabilities for customers. Recent moves to address aspects of SAP-focused provisioning have also occurred.
  • Omada has system integration and reseller partnerships that include, but are not limited to, Logica, Traxion and Avanade. A major part of Omada's staff is dedicated to consulting, integration and support. Solution support is offered directly to the customer or via partners.
  • OIM addresses delegated administration, self-service access requests, SOD, workflows with approvals and compliance reporting with a .NET-based programming platform. It performs some role life cycle management capabilities with its advanced role-based access control (RBAC) module, applying roles over heterogeneous repository and access infrastructures via ILM Management Agents, which are supplied out of the box from Microsoft, Omada, and partners' custom builds.
  • Omada has introduced a SharePoint Governance Manager offering in conjunction with Identity Manager to apply RBAC functionality to SharePoint and deliver compliance reporting for SharePoint. Omada has also made progress in improving levels of integration with SAP, particularly with NetWeaver Access Control.
  • Although about 75% of Omada customers are in EMEA, Omada's sales doubled in North America during 2008 to approximately 10% of the customer base. The remainder is from various parts of the world. Industry vertical penetration is almost evenly and predominantly spread among healthcare, government, manufacturing and utilities.
  • Omada's pricing for OIM is competitive, reflecting lower-cost alternatives to larger user-provisioning offerings via Microsoft "embedded" components in the enterprise (e.g., Active Directory, SQL Server).
  • Customers like the emphasis on Microsoft IAM architecture, the expanded reporting functionality for SharePoint, workflow improvements and good preimplementation/post-implementation support.



Cautions
  • Omada literally uses Microsoft ILM 2007 and Forefront Identity Manager 2010 beta as its foundation for delivering its functionality, thus underscoring Omada's total dependence on Microsoft's IAM direction to be successful. While decisions can be made within Omada for feature sets and new product opportunities, the road map is dominated by Microsoft's road map for IAM.
  • Omada's product development methodology and upgrade process are still volatile, but much better than they were in 2007. Some work is still needed to refine the development and delivery methodology for the product, including post-sales support, and best-practice implementations at the organizational and process level by the customer.
  • While North American market penetration is improving rapidly, a more-uniform distribution of customers worldwide is needed (as well as a support infrastructure for them) before Omada can be considered a major contender in the IAM marketplace.
  • Omada customers do not like the degree of dependency on Microsoft frameworks, nor do they like the early state of Microsoft's role life cycle management features.



Oracle

Oracle IAM Suite and Oracle Identity Manager v.9.1.0.2 (January 2009)




Strengths
  • Oracle is the leader in this Magic Quadrant. It continues to consistently execute on its vision of an integrated and scalable IAM suite. The Oracle Identity Manager platform can run on two different databases, seven different operating systems, four different application servers and multiple Java Development Kit vendors. Oracle continues to demonstrate strong growth in customer acquisitions, and with its broadening global network of resellers and implementation partnerships.
  • Oracle's database back end, the identity repository, is highly scalable, well-understood and proven.
  • Risk-based user self-service decision making is possible through application programming interface (API) integration with identity-proofing services. Oracle Identity Manager can integrate with proofing services by native API integration or when codeployed with Oracle Adaptive Access Manager.
  • Oracle's access to business boardrooms, and to public-sector decision making as a major database and enterprise application provider, is pervasive. The company uses that access for cross-selling opportunities with IAM. An aggressive and accelerated sales and marketing strategy has resulted in a growth rate of customers that is several times the rate of the general provisioning market. This continues to feed global partnership opportunities and customer interest.
  • Oracle has demonstrated an interest in ensuring that its network of global partnerships is properly trained in best practices for implementing and maintaining the IAM products. As a result, these partners (system integrators, VARs and technical partners), such as Deloitte, Accenture, KPMG, PricewaterhouseCoopers and Wipro, and Oracle's consultancy and services in user provisioning, have become more experienced.
  • Oracle's IAM portfolio is broad, including solutions for user provisioning, password management, role management, Web access management, federation, IAM intelligence reporting, directory and virtual directory, fraud prevention/authentication, entitlement management and GRC capabilities. Other IAM-related needs (e.g., ESSO, SIEM) are addressed via partnerships. Oracle continues to demonstrate a commitment to improving integration among the products in its IAM portfolio.
  • Oracle possesses a portfolio and matching vision for IAM, including user provisioning. The message has moved from an earlier strategy of "application centric" provisioning, which addresses provisioning, workflow and reporting needs for a multiapplication environment, to include a "service centric" view of IAM. This message underscores the increasing need for a portfolio that includes provisioning to address requirements in a modular, reusable manner (that is, SOA-centric), and performed with a deployed, in-house implementation or a managed IAM service delivered via hosted solutions.
  • Customers like the access to Oracle's development teams for changes, configurability during deployments, workflow and provisioning engine capabilities and recent improvements in connector library additions.



Cautions
  • IAM-related reporting is accomplished via Oracle BI Publisher. While this is an extremely capable and full-featured product, IAM reporting may seem overly complex for some environments when compared with other vendors' IAM reporting dashboards.
  • While Oracle is known to aggressively discount the cost of connectors, the list price is high and is off-putting to clients.
  • Oracle's integration strategy for SIEM with provisioning compliance and audit reporting is not as mature as that of competitors IBM Tivoli and Novell, although the vision of Oracle's IAM solution includes it. There is generally no stated direction other than that Oracle uses partners for these types of services. Stated direction, market messaging and implementation options are required to validate capability and intent.
  • While Oracle's acquisition of Sun remains incomplete, some potential customers for either vendor are keeping their distance and maintaining a "wait and see" attitude. To satisfy this trepidation, Oracle will need to make strong statements of direction and intent as soon as possible within the legal limits that surround these types of transactions.
  • Despite a concerted effort by Oracle, there continue to be mixed reviews for Oracle integration and deployment experiences attributed to uneven training and experience of consultants and system integrators for the product. However, this is improving.



Quest Software

Quest One Identity Solution — also see Quest ActiveRoles Server v.6.1.0 (November 2008) — ActiveRoles Quick Connect v.4.0 (March 2009), Quest Password Manager v.4.5.1 (November 2008), ActiveRoles Self-Service Manager v.1.0 (November 2008), Quest InTrust v.10.1 (March 2009), Quest Reporter v.6.3 (May 2009)

Quest Access Manager v.1.1 (May 2009) and Quest Authentication Services v.3.5.1 (May 2009)




Strengths
  • During the past year, Quest has focused on increasing the consistency and integration across its IAM-related projects. In addition, Quest has been creating a more-unified marketing message (the Quest One Identity Solution) for its identity management products.
  • Quest Software has a "download and try" product capability on its website that encourages potential customers to test the product. One of the unstated messages is that "you don't need extensive/expensive professional service engagements" to be productive with these tools. However, Quest has a professional service staff that is focused on the integration of multiple Quest products into more-comprehensive solutions.
  • Quest Software continues to expand partnerships and create an expanded vision of how its products work together to achieve "point objectives" and more-strategic initiatives.
  • Quest Software is a major supplier of Windows and Unix management products. ActiveRoles v.6.1 is Quest's offering for enterprise user provisioning. Quest provides user provisioning as a feature set of several Windows, application and database management solutions, and is sometimes used to supplement larger provisioning implementations that do not effectively address Microsoft and Linux-centric administration.
  • Quest Software's marketing approach is direct sale. It possesses system integrator and reseller relationships with IBM Global Services, EDS (an HP Company) and Dell. Active Directory administration and Unix/Linux integration are central to Quest's solution. The company has a growing base of notable customers and deployment scenarios.
  • ActiveRoles is primarily a solution for Microsoft-centric organizations of up to 50,000 users, which account for almost 90% of Quest's sales. In addition to Quick Connect for cross-platform heterogeneous provisioning, the system is integrated with Microsoft's ILM, and can be integrated with IBM Tivoli, Sun or any other systems that support SPML 2.0. Quest also proposes InTrust, ChangeAuditor and Quest Reporter for identity audit reporting and compliance, and for user-provisioning audit reporting. Quest Password Manager has been updated, and ActiveRoles Self-Service Manager has been introduced for expanded password, group and attestation management capabilities.
  • Customers like the relative ease of use and empowerment that come with the ability to quickly understand the systems.



Cautions
  • Quest's IAM product portfolio can come across as a loose collection of "point project" related tools without a central, unifying platform; as such, perception issues may cause some customers to dismiss Quest, even when its products may address customers' needs. This perception is only partly warranted. ActiveRoles is a platform of sorts, but the company's messaging is indeed project-based.
  • The Quest brand uses Microsoft as a delivery platform. For consideration by customers with heterogeneous requirements, Quest must reiterate ActiveRoles' heterogeneous capabilities.
  • ActiveRoles is well-suited for SMBs, but it has fewer customer references in large industry segments of more than 50,000 customers. The solution is scalable, but some of the complexities indicative of large-scale provisioning projects remain outside Quest's core competencies. This will need to be addressed if Quest is to be considered more than a niche player.
  • Customers' concerns usually revolve around uneven post-deployment support, the lack of predefined scripts/functionality and perceived performance issues. Quest recently implemented changes to help address these concerns.



SAP

SAP NetWeaver Identity Management, NetWeaver Identity Management v.7.1 (June 2009)




Strengths
  • SAP NetWeaver Identity Management key features include:
    • User interface and management console
    • Runtime components (linked to external repositories via virtual directory)
    • An Identity Center database for logs, configuration and identity stores
    • Provisioning and workflow functionality
    • User self-service and password management
    • Basic reporting, auditing and logging
    • Metadirectory and identity store
  • The Identity Services framework of SAP delivers a virtual directory technology and virtualization of target systems as part of connector management, and reflects a well-structured, application-driven approach to provisioning.
  • SAP's GRC solution, BusinessObjects Access Control, will be coupled with SAP NetWeaver Identity Management to augment the Identity Services framework, and to deliver provisioning and SOD capabilities.
  • SAP views NetWeaver Identity Management as a significant contributor to the evolution of SAP applications to a common process layer for management. The process modeling layer delivered via SAP NetWeaver Business Process Management leverages a common Identity Management layer to deliver security and context to business process.
  • SAP customers like the rapid implementation and customization capabilities of the product, the basic role life cycle management integration with provisioning, the deep integration with other SAP products via predefined scenarios and the virtual directory functionality.



Cautions
  • SAP's agenda for user provisioning is targeted specifically at established SAP customers, and is primarily for SAP application portfolio and integration needs. While SAP customers may find this differentiating from other vendors, non-SAP customers will not.
  • SAP views NetWeaver Identity Management as vital for counteracting efforts by Oracle to introduce Oracle solutions into a predominantly SAP customer environment via an Oracle IAM solution. Such a defensive approach may protect SAP assets, but adds little for the customer.
  • NetWeaver Identity Management's reporting and compliance capability lacks a number of features, including predefined user, event and compliance reports. These and other reports are actually delivered via SAP's NetWeaver Access Control solution.
  • Current SAP federation functionality is lacking, but evolving. This will cause issues with SAP's plans for a rich SSO experience in its SOA and federation initiatives.



Sentillion

Sentillion proVision v.3.1 (May 2009)




Strengths
  • Sentillion's singular focus is on meeting the identity management needs of healthcare entities. It remains in the Visionaries quadrant due to its continuing innovation in healthcare provisioning needs, continued customer growth, its increasing name recognition within healthcare, and its expanding partner network for resale and system integration.
  • Sentillion customers gain access to its online open-source community — IdMPower — which allows them to share custom-built provisioning software adapters for clinical and nonclinical applications.
  • Sentillion's strategy for user provisioning in a specialized, complex industry is built on the concept of "purpose built" healthcare, and addresses role-based and fine-grained provisioning. Although customers are classified as SMBs by their user count, the complexity of healthcare role environments ensures that planning and implementation remain challenging. Sentillion delivers focused consulting and integration services, and also has some integration partners (for example, CTG HealthCare Solutions and Logic Trends) to address these challenges.
  • Sentillion leverages Active Directory as the identity repository to streamline the infrastructure required to deploy its product.
  • Because of Sentillion's healthcare focus, it provides more out-of-the-box connector (i.e., "bridge" in Sentillion's nomenclature) support to healthcare-industry-specific systems (for example, McKesson-Horizon products, IDX Systems products and ChartMaxx) than most of its competitors do. In addition, Sentillion's industry focus gives it a strategic advantage over its competition in areas where industry policy, terminology or healthcare-specific use cases dominate the project/program needs.
  • Sentillion has a fixed fee for implementation services so that customers know the associated costs upfront. The fixed fee implementation is approximately a 1-to-1 software to service ratio, which is among the lowest of the provisioning vendors.
  • Sentillion has a reseller network that includes companies such as Logic Trends and Vitalize Consulting Solutions to expand product availability in recognition of Sentillion's growth in the healthcare market.
  • Customers like the industry-specific focus, the personalized predeployment customer support during planning and implementation, and the company's quick response to new customer needs.



Cautions
  • Focusing only on healthcare comes with a price. Whether it is support for features or standards, Sentillion is driven by its customers, and the product is a custom solution for the healthcare industry. Sentillion does not sell proVision directly to other markets; however, it is sold in nonhealthcare markets by a network of channel partners. Organizations outside healthcare that are evaluating Sentillion should conduct a side-by-side comparison.
  • Several other vendors (large and small) are beginning to focus their sights on the healthcare market. As these vendors win healthcare accounts, they are able to develop and commoditize healthcare-focused provisioning connectors, reports and other related solutions — thus eating away at Sentillion's competitive advantage. Sentillion must continue innovating and establishing other business partnerships to counter this challenge, expand awareness of the company, and continue to create compelling differentiation between its offerings and more-generic competitor products.
  • Role life cycle management and GRC capabilities remain limited, although Sentillion's capability is generally "good enough" for many customers. However, given the highly regulated industry that it targets, coupled with the increasing general market demand for role management and GRC-focused solutions, we expect that Sentillion will continue innovation in this area as needed.



Siemens

Siemens DirX Identity Business Suite, DirX Identity Pro Suite (September 2008), DirX Audit (June 2009)




Strengths
  • Siemens is one of the world's largest multinational companies in energy, healthcare, communications and other industries, and it has significant resources available for IAM product development, management and delivery.
  • Siemens' latest edition of DirX Identity Business Suite (8.1) was released in September 2008, with an adjunct release of DirX Audit in June 2009. Version 8.1 was released in August 2009, almost eight years after the initial product release.
  • Role life cycle management (e.g., administration, certification, reporting) is part of DirX Identity, based on the RBAC standard, and has been available since 2002. While role discovery is available in the base product, business analytics as a result of the discovery is provided via a partner (Swiss-based ipg).
  • Roughly two-thirds of Siemens' implementations are based in Europe and have grown during the past three years. In terms of vertical industry penetration, Siemens is relatively widespread across most industries, with a slightly larger penetration in government and manufacturing.
  • Siemens provides user-provisioning solutions with good role management functionality, and a partnership model that provides predeployment and post-deployment coverage.



Cautions
  • Siemens DirX Identity does not provide a Web-centric user experience for developers during provisioning, approval and synchronization workflow creation — nor does it provide preformatted workflow templates out of the box.
  • Siemens DirX Audit is an early edition offering with no detailed custom reporting available out of the box. However, prepackaged reports by Siemens are available.
  • Almost 80% of Siemens' implementations are in companies with 50,000 or fewer users, and a significant percentage of these are existing Siemens customers. While DirX Identity is scalable, larger clients are not actively pursued as part of marketing strategy.
  • Siemens' primary focus is on customers of major Siemens systems, of which there are many.
  • While Siemens has improved somewhat via the latest DirX Audit release, concerns still exist regarding capability and messaging around full-scale compliance reporting and business support for GRC needs.



Sun Microsystems

Sun Identity Manager v.8.1 (June 2009) — Sun Role Manager v.4.1




Strengths
  • Despite customer uncertainty about Oracle's acquisition of Sun, the company remains in the Leaders quadrant for 2009. Sun demonstrates:
    • Technical platform expertise
    • Diverse and experienced partnerships in consulting and system integration
    • A growing customer base
    • Consistent customer service
  • At the end of 2007, Sun acquired role life cycle management vendor Vaau to enhance provisioning capabilities and create a more business-centric view for IAM in enterprises. Sun Role Manager is integrated with Sun Identity Manager v.8.0 and above. Feature sets address basic as well as advanced requirements for delivering a role-based framework for better provisioning experiences.
  • Sun is a leader in open source, as shown by:
    • A commitment to deliver open-source versions of its user-provisioning software
    • Engaging proactively in the open identity community
    • Delivering a road map for deploying Sun Identity Manager as a set of consumable Web services and policy abstraction capabilities
  • Sun Partner Advantage Program remains a model for covering consulting, system integration, VAR and ISV needs for user-provisioning offerings, particularly for large-scale vendors. Seventy percent of Sun deployments are with customers that have 50,000 users or more, thereby making Sun one of the most-experienced vendors in delivering solutions for large enterprises.
  • Customers like:
    • The improved compliance reporting
    • The availability of role life cycle management as part of the portfolio
    • Robust customer support programs
    • The pragmatic technical foundation of the product



Cautions
  • Due to the looming acquisition by Oracle, Sun is somewhat of a "lame duck." While the products are sound, uncertainty remains regarding their future, despite Gartner's relatively upbeat projection of little change in the near term. Customer confidence (for existing and potential customers) is low, and many potential customers are not readily including Sun on their shortlists of vendors to evaluate.
  • Sun's competitors are swarming with a "feeding frenzy"-like fervor, hoping to take a chunk out of Sun's sizable customer base. Expect many major competitors to offer migration kits and migration services to woo fearful existing and potential customers away from Sun.
  • As the provisioning market continues to mature, compelling differentiators are necessary to help customers choose a solution. Although Sun continues to demonstrate good vision, its current differentiators in vision are not enough to overcome the negative perceptions and fears regarding the future of the products.
  • Mainframe-centric and Microsoft-Windows-centric integration by Sun has improved, but is perceived by customers as "lightweight" in configurability and capability when compared with some competitors.
  • Sun's Ability to Execute rating has decreased significantly from the previous study due to customer unease, uncertainty about the future of the product line and some missed sales opportunities.



Volcker Informatik

Volcker ActiveEntry v.4.0 (May 2009)




Strengths
  • Volcker Informatik remains in the Visionaries quadrant, moving up in its ability to execute due to its expanded partnership efforts, continued innovation in feature sets for user experience, IAM intelligence, a refined development environment, and improved integration with Microsoft infrastructure (particularly ILM) and applications.
  • Improvements in product vision are evident, particularly in innovations for access to applications, rapid development, role life cycle, a refined and layered architectural model, and expanded compliance reporting.
  • A life cycle IAM approach that emphasizes process automation, compliance automation, role management and workflow is coupled with a multilayered namespace that abstracts key IT control functions from specific IAM provisioning functions for ease of upgrade and maintenance.
  • Volcker's partner model has been significantly expanded, with new integrators regionally (e.g., Computacenter, Devoteam Group, Devoteam Danet) and globally (e.g., Logica, CSC, Fujitsu Technology Services).
  • Low turnover and relatively flexible architecture, combined with an experienced engineering and technical team, have resulted in an expanded multisector customer base (more than 500,000 new customer licenses), despite economic challenges.



Cautions
  • While Volcker has made substantive strides in marketing and visibility, it remains challenging to gain the attention of mainstream decision makers, who prefer branded solutions from larger, established firms to those from smaller firms.
  • Significant scalability improvements have occurred with ActiveEntry 4.0; however, experience with clients that desire very large-scale implementations (more than 500,000 users) is lacking. Wholesale testing and validation by such clients is still required, using the performance and scalability lab provided by Volcker.
  • ActiveEntry remains a solution that is highly effective and innovative in developer hands, but training and education on structural design changes and improvements remain necessary as customer implementations grow and partner developers have complex development support needs.

The Magic Quadrant is copyrighted 30 September 2009 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

© 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.





Acronym Key and Glossary Terms





AIMS 
Avatier Identity Management Suite

API 
application programming interface

BSM 
BMC Software's Business Service Management

EMEA 
Europe, the Middle East and Africa

ESSO 
enterprise single sign-on

GRC 
governance, risk and compliance

GRCM 
GRC management

IAM 
identity and access management

ILM 
Microsoft Identity Lifecycle Manager

ISV 
independent software vendor

ITIL 
IT Infrastructure Library

MIIS 
Microsoft Identity Integration Server

OIM 
Omada Identity Manager

RACF 
Resource Access Control Facility

RBAC 
role-based access control

SaaS 
software as a service

SIEM 
security information and event management

SLA 
service-level agreement

SMB 
small and midsize business

SOA 
service-oriented architecture

SOD 
segregation of duties

SPML 
Service Provisioning Markup Language

SSO 
single sign-on

ITIM 
IBM Tivoli Identity Manager

VAR 
value-added reseller

VM 
virtual machine





Vendors Added or Dropped




We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.





Evaluation Criteria Definitions





Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor’s capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.


Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.