
Overview

Several segments of the identity and access management (IAM) market continue to experience significant innovation in technology, product and service offerings. Chief information security officers and other security professionals should familiarize themselves with Gartner's 2011 Cool Vendors in IAM, and with the potential business benefits they offer.
Startups and other niche vendors, rather than established major players, continue to drive much of the innovation in the IAM market. These aggressive, newer vendors offer innovative and enhanced technologies, but the usual concerns about new market entrants' capabilities and viability may limit enterprises' willingness to commit to their offerings.
Consider innovative products and services including those from Gartner's 2011 Cool Vendors when evaluating products and services to address IAM requirements. However, recognize that these offerings are not appropriate for all enterprises or all implementations. They are likely to be more suitable for Type-A Gartner clients (technologically sophisticated early adopters) than for more risk-averse Type-B or Type-C clients.
Choose IAM products or services for their real-world workability, vendor capabilities and viability, as well as for their technological innovation.
Analysis

This research does not constitute an exhaustive list of vendors in any given technology area, but rather is designed to highlight interesting, new and innovative vendors, products and services. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner has once again identified a set of very strong Cool Vendors in IAM. These up-and-coming technology providers offer IAM products and services based on a broad range of technological approaches and delivery models. One trend that is clearly identifiable throughout their offerings is a serious attempt to deliver IAM components that enhance the user experience to support mission-critical business decisions. These vendors' highly innovative technologies and business models may not be suitable for every enterprise's needs (all enterprises must deal with the usual challenges of new market entrants and new technologies), but their offerings are well worth evaluating. For assessments of Cool Vendors in three other important security market segments, see "Cool Vendors in Cloud Security Services, 2011," "Cool Vendors in Infrastructure Protection, 2011" and "Cool Vendors in User and Data Security, 2011."

AuthenWare
Analysis by Ant Allan and John Girard
Why Cool: AuthenWare offers a practicable, behavioral, biometric authentication technology based on typing rhythm (also known as keystroke dynamics), that is, the cadence of a user's typing. This technique is attractive because the keyboard is a ubiquitous capture device and requires minimal change in user behavior. Other vendors offer this authentication method, but AuthenWare Technology is differentiated by being simple to implement, scalable (AuthenWare claims more than 75 million users) and robust (for example, it has a built-in defense against software "mimic" attacks, it evaluates additional user behavior as well as contextual information, and it is the only typing rhythm product that can claim Common Criteria certification at Evaluation Assurance Level 2+), as well as by providing a good user experience (it is transportable across different endpoints, which extends its sampling techniques to touchscreen interactions on smartphones and tablets, and it offers a low false nonmatch rate).
Although it is a U.S. company, AuthenWare began building its market in Europe, where it has gained several clients, notably the multinational telecommunications carrier Telefonica and two Spanish government agencies. It has also expanded internationally, with government, media and banking clients in South Africa and Latin America. It has been increasingly active in marketing and sales in the Americas through 2010. The management team has substantial experience in technology markets (with backgrounds in companies such as BEA Systems, Citrix Systems, Fuego and Plumtree Software). Many Gartner clients report that they have a positive view of AuthenWare.
Challenges: AuthenWare's biometric authentication method adds a true second authentication factor to an existing legacy password, without adding another device or agent, and without adversely impacting user experience. Nonetheless, it remains unclear whether it provides the high level of assurance that some enterprises will need in some high-risk use cases. An enterprise could layer AuthenWare Technology with another vendor's method to increase assurance, but that would add cost and complexity and would erode the user experience. However, like other biometric authentication methods, AuthenWare's approach hinders account sharing and, thus, provides a higher level of accountability than, for example, personal-identification-number-protected smart cards with public-key infrastructure credentials. AuthenWare is one of more than a hundred authentication vendors that focus on a single class of authentication method. Such "pure play" vendors face the challenge of competing with established vendors that offer a broad portfolio of authentication methods to meet varied needs. A partnership with such an established vendor, which would typically lack a biometric authentication offering, could be fruitful for AuthenWare. If the company wishes to target financial services and adjacent markets, then it will also need to establish partnerships with Web fraud detection vendors. AuthenWare must also pursue an agent-based solution for the client-side interaction in order to become part of the login defense for mobile devices, because without an agent its use will remain limited to online services.
Who Should Care: Information security and IAM leaders may want to evaluate AuthenWare as an alternative to traditional medium-assurance authentication methods for Web applications and Secure Sockets Layer virtual private networks. AuthenWare is of particular interest in use cases where user experience is particularly important and intrusive authentication methods are a problem for users (especially across varied endpoint devices), and where the costs of acquiring and distributing tokens would be prohibitive. Another potential benefit is that AuthenWare Technology can, in "silent" mode, provide additional input to the dynamic risk assessment used in Web fraud detection and other misuse management tools.
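As an added illustration of the typing-rhythm approach described above (example code written for this page, not AuthenWare's product or algorithm), the following enrolls a template from constructed dwell and flight timings and scores new samples against it; the z-score distance, the 1.5 threshold and the exact-replay check are assumptions of the example, and the trade-off they expose is the one the text names, false nonmatch rate against false match rate.

```python
"""Toy keystroke-dynamics verifier: enrollment builds a template of dwell and
flight times, verification scores a sample by mean absolute z-score."""
from statistics import mean, pstdev

def typed(phrase, dwells, flights):
    """Build constructed key events [(key, press_ms, release_ms)] from per-key
    hold times and between-key gaps, starting at t=0."""
    events, t = [], 0
    for i, key in enumerate(phrase):
        events.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell (hold) time per key, followed by flight time between keys."""
    dwell = [rel - press for _, press, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template = per-feature mean and standard deviation over the enrollment
    samples (5 ms floor on sigma), plus the raw vectors for replay checks."""
    vecs = [features(s) for s in samples]
    mu = [mean(col) for col in zip(*vecs)]
    sigma = [max(pstdev(col), 5.0) for col in zip(*vecs)]
    return mu, sigma, vecs

def score(template, events):
    """Mean absolute z-score; lower means closer to the enrolled rhythm."""
    mu, sigma, _ = template
    vec = features(events)
    return sum(abs(x - m) / s for x, m, s in zip(vec, mu, sigma)) / len(vec)

def verify(template, events, threshold=1.5):
    """Accept when the rhythm is close enough. A higher threshold lowers the
    false nonmatch rate but raises the false match rate. Timings identical to
    a stored enrollment sample are rejected as a suspected replay, since
    human typing always varies a little (an assumed, simplified mimic check)."""
    if features(events) in template[2]:
        return False
    return score(template, events) <= threshold

# Constructed enrollment samples for the phrase "pass": holds of ~90-110 ms
# and gaps of ~125-145 ms, each sample varying slightly as real typing does.
ENROLL = [typed("pass", [100, 95, 105, 90], [130, 140, 125]),
          typed("pass", [110, 90, 100, 95], [140, 130, 135]),
          typed("pass", [95, 100, 110, 100], [125, 145, 130])]
TEMPLATE = enroll(ENROLL)
GENUINE = typed("pass", [102, 96, 104, 92], [132, 138, 128])   # same user
SCRIPTED = typed("pass", [40, 40, 40, 40], [60, 60, 60])       # uniform cadence
```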

ForgeRock
Analysis by Gregg Kreizman
Why Cool: ForgeRock supports directory, user provisioning, Web access management (WAM) and portal products based on and extending Sun Microsystems' very capable open-source software products. Prior to Sun's acquisition by Oracle, Sun's IAM stack was widely deployed and well-regarded by its customers. Oracle made Sun's role life cycle management product strategic, and incorporated some elements of Sun's other IAM products into its established products. However, Oracle is expected to phase out development of most of Sun's products over time.
ForgeRock has been able to attract former Sun developers, and has also created partnerships with established integrators who are experienced with Sun's products. The company has added and "road mapped" significant new features. These enhancements emphasize platform independence and the use of protocol and interface standards to support a world that is increasingly interconnected by services. ForgeRock is building its customer base, and has already landed some large customers, most of which are not former Sun customers.
Challenges: ForgeRock offers a mostly complete open-source IAM software stack, including WAM, federation, security token service, user provisioning, directory and virtual directory products. However, almost all this functionality is also available from other vendors with mature product offerings. ForgeRock also faces competition from open-source point solutions, and from OpenIAM for user provisioning, WAM and federation capability. "Open source" is not synonymous with "free," and most enterprises will need support, particularly if they choose to use commercial versions of the products that ForgeRock extends with new functionality. Sun's products were full-featured, but also complex to deploy. ForgeRock's marketing and sales have been focused on a technical audience, and this message will need to be adapted to resonate with CIOs, as well as personnel in enterprise lines of business, who increasingly influence IAM decisions.
Who Should Care: IAM leaders who are planning new initiatives, and who work within a corporate culture with a preference for open-source software, may wish to consider ForgeRock. They should pay particular attention to support pricing, and the potential hidden costs of customization and integration with established enterprise systems.

UnboundID
Analysis by Perry Carpenter
Why Cool: Traditional directory environments are built on the assumption that they should support a large number of "read" transactions, but a relatively low number of "writes." In many cases, this assumption is valid, but in large environments, the number of authentication attempts and even the demand related to synchronization of attribute-level changes can cause the directory to become sluggish or contain unreliable ("stale") data. This problem can impact enterprises and their customers in a number of ways. For example:
Sluggishness may cause customer-facing application login attempts to be unacceptably slow.
Sluggishness in "real time" lookups that determine security authorizations to application features may make the application seem slow or time out in some circumstances.
Stale data may cause customer preference settings to be inaccurate.
Stale data may impact regulatory compliance, if latency allows a user to access data after permission for that data was supposed to be removed.
UnboundID creates reasonably priced next-generation directory service (LDAP, proxy and synchronization) products built from the ground up, with massive scalability, security and high performance in mind, and is especially suited to the growing identity and personalization demands of Web-based, cloud-based and mobile computing backbones. UnboundID's offering is specifically built to support multitenancy, advanced replication/synchronization options, SQL-like "join" functionality, granular logging and tracking, as well as advanced options for data security and privacy.
Challenges: UnboundID faces two main obstacles:
Convincing customers to choose a "best-of-breed" (or "off brand") directory server to meet their identity repository needs. Since many IAM solutions include their own LDAP directories or have preferred directories, some customers may never consider a vendor such as UnboundID.
While UnboundID has already attained a respectable client base (13 companies comprising 350 million licenses) and impressive year-over-year growth (400% from 2009 to 2010), it focuses only on directory services, rather than on a broad range of IAM-related products and services, and this may limit its number of prospective customers.
To be truly successful, UnboundID needs to be seen as the "Rolls-Royce of directories" but within the price range of a Kia and with the service reputation of a Honda.
Who Should Care: Enterprises or service providers that need to break traditional paradigms related to LDAP should consider UnboundID. This is especially important for enterprises with large-scale, transaction-heavy, customer-facing applications. For this reason, UnboundID is particularly well-suited for telecommunications, e-commerce, software-as-a-service (SaaS) and cloud environments.

Veriphyr
Why Cool: IAM systems need intelligence to function and to be relevant to the enterprise. This intelligence must be derived from the many disparate sources of IAM information, from directories and policy repositories to the event and information logs generated by access and administration activities. If that information is properly gathered and analyzed, it can provide the answers required for a compliance audit, or prevent a disastrous access breach. Unfortunately, most enterprises have neither the time nor the resources to devote to the detailed data cleansing, collating, correlation, aggregation and analytics necessary to derive these benefits. This is where Veriphyr steps in.
Veriphyr isn't cool because it is an identity and access intelligence (IAI) provider, but rather because it delivers IAI using a SaaS model. A client delivers specific identity information to Veriphyr based on its reporting and analysis needs, and Veriphyr responds with a set of reports and analyses on topics ranging from dormant, orphaned and underused accounts to shared logins, and from patterns of activity behavior that imply common roles for groups of users to correlations of users to their many IDs. Veriphyr's premise is that users are what they do (that is, their activities and accesses), not what their managers think they do. Combining activity and access information from IAM and other systems makes it possible to discern patterns and make decisions based on the maximum intelligence possible. Many IAM vendors are able to offer parts of these capabilities, but Veriphyr's approach as a service-based intelligence provider with a pay-for-use pricing model is currently unique in the market.
Challenges: Veriphyr depends on the information it receives from its clients. That information must be available, and the client is assisted in extracting it and sending it. Initially, that assistance is minimal, but it can grow based on client needs. The process of preparing the data for analysis can sometimes reveal "gaps" that Veriphyr analysis must accommodate. Other types of analysis done by the company are performed by humans, rather than by analytics software, so scalability concerns will emerge as the company grows, and also if customer requirements become more complex. Veriphyr also faces the challenge of clients that are reluctant to allow sensitive identity-based information to be sent to an "outside agent" for analysis.
Who Should Care: Audit and compliance reporting providers in the enterprise are particularly interested in the nature and type of analysis and reporting provided by Veriphyr. Program managers engaged in large-scale merger-and-acquisition efforts find the quick turnaround time of service-based analysis valuable in consolidating the access profiles of employees. IT security architects and planners are also interested in tools that help to build access profiles based on actual activities, not just on the access as it has been defined.
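The kinds of analysis listed above, as an added example that is not Veriphyr's service or code: checks for orphaned, dormant and shared accounts, and grouping of accounts by what they actually do, run over a constructed HR roster, account inventory and access log. The 90-day dormancy cutoff and the 10-minute two-address window are assumed thresholds.

```python
"""Constructed identity-and-access-intelligence checks: orphaned, dormant and
shared accounts, plus grouping accounts by what they actually do.
Sample data below (roster, inventory, log lines) is constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

ROSTER = {"e101": "finance", "e102": "finance", "e103": "engineering"}
ACCOUNTS = {  # account -> (owner employee id, last login date)
    "alice": ("e101", "2011-03-20"),
    "bob": ("e102", "2011-03-21"),
    "carol": ("e103", "2010-11-02"),
    "svc-old": ("e999", "2011-03-01"),   # owner no longer in the roster
}
LOG = """\
2011-03-21T09:00:05 alice 10.0.1.4 read ledger
2011-03-21T09:02:10 alice 10.0.1.4 read payroll
2011-03-21T09:03:00 bob 10.0.1.9 read ledger
2011-03-21T09:04:30 bob 10.0.1.9 read payroll
2011-03-21T09:05:00 alice 192.168.7.7 read ledger
2011-03-21T09:06:00 carol 10.0.2.2 commit repo
"""

def parse(log):
    rows = []  # (timestamp, account, source ip, "action:resource")
    for line in log.splitlines():
        ts, acct, ip, action, res = line.split()
        rows.append((datetime.fromisoformat(ts), acct, ip, action + ":" + res))
    return rows

def orphaned(accounts, roster):
    """Accounts whose owner has no HR record."""
    return sorted(a for a, (owner, _) in accounts.items() if owner not in roster)

def dormant(accounts, as_of, days=90):
    """Accounts with no login in the `days` days before `as_of`."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=days)
    return sorted(a for a, (_, last) in accounts.items()
                  if datetime.fromisoformat(last) < cutoff)

def shared_logins(rows, window=timedelta(minutes=10)):
    """Accounts used from two different source IPs within a short window."""
    uses = defaultdict(list)
    for ts, acct, ip, _ in rows:
        uses[acct].append((ts, ip))
    flagged = set()
    for acct, seen in uses.items():
        for i, (t1, ip1) in enumerate(seen):
            if any(ip2 != ip1 and abs(t2 - t1) <= window for t2, ip2 in seen[i + 1:]):
                flagged.add(acct)
    return sorted(flagged)

def activity_roles(rows):
    """Group accounts by the set of actions they perform; identical sets
    suggest a common role ("users are what they do")."""
    acts = defaultdict(set)
    for _, acct, _, act in rows:
        acts[acct].add(act)
    groups = defaultdict(list)
    for acct, s in acts.items():
        groups[frozenset(s)].append(acct)
    return sorted(sorted(g) for g in groups.values())
```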

Lumidigm
Why Cool: In 2004, Gartner profiled Lumidigm in "Cool Vendors in Security and Privacy" and identified it as a Cool Vendor in authentication because of its novel biometric technique of skin spectroscopy, based on the discovery that every human being's skin has unique optical characteristics. We noted then that Lumidigm's challenge would be to gain credibility for its unique biometric technology in a market dominated by fingerprint, face topography and iris structure technologies.
Where Are They Now? Lumidigm reports that, before it could gain market traction, it repurposed its technology at the request of a U.S. government agency to develop a new kind of fingerprint sensor (capture device) using multispectral imaging. The claimed advantages of this technique are that it captures superior images quickly, on all people, in all environmental conditions. According to Lumidigm, unlike other common sensor types, performance isn't affected by moisture, dry or dirty skin, or bright ambient light. Unlike some other sensor types, multispectral imaging captures surface and subsurface ridge patterns, and analyzes the spectroscopic characteristics of the surface, thereby making it less vulnerable to facsimile attacks.
Who Should Care: A client told Gartner that one particular advantage of the Lumidigm technology is its ability to capture a fingerprint image through a medical glove. Ultrasound sensors can also do this, but they are far bulkier and more expensive, which should make Lumidigm sensors appealing to healthcare delivery organizations. Other enterprises selecting fingerprint biometric authentication also may benefit from Lumidigm's ostensibly superior performance.
 © 2011 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.

Acronym Key
IAI	identity and access intelligence
IAM	identity and access management
SaaS	software as a service
WAM	Web access management