Magic Quadrant for User Administration and Provisioning
User administration market growth peaked in 2011. Notable trends include continued convergence with identity and access governance products. Buyers continue to demonstrate regulatory compliance with UAP, while reducing project deployment times and costs.
This document was revised on 21 January 2013. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
Defining Identity and Access Management (IAM)
IAM is a set of processes that may use technologies to manage the following across multiple systems:
- Users' identities — each comprising an identifier and a set of attributes
- Users' access — interactions with information and other assets
The major functional categories of IAM technologies are:
- Authentication: Authentication technologies provide real-time corroboration of a person's claimed digital identity (authentication methods) to broker authentication over multiple systems (single sign-on) and to propagate authenticated identities (federation). Authentication methods embrace different kinds of authentication attributes and mechanisms — sometimes in combination with various physical form factors (for example, hardware tokens, smart cards or mobile phones). At the time of this writing, passwords are still the most commonly used method of authentication (see "A Taxonomy of Authentication Methods, Update").
- Authorization: IAM authorization technologies provide access control through enforcement, and are used to determine the specific scope of access to grant to an identity or application. They provide real-time access policy decisions and enforcement (based on identities, roles, rules, entitlements and attributes). Users should be able to access only what their job functions allow them to access. Web access management (WAM), externalized authorization management, identity-aware networks and digital rights management tools are examples of authorization technologies.
- Administration: IAM administration technologies perform identity-related administrative tasks (for instance, adding a user account to a specific system). In general, administration tools provide automation for performing identity-related work that would otherwise be performed by a human. Examples include tasks such as creating, updating or deleting identities (including credentials and attributes), and administering access policies (rules and entitlements). User provisioning is an IAM (that is, user) administration technology.
- Analytics: Identity and access analytics technologies collect, correlate and analyze data, as well as audit, report and support rule-based decision making based on identity and identity-related intelligence. This data helps organizations measure, manage and optimize performance to achieve security efficiency and effectiveness, and to deliver business value.
User administration and provisioning (UAP) is a combination of administration and analytics technologies that provide an effective foundation for authentication and authorization in the enterprise. Characterized in this way, user administration is a fundamental part of an overall IAM technology strategy and program.
IAM is based on a foundation of identity repository technologies that include enterprise Lightweight Directory Access Protocol (LDAP) directories, virtual directories, metadirectories, logs and relational databases. These repositories can be viewed as a virtual "identity data warehouse." A formal identity data and log model defines the relationship between the data elements found in these repositories, as well as the format, frequency of collection and data relationships of data found in the logging systems for these categories. An effective and properly supported data model is critical for the success of UAP.
While standard LDAP directories remain the identity repository of choice, there are complexity and performance requirements that dictate database participation. LDAP directories are optimized for speed, scale and authentication. Fine-grained authorization and detailed policy support require a database. UAP identity data and log models recognize both directories and databases as identity warehouse repositories working in concert.
Defining User Administration and Provisioning
UAP solutions are the main engine of identity administration activities. These tools have some or most of the following functions:
- Workflow and approval process automation
- Password management (with the ability to support self-service)
- Other credential management
- Role life cycle management (also part of identity and access governance [IAG])
- User access administration (with the ability to support self-service)
- Resource access administration (with the ability to support self-service)
- Basic identity analytics (excluding modeling, mining and detailed analytics found in IAG tools)
- Basic IAG features or the ability to support IAG functionality from another vendor
UAP solutions address enterprise requirements to create, modify, disable and delete identity objects across heterogeneous IT system infrastructures, including OSs, databases, directories, business applications and security systems. Those objects include:
- User accounts associated with each user
- Authentication attributes ("credentials") — typically for information system access, and then most often just passwords, but sometimes for physical access control
- Roles — business level, provisioning level and line-of-business level
- Application and data entitlements (for example, assigned via roles or groups, or explicitly assigned to the user ID at the target system level)
- Group membership or role assignments from which entitlements may flow
- Explicit entitlements
- Other user profile attributes (for example, name, address, phone number, title and department)
- Access policies or rule sets (for example, time-of-day restrictions, password management policies, how business relationships define users' access resources, and segregation of duties [SOD])
UAP products are a subset of identity administration, which is a subset of IAM (analytics, administration, authentication and authorization). All user administration products offer the following capabilities for heterogeneous IT infrastructures:
- Automated adds, changes or deletes of user IDs at the target system (that is, provisioning)
- Password management functionality — for example, simplified help desk password reset, self-service password reset and password synchronization, including bidirectional synchronization (which is sold as a separate product by some user provisioning vendors because they had their start there)
- Delegated administration of user provisioning
- Self-service request initiation
- Role-based provisioning through capabilities provided by role-based features or through IAG partners
- Workflow — provisioning and approval
- HR application support for workforce change triggers to the user provisioning product
- Reporting the roles assigned to each user and the entitlements that each user has
- Event logging for administrative activities
A comprehensive UAP solution has the following additional capabilities:
- SOD administration and reporting: Enterprises need to automate and manage application-level business policies and rules to identify SOD violations. They also need to quickly remove those violations from the application environment, and to ensure that new SOD violations are not introduced in the course of the ongoing management and identity administration of the application. Today, SOD tools exist primarily for ERP applications. ERP-specific, transaction-level knowledge is required to successfully enforce SOD in these environments. However, a generic SOD framework is required to address all SOD application needs in the enterprise. Typically, a role is used as the container to segregate conflicting business policies in the application environment. Many user provisioning vendors deliver capabilities for this heterogeneous framework. Having a generic role management function may not alleviate an ERP product's need for ERP-specific SOD tools because these tools have extensive integration with ERP applications. User provisioning vendors should continue to partner with ERP vendors to deliver complete SOD solutions.
- Role administration: Regulatory compliance initiatives are directing IAM efforts back to the beginning for role development. Organizations long ago realized the importance of managing the entire life cycle of user identities. In the same way, managing the life cycle of a role is critical. Enterprises need the ability to automate processes to:
- Manage formal and informal business-level roles for any view of the enterprise (for example, location, department, country and functional responsibility), and to feed user provisioning products to ensure that the link is made between the business role and associated IT roles.
- Establish a process by which the new roles are created, and tie those new roles to a role administration function or an IAG product.
- Deliver a generic framework to address role administration. Most user administration vendors are partnering with role life cycle management vendors, acquiring them or building that expertise with user administration.
- Audit reporting: Meeting the regulatory compliance requirements of reporting on SOD, roles, "who has access to what," "who did what," and "who approved and reviewed what" (which is referred to as "the attestation process" in auditing terms) for all IT resources can be complex and expensive. Reporting tools need to be in place to leverage the user provisioning authoritative repository, and all other repositories that are used for the authentication and authorization process to produce reports on SOD, roles, "who has access to what," and "who approved and reviewed what," which include the entire enterprise's IT assets. In addition, centralized event logs for all identity management activities — those from the user administration and access management products, as well as all systems where authentication and authorization decisions are being made in real time — are needed to do a proper job of reporting who did what.
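The SOD administration bullet above describes a role as the container for conflicting business policies, and the audit reporting bullet calls for "who has access to what" reports that cover entitlements flowing from roles as well as those assigned explicitly at the target system. The following Python example is added here to illustrate that; it is not code from the Gartner report or from any vendor's product. It models users, roles, entitlements and SOD rules as plain data, runs a detective check (existing violations for every user), a preventive check (would a requested role assignment introduce a new violation?) and a role-design check (does a role itself bundle a conflicting pair?). Every user, role, entitlement and rule name is constructed for illustration.

```python
"""Segregation-of-duties (SOD) checks over provisioning data.

Added example, not part of the original report. All identifiers below
(users, roles, entitlements, rule ids) are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    """A pair of entitlements that no single user may hold together."""
    rule_id: str
    left: str
    right: str


# Constructed role definitions: role -> entitlements ("system:permission").
# PAYROLL_ADMIN is deliberately badly designed: it bundles a conflicting pair.
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"erp:create_vendor", "erp:enter_invoice"},
    "AP_APPROVER": {"erp:approve_payment"},
    "PAYROLL_ADMIN": {"hr:edit_salary", "hr:approve_salary"},
    "AUDITOR": {"erp:read_ledger"},
}

# Constructed SOD policy.
SOD_RULES = [
    SodRule("SOD-01", "erp:create_vendor", "erp:approve_payment"),
    SodRule("SOD-02", "erp:enter_invoice", "erp:approve_payment"),
    SodRule("SOD-03", "hr:edit_salary", "hr:approve_salary"),
]

# Constructed assignments: role membership plus explicit grants made
# directly at the target system (the report lists both as identity objects).
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_APPROVER"},
    "carol": {"AUDITOR"},
    "dave": {"PAYROLL_ADMIN"},
}
USER_EXPLICIT = {
    "carol": {"hr:edit_salary"},
}


def effective_entitlements(user, user_roles=USER_ROLES,
                           user_explicit=USER_EXPLICIT,
                           role_ents=ROLE_ENTITLEMENTS):
    """Union of entitlements flowing from roles and explicit grants."""
    ents = set(user_explicit.get(user, set()))
    for role in user_roles.get(user, set()):
        ents |= role_ents.get(role, set())
    return ents


def violations_for(entitlements, rules=SOD_RULES):
    """Rule ids whose conflicting pair is fully present in the set."""
    return sorted(r.rule_id for r in rules
                  if r.left in entitlements and r.right in entitlements)


def detective_report(user_roles=USER_ROLES, user_explicit=USER_EXPLICIT,
                     role_ents=ROLE_ENTITLEMENTS, rules=SOD_RULES):
    """'Who has access to what', with SOD findings, for every known user."""
    users = set(user_roles) | set(user_explicit)
    report = {}
    for user in sorted(users):
        ents = effective_entitlements(user, user_roles, user_explicit, role_ents)
        report[user] = {"entitlements": sorted(ents),
                        "violations": violations_for(ents, rules)}
    return report


def preventive_check(user, requested_role, user_roles=USER_ROLES,
                     user_explicit=USER_EXPLICIT, role_ents=ROLE_ENTITLEMENTS,
                     rules=SOD_RULES):
    """Rule ids that adding requested_role would newly violate for user.

    Raises KeyError for an unknown role so a request can never silently
    grant nothing. An empty list means the request is clean to approve.
    """
    current = effective_entitlements(user, user_roles, user_explicit, role_ents)
    before = set(violations_for(current, rules))
    after = set(violations_for(current | role_ents[requested_role], rules))
    return sorted(after - before)


def role_self_conflicts(role_ents=ROLE_ENTITLEMENTS, rules=SOD_RULES):
    """Roles that contain a conflicting pair on their own (role-design defects)."""
    found = {}
    for role, ents in role_ents.items():
        hits = violations_for(ents, rules)
        if hits:
            found[role] = hits
    return found


if __name__ == "__main__":
    for user, row in detective_report().items():
        print(user, row["entitlements"], "violations:", row["violations"])
    print("self-conflicting roles:", role_self_conflicts())
    print("alice + AP_APPROVER would add:", preventive_check("alice", "AP_APPROVER"))
```

The preventive check compares the violation set before and after the requested role so that a user who is already in violation is not blocked for a pre-existing finding; those show up in the detective report instead, which is where remediation belongs. The role-design check is the piece a generic role framework needs before any user-level check is meaningful: a role that bundles a conflicting pair puts every member in violation the moment it is assigned.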
No UAP vendor (or suite vendor) provides all the capabilities noted above without some partnering. For most enterprises, additional products are required to round out the functionality set. Security information and event management (SIEM) tools can be used for "who did what" reporting at the event level, with granularity by time of day, geography, network port and other details; and we are seeing increased vendor interest in creating integration paths between core IAM products and SIEM (and other) analytics tools that generate intelligence. Data loss prevention (DLP) tools provide "content awareness" for accessing files and databases, and will play a significant role in delivering more-precise entitlement assignments in role administration (see "Introducing Content-Aware IAM" and "SIEM and IAM Technology Integration").
Magic Quadrant for UAP Evaluation Areas
The 2012 Magic Quadrant focuses on ease of deployment, ongoing operations, and maintenance and vendor management as signs of maturity. It also evaluates marketing vision and execution, and analyzes sales and advertising execution as part of the overall experience:
- How do the UAP vendors deliver core user-provisioning capabilities as an enterprise management system in support of an ongoing, changing business environment? Similar to the 2011 "Magic Quadrant for User Administration/Provisioning," in 2012, Gartner evaluated such capabilities as:
- Maintaining workflow and connectors, software services (scripts) and related functionality
- Ability to integrate user administration with the HR application
- Building authoritative repositories
- Because UAP is a maturing market, Gartner also evaluated the following for each vendor:
- Marketing and sales effectiveness in terms of market understanding, strategy, communications and execution
- Organizational effectiveness for such services
- Ability to change to reflect customer demands
- Overall success, as measured by customers
- Increased attention was given to:
- The vendor's strategy and vision related to IAG and role administration — particularly in terms of identity analytics, compliance reporting and remediation
- Compliance reporting, ease of use and the "attractiveness" of reporting to end users (via templates, applicable dashboards and so on)
- Adjacent technologies in governance, risk and compliance management (GRCM), SIEM, network access control (NAC) and DLP, and their ultimate impact on analytics for user administration and the early stages of service-architected user administration to prepare for service-based (that is, cloud-computing-based) requirements (early uses of large-scale user administration are already evident)
- How much (and how little) the products support large vendor-focused ecosystems (for example, SAP)
Source: Gartner (December 2012)
Atos offers DirX Identity Business or Pro Suite v.8.2B (November 2011).
In July 2011, Siemens IT Solutions and Services was acquired by Atos Origin, an IT consulting and managed service organization. The resulting company was renamed Atos. Atos' DirX business is headquartered in Germany because of its Siemens heritage; however, Atos is based in France. The DirX suite includes the Audit, Identity (provisioning and account management), Access, Directory and Biometrics product lines. With DirX having been developed by one of the world's largest multinational companies in government, manufacturing, healthcare and other industries, significant resources were available for IAM product development, management and delivery.
- DirX Identity is a product with a proud heritage. Despite its lack of name recognition in some circles, the many aspects of the DirX product line have been on the market since 2002 and are used by some of the world's largest companies.
- Many core aspects of IAG are included in DirX Identity.
- Atos enjoys a healthy stream of residual maintenance revenue from current customers. That revenue stream is enough to secure Atos' continued investment in the DirX suite.
- Atos has a good track record of managing very large IAM deployments, and having satisfied customers.
- Although Atos is committed to IAM, growth of this business line (new sales) has been somewhat stagnant.
- Many of Atos' UIs seem dated. Customers who expect rich drag-and-drop admin experiences and/or support for mobile devices will be disappointed.
- Many other vendors outpace Atos in innovation. Customers considering Atos are generally very large companies that are seeking a custom fit, and this is where Atos shines best.
Avatier offers Avatier Access Risk Management (June 2012).
Avatier is an identity management vendor that focuses on UAP, password management, audit and compliance reporting, and SOD/rule enforcement.
Avatier's focus is on creating products with clean interfaces that are simple and easy for end users and administrators to understand. The result is a very intuitive, graphical-user-interface-driven environment that is business-friendly. A positive benefit is that implementations generally are much shorter compared with most competitors.
- Avatier strives to be one of the most innovative vendors in the IAM market. It demonstrates consistent execution on its vision, as well as significant (large and notable) customer wins and quick turnaround times for deployments.
- Avatier's UIs, design principles and target delivery platforms (including mobile devices) are appealing to new-generation IAM buyers.
- Compared to many well-known IAM vendors, Avatier's customer comments stand out as reflecting extremely satisfied customers.
- Avatier competes against large IAM suite vendors, such as Oracle and IBM, and can have difficulty gaining the attention of decision makers at larger enterprises, where larger competitors enjoy more access and exposure.
- As a stand-alone provider, Avatier must partner with a shrinking number of partners to provide suite-style solutions to clients that want them.
- Avatier's products can appear to be more expensive than those of other vendors. However, customers should note that software cost is only one component of the total cost of ownership (TCO), and Avatier has a solid record of implementing more quickly and less expensively than many competitors.
CA Technologies offers CA IdentityMinder 12.6 (July 2012).
CA Technologies is a major vendor in the IAM market. It provides a suite of products that includes CA IdentityMinder, which is CA's user administration offering. CA Technologies has an ambitious, cloud-centric strategy, and has delivered cloud-based IAM services, including user administration (under the moniker CA CloudMinder Identity Management).
CA Technologies plays an active role in international identity and security standards (technical and process-centric) for user provisioning.
- CA Technologies provides one of the most comprehensive strategies for cloud-based IAM in the market today, recognizing the probable hybrid nature of such future implementations.
- CA Technologies' global presence and robust ecosystem of technology partners, resellers and system integrators (SIs) enable its products to be purchased and deployed throughout the world.
- Initially released in 2002, CA IdentityMinder's features and functions have been honed based on customer demand, innovation and industry need over the past decade. The CA IdentityMinder product is mature and has been road-tested by many of the largest companies in the world.
- CA Technologies' user administration interface is improving, but equipping business users and IT administrators with user-friendly functionality can still be challenging.
- While CA Technologies' cloud strategy is extremely relevant in meeting market needs, its message and product have yet to gain significant market traction.
- CA Technologies lacks some of the enthusiastic customer testimonials and positive feedback that a number of other vendors enjoy.
Courion offers Courion Access Assurance Suite (July 2012), Access Risk Management Suite and CourionLive (May 2012).
Courion is a mature pure-play IAM vendor recognized as a significant competitor to larger IAM-suite-based alternatives. The company's earliest roots were in the password management market, and Courion has grown to provide viable full-service user administration and IAG experiences. Courion's focus for several years has been on delivering IAM solutions that are compliance-focused and business-friendly. Courion was one of the first vendors to focus on IAG.
To stay competitive with larger portfolio vendors (for example, Oracle, IBM Tivoli, CA and NetIQ), Courion leverages a product partnership model that includes (among others):
- RSA, The Security Division of EMC, for access management
- Imprivata for enterprise single sign-on (ESSO)
- Cyber-Ark Software for shared account/privileged account management
- Radiant Logic for virtual directory solutions
- Citrix for enabling Citrix XenApp provisioning
In May 2012, Courion released CourionLive, a cloud-based version of its suite.
- Courion offers a fixed-cost implementation option. It requires rigorous preproject scoping and customer interaction.
- Courion has the lowest ratio of product license cost to integrator cost (1-to-less-than-1) of any vendor in the Leaders quadrant. This is because of the ease of deployment, its large library of out-of-the-box connectors for target systems, and the fact that it is the only vendor to offer fixed-priced development of new connectors.
- Because Courion's IAM products were created in-house, rather than obtained through acquisition, Courion's products share the same code base and offer a plug-and-play integration experience with each other.
- Although Courion has many customers in the 25,000 to 100,000 user range, its average customer deal is smaller than its primary suite-based competitor.
- Courion still faces name recognition issues. Other larger and formidable brand names immediately come to mind when customers begin their IAM product searches. Thus, Courion may be inadvertently overlooked in an organization's RFI and/or RFP process.
- Early in 2012, a number of customers complained about Courion's ability to deliver professional services to meet the needs of new engagements. Courion has addressed this issue — but a surge of unexpected growth could make issues like this resurface. Courion needs to keep a close eye on its ability to deliver professional services and/or to bring on new SI partners.
Dell-Quest Software offers Dell Quest One Identity Manager 5.1 (March 2012).
Quest Software (now a part of Dell) moved from the Challengers quadrant to the Leaders quadrant this year because of its continued innovation, creation of a compelling IAM-related product set, execution of vision and significant customer wins.
With its acquisition of German IAM provider Voelcker Informatik in July 2010, Quest now offers a combined best-of-breed IAM solution backed by a global sales, service and development organization. Quest One Identity Manager expands Quest's IAM support significantly beyond the current Microsoft-centric audience, and provides an effective foundation for an identity data model as part of a user administration solution. Voelcker's ActiveEntry solution also provides Quest with extended functionality in IAG (see "Quest Software Acquires Voelcker Informatik: Standardizing Customization for IAM").
Additionally, Quest has been acquiring other interesting IAM technologies (BiTKOO for authorization management, Symlabs for virtual directory and eDMZ for shared account password management). Thus, it has been assembling a formidable collection of IAM-related tools.
In July 2012, Dell announced its intent to purchase Quest for $2.4 billion. That acquisition was completed on 28 September 2012.
- The combination of the acquired assets from Voelcker and Quest's other recent IAM-related acquisitions (described above) signals an aggressive move to build a full-featured, enterprise-class IAM portfolio, with Quest One Identity Manager serving as the core user administration solution.
- Quest is able to offer provisioning, full-featured IAG and other IAM functionality from a single vendor, but with the shorter implementation time frames normally associated with best-of-breed vendors.
- Quest One Identity Manager has a superior UI development capability and a mature workflow function and extensibility.
- The innovative nature of Quest One Identity Manager could be eroded if the company loses focus by taking on too many acquisitions or as a result of loss of focus related to Quest's acquisition by Dell.
- Quest's progress has been slow in being recognized as a viable competitor to major IAM suite vendors, particularly beyond the Microsoft-centric customer base. The acquisition by Dell adds some additional uncertainty in the short term.
- The current marketing and sales strategy for the consolidated Quest One Identity Manager is still evolving as acquisitions are converged, including Identity Manager's relationship with other Quest products. Dell needs to state a vision and road map for this product line soon.
Evidian offers Identity & Access Manager v.9, evolution 1 (June 2011).
Based in France, Evidian has a long history as a user administration vendor in Europe. With the recent release of its solution, Version 9, in June 2011, Evidian introduced a significant product update in terms of functionality (including backward compatibility), packaging and delivery.
- Evidian is a significant regional player within European markets, where its name recognition is strong.
- For those seeking a full IAM suite from a single vendor, but not wanting to purchase from one of the large vendors (for example, CA Technologies, IBM and Oracle), Evidian is a viable option (particularly for prospective buyers in Europe). Evidian has solutions for user administration, IAG, WAM, identity federation and ESSO.
- Evidian natively constructs the core systems of user provisioning, WAM and ESSO on a single architecture, resulting in an integrated look and feel to the suite, and an implementation experience with ease of integration among the suite components.
- Although Evidian is successfully growing revenue, the pace of growth over the past three years has been only modest.
- Evidian has a strong, healthy presence in Europe, but is having difficulty establishing itself in other regions. For instance, market share in North America fell from 12% in 2008 to 11% in 2009, to 7% in 2010 and to 7% in 2011.
- Evidian's reporting options are limited when compared to its major competitors.
Fischer International offers Fischer Identity as a Service (IaaS) as its software as a service (SaaS) version (November 2011) and Fischer Identity Suite as its on-premises version (November 2011).
Fischer International offers a scalable, multitenant, service-based architecture for user administration delivered as a SaaS or on-premises solution. The company also provides a hosted version itself and via its service provider partners, in addition to on-premises delivery. Fischer has been an innovator in cloud-based IAM architecture for several years. It has actually trademarked the phrase "identity as a service."
The technical product architecture is service-oriented-architecture-based and Java-based, has a small footprint, and (on average) has been delivered more quickly than equivalent competitor offerings. Fischer's customer base is small, but has been growing steadily as more potential clients consider cloud-based options for user administration.
- Fischer's technology is multitenant, and security is specified for each client organization and for the master organization (service provider).
- The company delivers a cross-domain framework that has high-reliability characteristics and consistent performance. It provides nonstop support for operations, fault tolerance, high-privilege account management and connector management, and Fischer's technology requires no scripting.
- Fischer has a number of highly satisfied clients with extremely large seat counts. This is particularly true in higher education.
- Fischer has successfully established an ecosystem of resellers, partners and integrators needed for large-scale success.
- Although Fischer was one of the first IAM vendors to develop and market IAM solutions as a service, it may suffer from being in the market before the market was ready. Thus, it has struggled to find its place. Fischer was operating in an identity as a service (IDaaS) model before doing so was popular. And Fischer was optimized for the cloud before that was popular. As a result, many people found Fischer interesting and visionary, but not relevant for their situation. Now the market is catching up, and a number of vendors with more established and recognized brand names are offering similar services, and Fischer may struggle to demonstrate competitive differentiation and value.
- Fischer lacks some of the compliance and audit features that highly regulated enterprise customers require.
- Fischer is a small company that depends significantly on its partner network for visibility and support.
Hitachi ID Systems offers Hitachi ID Identity Manager and Hitachi ID Access Certifier, which is bundled with Identity Manager (April 2012).
Hitachi ID Systems moves from the Challengers quadrant into the Leaders quadrant this year because of sustained customer success, innovation and its continued commitment to its IAM vision.
Originally founded in 1992 as M-Tech Information Technology and acquired by Hitachi in 2008, Hitachi ID Systems has a long heritage as an IAM vendor. Hitachi ID Identity Manager (first released in 2002) is one of three products in the Hitachi ID Management Suite — the other two being Hitachi ID Password Manager and Hitachi ID Privileged Access Manager. Identity Manager performs identity administration tasks, such as automated provisioning, self-service and delegated request portals, approval workflows, SOD and role-based access control (RBAC) policies, access certification, organization chart construction, and so on.
Hitachi ID Systems has an extensive professional services team to design and implement its products, and to train customers and partners regarding the configuration and management of their IAM systems. Hitachi ID Systems has system integration and consulting partnerships with KPMG, Hitachi Consulting, Atos, Hitachi Systems (Japan), Hitachi Information Systems (Shanghai), and a variety of boutique and regional integrators. Most integration is performed by Hitachi ID Systems' solution delivery team.
- Hitachi ID is dedicated to creating an extensible architectural platform that will aid in future growth. Among its key product strengths, (1) it has many built-in components that integrate administration and governance functions into a single solution; (2) the base price includes all connectors and unlimited servers; (3) user adoption is aided by a managed enrollment system and accessibility from Web browsers, PC login screens and mobile devices; and (4) it has multiple policy enforcement engines, including SOD detection and prevention, and RBAC enforcement with controlled scope.
- Hitachi ID Systems has a large number of reseller and channel partners, enabling global reach for sales and implementation. In addition, the Hitachi name is recognized across the globe.
- Hitachi ID Systems sells user administration and IAG as a single solution. Hitachi ID Access Certifier (Hitachi's IAG product) is included with the purchase of Hitachi ID Identity Manager.
- Hitachi ID Systems has one of the lowest ratios of product cost to deployment cost (at about 1-to-1). Like a few other competitors, Hitachi ID Systems also offers fixed-cost implementations. This strategy usually leads to better preproject scoping and increased customer confidence. Hitachi ID Systems continues to focus on reducing the cost of services in deployments.
- Hitachi ID Systems manages a number of custom code branches to meet varied individual customer needs. Although this can be a plus for its clients, it could become a maintenance nightmare for Hitachi ID Systems.
- Hitachi ID Systems still faces some name recognition challenges with prospective IAM clients.
- Hitachi ID Systems' interfaces are clean, usable and customizable; however, in a number of ways, the interfaces trail a number of competitors in the overall look and feel.
IBM offers IBM Security Identity and Access Assurance, Security Identity Manager 5.1 (October 2011).
IBM Security Identity Manager (formerly IBM Tivoli Identity Manager) is one of the most highly recognized user administration offerings in the IAM market, and is part of an IAM suite solution found in midsize-to-large enterprises globally. Security Identity Manager has a comprehensive feature set typical of user administration products and a significant installed customer base using those features. The product's managed and hosted service offerings are offered via IBM Global Services and IBM's global partner network. SaaS options are offered by partners such as Lighthouse Computer Services, Ilantus Technologies and Logica.
In addition to Global Services, IBM has partnerships with global and regional SIs, which include Deloitte, Accenture, Unisys, Atos, TCS, Wipro and smaller partners.
- IBM sells identity administration and IAG as a single solution. IBM's Role and Policy Modeler (IBM's IAG solution) is bundled in with Security Identity Manager.
- IBM's experience and heritage in user administration are unsurpassed. Identity Manager was first released in May 1999, and IBM has been a key vendor in literally thousands of IAM implementations across the globe.
- Policy simulation features in IBM Security Identity Manager help users simulate role and/or user administration policy scenarios to determine their effects on production environments before deployment.
- Security Identity Manager's provisioning and approval workflow technologies are comprehensive. IBM Tivoli Directory Integrator, a development kit for unique connectors, is also included with the product, as are full runtime versions of DB2, WebSphere Application Server and IBM Tivoli Directory Server. Adapter or connector options for database, mail, OS and network systems are extensive.
- Customer feedback regarding Role and Policy Modeler is lackluster at best. However, the product is functional and, in many circumstances, good enough to help customers achieve their IAG goals.
- IBM's security and identity management divisions have been undergoing a number of reorganizations, specifically moving the capabilities out of Tivoli into a newly formed security division. This seems to have impacted its marketing and sales as well. Gartner has noticed a significant drop in the number of clients requesting information about IBM.
- Many IBM customer references express dissatisfaction at the complexity of their implementation experience; however, IBM is taking proactive steps to address this.
Ilex offers Meibo 5.0 (July 2012) and Meibo People Pack 2.3 (May 2012).
Based in Asnieres-sur-Seine, France, Ilex provides three major products: Sign&go (Web and ESSO), Meibo (workflow, basic provisioning and some role management) and Meibo People Pack (extended reporting and audit for provisioning). Founded in 1989, Ilex has accumulated a growing, solid customer base, predominantly in France. With features such as Service Provisioning Markup Language (SPML) support, a simple design and user-friendly interface, and good connector kits for provisioning and single sign-on (SSO), Ilex is able to effectively compete in a number of healthcare, banking and finance, telecommunications, and transportation industry segments against larger competitors.
- Ilex demonstrates continued, focused innovation in its product sets. Product UIs are clean and business-friendly. Compared with many IAM products, Meibo and Meibo People Pack are relatively simple and cost-effective to implement. As a result, Ilex has a number of satisfied customers.
- Ilex has demonstrated the ability to win clients facing highly sophisticated IAM needs (for instance, healthcare and government).
- In recent years, Ilex experienced very healthy growth in its target region (France).
- Ilex is a small vendor. That gives it the agility to innovate and support client needs as they arise. But its current size will be a limitation when it comes to fueling the sales, marketing and development efforts needed for larger-scale growth.
- It is almost solely focused on obtaining and serving customers in Europe (specifically, France). To truly compete against other IAM vendors, expansion is necessary.
- Ilex has established partners to support global expansion, but those partnerships have not yet generated significant results.
Microsoft offers Microsoft Forefront Identity Manager (FIM) 2010 r.2 (June 2012).
With Microsoft's release of FIM in early 2010 and the release of FIM 2010 r.2 in mid-2012, Microsoft has established a user administration offering that continues to evolve incrementally, with important core features such as improved password and credential management, expanded SharePoint and Active Directory support, and expanded connector options. Microsoft's asset acquisition of Netherlands-based Bhold in September 2011 was an early indicator of its interest in expanding IAG support in FIM as well. For Microsoft-centric enterprises, the depth of integration can be truly robust.
Customers can use Microsoft to simulate many aspects of a traditional IAM suite by combining FIM, Active Directory, Active Directory Federation Services (AD FS) 2.0, and Unified Access Gateway (UAG).
- Microsoft sells user administration and IAG as a single unit. Microsoft's IAG solution (Microsoft Bhold Suite) is bundled with FIM 2010 r.2.
- FIM is very reasonably priced compared with other major IAM vendors. List price is $15,000 per server and $18 per client access license (CAL). FIM has a server license for each server on which FIM components are installed. This gives the license holder the right to use FIM server software. A CAL is required for each user for whom the software issues or manages identity information. This includes managing smart cards, as well as issuing and managing user access to digital certificates. CALs are not required to synchronize identity information for users and administrators who are using only the FIM synchronization service.
- FIM 2010 r.2 brought Web-based password reset functionality for FIM and a number of reporting improvements, helping Microsoft get closer to the expected feature set of a robust IAM solution.
- The majority of FIM customers report that they are very satisfied with FIM.
- Microsoft continually lags behind the market when it comes to delivering IAM functionality. FIM 2010 was delivered approximately two years late. FIM 2010 r.2 didn't deliver significant innovation. The bundling in of Bhold with FIM 2010 r.2 is a welcome addition, but there was no real innovation to that product between the time that it was acquired (September 2011) and when it was released (June 2012).
- Microsoft is working to catch up with other vendors regarding the number of connectors offered out of the box. However, Microsoft has actually delivered a new connector framework for FIM 2010 and FIM 2010 r.2, and delivered new connectors from FIM to SAP, Oracle E-Business, Oracle PeopleSoft and IBM Lotus Notes (aka Domino). This new connector framework will enable Microsoft to deliver more connectors in the future that are out of band from major product releases.
NetIQ-Novell offers NetIQ Identity Manager 4.0.2 (June 2012) and NetIQ Access Governance Suite 6 (February 2012).
NetIQ continues to develop, market and support the identity-related and security-related assets it received from its parent organization's acquisition of Novell in April 2011. The company also continues the tradition of innovation that Novell has had in these markets. Its IAM portfolio of products is well-respected by industry experts, technology professionals, long-standing customers and enterprise users seeking a complete solution for provisioning. Significant new customer wins, such as Verizon's cloud-based security solution, and its strategic partnership with VMware, further illustrate the company's innovation by moving into cloud computing and IDaaS markets.
Relocation of Novell's IAM business within NetIQ seems to have been a good thing for these solutions and the company. Many potential clients that weren't interested in doing business with Novell are now more open-minded about NetIQ. As a result, NetIQ's IAM products have experienced very good year-over-year sales increases.
NetIQ addresses IAG through a combination of internally developed products and SailPoint products integrated under a license agreement. Improvements in resource recertification and attestation reporting, as well as tighter integration with SIEM logging and reporting via NetIQ's Sentinel product, provide forensic and monitoring capabilities to provisioning management.
- The Identity Manager 4 suite has significant compliance and analytics functionality, addressing unified policy needs through combined basic IAG functionality and SIEM product integration.
- Integration among NetIQ's core IAM products is homogeneous, and deployment times and customer experience are very good.
- NetIQ has established a good ecosystem of partners, resellers and integrators to help serve customers and deploy its products.
- Some customers report frustration with the perceived invasiveness of NetIQ licensing audits.
- Many prospective customers are still unaware of NetIQ's place in the IAM market. NetIQ needs to more effectively market its capabilities to gain greater relevance.
- NetIQ is still evolving its IAG strategy for a post-OEM IAG world, which will impact its UAP offering.
Omada offers Omada Identity Suite (OIS) 9.0 (June 2012).
Omada addresses compliance-centric user provisioning needs, resulting in enterprise solutions that can manage advanced business scenarios across heterogeneous environments. Omada Identity Suite is built on Microsoft technologies, such as SQL and .NET C#. Omada has a strategic partnership with Microsoft, because OIS can use Microsoft's Sync engine (FIM 2010 Sync or ILM 2007 Sync) as middleware for provisioning users to target applications. It also has a long history with SAP and recently enhanced its SAP integration capabilities, such as integrating with SAP BusinessObjects GRC.
Omada is also focused on providing business-centric GRCM solutions. This demonstrates its business-focused market approach, and its ability to provide products and services that are not purely based on its Microsoft relationship. In the past year, it has taken steps to enhance its GUI significantly, and to enhance its attestation and recertification offering with high-end risk management capabilities, such as risk assessment surveys. Omada has system integration and reseller partnerships that include Avanade, Logica and Traxion. A major part of Omada's staff is dedicated to consulting, integration and support. Solution support is offered directly to the customer or via partners. In addition to Omada's enterprise solution OIS, Omada provides add-on tools for the FIM 2010 portal product, such as its graphical workflow designer for FIM.
- Omada's pricing for OIS is competitive, reflecting lower-cost alternatives to other large user-provisioning offerings via Microsoft's embedded components in the enterprise (for example, Active Directory and SQL Server).
- Omada's ability to integrate seamlessly using, for example, FIM management agents as one out of several provisioning methods creates a competitive and relatively easy-to-deploy IAM system.
- Omada has invested heavily into its enterprise service bus (ESB) integration strategy via its provisioning broker strategy, enabling it to integrate through not only FIM Sync but also generic ESBs, such as SAP NetWeaver Process Integration and Tibco Software's ActiveMatrix.
- Although Omada is profitable, the company's revenue is relatively stagnant. Its customer base is larger in Europe than in the U.S. (although progress has been made in the past three years).
- The company is smaller and less known than many stack vendors, but its strong focus makes it relevant in the marketplace.
Oracle offers Oracle Identity and Access Management Suite and Oracle Identity Manager (OIM) 11g r.1 (May 2011).
Oracle clearly stands out as the leader in this year's study. The company continues to execute on a vision of an integrated IAM suite, and has expanded its vision of delivery methods to include cloud-computing-based alternatives in recent announcements. OIM provides a comprehensive feature set for user administration that is available as a stand-alone product, or it can be integrated with Oracle Identity and Access Management Suite. Oracle's acquisition of Sun Microsystems in 2010 expanded that suite in terms of components and features, and expanded Oracle's user administration customer base and market opportunity for OIM extensively. As of this writing, many former Sun Identity Manager customers are remaining with Oracle and taking their time to consider alternatives based on Oracle's timeline for user administration support through 2014. Sun Identity Manager is under Oracle's lifetime support policy (see www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf). Thus, Sun customers should note that they have support options beyond 2014. Existing Sun Identity Manager customers do not necessarily need to view 2014 as the end of the road for the IAM implementation. They can stay with their current implementation under sustaining support.
OIM provides user provisioning, password management and role administration as part of the broader suite, which includes IAG, WAM, ESSO, privileged account activity management, federation, directory and virtual directory, fraud prevention, authentication, and externalized authorization management. Other IAM-related needs (for example, SIEM) are addressed via partnerships. Oracle continues to demonstrate a commitment to improving integration among the products in its IAM portfolio. As of this writing, Oracle has released OIM 11g r.2 (August 2012); however, it is not specifically evaluated in this report.
- The release of Oracle Identity Management 11g is a competitive differentiator for Oracle, because it offers a truly integrated IAM platform that is based on internally developed and externally acquired software. Once integrator training and experience related to the deployment of 11g increase, it is possible that deployment costs and time frames associated with implementing the 11g generation will be noticeably improved over previous versions.
- Oracle's access for user administration at all enterprise levels (business to IT) is pervasive and supported through its other product portfolios. The company uses that access for cross-selling opportunities with IAM.
- Oracle has an extensive set of partners for user administration, consulting and system integration, including (but not limited to) Deloitte, Accenture, KPMG, PwC and Wipro, as well as Oracle's consultancy and services in user administration.
- Oracle offers per-processor licensing ($180,000 per processor — list price) that bundles user provisioning, IAG, and Oracle's new privileged user management solutions. This makes licensing much easier to understand for large enterprises, and can offer significant savings over per-seat pricing.
- Despite many of the improvements in cross-product integration and the UI, many customers still experience significant difficulties in implementing the products. Oracle needs to expand its efforts in proactively helping clients scope their IAM program, assess their true needs and set expectations.
- Oracle's per-connector price can be overly expensive when compared to other competitors who are treating connectors as commodities.
- Although Oracle is developing and socializing an IAM cloud strategy, it is behind a number of competitors in this area. A lag in this area, even when the majority of customers are only "window shopping," could result in the perception that Oracle is not a significant thought leader.
SailPoint offers SailPoint IdentityIQ v.5.5 (November 2011).
SailPoint moved from the Visionaries quadrant to the Leaders quadrant largely because of the increased traction of its value proposition as a single vendor covering both IAG and user administration.
SailPoint is a long-standing player in the IAG market and serves compliance-focused organizations well. Its original offering augmented customers' user provisioning systems to meet needs in role and compliance management, and identity governance. Through the 2011 acquisition of BMC Software's IAM technology, SailPoint gained access to BMC connectors (to augment existing provisioning options) and BMC's Identity Manager customers. This is significant because BMC's service management and process-centric approach to provisioning are a good match for SailPoint's business-focused UI and ability to leverage help desk and third-party provisioning systems as fulfillment mechanisms.
SailPoint's IdentityIQ product provides user provisioning fulfillment and connector capabilities, IAG, self-service access request, and password management. The code base is a Java enterprise application that supports server containers from IBM WebSphere, Oracle-BEA Systems and open-source options, such as The Apache Software Foundation and Red Hat. SailPoint's identity warehouse uses relational data schemas from Oracle, IBM DB2, Microsoft and MySQL. IdentityIQ supports the breadth of technical standards for access, policy definition and the data formats normally required in an identity administration system.
- IdentityIQ provides a relatively comprehensive set of provisioning and IAG functionality, and a compelling road map.
- SailPoint continues to experience extremely rapid growth in its customer base in North America and in international markets. IdentityIQ clients report positive design and deployment experiences. The majority of BMC's legacy client base appears to be satisfied with SailPoint's ownership of the BMC assets.
- SailPoint offers a business-focused UI that is comprehensive and usable out of the box.
- SailPoint is a very late entrant into the user administration market, which is dominated by powerful competitors. Marketing differentiation remains a challenge. SailPoint's real value is always in the combined sale of provisioning and IAG — not stand-alone provisioning.
- Although it is an agile company, SailPoint will have to work hard to stay ahead of the competition, because a growing number of vendors now have a combined provisioning and IAG offer. SailPoint will need to find and articulate relevant points of differentiation and superiority.
SAP offers SAP NetWeaver Identity Management v.7.2 (December 2010).
SAP is a global leader in business management software. It enjoys strong name recognition and is deployed widely in many of the world's largest organizations. SAP NetWeaver Identity Management is its current UAP offering for managing identities. NetWeaver Identity Management does support some non-SAP application and infrastructure environments, but is optimally designed for providing UAP to SAP-centric enterprises.
NetWeaver Identity Management provides significant IAG features for role-based administration and auditing for SAP applications incorporated into UAP. Virtual directory functionality is also provided. Key updates to support federation and SSO have been introduced, as have improvements in the UI environment and integration with various SAP applications, such as Access Control and Business Warehouse for analytics improvements.
In August 2012, SAP released a "rapid deployment solution" of preconfigured product templates and professional services packaged into the license cost to improve implementation time, leveraging IAG features to speed deployment of the product. Implementation projects at customer premises can be led by SAP consultants or a selection of solution integrators.
- SAP's global reach and extensive customer base ensure that IAM practices can be captured and leveraged for IAM product improvements.
- SAP's Identity Services framework delivers a virtual directory technology and virtualization of target systems as part of connector management, and reflects a well-structured, application-driven approach to provisioning.
- SAP Access Control (for GRC management) is coupled with SAP NetWeaver Identity Management to augment the Identity Services framework, and to deliver user administration and SOD capabilities.
- SAP NetWeaver Identity Management is optimized for SAP customers. Although there is some support for other enterprise application environments, it is most effective in SAP-dominated environments.
- SAP is not well-known as a UAP provider, despite its global reach. More visibility is needed.
- Although positive steps have been taken to improve integration and deployment services, SAP lags competitors in expanding its consulting and system integration partner portfolio.
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.
- Ilex was added because of increased growth and maturity.
- Beta Systems was dropped because of its stated move to offer IAG as its strategic product offering.
Other Vendors of Note
Aveksa has deep roots in the IAM market. It has recently expanded its capabilities to include UAP. By combining UAP and IAG, Aveksa is able to manage the complete life cycle of user access to information resources through an automated, continuous process for access request, approval, fulfillment, review, certification and remediation.
Aveksa's UAP product, Access Fulfillment Express (AFX), employs an open-source ESB that is composed of public message definitions, interaction patterns and adapters. AFX's ESB model may resonate well with enterprise architects who are familiar with — and appreciate the flexibility associated with — an ESB.
Like other European IAM vendors, Germany-based Beta Systems has many of the access request and certification features included as part of its user provisioning offering. SAM Enterprise Identity Manager is notable for its business-process-centric approach to implementing workflow for IAG processes, and has IAG reporting and some intelligent analysis functionality. A recent partnership with Microsoft leverages that company's BI capabilities with Beta Systems' identity data warehouse, and Beta Systems is poised to enter the IAG market in 2013. SAM Enterprise Identity Manager is being updated to include integrated discovery and analytics functionality for constructing an identity data and log model, and the company is on track to be considered an identity administration and governance provider in 2013.
Based in Munich, Germany, econet was founded in 1994. It entered the user provisioning market in early 2006 with cMatrix — a service management, service-oriented offering targeted at service providers primarily in EMEA. In many respects, econet's marketing and sales model is very similar to Fischer International's model. Early clients included Siemens and KPMG. The company continues to market to the IDaaS candidate — that is, the provider of such service or the client interested in developing a private IDaaS experience.
ForgeRock supports directory, user provisioning and WAM based on and extending Sun Microsystems' very capable open-source software products. Prior to Sun's acquisition by Oracle, Sun's IAM stack was widely deployed and well-regarded by its customers. Oracle made Sun's role life cycle management product strategic, and incorporated some elements of Sun's other IAM products into its established products. However, Oracle is expected to phase out the development of most of Sun's products over time.
ForgeRock has been able to attract former Sun developers, and has also created partnerships with established integrators that are experienced with Sun's products. ForgeRock has added and "road mapped" significant new features. These enhancements emphasize platform independence and the use of protocol and interface standards to support a world that is increasingly interconnected by services. ForgeRock is building its customer base and has already landed some large customers — most of which are not former Sun customers.
ForgeRock's user administration product, OpenIDM, may be interesting to many organizations seeking alternatives to large IAM vendors. The road map for OpenIDM is posted at https://wikis.forgerock.org/confluence/display/openidm/OpenIDM+Road map.
A Mountain View, California, company, Fox Technologies (FoxT) has products that focus primarily on access control and service account management. However, FoxT ApplicationControl addresses basic elements of password management, account administration (including basic provisioning) and audit reporting as part of an IAM package — including SOD enforcement, monitoring and reporting.
Institute for System-Management
Based in Rostock, Germany, Institute for System-Management (iSM) is a small company focused on German-speaking-country markets with its bi-Cube product for provisioning, SSO, and process and role administration. Privately funded, this 10-year-old enterprise takes a process-centric, business intelligence focus to deliver a series of preconfigured process and configuration modules ("cubes") that can be linked together to provide user provisioning and role administration functionality. It has a small customer base in Germany, Austria and Spain in large industries, such as telecommunications and insurance. iSM continues to refine the modules to form a more standardized user provisioning and process management product offering.
Lighthouse Computer Services
Headquartered in Lincoln, Rhode Island, Lighthouse Computer Services established its SaaS-based offering after building up experience developing a managed offering in the U.S. defense market. Lighthouse's offering is unique, because it has overlaid a common, easy-to-use graphical administration capability onto IBM Tivoli's core IAM products to deliver a relatively complete set of IAM functions as a multitenant, SaaS-based service.
Lighthouse's approach enables customers to take advantage of the feature sets of IBM Security's provisioning, WAM and federation products, while being shielded from many of those products' complexities. This provides integration hooks into many enterprise identity repositories for automated provisioning, and leverages these repositories as authentication and entitlement sources. Although extensive administrative and access control event data is logged, reporting is the customer's responsibility. Several SaaS target applications have been integrated with the service.
Headquartered in Cortlandt Manor, New York, OpenIAM has created an integrated suite of provisioning, access management and federation components offered in professional open-source and enterprise licensing models. These components use a common ESB for integration. OpenIAM's Identity Manager product provides the core capabilities found in other commercial products, such as self-service, password management and audit, and it includes SPML-based connectors to many commonly used targets.
The company's Access Manager product provides support for password-based and certificate-based authentication, coarse-grained and fine-grained authorization, XACML 2.0, and SAML identity provider and service provider federation. It also includes a security token service. OpenIAM has been fortunate to receive support from early government and SI customers, which have been pushing and funding OpenIAM to expand its capabilities. OpenIAM offers a very attractive support and pricing model.
The Dot Net Factory
The Dot Net Factory was founded in 2005 and is based in Dublin, Ohio. EmpowerID is a role-based identity and entitlement management system built on a business process automation platform to perform identity administration and IAG functions. The EmpowerID product line offers many IAM-related capabilities, including provisioning, role management, password management, file share management and SharePoint management. EmpowerID has been shown to scale extremely well, with an average customer deployment size in the 30,000-user range, and with a number of clients using EmpowerID to manage several hundred-thousand user objects.
EmpowerID has a reputation for delivering meaningful implementations significantly faster than many large and well-known UAP vendors because of the large number of precreated IAM workflows (more than 375) that are available out of the box.
Vendors must have met the following criteria to be included in the 2012 Magic Quadrant:
- Support for minimum, core user provisioning capabilities across a heterogeneous IT infrastructure:
  - Automated adds, changes and deletes of user IDs at the target system
  - Password management functionality
  - Delegated administration
  - Self-service request initiation
  - Role-based provisioning supported by role administration
  - Basic identity analytics through analytics and reporting
  - Workflow provisioning and approval
  - HR application support for workforce change triggering to the user provisioning product
  - Reporting the roles assigned to each user and the entitlements that each user has
  - An event log for administrative activities
- Products deployed in customer production environments, and customer references
Vendors not included in the 2012 Magic Quadrant may have been excluded for one or more of the following reasons:
- They did not meet the inclusion criteria.
- They support user administration capabilities for only one specific target system (for example, Microsoft Active Directory and IBM iSeries).
- They had minimal or negligible apparent market share among Gartner clients or for currently available products.
- They were not the original manufacturers of a user provisioning product. This includes value-added resellers that repackage user administration products (which would qualify for their original manufacturers); other software vendors that sell IAM-related products, but don't have user administration products of their own; and external service providers that provide managed services (for example, data center operations outsourcing).
Gartner evaluates technology providers on the quality and efficacy of the processes, systems, methods or procedures that enable IT provider performance to be competitive, efficient and effective, and to positively impact revenue, retention and reputation. Ultimately, technology providers are judged on their ability to capitalize on their vision and to succeed in doing so. For user provisioning, the Ability to Execute hinges on key evaluation criteria.
Product/Service: This includes the core goods and services offered by the technology provider that compete in or serve the defined market. It also includes current product or service capabilities, quality, feature sets, skills and so on, whether offered natively, through OEM agreements or through partnerships, as defined in the market definition and detailed in the subcriteria. Specific subcriteria are:
- Password management, including individual user account, and shared account or service account password management support
- User account management or role-based provisioning
- Management of identities
- Workflow — persistent state, nested workflows, subworkflows, templates of common user provisioning activities and change management
- Identity auditing reports
- Connector management
- Integration with other IAM components
- Ability to configure, deploy and operate
- Role administration and IAG strategy
- Resource access administration
- Impact analysis modeling for change
- Support for current and/or emerging standards (for example, SPML 2.0 and SCIM)
Overall Viability (Business Unit, Financial, Strategy, Organization): This includes an assessment of the overall organization's financial health; the financial and practical success of the business unit; and the likelihood of the individual business unit to continue investing in the product, offering the product, and advancing the state of the art in the organization's portfolio of products. Specific subcriteria are:
- History of investment in the division
- Contribution of user provisioning to revenue growth
Sales Execution/Pricing: This is the technology provider's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. Specific subcriteria are:
- Market share
- Additional purchases (for example, relational database management system, application server and Web server)
Market Responsiveness and Track Record: This is the ability to respond, change direction, be flexible, and achieve competitive success as opportunities develop, competitors act, customer needs evolve, and market dynamics change. This criterion also considers the provider's history of responsiveness. Specific subcriteria are:
- Product release cycle
- Competitive replacements
Marketing Execution: This is the clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the products or brands and the organization in buyers' minds. This mind share can be driven by a combination of publicity, promotional activities, thought leadership, word of mouth and sales activities. Specific subcriteria are:
- Integrated communications execution
- Customer perception measurement
Customer Experience: This includes the relationships, products, services and programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), the availability of user groups and SLAs. Specific subcriteria are:
- Customer support programs
- Customer advisory board responses
Operations: This is the organization's ability to meet its goals and commitments. Factors include the quality of the organizational structure, such as skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. Specific subcriteria are:
- Training and recruitment
- The number of major reorganizations during the past 12 months
Note: The criteria and weights of this axis remain the same from 2011 to 2012.
Source: Gartner (December 2012)
Gartner evaluates technology providers on their ability to convincingly articulate logical statements about current and future market directions, innovations, customer needs and competitive forces, and how well these map to the Gartner position. Ultimately, technology providers are rated on their understanding of how market forces can be exploited to create opportunities for the provider. For user provisioning, Completeness of Vision hinges on key evaluation criteria.
Market Understanding: This is the ability of the technology provider to understand buyers' needs, and to translate them into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those desires with their added vision. Specific subcriteria are:
- Market research delivery
- Product development
- Agility in responding to market changes
Marketing Strategy: This is a clear, differentiated set of messages that is consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. Specific subcriteria are:
- Integrated communications planning
- Advertising planning
Sales Strategy: This is the strategy for selling products using the appropriate network of direct and indirect sales, marketing, service, and communications affiliates that extends the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Specific subcriteria are:
- Business development
- Partnerships with SIs
- Channel execution
Offering (Product) Strategy: This is a technology provider's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements. Specific subcriteria are:
- Product themes
- Foundational or platform differentiation
Business Model: This is the soundness and logic of a technology provider's underlying business proposition. Specific subcriteria are:
- Track record of growth
- Frequency of restructuring
- Consistency with other product lines
Vertical/Industry Strategy: This is the technology provider's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. Subcriteria are:
- SMB support
- Industry-specific support
Innovation: This is the direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. Specific subcriteria are:
- Distinct differentiation in features or services
- Synergy from multiple acquisitions or focused investments
- Role life cycle management (discovery, modeling, mining, maintenance, certification and reporting)
- Service-oriented provisioning
Geographic Strategy: This is the technology provider's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, directly or through partners, channels and subsidiaries, as appropriate for that geography and market. Specific subcriteria are:
- Home market
- International distribution
Note: The criteria and weights of this axis remain the same from 2011 to 2012.
Source: Gartner (December 2012)
Leaders are high-momentum vendors (based on sales, world presence and mind share growth). They possess impressive track records in UAP use across most industry segments. Business investments position them well for the future. Leaders demonstrate balanced and exceptional progress and effort in the Ability to Execute and Completeness of Vision categories. They possess comprehensive feature sets and enjoy reasonable customer satisfaction. They can — and often do — change the course of the industry.
Leaders should not be the default choice for every buyer. Leaders may not offer the best product and relationship fit for every customer project. Leaders can have a higher TCO than competitors. Leaders provide solutions that offer relatively lower risk, and provide effective integration with their own solutions and with competitors' solutions. Every vendor included in the Leaders quadrant is there because it has met legitimate business or company needs.
Challengers have solid, reliable products that address the needs of the UAP market, with strong sales, visibility and clout. Challengers are good at winning contracts, by competing on established core product features, existing enterprise relationships, and their industry or geographic presence. Challengers are efficient and expedient choices for more focused UAP needs or for logical partnerships. Many clients consider Challengers to be good alternatives to Niche Players, or even Leaders, depending on the specific geography or industry. Challengers are not second-place vendors to Leaders and should not be considered as such in evaluations.
Challengers in this Magic Quadrant all have strong product capabilities, but typically have fewer production deployments than the Leaders do. Business models vary, as do overall product strength and breadth, marketing strategy, and business partnerships. This has kept some Challengers from moving into the Leaders quadrant.
Visionaries are distinguished by technical and/or product innovation, but have not yet achieved a record of execution in the UAP market to give them the high visibility of Leaders, or they lack the corporate resources of Challengers. Buyers should weigh long-term viability in any strategic reliance with these vendors. Visionaries can represent good acquisition candidates for other competitors. Challengers that may have neglected technology innovation and/or vendors in related markets are likely buyers of Visionaries.
Visionaries invest in the leading-edge features that will be significant in the next generation of products, and that will give buyers early access to state-of-the-art UAP capabilities. Visionaries can affect the course of technological developments in the market, but they lack the execution influence to outmaneuver Challengers and Leaders. Clients pick Visionaries for best-of-breed features, and, in the case of small vendors, they may enjoy more personal attention.
Niche Players may offer viable and dependable solutions that meet the needs of buyers, especially those with a particular industry, geographic region or platform focus. However, they lack the comprehensive features of Leaders, or the market presence and/or resources of Challengers. Niche Players are less likely to appear on shortlists, but they fare well when given an opportunity. Although they generally lack the clout to change the course of the market, they should not be regarded as merely following the Leaders.
Niche Players may address subsets of the overall market, and often do so more efficiently than Leaders. Clients tend to pick Niche Players when stability and focus on a few important functions and features are more important than a "wide and long" road map. Customers that are aligned with the focus of Niche Players often find their offerings to be "best of need" solutions.
The moniker "user administration and provisioning" acknowledges that the "provisioning" market has always been broader than just provisioning. "Provisioning solutions" have traditionally consisted of a combination of provisioning, workflow, policy/rules, password management, some user self-service functionality and some reporting. Now there is also a certain amount of crossover with IAG functionality. The title change of this research, beginning in 2011, from "Magic Quadrant for User Provisioning" to "Magic Quadrant for User Administration and Provisioning" is in recognition of these facts.
The market of UAP solutions has continued to mature in function, capability and delivery methods, and has crossed previous feature boundaries with other administration tools. While many features (for example, workflow, password management and connector architectures) are the same across most vendors in this market, other features are expanding and serve as the new "battleground" for user administration. These include:
- IAG (access request, access certification, role mining and engineering, and audit/compliance reporting)
- Improved log management and analytics functions that let identity administration logging participate with other security and access logging (for example, SIEM, DLP and NAC), along with better GRCM integration
- Improved process management for workflows leveraging BPM capabilities
- Improved integration with IAM suite offerings between individual IAM components
- Improved integration with enterprise application and strategic platform environments (for example, SAP and Microsoft)
Although complex UAP projects still require experienced integrators and skilled project management for the enterprise, the growth in feature maturity and best practices has lessened the absolute dependence of success on integrators. Nevertheless, many UAP implementations still succeed or fail based on these integrators, and on the relationship between customers and vendors. IAM vendors realize that success in the SMB market requires simple deployments at the product level. Success rates for complex projects are improving, and "horror stories" related to failed implementations or poorly integrated replacements continue to decrease.
Key differentiators when selecting user administration solutions include, but are not limited to:
- Price, including the flexibility of pricing for deployment, maintenance and support programs
- Global scope, depth, availability and extent of partnerships with consultants and SIs to deliver the solution
- Consultant and SI performance, which remains vital to success; also vital are the level and extent of experience of industry segment vendors and integrators to deliver successful projects
- Time to value
- The ability to deliver subsidiary services that are not available in the core product
- Custom development
- Augmentation via partnerships or adjacent products or capabilities (for example, IAG, entitlement management or federated provisioning)
- Other customer experiences, including satisfaction with installed provisioning systems (that is, reference accounts)
- Strategy, road map and alignment with other product offerings, including strategies for addressing cloud computing and SaaS architectures
- Relevance in addressing identity-specific and access-specific requirements in BPM and business intelligence
- Application-specific integration with major enterprise application environments (for example, SAP authorization architecture)
There is no "one size fits all" UAP solution. These differentiators will vary in importance, given the specific organization, use cases, budget and business drivers.
For enterprises considering UAP, Gartner recommends the following:
- Prioritize your requirements, because you may not be able to do all of them in the first phase.
- Document the project scope, and seek outside review where possible.
- Avoid scope creep by itemizing the costs of such changes, providing impact analysis and establishing formal change processes.
- Implement rigorous project oversight to ensure that project scope integrity is maintained.
- Evaluate a suite versus buy decision based on corporate strategy, culture and relationship matching with the suite vendors considered.
Addressing these requirements in this way can help companies avoid failure. For additional help, see "Developing IAM Best Practices," "Q&A for IAM: Frequently Asked Questions," "Embrace Emerging IAM Administration Trends to Improve the Time to Value," the IAM Foundations series of research (starting with "IAM Foundations, Part 1: So You've Been Handed an IAM Program ... Now What?") and "How to Use 'Visioneering' Principles to Drive a Successful Identity and Access Management Program."
Gartner recognizes that many enterprises face challenges in distinguishing UAP requirements from IAG requirements. IAG enables an end user to request and certify access, deliver detailed and application-specific compliance reporting, and maintain the integrity of identity data. UAP is the fulfillment infrastructure that makes the changes to identity data where needed, and delivers IT administrator functionality to the fulfillment process. The feature lines between UAP and IAG have essentially disappeared as IAG tools assume significant UAP capability, and as large-scale UAP vendors integrate IAG features into their platforms (see "Magic Quadrant for Identity and Access Governance").
Gartner recommends that enterprises planning for a virtualization and cloud computing future include UAP in their planning, because it plays an important role for virtual machines (VMs) and for the propagation and management of user objects in the cloud. UAP provides the management of accounts and auditing for partitions, hypervisors and VM monitors, as well as the information needed to enforce SOD in that environment.
Gartner believes that organizations facing compliance burdens are realizing that traditional provisioning implementations (while still important and necessary for long-term compliance) can be increasingly addressed by "super IAG" or IAG + UAP products.
Many UAP vendors reported revenue increases from 2011 to 2012, thereby indicating continued growth in the market (see the Market Maturity section below). However, growth for user provisioning slowed, with 2011 being the peak growth year (see "Forecast: Information Security, Worldwide, 2010-2016, 3Q12 Update"). In 2010, user administration became a $1 billion market, and revenue in 2011 reached approximately $1.28 billion (see "Market Share: Security Software, Worldwide, 2011").
Gartner analysis of UAP revenue shows that 2009 (the height of the global economic crisis) was the slowest year for growth in this market, with revenue rebounding sharply in 2010 and continuing through 2011. Revenue growth is as follows:
- 2009 to 2010 compound annual growth rate (CAGR) of 13.5%
- 2010 to 2011 CAGR of 16.0%
- 2011 to 2012 estimated CAGR of 8.8%
As of this writing, current growth estimates from 2011 to 2012 indicate the following: North America revenue growth of 14.9%; Western Europe, -4.91%; Mature Asia/Pacific, 12.63%; Emerging Asia/Pacific, 21.13%; Greater China, 11.99%; and Latin America, 10.41%.
Global market share estimates for user provisioning at the end of 2012 are as follows: North America, 51.4%; Western Europe, 21.1%; Emerging Asia/Pacific, 2.2%; Mature Asia/Pacific, 13.6%; Greater China, 3.3%; and Latin America, 3.5%.
Gartner believes that 2011 was the peak of growth for the UAP market. While overall revenue will increase over the next several years, growth will slow for provisioning-specific or provisioning-only solutions. IAG will eventually incorporate UAP, and the market growth from 2013 on will reflect combined IAG and UAP market figures.
UAP solutions have well-established vendors, well-defined products and a broad-based integrator market for implementing those products. UAP software has undergone multiple generations, and has a well-configured and well-structured core feature set.
Significant Changes From the 2011 Magic Quadrant
The most notable year-over-year changes include the following:
- Quest Software moved from the Challengers quadrant to the Leaders quadrant because of synergy from multiple product acquisitions and continued market traction. However, the impact from the acquisition of Quest Software by Dell largely remains to be seen.
- Hitachi ID moved from the Challengers quadrant to the Leaders quadrant because of increased market presence, significant customer wins, and continued innovation and execution.
- SailPoint moved from the Visionaries quadrant to the Leaders quadrant largely because of the increased traction of its value proposition as a single vendor covering IAG and user administration.
The Focus of UAP Continues to Shift to Include IAG and Analytics
From 2010 through 2012, Gartner has noticed a shift in the IAM market. IT needs for efficiency of operations are giving way to enterprise needs for accountability, transparency and control. Enterprise businesses are taking a more active role in using intelligence generated from analytics in critical business processes and decisions. IAG is increasingly required by the business for auditing and general compliance needs, analytics, forensics investigations, risk assessments and evaluations. Administration concerns that require elements of monitoring and control do not go away, but attention is now shared with new analytics results for the business.
Enterprises facing compliance burdens are realizing a benefit in de-emphasizing UAP implementations and in giving more attention to their IAG processes and technologies. Doing so ultimately improves the overall time to value (see "Embrace Emerging IAM Administration Trends to Improve the Time to Value").
The result of this trend in 2012 is that many of the largest and most recognized vendor brands (IBM, Microsoft and Oracle) are now packaging UAP and IAG together and selling them as a single SKU. Smaller IAG vendors are incorporating UAP features into their products as well.
Note: In recognition of this trend, and the interdependence between provisioning and IAG functions and processes, Gartner plans to create a combined UAP and IAG Magic Quadrant beginning in 2013.
Characteristics of Leading Vendors
Although the UAP market has matured, and vendors from any of the quadrants could address customer needs, particular characteristics of a good candidate vendor still exist:
- Price and service: A maturing market elevates the importance of price differentiation and pricing options. This pricing extends to the preimplementation and postimplementation experience. A UAP leader is flexible in its pricing at all levels.
- Good partners: Good UAP vendors have good implementation partners — those with proven histories of performance and excellent requirements gathering skills that accommodate differences in business segment, region and size. Some vendors have direct integration experience, and industry expertise is a requirement.
- Coupling and uncoupling the suite: A world-class UAP vendor is able to sell user provisioning and the associated user functionality (including IAG, if available) services without requiring customers to buy the entire IAM suite it sells. Integration is a good thing, but not when the system is so tightly integrated that uncoupling it later on to implement a complementary third-party tool is impossible. This represents an aggressive competition strategy for pure-play user provisioning providers.
- Solution selling versus making it fit: A leading vendor provides UAP as part of a packaged solution that's tailored to the customer's stated requirements, rather than forcing the customer's requirements to fit the product. Customers must have a clear and comprehensive definition of requirements before conducting any formal evaluation of specific tools. Although there must always be some practical compromise, mature best-in-class solutions are able to look more like the customer's business requirements than a vendor's technical specifications.
- Modularity: Mature UAP products show an awareness of enterprise architectures and the role of the products within them. These products also have a quicker turnaround in feature and version release, because the product design allows for smoother updates and follows a secure system development methodology. Mature product vendors in user administration show an awareness of the requirements for service-oriented and service-centric infrastructures, and move to accommodate them with service-centric solutions where possible.
- Migration and upgrade: Leading UAP vendors exhibit a formal plan to migrate from a competitor's offering to their own, and are able to do so quickly and effectively. This also applies to a vendor's ability to provide quick and effective upgrades to its existing solutions.
- The postimplementation experience: UAP is a well-established market. Thus, user administration leaders demonstrate maturity. If customers are unhappy and seek replacement solutions and services, then there are serious issues with planning and requirements. The postimplementation experience for a new customer and an upgrade customer will characterize world-class UAP vendors in this market.
Although a single list cannot hope to capture all the nuances of what makes a leading vendor, it does help develop the mindset of what to look for. This is relatively independent of vendor size or industry range in the user provisioning market, and can provide an opportunity for even the smallest vendor to excel in a comparative view of the customer experience.
Before you select a UAP vendor or integrator, Gartner recommends the following research:
- "Q&A for IAM: Frequently Asked Questions"
- "Developing IAM Best Practices"
- "How to Use 'Visioneering' Principles to Drive a Successful Identity and Access Management Program"
- "IAM Foundations, Part 1: So You've Been Handed an IAM Program ... Now What?"
- "IAM Foundations, Part 6: Choosing an IAM Vendor"
UAP as Part of a Suite or Portfolio Versus a Pure-Play Product
Situations in which customers might choose a pure-play user provisioning vendor over a suite or portfolio vendor include:
- Policy-driven or IT concerns regarding vendor lock-in (that is, a "monoculture" for IAM solutions)
- Customers that already have solutions for access management or "point" identity management from a vendor whose user administration solution does not meet requirements
- Price, time of implementation or industry-specific options
- When the product is a better fit for customer needs
Situations in which customers might choose an IAM suite vendor over a point vendor include:
- Customers constrained by the number of vendors that they can choose, particularly for a multiple-tool IAM solution — of which, UAP is one
- An application or infrastructure requirement that specifies the product suite as optimal for integration with that application or infrastructure
- A licensing or cost advantage achieved by owning products or using services from the suite or portfolio vendor
- An agreement between a provider of outsourced services and a client in which a consolidated contract with a preferred vendor is more acceptable
- When the product is a better fit for customer needs
Increasingly, IAM suite vendors are using the relationship to the customer as a strategic advantage over a pure-play provider. Relationship is actually a code word for partnership and includes any existing contracts or provider agreements a customer may already have with that vendor, a desire to pursue a unified maintenance agreement, or a wholesale adoption of that vendor's architecture and road map that includes IAM. This inhibits pure-play providers from participating in such an environment, unless they serve as brokers of multiple partners of their own and provide a common face to the customer.
Selling component IAM products does not constitute integration. Instead, true user experience, workflow, and reporting and brokering functions, such as common architecture and implementation, constitute customer views of integration. For an in-depth discussion of the actual levels of integration within the major suite vendors, see "Comparing IAM Suites, Part 2: Heterogeneous Deployments," "IAM Foundations, Part 2: Tools and Technologies" and "Comparing IAM Suites, Part 1: Suite or Best of Breed?"
In 2011, the average ratio of product licensing to consulting/integration costs was approximately 1-to-2 (for every $1 in software costs, the customer would spend $2 on consulting/integration). For some vendors and implementations, the ratio was as high as 1-to-5, such as with large portfolio vendors (such as IBM and Oracle), but for others — particularly pure-play vendors (where the scope of effort may be smaller if user provisioning alone is addressed) — the ratio approached 1-to-1. The goal for most vendors (and integrators) is to have as low a ratio as possible. As the market continues to mature and more preconfigured packages become available, this is possible even for larger portfolio vendors.
By 2016, user administration/provisioning and identity and access governance products will converge, creating a new market for advanced identity analytics.
Ability to Execute
Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships, as defined in the market definition and detailed in the subcriteria.
Overall Viability (Business Unit, Financial, Strategy, Organization): An assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, SLAs and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market.