
Magic Quadrant for User Provisioning

Gartner RAS Core Research Note G00206614, Perry Carpenter, Earl Perkins, 30 September 2010
User provisioning manages identities across systems,
applications and resources. Compliance remains the main driver
of uptake, and identity and access intelligence and role life cycle
management are increasingly top-of-mind issues.
WHAT YOU NEED TO KNOW
This document was revised on 4 October 2010. For more information, see the
Corrections page on gartner.com.
User-provisioning solutions are maturing in function and capability, and the user-provisioning
market continues to consolidate. As some identity and access management (IAM)
technologies approach a commoditylike state, the boundaries between core IAM products,
such as user provisioning and companion product sets, are blurring.
Core provisioning functionalities are similar across most vendors (such as workflow engines,
approval processes, password management and standard connector sets). Therefore,
provisioning vendors seek to differentiate their product sets from those of competitors
through expanded IAM functionalities, such as:
Role life cycle management
Identity and access intelligence (IAI; that is, audit, log correlation and management,
analytics, monitoring, and reporting)
Improved workflow options to improve business process management (BPM) and general
governance, risk and compliance (GRC) integration
Better integration with adjacent and relevant security technologies, such as security
information and event management (SIEM), data loss prevention (DLP), network access
control (NAC), and IT GRC management (GRCM) tools
Improved integration with other suite components or IAM offerings from other vendors
Large-scale user-provisioning projects remain
complex, requiring experienced integrators
and skilled project management for the
enterprise. Most provisioning implementations
succeed or fail based on these integrators
and on the relationship between customers
and vendors. Most IAM vendors realize
that penetrating midmarket accounts (for
instance, small or midsize businesses, or
SMBs) requires simple deployments at
the product level. While success rates for
complex and/or major user-provisioning
initiatives are improving, horror stories
related to failed implementations or poorly
integrated replacements still abound.
Key differentiators when selecting user-
provisioning solutions include, but are not
limited to:
Price, including flexibility of pricing for
deployment, maintenance and support
programs.
Global scope, depth, availability and
extent of partnerships with consultants
and system integrators (SIs) to deliver the
solution.
Consultant and SI performance, which
remains vital to success. Also vital are the
level and extent of experience of industry
segment vendors and integrators to
deliver successful projects.
Time to value.
The ability to deliver subsidiary services that are not available in
the core product through:
Integration with component IAM features (for example,
common user experience and reporting).
Custom development.
Augmentation via partnerships or adjacent products or
capabilities (for example, role life cycle management,
entitlement management, federated provisioning or IAI).
Other customer experiences, including satisfaction with installed
provisioning systems (that is, reference accounts).
Strategy, road map and alignment with other product offerings,
including strategies for addressing future cloud-computing and
software as a service (SaaS) architectures.
Relevance in addressing identity-and-access-specific
requirements in BPM and business intelligence.
There is no one-size-fits-all provisioning solution; as such,
these differentiators will vary in importance, given the specific
organization, use cases, budget and business drivers.
Gartner recommends enterprises embarking on user-provisioning
initiatives to:
Prioritize the key issues to be resolved, and provide clarity to
the project being implemented.
© 2010 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Reproduction and distribution
of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be
reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal
issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used
as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions
expressed herein are subject to change without notice.
Figure 1. Magic Quadrant for User Provisioning
Source: Gartner (September 2010)
[Figure: quadrant chart with the quadrants Challengers, Leaders, Niche Players and Visionaries; horizontal axis "completeness of vision", vertical axis "ability to execute". As of September 2010, the vendors plotted are IBM Tivoli, CA Technologies, Novell, Courion, Sentillion (Microsoft), Voelcker Informatik, Fischer International, Hitachi ID Systems, Microsoft, Siemens, Beta Systems, Omada, Avatier, BMC Software, Quest Software, Evidian, SAP and Oracle. Vendor positions are not shown here.]
Document the project scope thoroughly, and seek outside
review where possible.
Choose the specific technologies required for the specific
requirements. Do not allow a project to expand scope
without a documented rationale.
Implement rigorous project oversight to ensure project scope
integrity is maintained.
Establish a formal change process to bound project scope
where possible.
Addressing these questions early can help companies avoid failure.
Role life cycle management is increasingly viewed as a prerequisite
(or, in more complex initiatives, a parallel effort) for many new
user-provisioning initiatives. Many enterprises that have deployed
user-provisioning systems have discovered that the access request
process, such as that provided by role life cycle management,
is a missing element. Customers will find that user provisioning
and access request management are intricately connected, and
planning for provisioning will reflect that.
Gartner also recommends that enterprises planning for a
virtualization architecture include user-provisioning planning,
because it plays an important role for virtual machines (VMs). User
provisioning provides the management of accounts and auditing
for partitions, hypervisors and VM monitors, as well as enforcing
segregation of duties (SOD) for that environment.
Gartner believes that organizations facing compliance burdens are
realizing that full provisioning implementations (while still ultimately
important and necessary for long-term compliance) can actually
be postponed or de-emphasized in the short term in favor of IAI
solutions. For more detail, see "User Provisioning Is (in the Short
Term) Giving Way to Other, Easier Projects."
STRATEGIC PLANNING ASSUMPTION
Through 2013, notable identity and access management project
failures will cause 50% of all companies to shift their IAM efforts to
intelligence rather than administration.
MAGIC QUADRANT
Market Overview
Market Growth
Most user-provisioning vendors reported revenue increases in
2009 to 2010, thereby indicating continued growth in the market
(see the Market Maturity section below). However, growth for user
provisioning is slowing. In "Forecast: Security Software Markets,
Worldwide, 2009-2014, 2Q10 Update," Gartner Dataquest reported
a compound annual growth rate (CAGR) of 4.4% for the user-
provisioning market. User provisioning is now an approximately
$940 million market, and should become a $1 billion market in
2010.
The global 2009 CAGR of 4.4% for user provisioning is down from
17.4% in 2008. The notable decline in growth is for two reasons:
(1) there are ripples from the recent economic downturn; and (2)
clients are realizing that they can pursue compliance initiatives
via technologies that promise shorter-term wins (such as IAI,
privileged-account activity management [PAAM], and Active
Directory to Unix bridging). For now, enterprises are shifting
spending to those areas.
North America exhibited revenue growth of 4.2%; Western
Europe, 4.0%; Asia/Pacific, 9.4%; and Latin America, 5.0%,
down significantly from 2008 across most regions. North America
accounted for 47.5% of 2009 market share; Western Europe,
28.1%; Asia/Pacific, 8.7%; and Latin America, 3.1%.
Gartner expects user-provisioning revenue opportunities to
continue growing through the end of 2010 as the market
matures and consolidates, rebounding with a 9% CAGR in 2011.
However, Gartner believes that this will be the peak. Growth for
the provisioning market will drop over the next several years as
enterprises deploy new-generation solutions and upgrade existing
deployments.
User-provisioning technologies and processes continue to mature,
with well-established vendors, well-defined IAM suites and a broad-
based integrator market for them. Third-generation releases are
now available, with most basic capabilities well-structured and well-
configured. Gartner estimates that, as of mid-2010, approximately
30% to 35% of midsize to large enterprises worldwide, across
all industries and sectors, had implemented some form of user
provisioning. An additional 20% to 25% of them are evaluating
potential solutions.
Significant Changes From Last Year's Magic Quadrant
The most notable year-over-year changes include the following:
Oracle clearly stands out in both vision and execution within the
Leaders quadrant. This is due to its rapid acquisition of new
customers, internal innovation and improvements of its IAM
offerings, the acquisition of Sun Microsystems (which helps
augment some of its IAM capabilities), and a compelling road
map.
Sun Microsystems is absent from the Magic Quadrant due to its
acquisition by Oracle.
Since publication of the 2009 user-provisioning Magic
Quadrant, Quest Software acquired Voelcker Informatik.
Both companies receive individual ratings in the 2010 Magic
Quadrant, due to the recency of the acquisition, and because
Quest intends to keep Quest's ActiveRoles product and
Voelcker's ActiveEntry product as separate entities, selling one
or the other based on specific customer use-case requirements.
Sentillion was acquired by Microsoft and is now part of
Microsoft Health Solutions Group. Sentillion proVision and
Microsoft Forefront Identity Manager are being rated as
separate products, because they are developed, marketed and
sold as distinct products.
All Leaders continued to improve (horizontally, vertically or both),
based on:
Past velocity and trajectory
A continued commitment to meet road map commitments
A continued commitment to meeting customer needs
proactively via innovative road maps and/or reactively
via partnerships, internal development or acquisitions
Many vendors in the Challengers, Niche Players and Visionaries
quadrants are beginning to cluster around the midpoint of the
chart, a sign of overall market maturity and commoditization
of the core technologies being rated.
Microsoft made the most progress within the Challengers
quadrant due to the release of the long-awaited Forefront
Identity Manager product, which improves the usability of its
provisioning solution, adds deep integration into many important
Microsoft components, and much improves the experience for
both administrators and end users.
BMC Software moved from the Challengers quadrant to the
Niche Players quadrant, primarily based on shifting internal
priorities, which impact its go-to-market strategy. This is
reflected in an overall slowing of its growth.
Ilex was dropped from the study this year due to minimal
market presence.
User Provisioning Is (in the Short Term) Giving Way to Other,
Easier Projects
As discussed in the What You Need to Know section of this
research, Gartner sees a subtle shift in the IAM market. That leads
us to offer the following Strategic Planning Assumption for both end
users and vendors:
Through 2013, notable identity and access management project
failures will cause 50% of all companies to shift their IAM efforts
to intelligence rather than administration.
Without a more formal and effective approach to delivering IAM
solutions, enterprises will continue to experience challenges
in delivery. More importantly, the shift away from IT needs for
efficiency of operations, to enterprise needs for accountability,
transparency and reliability, is taking place. The business is taking a
much more active role in the use of identity management for critical
business processes. As such, demands are decidedly different:
IAI will be increasingly required by the business for auditing
and general compliance needs, analytics, forensics investigations,
and risk assessments and evaluations. Administration concerns
that require elements of monitoring and control do not go away,
but attention will now be shared with new analytics results for the
business.
The inherent length and complexity of user-provisioning programs,
combined with implementation horror stories, is at the heart of
a notable trend. Specifically, Gartner believes that organizations
facing compliance burdens are realizing that full provisioning
implementations (while still ultimately important and necessary for
long-term compliance) can be postponed or de-emphasized in the
short term in favor of IAI solutions. The reasoning is as follows:
Intelligence projects focus on auditing, log management and
correlation, monitoring, manual remediation, and analytics.
Implementing IAI tools is simpler compared with provisioning.
IAI tools deliver business value faster than provisioning does.
IAI tools more easily span all users and systems.
While real benefits can be realized with IAI, user provisioning cannot
be delayed for a long time. Consider the following:
User provisioning performs update and control functions, not
just analysis.
Administration projects are becoming mainstream, and vendors
are supporting more out-of-the-box solutions.
Implementing IAI tools provides insight but does not remove
the long-term need for more efficient and effective identity
administration.
Other Key Trends for 2010
Compliance continues to be a significant driver among global
corporations for user provisioning, although this depends on the
relative size of the enterprise, the market segment and geography.
Security efficiency for cost containment and service-level targeting
remains a strong driver worldwide, and is being used to justify the
expense for projects that may, in fact, be compliance-driven. The
most notable growth regions for provisioning are Western Europe,
Asia/Pacific and Latin America. Growth has slowed significantly in
North America.
Significant contributors to the user-provisioning decision process in
2010 include:
Identity audit and reporting (that is, the ability to report fully
and accurately on the effects of user provisioning across the
enterprise).
Role life cycle management, which defines, engineers, maintains
and reports on enterprise roles and rules as inputs to the
provisioning process.
Total cost of ownership (TCO) and the time to value, which are
of growing concern as potential customers seek savings during
times of economic uncertainty.
Specific industry segment size strategies (for example, SMB
targeting).
Specific industry vertical strategies (for example, healthcare
user-provisioning differentiation).
GRCM support, driven primarily by enterprise application
providers (such as SAP and Oracle) through ERP
implementations, and by the need to support fine-grained
authorization as part of the user-provisioning process. There is
also a desire to deliver an overall IAM governance program that
identifies and supports the role of user provisioning, and links
it to the information security policy and the establishment of
controls.
SI and/or consultant selection for project or program
implementation.
Privacy controls to ensure that what is provisioned is adequately
protected from technical and regulatory perspectives.
Provisioning for card management tools as part of a security
management environment.
Many customers, especially large enterprises, continue to evaluate
user-provisioning solutions as part of a broader IAM suite or
portfolio, depending on their specific requirements. This creates
additional challenges for user-provisioning vendors that do not
offer a portfolio solution. Nonsuite user-provisioning vendors still
offer sufficient innovation and differentiation to compete effectively
with portfolio vendors, and still address customer needs that
are not aggressively pursued by portfolio vendors (for example,
SMBs, specifically in industries such as healthcare). Continued
differentiation, agility and partnerships are critical for any nonsuite
vendor to remain viable in the long term. Differentiation, especially
with regard to price (for example, fixed-cost engagements), rapid
deployment, prepackaged (that is, quick and proven) solutions,
and ease of use, will be key.
At present, four vendors are recognized as single providers of
suites or portfolios defined as having at least directory services,
user provisioning and Web access management. They are Oracle,
IBM Tivoli, Novell and CA Technologies, and all are in the Leaders
quadrant. Many other vendors, such as Courion, Siemens, Evidian
and Quest, offer partial suites; they and many point vendors are
expanding their offerings to full suites through partnerships.
Nonsuite provisioning vendors typically partner with other
vendors that offer other IAM component products, and they
offer comprehensive licensing with customers and partners as
competitive leverage to create relationships and opportunities,
particularly in displacement strategies. This has as great an impact
on the future of the user-provisioning market as product features or
SI partnerships do.
Some of the user-provisioning vendors sell solutions to managed or
hosted service providers, illustrating a design and configuration that
would allow a managed or Internet-based service offering for user
provisioning. Early indicators show that evaluations, particularly for
SMBs, of user provisioning as part of a broader SaaS offering, are
occurring in major service provider firms.
Although technical improvements in user provisioning continue,
project complexity for large implementations remains a challenge
for customers, and could result in long planning and deployment
periods. Structured and formal methods of planning and
implementing user-provisioning solutions in enterprises have
improved, but are still evolving. Most IAM project failures are related
to issues in vision, governance and the project scoping/definition
phase. Customers embarking on an IAM initiative must spend time
properly defining and prioritizing specific business challenges and
use cases that user provisioning must address. Success practices
include, but are not limited to:
Developing a clear and compelling vision of the IAM program,
selling that vision to key stakeholders, and communicating
project status and successes/issues throughout the
program. This will embrace far more than user-provisioning
implementation projects, of course.
Using a decision framework for planning IAM that includes
identifying, prioritizing and organizing key resources in the
implementation process for user provisioning.
Selecting a proven program partner (that is, consultant or
system integrator) to lead the effort in a reasonable time
frame, one that understands the business issues of user
provisioning and the technical implementation concerns
required to be successful.
Addressing issues related to role life cycle management for
effective user provisioning.
Addressing critical issues in post-implementation customer
environments related to fixes, integration or expansion.
Before you select an IAM vendor or system integrator, we
recommend that you review "Q&A for IAM: Frequently Asked
Questions," "Developing IAM Best Practices," "How to Use
Visioneering Principles to Drive a Successful Identity and Access
Management Program," "IAM Foundations, Part 1: So You've Been
Handed an IAM Program ... Now What?" and related research.
Further Trends
The roles of IAI, SIEM and DLP continue to grow in user-provisioning
solutions as security and network events are correlated with identity
and access events to provide a full picture of the network.
Commoditization of some aspects of IAM is evident, with smaller
vendors offering appliance-based solutions for low-volume, simple
provisioning needs. In addition, traditional networking and platform
vendors (large and small) that provide such solutions will begin
entering the provisioning market, offering simple, basic provisioning
for interested audiences and use cases.
While in its early stages, IAM as a service will expand to include
provisioning for some clients, although a significant market
adoption is unlikely before 2012. Early predictions of IAM as a
service have been impacted by economic conditions: interest is
high, but deployment is not.
Market Maturity
User provisioning can be considered a horizontal function in
the enterprise. Enterprises consist of vertical functions, such as
accounting, finance, human resources and functions specific to
that enterprise. Provisioning has an impact on all of them if they
are part of the integrated IAM solution. Failure to address this
functional concept well inhibits success, and successful vendors
and integrators have learned this painful lesson.
A comprehensive process for assigning and tracking entitlements
within an enterprise can be a key criterion in user provisioning. Role
life cycle management actually provides two primary functions. One
builds the necessary infrastructure of an access request system by
discovering existing entitlements and candidate roles and creating
repositories for them. The other provides an administration and
reporting system for the access request process. Special tools can
also provide an experienced analyst with modeling and analytics
tools for reporting on the process to those who need such reports,
for example, compliance and audit teams.
The market for role life cycle management consists of component
solutions that are part of the major vendor IAM suites (for example,
Oracle and CA) and component stand-alone solutions (for example,
Aveksa and SailPoint). The use of such tools can reduce the
manual workload related to role discovery and mapping by 40% to
55%. However, the complexity of role life cycle management efforts
can rival those of user provisioning, particularly in enterprises with
complex IT systems. As with user-provisioning initiatives, rigorous
planning and process work are vital to success.
A third area of growing maturity is IAI. As compliance and
regulatory needs become more specific and are better defined,
identity analytics, data correlation and audit reporting are evolving
as products and product functions to address specific enterprise
needs. Although this remains an ongoing process, many vendors
offer compliance dashboards, identity and access log management,
or canned reports to address these needs as part of such IAI
solutions, or as input into GRCM vendor solutions.
Characteristics of Leading Vendors
Although the user-provisioning market has matured and vendors
from any of the quadrants could potentially address customer
needs, particular characteristics of a good candidate vendor still
exist:
Price and service: As the market continues to move to
maturity, price differentiation and pricing options become
more important to the vendor as well as to the customer. This
pricing extends to preimplementation and postimplementation
experience.
Good partners: Good user-provisioning vendors have good
implementation partners: those with proven histories of
performance, and the ability to understand and address
customer industry requirements that are affected by differences
in business segment, region and size. Some vendors have
direct integration experience, and industry expertise is a
requirement.
The ability to define deliverables, phases of the project,
metrics and an end state: When embarking on an initiative
as potentially complex as user provisioning, customers must
ensure that the program is defined with metrics that can be
measured, and with projects that have an end. Many earlier
user-provisioning experiences lasted for years because of the
inability to know when the end has been reached (or even what
the goal of Phase 1 is). There must be an end to a business-
critical implementation project (such as user provisioning), or at
least those phases of technology and process implementation,
to enable the ongoing program to continue.
Coupling and uncoupling the suite: A world-class user-
provisioning vendor should be able to sell user provisioning and
the associated user-provisioning services (for example, identity
audit and reporting, or workflow) without requiring customers to
buy the entire IAM suite that it sells. Integration is a good thing,
but not when the system is so tightly integrated that uncoupling
it later on to implement a complementary third-party tool is
impossible. This represents an aggressive competition strategy
for pure-play, user-provisioning providers.
Solution selling vs. making it fit: A leading vendor will provide
user provisioning as part of a packaged solution that's tailored
to the customer's stated requirements, rather than forcing the
customer's requirements to fit the product. The corollary of
this is that the customer must have a clear and comprehensive
definition of requirements before conducting any formal
evaluation of specific tools. Although there must always be
some practical compromise, mature, best-in-class solutions are
able to look more like the customer's business requirements
rather than a vendor's technical specifications.
Modularity: Mature user-provisioning products show an
awareness of enterprise architectures and the role of the
products within them. These products also have a quicker
turnaround in feature and version release, because the product
design allows for smoother updates and follows a secure
system development methodology. Mature product vendors in
user provisioning show an awareness of the requirements for
service-oriented and service-centric infrastructures, and move
to accommodate them with service-centric solutions, where
possible.
Migration and upgrade: User-provisioning vendors should
exhibit a formal plan for migrating from a competitor's offering
to their own, and be able to do so quickly and effectively. This
also applies to a vendor's ability to provide quick and effective
upgrades to their existing solutions.
The postimplementation experience: User provisioning is a
well-established market. As such, user-provisioning products
(and integrators) should demonstrate signs of maturity. If
customers are unhappy and seek replacement solutions and
services, then there are serious issues with planning and
requirements. The postimplementation experience for a new
customer and an upgrade customer will say a lot about world-
class user-provisioning vendors in this market.
While a single list cannot hope to capture all of the nuances of
what makes a leading vendor, it does help develop the mind-set
of what to look for. This is relatively independent of vendor size or
industry range in the user-provisioning market, and can provide an
opportunity for even the smallest vendor to excel in a comparative
view of customer experience.
User Provisioning as Part of a Suite or Portfolio vs. Pure-Play
Product
Situations in which customers might choose a pure-play user-
provisioning vendor over a suite or portfolio vendor include:
Policy-driven or IT concerns regarding vendor lock-in (that is, a
monoculture for IAM solutions)
Customers that already have solutions for access management
or point identity management solutions from a vendor whose
user-provisioning solution does not meet requirements
Price, time of implementation or industry-specific options
The product being just a better fit for customer needs
Situations in which customers might choose an IAM suite vendor
over a point vendor include:
Customers constrained by the number of vendors that they can
choose, particularly for a multitool IAM solution of which user
provisioning is one
An application or infrastructure requirement that specifies the
product suite as optimal for integration with that application or
infrastructure
A licensing or cost advantage achieved by owning products or
using services from the suite or portfolio vendor
An agreement between a provider of outsourced services and a
client in which a consolidated contract with a preferred vendor
is more acceptable
The product being just a better fit for customer needs
Increasingly, IAM suite vendors are using the relationship to the
customer as a strategic advantage over a pure-play provider.
Relationship includes any existing contracts or provider agreements
a customer may already have with that vendor, a desire to pursue
a unified maintenance agreement, or a wholesale adoption of
that vendor's architecture and road map that includes IAM. This
constrains pure-play providers from participating in such an
environment.
It is important to note that selling component IAM products
does not constitute integration. Instead, true user experience,
workflow, and reporting and brokering functions, such as common
architecture and implementation, constitute customer views
of integration. For an in-depth discussion of the actual levels
of integration within the major suite vendors, see "Comparing
IAM Suites, Part 1: Suite or Best of Breed?" and "Comparing
IAM Suites, Part 2: Heterogeneous Deployments" and "IAM
Foundations, Part 2: Tools and Technologies."
Addressing the Vendor Viability Question
There is a perception that, if a vendor is small, then its long-term
viability is questionable; conversely, there is the perception that
large vendors are a better bet because they should be around for a
long time.
This line of thinking, while somewhat reasonable, is fatally flawed.
Reality intrudes on these innocent perceptions. For example,
in 2008, HP exited the IAM market; and in early 2010, Oracle
acquired Sun Microsystems. Further, BMC's focus has shifted its
IAM strategy significantly from being a mainstream IAM competitor
to mostly being interested in selling to existing BMC customers
under its Business Service Management strategy. Other, less
notable, examples exist as well. As a result, choosing a large IAM
vendor is not as safe as one might believe.
However, even with the above-mentioned facts, customers may
begin to think something along the following lines: "Well, I should
just choose the largest company possible, and I'll be safe." As
such, many potential IAM purchasers begin to narrow their scope
to vendors such as IBM and Oracle. There is still another fatal flaw
in that rationale, namely, these large companies cannot promise
product-level viability. Product-level viability is ultimately what
customers are interested in. Consider the following brief sampling
of the history related to the lack of product-level viability from large
vendors:
IBM's discontinuance of Tivoli User Manager in favor of
Access360 enRole, which became Tivoli Identity Manager.
IBM's OEM (February 2006) and subsequent removal of
Passlogix for enterprise single sign-on (ESSO). It was replaced
by acquiring ESSO vendor Encentuate in March 2008.
IBM's marketing of and subsequent sunset of Tivoli Privacy
Manager. No full replacement strategy ever existed.
IBMs marketing of and subsequent sunset of Tivoli Risk
Manager. It was replaced via the acquisition of Micromuse and
Consul Risk Management.
Oracles acquisition of Bridgestream for role management.
Subsequently, it was sunset and replaced by the functionality
offered by Sun Role Manager (previously Vaau).
Quests purchase of PassGo and sunset of its own SSO tool.
CA, Novell and Siemens have all changed focus or strategies
in the past. What does this have to do with viability? It shows
how invested the vendor is in the IAM strategy. Customers
really need to understand how IAM fits into the overall corporate
strategy, whether investments are self-serving or customer-
driven, and how important it is to the vendor's success.
This history shows there is no guarantee of viability at a vendor
level or a product level. Gartner believes some diversification may
be a prudent course of action. In addition, customers should:
Aggressively negotiate contracts related to long-term support.
Require proactive measures, such as source code escrow.
Review the vendors history related to acquisitions.
Review the vendors financial situation.
Acquire products that are based on well-understood standards
and protocols.
Create detailed documentation of the processes that a
product automates; that way, if forced to change products,
a customer will have a pre-established list of functional
requirements stating what the product must do.
Deployment Costs
In 2009, the average ratio of product licensing to consulting/
integration costs was approximately 1-to-3 (for every $1 in software
costs, the customer would spend $3 on consulting/integration).
For some vendors and implementations, it was as high as 1-to-5,
but for others, particularly pure-play vendors (where the scope
of effort may be smaller if user provisioning alone is addressed),
the ratio approached 1-to-2 or even 1-to-1. The goal for most
vendors (and integrators) is to have as low a ratio as possible. As
the market continues to mature and more preconfigured packages
become available, this is possible even for larger portfolio vendors.
Market Definition/Description
Defining IAM
IAM is a set of processes and technologies to manage across
multiple systems:
Users' identities: each comprising an identifier and a set of
attributes
Users' access: interactions with information and other assets
User provisioning is a fundamental part of an overall IAM
technology offering. The four major categories of IAM are:
Intelligence: IAI is essentially business intelligence for IAM.
IAM intelligence technologies provide the means of collecting,
analyzing, auditing, reporting and supporting rule-based
decision making based on identity and identity-related data.
This data helps organizations measure, manage and optimize
performance to achieve security efficiency and effectiveness
and to deliver business value.
Administration: IAM administration technologies offer a means
of performing identity-related tasks (for instance, adding a user
account to a specific system). In general, administration tools
provide an automated means of performing identity-related
work that would otherwise be performed by a human; examples
include tasks such as creating, updating or deleting identities
(including credentials and attributes), and administering access
policies (rules and entitlements). User provisioning is an IAM
administration technology.
Authentication: IAM authentication technologies are deployed
to provide real-time assurance that a person is who he or she
claims to be, to broker authentication over multiple systems
and to propagate authenticated identities. Authentication
methods embrace many different kinds of credentials and
mechanisms, often in combination with various form factors
(for instance, hardware tokens or smart cards). At the time of
this writing, passwords are still the most often used method of
authentication.
Authorization: IAM authorization technologies are a form of
access control used to determine the specific scope of access
to grant to an identity; they provide real-time access policy
decision and enforcement (based on identities, attributes, roles,
rules, entitlements and so on). Users should be able to access
only what their job functions allow them to access. For instance,
if a person is a manager, he or she is granted the access
necessary to create or edit a performance review; if a person
is not a manager, then he or she should be able to review only
his or her own performance review and only at a specific stage
of the review cycle. Web access management, entitlement
management, identity-aware networks and digital rights
management tools are examples of authorization management
technologies.
These categories are based on a foundation of identity repository
technologies that include enterprise Lightweight Directory Access
Protocol (LDAP) directories, virtual directories, metadirectories,
and (increasingly) relational databases. While standard LDAP
directories remain the identity repository of choice, limitations
inherent in these directories relative to fine-grained authorization
and policy implementation may require database participation.
LDAP directories are optimized for fast reads and are well suited to
large environments. However, there are limits: in very large-scale
environments (that is, more than 500,000 users), the volume of
changes requiring writes and replication is significant, and traditional
LDAP directories can experience performance problems during
synchronization events, resulting in stale or unreliable data.
Defining User Provisioning
User-provisioning solutions are the main engine of identity
administration activities. User-provisioning tools have some or most
of the following functions:
Workflow and approval processes
Password management (with the ability to support self-service)
Other credential management
Role life cycle management
User access administration (with the ability to support self-
service)
Resource access administration (with the ability to support self-
service)
Basic IAI (analytics, auditing and reporting), including
segregation of duties (SOD) support
User-provisioning solutions address an enterprises need to create,
modify, disable and delete identity objects across heterogeneous
IT system infrastructures, including operating systems, databases,
directories, business applications and security systems. Those
objects include:
User accounts associated with each user
Authentication credentials: typically for information system
access, and then most often just passwords, but sometimes for
physical access control
Roles: business level, provisioning level and line-of-business
level
Entitlements (for example, assigned via roles or groups, or
explicitly assigned to the user ID at the target system level):
Managing group membership or role assignments, from which
entitlements may flow
Managing explicit entitlements
User profile attributes (for example, name, address, phone
number, title and department)
Access policies or rule sets (for example, time-of-day
restrictions, password management policies, how business
relationships define users' access to resources, and SOD)
User-provisioning products are a subset of identity administration
products, which are a subset of the broader IAM landscape
(intelligence, administration, authentication and authorization).
All user-provisioning products offer the following capabilities for
heterogeneous IT infrastructures:
Automated adds, changes or deletes of user IDs at the target
system
Password management functionality: for example,
simplified help desk password reset, self-service password
reset and password synchronization, including bidirectional
synchronization (sold as a separate product by some user-
provisioning vendors because they had their start there)
Delegated administration of the user-provisioning system
Self-service request initiation
Role-based provisioning through capabilities provided by role
life cycle management features or partners
Workflow: provisioning and approval
HR application support for workforce change triggers to the
user-provisioning product
Reporting the roles assigned to each user and the entitlements
that each user has
Event logging for administrative activities
A comprehensive user-provisioning solution has the following
additional capabilities:
SOD administration and reporting: Enterprises need to
automate and manage application-level business policies and
rules to identify SOD violations. They also need to quickly
remove those violations from the application environment,
and ensure that new SOD violations are not introduced in the
course of the ongoing management and identity administration
of the application. Today, SOD tools exist primarily for ERP
applications, because ERP-specific, transaction-level knowledge is
required to successfully enforce SOD in these environments.
However, a generic SOD framework is required to address
all SOD application needs in the enterprise. Typically, a role
is used as the container to segregate conflicting business
policies in the application environment. Many user-provisioning
vendors deliver capabilities for this heterogeneous framework.
A generic framework does not remove the need for ERP-specific
SOD tools, because those tools have extensive integration with ERP applications.
User-provisioning vendors should continue to partner with ERP
vendors to deliver complete SOD solutions.
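The SOD requirement just described (identify existing violations, and make sure identity administration does not introduce new ones) and the automated add/change/disable cycle listed under the core capabilities above are easier to reason about as code. The following Python is an added illustration written for this page, not any vendor's product: it takes a constructed HR feed as the authoritative source, a constructed role-to-entitlement map and constructed SOD rules, reconciles them against the accounts that exist on one target system, reports accounts already in violation (the detective control) and holds any change whose resulting entitlement set would introduce a violation (the preventive control). Every user, role, entitlement and account name is an assumption made for the example.

```python
# Role-based provisioning reconciliation with a segregation-of-duties (SOD)
# check. Added illustration for this page, not vendor code; every name,
# role, entitlement and account below is constructed sample data.
from dataclasses import dataclass, field

# Constructed sample: business role -> entitlements on one target system
ROLE_ENTITLEMENTS = {
    "employee": {"vpn", "email"},
    "engineer": {"vpn", "email", "git-write"},
    "ap-clerk": {"vpn", "email", "ap-create-vendor"},
    "ap-approver": {"vpn", "email", "ap-approve-payment"},
}
# Constructed SOD rules: entitlement pairs one identity must never hold together
SOD_RULES = [frozenset({"ap-create-vendor", "ap-approve-payment"})]

@dataclass(frozen=True)
class HRRecord:            # one row of the authoritative HR feed
    user_id: str
    status: str            # "active" or "terminated"
    roles: frozenset

@dataclass
class TargetAccount:       # an account as it exists on the managed target
    user_id: str
    enabled: bool
    entitlements: set = field(default_factory=set)

def desired_entitlements(record):
    """Union of the entitlements implied by every role the person holds."""
    ents = set()
    for role in record.roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents

def sod_violations(entitlements):
    """Each SOD rule pair fully contained in the entitlement set."""
    return [sorted(rule) for rule in SOD_RULES if rule <= entitlements]

def existing_violations(target_accounts):
    """Detective control: enabled accounts already in violation on the target."""
    return {a.user_id: sod_violations(a.entitlements)
            for a in target_accounts if a.enabled and sod_violations(a.entitlements)}

def reconcile(hr_feed, target_accounts):
    """Preventive control: the operations the engine would push, holding any
    change whose result would violate an SOD rule. Returns (op, user_id, detail)."""
    ops, seen = [], set()
    by_id = {a.user_id: a for a in target_accounts}
    for rec in hr_feed:
        seen.add(rec.user_id)
        acct = by_id.get(rec.user_id)
        if rec.status != "active":
            # Leaver: disable rather than delete so the audit trail survives
            if acct is not None and acct.enabled:
                ops.append(("disable", rec.user_id, None))
            continue
        want = desired_entitlements(rec)
        conflicts = sod_violations(want)
        if conflicts:
            # The role combination itself is toxic: route to an approver,
            # push none of the new entitlements
            ops.append(("sod-hold", rec.user_id, conflicts))
            continue
        if acct is None:
            ops.append(("add", rec.user_id, sorted(want)))       # joiner
            continue
        if not acct.enabled:
            ops.append(("enable", rec.user_id, None))           # rehire
        grant, revoke = want - acct.entitlements, acct.entitlements - want
        if grant:
            ops.append(("grant", rec.user_id, sorted(grant)))
        if revoke:
            ops.append(("revoke", rec.user_id, sorted(revoke)))  # mover
    for uid, acct in by_id.items():
        if uid not in seen and acct.enabled:
            ops.append(("flag-orphan", uid, None))  # on target, unknown to HR
    return ops

# Constructed sample: joiner, mover, leaver, toxic role combination,
# an account already in violation, and an orphan account
SAMPLE_HR = [
    HRRecord("alice", "active", frozenset({"employee", "engineer"})),
    HRRecord("bob", "active", frozenset({"engineer"})),
    HRRecord("carol", "terminated", frozenset({"employee"})),
    HRRecord("dave", "active", frozenset({"ap-clerk", "ap-approver"})),
    HRRecord("eve", "active", frozenset({"ap-clerk"})),
]
SAMPLE_TARGET = [
    TargetAccount("bob", True, {"vpn", "email", "ap-create-vendor"}),
    TargetAccount("carol", True, {"vpn", "email"}),
    TargetAccount("dave", True, {"vpn", "email", "ap-create-vendor"}),
    TargetAccount("eve", True, {"vpn", "email", "ap-create-vendor", "ap-approve-payment"}),
    TargetAccount("mallory", True, {"vpn"}),
]

def run_sample():
    """Run the detective and the preventive control over the sample data."""
    return existing_violations(SAMPLE_TARGET), reconcile(SAMPLE_HR, SAMPLE_TARGET)
```

Two design points are worth noting. Leavers are disabled rather than deleted, so the account's history survives for the "who did what" reporting discussed later; and a toxic role combination is held for an approver before any of its entitlements reach the target, rather than being granted first and cleaned up by a later detective scan. An account that exists on the target but has no HR record is flagged separately, since the engine has no authoritative basis for deciding what it should look like.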
Role life cycle management: Regulatory compliance initiatives
are directing IAM efforts back to the drawing board for role
development. The role becomes a very important control point
that enterprises need to manage in a life cycle manner just
as they do an identity. Enterprises need the ability to automate
processes to:
Define existing roles through role-mining automation.
Manage formal and informal business-level roles for any view of
the enterprise (for example, location, department, country and
functional responsibility), and to feed user-provisioning products
to ensure that the link is made between the business role and
associated IT roles.
Establish a process by which the development process for
new roles in the enterprise follows the same management
process used for existing roles, and ties those new roles to the
automated role life cycle management solution.
Deliver a generic framework to address all role life cycle
management needs. Most user-provisioning vendors are
partnering with role life cycle management vendors, acquiring
them or building that expertise with the user-provisioning
solution.
Manage the role throughout its life cycle: role owner, role
changes, role review, role assignment, role retirement and role-
based reporting options.
IAI audit reporting: Meeting the regulatory compliance
requirements of reporting on SOD, roles, who has access to
what, who did what, and who approved and reviewed what
(referred to as the attestation process in auditing terms) for all
IT resources is complex and expensive in the heterogeneous
IT infrastructure. Reporting tools need to be in place to
leverage the user-provisioning authoritative repository, and
all other repositories that are used for the authentication and
authorization process to produce reports on SOD, role, who
has access to what, and who approved and reviewed what,
which include the entire enterprise's IT assets. In addition,
centralized event logs for all identity management activities
(those from the user-provisioning and access management
products, as well as from all systems where authentication and
authorization decisions are being made in real time) are
needed to do a proper job of reporting who did what.
No user-provisioning vendor (or suite vendor) provides all identity
management capabilities noted above without some partnering.
For most enterprises, additional products are required to round out
the functionality set. Security information and event management
(SIEM) tools can be used for who did what reporting at the event
level, with granularity by time of day, geography, network port
and other details; and we are seeing increased vendor interest
in creating integration paths between core IAM products and
SIEM (and other) intelligence or analytics tools. DLP tools provide
content awareness for accessing files and databases, and
will play a significant role in delivering more-precise entitlement
assignments.
The 2010 Magic Quadrant focuses on vendor delivery of ease of
deployment, ongoing operations, and maintenance and vendor
management as a sign of maturity. The research also emphasizes
marketing vision and execution, and evaluates sales and advertising
execution as part of the overall experience:
How do the user-provisioning vendors deliver core user-
provisioning capabilities as an enterprise management system in
support of an ongoing, changing business environment? Similar
to the 2009 Magic Quadrant, in 2010, we evaluated how easy
it is to change and maintain workflow and connectors, but we
also evaluated software services (scripts) and other functionality,
such as integrating the user-provisioning product with the HR
application and building the authoritative repository.
Because user provisioning is a maturing market, we also
evaluated vendors' marketing and sales effectiveness in terms
of market understanding, strategy, communications and
execution. We evaluated each vendors organization for such
services, its ability to change to reflect customer demands and
its overall success as measured by customers.
Increased attention was given to the vendors' role life cycle
management vision, strategy and road map, particularly in
terms of IAI, compliance reporting and remediation.
We also increased attention on the IAI capabilities, their ease of
use and their attractiveness to end users (via relevant out-of-
the-box reports, applicable dashboards and so on).
Increased attention was given to adjacent technologies in
GRCM, SIEM, network access control (NAC) and DLP, and their
ultimate impact on IAI functionality for provisioning.
We focused on the early stages of service-architected
user provisioning to prepare for large-scale, large-volume
provisioning requirements. Early uses of large-scale provisioning
are already evident.
Gartner ranks vendors in the Magic Quadrant based partly on
product capability, market performance, customer experience and
overall vision to determine which vendors are likely to:
Dominate sales and influence technology directions during the
next one to two years.
Be visible among clients through several marketing and sales
channels.
Generate the greatest number of information requests and
contract reviews.
Have the newest and most-updated installations.
Be the visionaries and standard bearers for the market.
Inclusion and Exclusion Criteria
The following criteria must be met for vendors to be included in the
user-provisioning Magic Quadrant:
Support for minimum, core user-provisioning capabilities across
a heterogeneous IT infrastructure
Automated adds, changes and deletes of user IDs at the target
system
Password management functionality
Delegated administration
Self-service request initiation
Role-based provisioning supported by role life cycle
management
IAI
Workflow provisioning and approval
HR application support for workforce change triggering to the
user-provisioning product
Reporting the roles assigned to each user and the entitlements
that each user has
An event log for administrative activities
Products deployed in customer production environments, and
customer references
Vendors not included in the 2010 Magic Quadrant may have been
excluded for one or more of the following reasons:
They did not meet the inclusion criteria.
They support user-provisioning capabilities for only one specific
target system (for example, Microsoft Windows or IBM
iSeries).
They had minimal or negligible apparent market share among
Gartner clients, or currently available products.
They were not the original manufacturers of a user-provisioning
product: this includes value-added resellers (VARs) that
repackage user-provisioning products (which would qualify
for their original manufacturers); other software vendors that
sell IAM-related products, but dont have user-provisioning
products of their own; and external service providers that
provide managed services (for example, data center operations
outsourcing).
Added
No new vendors were added to this years study.
Dropped
Ilex: dropped due to minimal market share and minimal client
mentions.
Sun Microsystems: dropped due to its acquisition by Oracle.
Other Vendors of Note
econet (www.econet.de/english/default.htm)
Based in Munich, Germany, and founded in 1994, econet has,
since early 2006, been in the user-provisioning market with cMatrix,
a service management, service-oriented offering targeted at
service providers primarily in EMEA. In many respects, econet's
marketing and sales model is very similar to Fischer International's.
Early clients include Siemens and KPMG. econet continues to
market to the IAM-as-a-service candidate, either the provider of
such services or the client interested in developing a private IAM-
as-a-service experience.
Fox Technologies (www.foxt.com)
A Mountain View, California, company, FoxT has products
that focus primarily on access control and service account
management. However, FoxT ApplicationControl addresses basic
elements of password management, account administration
(including basic provisioning), and audit reporting as part of an IAM
package including SOD enforcement, monitoring and reporting.
Ilex (www.ilex.fr/en)
Based in Asnières-sur-Seine, France, near Paris, Ilex provides
three major products: Sign&go (Web and ESSO), Meibo (workflow,
basic provisioning and some role management), and Meibo People
Pack (extended reporting and audit for provisioning). Founded
in 1989, Ilex has accumulated a small, yet solid customer base,
predominantly in France. With features such as Service Provisioning
Markup Language (SPML) support, a simple design and user-
friendly interface, and good connector kits for provisioning and
SSO, Ilex is able to effectively compete in a number of banking and
finance, telecommunications, and transportation industry segments
against larger competitors.
Imanami (www.imanami.com)
Based in Livermore, California, Imanami is a lesser-known
company, but it has some notable clients. Imanami's GroupID
Synchronize serves as a data synchronization engine for an
Active Directory environment through custom scripting, enabling
Microsoft-centric enterprises to leverage their infrastructures to
some extent. AT&T (formerly, Cingular Wireless) is a client.
Institute for System-Management (www.secu-sys.com)
Based in Rostock, Germany, near Berlin, iSM is a small company
focused on German-speaking-country markets with its bi-Cube
product for provisioning, SSO, and process and role life cycle
management. Privately funded, this 10-year-old enterprise takes
a process-centric, business intelligence focus to deliver a series
of preconfigured process and configuration modules (cubes)
that can be linked together to provide user-provisioning and
role life cycle management functionality. It has a small customer
base in Germany, Austria and Spain, in large industries, such
as telecommunications and insurance. iSM continues to refine
the modules to form a more standardized user-provisioning and
process management product offering.
Lighthouse Security Group (www.discoverlighthousegateway.
com)
Headquartered in Lincoln, Rhode Island, Lighthouse Security Group
established its SaaS-based offering after building up experience
developing a managed offering in the U.S. defense market.
Lighthouse's offering is unique, in that it has overlaid a common,
easy-to-use graphical administration capability onto IBM Tivoli's
core IAM products to deliver a relatively complete set of IAM
functions as a multitenant, SaaS-based service.
Lighthouse's approach allows customers to take advantage of the
multifaceted feature set of IBM Tivoli's provisioning, Web access
management and federation products, while being shielded from
many of those products' complexities. This provides integration
hooks into many enterprise identity repositories for automated
provisioning and leverages these repositories as authentication
and entitlement sources. While extensive administrative and
access control event data is logged, reporting is the customers
responsibility. Several SaaS target applications have been
integrated with the service.
NetIQ (www.netiq.com)
NetIQ, a global enterprise software vendor headquartered
in Houston, Texas, is perhaps best known for its operations
management and monitoring technologies and security monitoring
technologies. However, many organizations are unaware that
NetIQ has also been quietly growing a respectable IAM portfolio
and a solid customer base for those tools. NetIQ is best suited
for organizations that have selected Active Directory as their core
or one of their core directories. The IAM solution components
available from NetIQ include user provisioning (via NetIQ Directory
and Resource Administrator, Advanced Edition), compliance and
audit management, privileged-account activity management, Active
Directory-Unix bridge (OEM of Centrify), and user self-service
(including password reset) capabilities.
OpenIAM (www.openiam.com [commercial] and www.openiam.org
[open source])
Headquartered in Cortlandt Manor, New York, OpenIAM has
created an integrated suite of provisioning, access management
and federation components, offered in professional open-source
and enterprise licensing models. Components use a common
enterprise service bus for integration. OpenIAMs Identity Manager
product provides core capabilities found in other commercial
products, such as self-service, password management and audit,
and it includes SPML-based connectors to many commonly used
targets.
The companys Access Manager product provides support for
password- and certificate-based authentication, coarse- and fine-
grained authorization, XACML 2.0 support, and SAML identity
provider and service provider federation support, and it includes
a security token service. OpenIAM has been fortunate to receive
support from early government and SI customers, who have been
pushing and funding OpenIAM to expand its capabilities. OpenIAM
offers a very attractive support and pricing model.
SailPoint (www.sailpoint.com)
SailPoint is based in Austin, Texas, and serves the Global 1000,
with customers that include seven top-tier global banks, four of the
world's largest property and casualty insurers, the largest global
telecommunications provider, two of the largest biotechnology
manufacturers in the world, and three of the top healthcare
insurers. SailPoint originally entered the market as a technology
innovator, augmenting customers existing provisioning systems
in order to meet needs in role and compliance management
and identity governance. SailPoint now also sells an access
request-based user-provisioning solution that is a fully integrated
component of the IdentityIQ solution.
Evaluation Criteria
Ability to Execute
Gartner evaluates technology providers on the quality and efficacy
of the processes, systems, methods or procedures that enable IT
provider performance to be competitive, efficient and effective, and
to positively impact revenue, retention and reputation. Ultimately,
technology providers are judged on their ability to capitalize on their
vision and succeed doing so. For user provisioning, the ability to
execute hinges on key evaluation criteria:
Product/Service: These are core goods and services offered
by the technology provider that compete in or serve the defined
market. This includes current product or service capabilities,
quality, feature sets, skills and so on, whether offered natively or
through OEM agreements or partnerships, as defined in the market
definition and detailed in the subcriteria. Specific subcriteria are:
Password management, including shared account or service
account password management support
User account management or role-based provisioning
Management of identities
Workflow (persistent state, nested workflows, subworkflows,
templates of common user-provisioning activities, and change
management)
Identity auditing reports
Connector management
Integration with other IAM components
User interfaces
Ability to configure, deploy and operate
Role life cycle management
Resource access administration
Impact analysis modeling for change
SPML 2.0 support
Overall Viability (Business Unit, Financial, Strategy,
Organization): This includes an assessment of the overall
organizations financial health; the financial and practical success
of the business unit; and the likelihood of the individual business
unit to continue investing in the product, offering the product and
advancing the state of the art in the organizations portfolio of
products. Specific subcriteria are:
History of investment in the division
Contribution of user provisioning to revenue growth
Sales Execution/Pricing: This is the technology providers
capabilities in all presales activities and the structure that supports
them. This includes deal management, pricing and negotiation,
presales support, and the overall effectiveness of the sales channel.
Specific subcriteria are:
Pricing
Market share
Additional purchases (for example, relational database
management system, application server and Web server)
Market Responsiveness and Track Record: This is the ability
to respond, change direction, be flexible and achieve competitive
success as opportunities develop, competitors act, customer needs
evolve and market dynamics change. This criterion also considers
the providers history of responsiveness. Specific subcriteria are:
Product release cycle
Timing
Competitive replacements
Marketing Execution: This is the clarity, quality, creativity and
efficacy of programs designed to deliver the organization's
message to influence the market, promote the brand and business,
increase awareness of the products, and establish a positive
identification with the product or brand and organization in buyers'
minds. This mind share can be driven by a combination of
publicity, promotional, thought leadership, word-of-mouth and sales
activities. Specific subcriteria are:
Integrated communications execution
Customer perception measurement
Customer Experience: This is the relationships, products, and
services or programs that enable clients to be successful with
the products evaluated. Specifically, this includes the ways that
customers receive technical support or account support. This can
also include ancillary tools, customer support programs (and the
quality thereof), the availability of user groups, SLAs, and so on.
Specific subcriteria are:
Customer support programs
SLAs
Operations: This is the organizations ability to meet its goals and
commitments. Factors include the quality of the organizational
structure, such as skills, experiences, programs, systems and other
vehicles that enable the organization to operate effectively and
efficiently on an ongoing basis. Specific subcriteria are:
Training and recruitment
Number of major reorganizations during the past 12 months
Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria                                                    Weighting
Product/Service                                                        High
Overall Viability (Business Unit, Financial, Strategy, Organization)   Standard
Sales Execution/Pricing                                                Standard
Market Responsiveness and Track Record                                 High
Marketing Execution                                                    High
Customer Experience                                                    High
Operations                                                             Standard

Source: Gartner (September 2010)
Completeness of Vision
Gartner evaluates technology providers on the ability to
convincingly articulate logical statements about current and future
market directions, innovations, customer needs, and competitive
forces, and how well these map to the Gartner position. Ultimately,
technology providers are rated on their understanding of how
market forces can be exploited to create opportunities for the
provider. For user provisioning, completeness of vision hinges on
key evaluation criteria:
Market Understanding: This is the ability of the technology
provider to understand buyers needs and translate them into
products and services. Vendors that show the highest degree of
vision listen to and understand buyers' wants and needs, and can
shape or enhance those desires with their added vision. Specific
subcriteria are:
Market research delivery
Product development
Agility in responding to market changes
Marketing Strategy: This is a clear, differentiated set of messages
that is consistently communicated throughout the organization and
externalized through the website, advertising, customer programs
and positioning statements. Specific subcriteria are:
Integrated communications planning
Advertising planning
Sales Strategy: This is the strategy for selling products using the
appropriate network of direct and indirect sales, marketing, service,
and communications affiliates that extend the scope and depth
of market reach, skills, expertise, technologies, services and the
customer base. Specific subcriteria are:
Business development
Partnerships with system integrators
Channel execution
Offering (Product) Strategy: This is a technology providers
approach to product development and delivery that emphasizes
differentiation, functionality, methodology and feature set as they
map to current and future requirements. Specific subcriteria are:
Product themes
Foundational or platform differentiation
Business Model: This is the soundness and logic of a technology
provider's underlying business proposition. Specific subcriteria are:
Track record of growth
Frequency of restructuring
Consistency with other product lines
Vertical/Industry Strategy: This is the technology providers
strategy to direct resources, skills and offerings to meet the specific
needs of individual market segments, including vertical markets.
Subcriteria are:
SMB support
Industry-specific support
Innovation: This is the direct, related, complementary and
synergistic layouts of resources, expertise or capital for investment,
consolidation, defensive or pre-emptive purposes. Specific
subcriteria are:
Distinct differentiation in features or services
Synergy from multiple acquisitions or focused investments
Role life cycle management (discovery, modeling, mining,
maintenance, certification and reporting)
Service-oriented provisioning
Geographic Strategy: This is the technology providers strategy
to direct resources, skills and offerings to meet the specific needs
of geographies outside the home or native geography, directly or
through partners, channels and subsidiaries, as appropriate for that
geography and market. Specific subcriteria are:
Home market
International distribution
Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria            Weighting
Market Understanding           Standard
Marketing Strategy             High
Sales Strategy                 High
Offering (Product) Strategy    Standard
Business Model                 Standard
Vertical/Industry Strategy     High
Innovation                     High
Geographic Strategy            Standard

Source: Gartner (September 2010)
Leaders
Leaders are high-momentum vendors (based on sales, world
presence and mind share growth), and they have evident track
records in user provisioning across most, if not all, market
segments. Business investments position them well for the future.
Leaders demonstrate balanced progress and effort in the Execution
and Vision categories. Their actions raise the competitive bar for all
products in the market. They can and often do change the course
of the industry.
Leaders should not be the default choice for every buyer; rather,
clients are warned not to assume that they should buy only from
the Leaders quadrant. Leaders may not necessarily offer the best
products for every customer project, and may even prove to have
a higher TCO than some nonleading vendors. Leaders provide
solutions that offer relatively lower risk, and provide effective
integration with their own solutions as well as with competitors'
solutions. Every vendor included in the Leaders quadrant is there
because it meets legitimate business or company needs.
Challengers
Challengers have solid, reliable products that address the needs
of the user-provisioning market, with strong sales, visibility and
clout that add up to execution higher than that of Niche Players.
Challengers are good at winning contracts, but they do so by
competing on basic functions or geographic presence, rather
than specifically on advanced features. Challengers are efficient
and expedient choices for more-focused access problems, or
for logical partnerships. Many clients consider Challengers to be
good alternatives to Niche Players or, occasionally, even Leaders,
depending on the specific geography or industry. Challengers
are not second-place vendors to Leaders and should not be
considered as such in evaluations.
Challengers in this Magic Quadrant all have strong product
capabilities, but often have fewer production deployments than
Leaders do. Business models vary, as do overall product strength
and breadth, marketing strategy, and business partnerships. This
has kept some Challengers from moving into the Leaders quadrant.
Visionaries
Visionaries are distinguished by technical and/or product
innovation, but have not yet achieved a record of execution in the
user-provisioning market to give them the high visibility of Leaders,
or they lack the corporate resources of Challengers. Buyers should
be wary of a strategic reliance on these vendors, and should closely
monitor these vendors' viability. Given the maturity of this market,
Visionaries represent good acquisition candidates. Challengers
that may have neglected technology innovation and/or vendors in
related markets are likely buyers of Visionary vendors. As such,
these vendors represent a higher risk of business disruption.
Visionaries invest in the leading-edge features that will be significant
in the next generation of products, and that will give buyers early
access to improved security and management. Visionaries can
affect the course of technological developments in the market, but
they lack the execution influence to outmaneuver Challengers and
Leaders. Clients pick Visionaries for best-of-breed features, and in
the case of small vendors, they may enjoy more personal attention.
Niche Players
Niche Players offer viable, dependable solutions that meet the
needs of buyers, especially in a particular industry, platform
focus or geographic region. However, they sometimes lack the
comprehensive features of Leaders, or the market presence and/or
resources of Challengers. Niche Players are less likely to appear
on shortlists, but they fare well when given a chance. Although they
generally lack the clout to change the course of the market, they
should not be regarded as merely following the Leaders.
Niche Players may address subsets of the overall market, and often
do so more efficiently than Leaders. Clients tend to pick Niche
Players when stability and focus on a few important functions and
features are more important than a wide and long road map.
Customers that are aligned with the focus of Niche Players often
find their offerings to be "best of need" solutions.
Vendor Strengths and Cautions
Avatier
Avatier Identity Management Suite (AIMS) v.8 (July 2009): Avatier
Account Creator, Avatier Account Terminator, Avatier Identity
Enforcer, Avatier Identity Analyzer, Avatier Password Station, Avatier
Compliance Auditor
Avatier is a pure-play identity management vendor focusing on
user provisioning, password management, audit and compliance
reporting, and SOD/rule enforcement. It features an innovative
Web services connector architecture for heterogeneous integration
across different platform environments.
In the U.S., most Avatier sales are direct. Internationally, Avatier
is sold through an expanding number of midtier services and
consulting partners.
Avatier's focus is on creating identity management products
that are simple and easy to understand for end users and
administrators. The result is a very intuitive, graphical-user-interface-
driven environment that is understandable even by people with
modest technical skills; a resulting benefit is that implementations
are generally extremely quick compared with those of most
competitors.
Strengths
Avatier demonstrates consistent execution on its innovative
vision and significant customer wins and satisfaction.
Avatier's roots are in password management, where it has
traditionally picked up many small and midsize enterprise
customers; however, it also has a number of successful large
enterprise implementations and notable brand-name customers.
Avatier is directory-agnostic for its identity repository and
supports multiple databases for logging and other identity
object storage.
Avatier's technology and subfunctions (such as its password
policies) are developed with service-oriented architecture (SOA)
in mind, and can be accessed through Web services. The client
front end and target connectors also support SOA.
Avatier's deployment ratio is very good, estimated at 1-to-0.33,
where for every $1 spent on licensing, only $0.33 is spent on
deployment.
Cautions
Avatier competes against large IAM suite vendors, such as
Oracle and IBM Tivoli, and has difficulty gaining the attention of
decision makers at larger enterprises, where larger competitors
enjoy more access and exposure. As a pure-play provider,
Avatier must rely on a shrinking pool of partners to provide
suite-style solutions to clients who want them.
Avatier's innovative approach of hiding IAM complexity (for
example, its shopping cart models for entitlements) doesn't
always appeal to traditional "old school" technologists.
Beta Systems
SAM Enterprise Identity Manager v.1.1 (October 2009)
SAM Enterprise Identity Manager is Beta Systems' new next-
generation identity-provisioning system. It replaces the older SAM
Jupiter product, while retaining rich feature support for both the
mainframe and other systems. The user interface is also greatly
improved from previous versions. SAM Enterprise is one of the
longest-lived role-based IAM solutions on the market.
Although most of its sales remain direct, partnerships and reseller
agreements exist. Integrator partnerships with providers such
as T-Systems, IBM Global Services and Accenture also ensure
implementation options for customers. Beta Systems also has
Europe-based VARs, and offers a managed/hosted service for SAM
Enterprise.
Beta Systems is, at present, undergoing a significant organizational
and road map realignment for IAM to position itself for better
competitiveness in the market.
Strengths
SAM Enterprise's new interface for workflow creation focuses
on simplifying IAM concepts and process development for
business users.
Beta Systems offers an entry package with fixed project prices
for a defined function set.
SAM Enterprise is now platform-independent and supports
multiple databases for its identity repository and for the storage
of other IAM-related data and objects.
Beta Systems showed early strength in the banking and
financial services sector and is attempting to expand in other
industries. The new SAM Enterprise leverages mature role-
based design via its built-in role life cycle management support
for unlimited role hierarchies, dynamic roles, SOD and role
mining.
Beta Systems offers customers more-flexible pricing options
such as fixed-cost implementations.
Cautions
Customer growth due to organizational and road map changes
from 2007 to 2009 was marginal, with a temporary drop in
2008 revenue.
Audit and reporting analytics and presentation capabilities lag
those of competitor offerings.
Beta Systems' customer base remains 78% concentrated
in Europe. North American market presence remains small
(approximately 22%). Beta Systems is attempting to expand its
U.S. market share and expand into Latin America.
Current customers have complained about the quality and
thoroughness of Beta Systems' documentation; this is being
addressed via documentation updates.
BMC Software
BMC Identity Management Suite: BMC User Administration and
Provisioning v.5.5 (December 2009)
BMC Software is a long-standing IAM provider, still with significant
market share dating back more than a decade with the original
Control-SA product. BMC is one of the first companies to have
recognized and leveraged the value of process-centric IAM (user
provisioning).
BMC has relationships with technology partners to deliver IAM
suite options, such as reduced sign-on (Hitachi ID Systems), role
engineering (SailPoint) and Web access management (Symphony
Services).
BMC's key system integration and consulting partners include
Eclipse, Ilantus Technologies, Logic Trends and Wipro
Technologies. BMC's VAR channel partners include Accenture and
Capgemini, particularly in Europe.
Strengths
BMC's Service Request Management module can be used
as provisioning workflow by customers, as an option to
BMC Identity Management Suite's User Administration and
Provisioning workflow.
Integration with BMC's Business Service Management (BSM)
offering gives BMC's provisioning product some unique
capabilities in the areas of self-service, help desk, change
management and asset management.
BMC's BSM message and approach to provisioning, which is
based on IT Infrastructure Library (ITIL), is innovative and is a
differentiator, for existing BMC customers as well as new ones.
Cautions
BMC sells its user-provisioning solution as part of its BSM
solution. There is reduced marketing to audiences with specific
IAM needs.
BMC has less-extensive SI partnerships than leading vendors
do.
BMC's revenue from IAM declined by nearly 20% from
2008 to 2009. This is likely due to the change in IAM focus and
in active marketing of IAM. Customer concerns include the need
for better user interfaces, slow response to support questions and
inconsistent postdeployment support.
CA Technologies
CA Identity Manager v.12.5 SP1, CA Role & Compliance Manager
v.12.5 SP1, CA Enterprise Log Manager v.12.5 SP1 (March 2010)
CA Technologies demonstrates customer momentum, a
commitment to a role life cycle and compliance management
strategy (as evidenced by its Eurekify and IDFocus acquisitions,
and integration of these with CA Identity Manager), and audit
and compliance reporting. CA Identity Manager and CA Role &
Compliance Manager are integral to CA's broader content-aware
IAM strategy and delivering identity management to, for and
from the cloud. CA Identity Manager is based on IdentityMinder
(from 2002) and eTrust Admin (from 2000), and has a long heritage
in the IAM business. Acquisitions and significant internal investment
have accounted for expanded capabilities, and CA continues to
successfully pursue this strategy to fill out its IAM portfolio.
CA plays an active role in international identity and security
standards (technical and process-centric) for user provisioning.
CA Technologies has a cohesive and aggressive marketing, sales
and integrator strategy. Major integration and consulting partners
include Deloitte, PricewaterhouseCoopers and Accenture. Mycroft,
Logic Trends, Northrop Grumman and Telecom Italia are key VARs.
Strengths
Since entering the Leaders quadrant in 2008, CA Technologies
has consistently demonstrated a strong IAM commitment,
overcoming many past negative market perceptions, and
delivering competitive IAM solutions. CA has significantly
increased license revenue growth for its IAM products in the
past year.
CA is demonstrating a commitment to simplifying IAM
deployments and offering rapid deployment strategies (based
on a thorough scoping of customer needs) and fixed-cost
implementations.
CA Identity Manager has comprehensive features for policy
modeling, integration capabilities, delegated administration,
Web services, multiple-connector design and entitlement
certification capabilities. CA Identity Manager's use with key
components of its broad IAM portfolio (CA Role & Compliance
Manager, CA Enterprise Log Manager, CA DLP, CA SiteMinder
and CA Access Control) is a differentiator. Additionally, a
recently expanded relationship incorporates CA's monitoring of
IT risk and compliance metrics into SAPs business process risk
management.
CAs acquisition of Eurekify is significant. Eurekify is generally
regarded as an effective product for statistical role mining and
analysis. Customers like CA Identity Manager's ease of use
postimplementation, broad functionality (particularly for workflow
needs) and integration capabilities with service management.
Cautions
Administrative interfaces for CA's IAM products are well-suited
to IT end users; however, the overall richness of the interfaces
for business-focused end users (such as those who may be
performing attestation and certification duties) is still maturing.
CA all but ignores the SMB market. While it actively markets to
or solicits SMBs, feature set messaging and support structures
are generally tailored to larger accounts.
CA still needs to improve presales scoping for fit, as well as postsales
implementation and troubleshooting. Recent steps in CA's rapid
deployment project strategy are showing good signs that it is
addressing postsales deployment issues.
Integrating multiple acquisitions takes time, and CA is
committed to creating meaningful integration; however, some
customers still feel and comment on the disconnect between
products.
Courion
Courion Access Assurance Suite v.8.0 (as of December 2009):
Courion AccountCourier, RoleCourier, PasswordCourier,
ComplianceCourier and CertificateCourier
Courion is the only pure-play IAM vendor in the Leaders quadrant.
It continues to innovate and grow, in spite of challenging economic
conditions. Courion focuses on simplicity and enabling business
users. It consistently performs well in proofs of concept compared
with larger IAM players.
Courion's focus is on simplifying IAM and making it more business-
friendly through its "access assurance" messaging and the
increasing number of IAI products and integration options that it
offers.
While approximately 75% of its customers are those with less than
25,000 users, Courion has delivered solutions for larger customers,
scaling to over 1 million production users. To stay competitive
with large portfolio vendors (that is, Oracle, IBM, CA and Novell),
Courion leverages a partnership model that includes RSA, The
Security Division of EMC, for access management; Imprivata
for ESSO; Cyber-Ark Software for shared account/privileged
account management; Citrix Systems for enabling Citrix XenApp
provisioning; and others. Courion has extended its integration
capabilities to include data loss prevention and user activity
management (SIEM and log analysis) products from companies like
RSA and Symantec. Courion continues to expand its relationship
with EMC and is adding new resellers worldwide. Courion's
solutions work with cloud-based applications, and it participates in
SaaS with its partners Identropy and Accenture, showing continued
innovation.
Strengths
Courion has a fixed-cost implementation strategy. It requires
rigorous preproject scoping and customer interaction, and
Courion's track record is good.
Courion usually demonstrates a low ratio of product cost to
deployment cost, generally in the 1-to-1 range. It has the
lowest ratio of any vendor in the Leaders quadrant.
Courion is innovating the provisioning connector market. Its
fixed price per connector is comparatively low, and it charges
the same price for new custom connectors as it does for
already existing connectors.
Courion is one of the few vendors in the study to deliver an
in-house-architected solution. As a result, Courion customers
are able to achieve out of the box integration for many use
cases.
Courion products are built with extensibility in mind, and they
work well in complex, heterogeneous environments.
Cautions
Courion's competitors continue to improve by adding many
features similar to Courion's. The competition is always a
step or two behind, and maintaining innovation pace and
consistency in an increasingly commoditizing market will be
challenging.
Courion still faces name recognition issues. Other larger and
formative brand names immediately come to mind when
customers begin their IAM product searches. As such, Courion
may be inadvertently overlooked in an organization's RFI and/or
RFP process.
Courion lacks the global reach of major competitors in terms of
marketing, sales and support, and it is increasingly dependent
on a network of predeployment and postdeployment partners
outside of North America. Increased sales mean that Courion
will need to transfer its best-in-class planning and deployment
skills to those partners.
Evidian
Evidian Identity & Access Manager (June 2010)
Based in France, Evidian has long been a respected provisioning
vendor in Europe. With the most recent release of its solution,
version 9, in June 2010, Evidian introduces a major update in
terms of functionalities, packaging and deliveries. However, it
remains compatible with its legacy solution, which is a decade old.
Evidian also offers a Web access management solution as part of a
broader IAM portfolio.
Strengths
Evidian is one of the few vendors in the IAM market that
natively constructs the core systems of user provisioning, which
are then integrated on a single architecture that includes ESSO
and Web access management.
Evidian is a serious regional player within European markets,
where its name recognition has greatly improved in the past few
years.
Evidian provides most of the key functions expected of user
provisioning, and has particular strengths in the simplicity of
deployment and good reporting features.
Evidian is committed to role life cycle management, moving
from needing a third-party vendor to supply role-mining
functionality, to now offering it within the Evidian Policy Manager
product.
Evidian uses its access management solutions as a primary
means of introducing user provisioning to the enterprise.
Cautions
For access reconciliation, Evidian Identity & Access Manager
doesn't yet leverage the core provisioning application's
workflow as much as it could; future releases are expected to
address this.
Many features that customers expect in audit and compliance
reporting systems are not yet available; however, they are slated
for release in 2011.
Evidian is having difficulty acquiring market share in North
America, which fell from 12% in 2008 to 11% in 2009.
Password management functionality is basic when used
independently from the access management solutions.
Fischer International
Fischer Identity v.4.1 (January 2010): Fischer Role & Account
Management, Automated Role & Account Management
Fischer International remains in the Visionaries quadrant primarily
due to its innovation as a managed IAM service provider, and
as an IAM as a service (IaaS) delivery model through partners
in the SaaS and cloud-computing markets. The company has a
scalable, multitenant, service-based architecture to enable SaaS
and hosting by itself and its service provider partners in addition to
on-premises delivery. Fischer has been a visionary in cloud-based
IAM architecture for several years. As such, it has even placed a
trademark on the phrase "Identity as a Service."
Fischer's technical architecture is a small-footprint, Java-based
SOA framework that produces rapid, configurable delivery.
Fischers customer base is small, and growth has been
slow. However, it has been growing in both cloud-based and
on-premises deployments due to a refocused sales strategy and
increased marketing investments. Fischer has also expanded
outside North America by signing global and Europe-based
providers and resellers.
Strengths
Fischer permits service providers (and enterprises) to offer
user provisioning as a service in several delivery models
(on-premises, remotely managed, hosted and cloud-based
SaaS), including highly customized enterprise deployments.
Fischer's technology is multitenant, and security is specified for
each client organization as well as for the master organization
(service provider). As a result, only specified people or roles
are permitted to manage each component or process for each
individual client organization or the master organization.
Fischer delivers a simple cross-domain framework. It also
provides nonstop support for operations, fault tolerance, high-
privilege account management and connector management.
The company has strong support for cross-industry standards,
which has resulted in interoperability across systems.
Fischer's customers consistently remark on: (1) Fischer's
ownership of the success of the project; and (2) the overall
smoothness and swiftness of the implementation.
Fischer's cost model is created to be easily understood by
current and potential clients. For example, with the exception
of custom connectors for homegrown applications, all existing
and new custom connectors are free (included in the overall
product cost).
Customers like Fischer's adherence to open standards for
heterogeneous platform and application support, its flexibility of
workflow development, and its support responsiveness.
Cautions
Fischer's audit and reporting features are basic when compared
with more-robust dashboards and GRC-focused interfaces
offered by other vendors. Currently, all reporting data is
stored in a database for retrieval, using auditor-recommended
standard reports as well as custom reports.
Fischer has limited out-of-the-box connectors, although most
major systems are represented. However, the solution allows
new connectors to be constructed and deployed at no cost to
the client organization.
As the cloud-based model becomes more compelling and
accepted, large vendors (such as Oracle and IBM) will
increasingly focus on SaaS models for identity management.
Fischer, like all small innovative vendors, risks being overtaken
by those competitors.
Fischer is a small company. Its success depends on its partner
network for visibility and support, and on the ability of its
product to continue to deliver satisfactorily for those partners.
Hitachi ID Systems
Hitachi ID Identity Manager v.6.1.2 (February 2010), Hitachi ID
Password Manager v.6.4.9 (June 2010)
In early 2008, Hitachi ID Systems acquired M-Tech Information
Technology, a Canada-based, privately owned IAM company
founded in 1992. M-Tech was well-known first for its P-Synch
password management offering. M-Tech expanded into user
provisioning, as well as other point IAM products and compliance
products over subsequent years.
Hitachi ID Identity Manager v.6.0 was a major rewrite, with a new
back-end and automation engine. The result is a substantially
different product that doesn't sacrifice existing client upgrade plans.
Hitachi ID Identity Manager performs general identity management
tasks (that is, provisioning, synchronization and deprovisioning),
extending self-service access requests to business users. It also
directly manages authorizations (entitlements) with built-in workflow.
Other components include Hitachi ID Org Manager (business
process automation for organization chart maintenance), Hitachi
ID Access Certifier (for audit and compliance attestation reporting),
Hitachi ID Group Manager (for request-based, self-service Active
Directory group management), and Hitachi ID Privileged Password
Manager (providing shared-account password management
capabilities).
Hitachi ID has an extensive professional service team to design and
implement its products, and to train customers on their use and
maintenance. It has system integration and consulting partnerships
with KPMG, HCC Consulting and ACS, although most integration is
done by Hitachi ID's service team.
Strengths
Hitachi ID has reseller relationships with providers such as
CompuCom Systems, Insight Enterprises and IBM Global
Services. It has close active partnerships with HP, CSC and
BMC Software, providing Hitachi ID channels and bandwidth for
global reach for sales and implementation.
Key product strengths include: (1) It has many built-in
components, including request screens, access certification,
authorization processes, and autodiscovery of IDs and
entitlements; (2) the base price includes all connectors and
unlimited servers; (3) user adoption is aided by a managed
enrollment system and accessibility from Web browsers,
PC login screens and phones; and (4) it has multiple policy
enforcement engines, including SOD detection and prevention
and role-based access control (RBAC) enforcement with
controlled scope. The identity repository is SQL-based,
normalized and replicated across servers.
Hitachi ID's sales and support staff undergo an extremely
rigorous training period, making its technical savvy and
customer support record differentiators.
Hitachi ID has one of the lowest ratios of product cost
to deployment cost (at about 1-to-1). Like a few other
competitors, Hitachi ID also offers fixed-cost implementations.
This strategy leads to better preproject scoping and increased
customer confidence.
Cautions
Even though Hitachi is a global brand, and M-Tech was
recognized for solid password management and provisioning
solutions, Hitachi ID is still somewhat unknown.
Hitachi ID currently lacks robust role-mining capabilities.
Hitachi ID must compete with larger suite vendors for deals in
which the customer is seeking a broad range of products. To
compete effectively, Hitachi ID must partner with a shrinking
number of best-of-breed vendors.
Hitachi ID customers express concerns over the user interface,
the need to use a proprietary scripting language to accomplish
customization, and a lack of robust audit-reporting functions.
Some of these concerns have been addressed in the current
version (6.1.3), and other versions are due for improvement in
2011.
IBM Tivoli
IBM Tivoli Identity Manager (IBM TIM) v.5.1 (June 2009)
IBM Tivoli is a global player in IT management (for example, service
management and security management), and has over a decade of
IAM experience. For large organizations, IBM is frequently a default
shortlist choice. Its global reach, name recognition and staying
power are formidable.
IBM expands its IAM offerings via acquisitions as needed, based on
market demands or to help meet an IAM vision. IBM Tivoli acquired
Consul, a major z/OS security administration and audit vendor, and
rebranded it as Tivoli zSecure suite and Tivoli Security Information
and Event Manager. This improved its identity audit solution
for addressing compliance and audit needs. The acquisition of
Encentuate extended IBM's ability to provide enterprise single
sign-on and privileged-identity management capabilities. The acquisition
of MRO Software provided the ability to integrate with physical
asset provisioning and service catalogs. Additional acquisitions (for
example, Internet Security Systems) provided integration of IBM
TIM's provisioning, workflow, audit and reporting capabilities to the
security event, application development and business intelligence
environment. Managed services are offered via IBM Global Services
and IBM's global partner network. SaaS options are offered by
partners such as Lighthouse Security Group and Logica.
IBM has partnerships with global and regional system integrators
around the world, such as IBM Global Technology Services,
Deloitte, Accenture, Unisys, Atos Origin, Saudi Business Machines,
SecurIT, Tata Consultancy Services, Wipro Technologies,
Advanced Integrated Solutions, Vicom Computer Services, Insight
Enterprises, Softchoice, Forsythe Solutions Group, Arrow Enterprise
Computing Solutions, Sirius Computer Solutions, MSI Systems
Integrators, Insight UK, Pirean, Tectrade and Logicalis.
New development for IBM's user-provisioning tools has been
slow during the past year (as evidenced by the June 2009 release
date for IBM TIM v.5.1), likely due to the market shift in priorities,
that is, the move from administration to compliance and IAI.
However, IBM is providing its customers with early access to new
role management and modeling tools, prior to expected general
availability next year.
Strengths
IBM TIM supports major platform environments for deployment,
including the mainframe (Linux on IBM System z).
Provisioning and approval workflow technologies are rich, with
extensive connector libraries. IBM Tivoli Directory Integrator, a
development kit for unique connectors, is also included with
the product. Password management functions and delegated
administration are competitive. The base product includes
full runtime versions of DB2, WebSphere Application Server
and IBM Directory Server. Also included are 20 infrastructure
(database, mail, OS and network) adapters (connectors).
Policy simulation features in IBM TIM help users simulate role
and/or provisioning policy scenarios to determine their effects
on production environments before deployment.
Operational role management capabilities are embedded in
the core IBM TIM product, including recertification (attestation),
SOD checks, and hierarchical role provisioning for extended role
management functions such as role modeling and approval.
IBM has partnerships with several third-party role management
vendors to help mine and model roles. Examples of partner
offerings that are integrated and certified with IBM TIM include
Aveksa, SailPoint and SecurIT. IBM also has integrations with
Approva and SAP NetWeaver for ERP SOD checking.
Additional compliance capabilities are provided in the form of
integration with the Tivoli SIEM product for closed-loop access
reporting and auditing.
Cautions
IBM lags in role analytics and mining, trailing every other IAM
vendor in the Leaders quadrant. At the time of this writing,
IBM is addressing this by providing its customers an early
technology preview tool called the Role Modeling Assistant,
while the production-ready capability is under development.
IBM Tivolis ability to address complex IAM issues for clients is
challenged by its complexity of solution offerings, despite early
indications of improvements in IBM TIM v.5.1.
IBM would do well to better understand customers' specific
requirements and to help customers better shape their vision
and goals for IAM during the sales and implementation cycle in
order to focus deployment efforts and improve time to value for
customers.
Customers remain concerned about the complexity of the
product in configuration and deployment, the intensive prework
that's necessary to accurately map workflows to business
processes, and the effects of version releases on established
deployments.
Microsoft
Microsoft Forefront Identity Manager (FIM) 2010 (April 2010)
Microsoft released a long-awaited new version of its IAM offering
in April 2010. It also rebranded the offering. Instead of Identity
Lifecycle Manager (ILM), the company has incorporated the offering
as part of its Forefront brand and has labeled the new solution as
Forefront Identity Manager. FIM has several updates to ILM that
have improved the overall function of the offering.
Strengths
Microsoft has added an improved password and credential
functionality for FIM, resulting in a better delegation and reset
ability, and bringing up the function set to industry par.
Microsoft's use of SharePoint, Exchange and SQL Server
provides a means for business users to directly participate in FIM
through the use of existing collaboration and office tools.
New workflow functions based on the work Microsoft is doing
in the Windows Workflow Foundation (WWF) allow improved
options for automating specific IAM processes.
Windows Server 2008 has added Active Directory Federation
Services (AD FS) 2.0 as an update, providing improved and
expanded functionality in federation, including expanded
support for industry standards in federation, such as SAML.
While not part of FIM, this can be used with FIM in combined
access and provisioning deployments.
Some new connector options are offered to improve
heterogeneous support for synchronization and joining.
Cautions
While improved, Microsoft's connector architecture still does
not have options that best-in-class competitors possess.
Workflow in FIM has rudimentary functionalities, compared with
those of best-in-class competitors.
Pricing for FIM has changed somewhat to a per-server and per-
user client access license (CAL) basis, potentially resulting in
increased costs for the customer based on need. If a customer
is using the FIM synchronization service only to synchronize
identity information or to provision users, then CALs are not
required. However, if users take advantage of any of the new
FIM management tools and technologies, then CALs are
required to provision and manage them. So, similar to ILM, if
customers use it only for synchronization, no CAL charge is
triggered.
Novell
Novell Identity Manager Roles Based Provisioning Module v.3.7,
password self-service for Identity Manager v.3.7, Designer for
Novell Identity Manager v.3.7, Novell Sentinel v.7, (February
2010); Novell Identity Audit v.1.0 (October 2008), Novell Access
Governance Suite v.3.6.2 (May 2009)
Novell is a solid technology innovator. Its IAM portfolio of products
is well-respected by industry experts, technology professionals,
long-standing customers and enterprise users seeking a complete
solution for provisioning. Significant new customer wins, such as
Verizon's cloud-based security solution, and Novell's strategic
partnership with VMware, further illustrate Novell's innovation by
moving into cloud-computing and IAM-as-a-service markets.
Novell continues to improve in the Leaders quadrant. Although
Novell's IAM sales declined overall in 2009, primarily due to the
economy and organizational changes, Novell continues to succeed
via:
Innovative, enterprise-class products, and significant customer
wins
Continued focus on partnerships, sales and marketing
Competitive countermoves and replacements
Gartner has seen a noticeable increase of customer interest in
Novell during 2010. Some of this is attributed to former Sun
customers who are evaluating options, and some to a renewed
focus following organizational shifts and acquisition challenges.
Although Novell had previously experienced a drag on its business
due to customers' past associations with its NetWare business, this
increased interest indicates that many customers have moved past
these perceptions. The market should not count out Novell.
Novell addresses role life cycle management via a combination of
internal Novell development integrated via license agreement with
Aveksa's products. Improvements in resource recertification and
attestation reporting, and tighter integration with SIEM logging and
reporting via its Sentinel product, provide forensic and monitoring
capabilities to provisioning management.
Novell's network of smaller, region-based integration and consulting
partners continues to grow through established integration providers such
as Atos Origin, Deloitte and Wipro Technologies, as well as global
alliance partners such as HP and SAP.
Strengths
Novell's suite has significant compliance and intelligence
functionality, addressing unified policy needs through its
combined role life cycle management and SIEM solutions.
Novell's market share within the financial services and
government verticals has improved due to an improved
compliance management functionality.
Integration among Novell's IAM portfolio products is
homogeneous, and deployment times and customer experience
are improving.
Novell is an active participant in an open-source identity
framework that includes provisioning through its membership in
the Eclipse Higgins project. Novell is also active in international
standards work with the role it plays in Linux, security and
identity standards. Novell Identity Manager supports SPML.
Novell customers like the tight integration of the product
for different provisioning functions, designer capabilities for
configuration, and the deployed solution's ease of use and
functionality.
Cautions
Novell continues to battle a negative market perception; this is
Novell's biggest enemy in 2010.
More often than not, all vendors are evaluated not solely on the
merits of their solutions but also on a vendor's wallet share with
a customer or its executive relationships. Customers who
understand the value of Novell's technology leadership need
to fight for the inclusion of Novell as a viable vendor for it to be
considered. An effective way to do this is to request a proof of
concept at the outset.
Customers wish for a simpler licensing structure. Novell will
address this issue with the upcoming Identity Manager release
4 due in the fourth quarter of 2010.
Novell does not have the same financial resources, partner
network or visibility as its larger competitors do, and is at a
disadvantage in new-customer acquisition as a result.
Omada
Omada Identity Suite (OIS) v.7 (March 2010)
Omada addresses compliance-centric user-provisioning
needs based on Microsoft technologies, resulting in enterprise
solutions that can manage advanced business scenarios across
heterogeneous environments. It has a strategic partnership with
Microsoft to extend Microsoft Forefront Identity Manager 2010
(and the older ILM 2007) capabilities for customers. Omada has a
long history with SAP and recently enhanced its SAP integration
capabilities such as integrating into SAP BusinessObjects GRC.
Omada is also focused on providing business-centric GRC
management solutions. This demonstrates its business-focused
market approach and its ability to provide products and services
that are not purely based on its Microsoft relationship. Omada has
recently taken steps to enhance its attestation and recertification
offering with high-end risk management capabilities, such as risk
assessment surveys.
Omada has system integration and reseller partnerships that
include Logica, Traxion and Avanade. A major part of Omada's
staff is dedicated to consulting, integration and support. Solution
support is offered directly to the customer or via partners.
OIS addresses attestation and recertification, compliance reporting,
and SOD management workflows (and the ability to provide
auditable approval paths to override SOD violations). It performs
role life cycle management capabilities with its advanced RBAC
module, applying roles over heterogeneous repository and access
infrastructures via FIM management agents, which are supplied out
of the box from Microsoft, Omada and partners' custom builds.
Strengths
Omada is uniquely positioned to provide compliance modules
for Microsoft Forefront Identity Manager, such as attestation,
role life cycle management and compliance reporting.
Omada has introduced a SharePoint Governance Manager
offering in conjunction with FIM to apply RBAC functionality to
SharePoint and deliver compliance reporting for SharePoint.
Omada provides granular role-based integration with SAP.
Omada's pricing for OIS is competitive, reflecting lower-cost
alternatives to larger user-provisioning offerings via Microsoft's
embedded components in the enterprise (for example, Active
Directory and SQL Server).
While Omada is really an augmentation of Microsoft's user-
provisioning functionality, it integrates well into the FIM
portal environment, providing an intuitive and natural work
environment for administrators and end users.
Customers like the emphasis on Microsoft IAM architecture,
the expanded reporting functionality for SharePoint, workflow
improvements and good preimplementation/postimplementation
support.
Cautions
Omada uses Microsoft Forefront Identity Manager 2010 (and,
for legacy customers, ILM 2007) as its foundation for delivering
its functionality, thus underscoring Omada's dependence on
Microsoft's IAM direction.
While Omada does augment the functionality offered from
Microsoft, it still does not have the ability to offer role mining.
Customers who desire that functionality will need to integrate
with another vendor, or wait until Omada realizes its plan to
deliver role mining.
Omada's market penetration into North America and other non-
European regions continued to grow significantly in 2009, but at
a slower rate than in 2008. More global customers are needed
before Omada can be considered a major contender in the IAM
marketplace. Early trends in its 2010 numbers indicate some
growth in North America.
Omada is dependent on Microsoft continuing its investments
in making Microsoft Forefront Identity Manager an attractive
provisioning platform with enterprise-ready performance and
scalability.
Oracle
Oracle Identity and Access Management Suite and Oracle Identity
Manager v.9.1.0.2 BP10 (January 2010)
Oracle is the leader in this Magic Quadrant. It continues to execute
on its vision of an integrated and scalable IAM suite.
Via its acquisition of Sun, Oracle accomplished two things: (1)
the obvious takeout of a competitor; and (2) the acquisition and
subsequent integration of many of Sun's competitive technology
differentiators, for example Sun Role Manager, now Oracle
Identity Analytics. (For more-detailed analysis of the Sun acquisition,
see "Oracle and Sun: Managing IAM Under a Single Identity.")
Sun customers still feel some uncertainty; some may not welcome
a migration from Sun to Oracle. Much hinges on the manner in
which Oracle manages this transition.
Oracle is committed to delivering comprehensive IAM. While Oracle
Identity Management 11g is not rated in this Magic Quadrant due
to its recent release, it should be stated that it (if it is delivered as
described) will be another competitive differentiator for Oracle.
Oracle's IAM can run on two different databases, seven different
OSs, four different application servers and multiple Java
Development Kit vendors. The company continues to acquire
other companies as needed. It is also expanding a global network
of resellers and implementation partnerships. The Sun acquisition
adds even more options.
Oracle's IAM portfolio provides solutions for user provisioning,
password management, role life cycle management, Web
access management, federation, IAI, reporting, directory and
virtual directory, fraud prevention and authentication, entitlement
management, and GRC capabilities. Other IAM-related needs (for
example, ESSO and SIEM) are addressed via partnerships. Oracle
continues to demonstrate a commitment to improving integration
among the products in its IAM portfolio.
Strengths
Risk-based user self-service decision making is possible
through application programming interface integration with
identity-proofing services. Oracle Identity Manager can integrate
with proofing services by native API integration or when
codeployed with Oracle Adaptive Access Manager.
Oracle's database back end, the identity repository, is scalable
and proven.
Oracle's access at all enterprise levels (business to IT) is
pervasive. The company uses that access for cross-selling
opportunities with IAM. Aggressive sales and marketing
strategies have resulted in a new-customer acquisition that
is several times the rate of the general provisioning market.
Oracle has comprehensive training for its network of global
integration partners. These partners (system integrators, VARs
and technical partners) include Deloitte, Accenture, KPMG,
PricewaterhouseCoopers and Wipro, as well as Oracle's
consultancy and services in user provisioning.
Oracle possesses a portfolio and a matching vision for IAM,
including user provisioning. The message has moved from
an earlier strategy of application-centric provisioning, which
addresses provisioning, workflow and reporting needs for a
multiapplication environment, to including a service-centric
view of IAM. Customers like Oracle's aggressive IAM road
map, access to Oracle's development teams for changes,
configurability during deployments, and workflow and provisioning
engine capabilities.
Cautions
Oracle's SIEM and compliance/audit integration and reporting
are less mature than those of competitors IBM Tivoli and Novell.
The introduction of Oracle Identity Analytics, while positive, is
still not competitive with leading vendors in this area.
IAM-related reporting is accomplished via Oracle BI Publisher.
While capable and full-featured, it can produce overly complex
IAM reports.
Recent acquisitions and new product additions have caused
confusion among some current and new customers when
comparing the pricing models for earlier software packages with
what is currently available.
There continue to be mixed reviews of Oracle integration and
deployment experiences, which are attributed to uneven training
and experience of consultants and system integrators for the
product.
Quest Software
Quest ActiveRoles Server 6.5.0 (November 2009)
The most significant change Quest Software has made this year
to its IAM solution, ActiveRoles, is the acquisition in July of the
German IAM provider Voelcker Informatik. Voelcker's ActiveEntry
solution provides Quest with extended functionality into the role
management and IAI management markets. Several feature
updates to ActiveRoles have also occurred during this period.
Strengths
Quest's acquisition of Voelcker ActiveEntry signals a more
aggressive move to engage competitors and improve both the
geographic reach and functionality of its offerings.
Quest's reputation in the Windows administration and
management markets is enhanced by new offerings in role and
IAI management through the Voelcker acquisition.
Quest has taken some steps to improve its partnerships with
IAM integrators by providing expanded services for its offerings.
Cautions
Quest still has some issues with name recognition as a viable
IAM competitor, especially beyond the Microsoft Windows-
centric customer population. This is starting to change, but is
still evident.
Quest connector options for IAM synchronization and joining of
applications and repositories are rudimentary.
The combined Quest-Voelcker offering has some concerns to
resolve about overlapping functionality for both new and existing
customers.
SAP
SAP NetWeaver Identity Management v.7.1 (June 2009)
SAP is a global leader in business management software. It enjoys
strong name recognition and is deployed widely in many of the
world's largest organizations.
SAP has been in the provisioning market for a relatively short
amount of time; its acquisition of MaXware in 2007 serves as a
formal kickoff of SAP's IAM strategy to integrate IAM deeply into
the SAP ecosystem. SAP has been consistently making progress
toward that goal, and due to the out-of-the-box SAP integration
possibilities, there are definite benefits to choosing SAP NetWeaver
in order to manage identities in SAP-centric environments.
It should be noted, however, that SAP customers who use
NetWeaver to manage their SAP environment will typically end
up deploying two provisioning systems: NetWeaver for granular
management of SAP, and then another vendor to manage the rest
of their heterogeneous ecosystem.
Key features of SAP NetWeaver Identity Management include:
User interface and management console
Runtime components (linked to external repositories via virtual
directory)
An Identity Center database for logs, configuration and identity
stores
Provisioning and workflow functionality
User self-service and password management
Reporting via SAP NetWeaver Business Warehouse
Metadirectory and identity store
Identity Provider for Web-based SSO and identity federation via
SAML 2.0
Implementation projects at customer premises can be led by either
SAP consultants or a selection of solution integrators.
Strengths
The Identity Services framework of SAP delivers a virtual
directory technology and virtualization of target systems as
part of connector management, and reflects a well-structured,
application-driven approach to provisioning.
SAP's GRCM solution, BusinessObjects Access Control, is
coupled with SAP NetWeaver Identity Management to augment
the Identity Services framework, and to deliver provisioning and
SOD capabilities.
SAP views NetWeaver Identity Management as a significant
contributor to the evolution of SAP applications to a common
process layer for management. The process modeling layer
delivered via SAP NetWeaver Business Process Management
leverages a common Identity Management layer to deliver
security and context to business process.
SAP bundles Identity Provider with SAP NetWeaver Identity
Management to allow for Web-based SSO and identity
federation via SAML 2.0. Identity Provider comes at no
additional cost.
SAP customers like the rapid implementation and customization
capabilities of the product, the basic role life cycle management
integration with provisioning, the deep integration with other
SAP products via predefined scenarios, and the virtual directory
functionality.
Cautions
SAP's road map for user provisioning is targeted specifically at
established SAP customers, and is primarily for SAP application
portfolio and integration needs. While SAP customers may find
this differentiating from other vendors, non-SAP customers will
not.
SAP views NetWeaver Identity Management as vital for
counteracting efforts by Oracle to introduce Oracle solutions
into a predominantly SAP customer environment via an Oracle
IAM solution. Such a defensive approach may protect SAP
assets, but adds little for the customer.
NetWeaver Identity Management's reporting and compliance
capability is robust; however, the interface is geared more
toward technical administrators rather than to business users.
Sentillion (Microsoft)
Sentillion proVision v.3.5 (May 2010), proVision BridgeBuilder
v.3.01 (May 2009)
Sentillion is solely focused on meeting the identity management
needs of healthcare entities, where it is a recognized brand name.
Consistent innovation in healthcare provisioning needs, continued
customer growth and increasing name recognition within healthcare
make Sentillion the vendor to beat within the healthcare market.
Sentillion's strategy for user provisioning in a specialized, complex
industry is built on the concept of purpose-built healthcare, and
addresses role-based and fine-grained provisioning. Although many
customers may be classified as SMBs by their user count, the
complexity of healthcare role environments ensures that planning
and implementation remain challenging. Sentillion delivers focused
consulting and integration services, and has some integration
partners to address these challenges (CTG HealthCare Solutions,
Vitalize Consulting Solutions and Logic Trends in North America;
E.Novation and VisionWare in Europe).
Sentillion leverages Active Directory as the identity repository to
streamline the infrastructure required to deploy its product.
At the end of 2009, Microsoft announced an intent to purchase
Sentillion to combine the Sentillion product line with its Amalga
Unified Intelligence System (UIS) offering. The acquisition closed in
early 2010, and now Sentillion functions as part of the Microsoft
Health Solutions Group. Understandably, the Microsoft acquisition
is a source of both excitement and uncertainty for customers of
each company.
Currently, Microsoft's intent is to keep the development of Sentillion
and the Microsoft Forefront Identity Manager solution separate.
Sentillion will continue to focus on building solutions on its own
platform to meet the needs of the healthcare industry, and FIM will
be Microsoft's premier IAM solution. However, synergy between
the two product lines is undeniable, and there will likely be at least
some sharing of knowledge and code logic between the two teams
so that each can more rapidly expand support to new systems.
Strengths
Sentillion has a fixed fee for implementation services so that
customers know the associated costs upfront. The fixed fee
implementation is approximately a 1-to-1 ratio of software
to services, which is among the lowest of the provisioning
vendors.
Because of Sentillion's healthcare focus, it provides more
out-of-the-box connector (that is, "bridge" in Sentillion's
nomenclature) support to healthcare-industry-specific
systems (for example, McKesson-Horizon, GE Healthcare
and ChartMaxx products) than most of its competitors do.
In addition, Sentillion's industry focus gives it a strategic
advantage over its competition in areas where healthcare-
specific industry policy, terminology or use cases dominate the
project or program needs.
Customers gain access to Sentillion's online open-source
community, IdMPOWER, which allows customers to share
custom-built provisioning software adapters for clinical and
nonclinical applications.
Customers like the industry-specific focus, the personalized
predeployment customer support during planning and
implementation, and the company's quick response to new
customer needs.
Cautions
Focusing only on healthcare comes with a price, whether
it is support for features or standards. Sentillion is driven by
its customers, and the product is a custom solution for the
healthcare industry. This concern will be mitigated if or when
there is knowledge sharing between the Sentillion and Microsoft
FIM teams.
Several other vendors (large and small) are beginning to focus
their sights on the healthcare market. As these vendors win
healthcare accounts, they are able to develop and commoditize
healthcare-focused provisioning connectors, reports and other
related solutions, thus eating away at Sentillion's competitive
advantage. At this point, it is unclear what Microsoft has
planned to alleviate that threat.
Role life cycle management and GRC capabilities remain
limited, although Sentillion's capability is generally good
enough for many customers. However, given the highly
regulated industry that it targets, coupled with the increasing
general market demand for role management and GRC-focused
solutions, we expect that Sentillion will continue innovation in
this area as needed.
Siemens
Siemens DirX Identity Business Suite v.8.1B (January 2010), DirX
Identity Pro Suite v.8.1B (January 2010), DirX Audit v.2.0B (April
2010)
Siemens, with its business division Siemens IT Solutions and
Services, is a long-standing and well-respected IAM vendor based
in Germany. It has a solid IAM solution and has consistently
demonstrated the ability to attract and acquire new customers.
The Siemens DirX suite includes Audit, Identity (provisioning and
account management), Access, Directory and Biometrics product
lines.
Strengths
Siemens is one of the world's largest multinational companies
in energy, healthcare, communications and other industries,
and it has significant resources available for IAM product
development, management and delivery.
Siemens has a well-thought-through road map, which
demonstrates a sound market understanding and a
commitment to ongoing investment in the DirX product line.
Siemens is a veteran at role-based provisioning. Role life cycle
management (for example, administration, certification and
reporting) is part of DirX Identity, based on the RBAC standard,
and has been available since 2002. While role discovery is
available in the base product, business analytics as a result of
discovery are provided via third-party partnerships.
Siemens provides user-provisioning solutions with good role
management functionality, and a partnership model that
provides predeployment and postdeployment coverage.
Cautions
While the DirX road map is comprehensive, some of the
components, which are becoming standard across many
vendors (for instance, compliance dashboarding), are slated for
release in late 2011. This lags behind market need, and may
reflect negatively on Siemens in proof-of-concept environments.
Siemens' primary focus is on selling to its own customer base
(which is large enough to sustain steady growth of IAM sales).
Siemens DirX product line is worthy of consideration in many
circumstances, and Siemens will frequently win net new
accounts based solely on its IAM technology. However, more-
aggressive sales and marketing to non-Siemens customers are
warranted.
Voelcker Informatik
Voelcker ActiveEntry 4.1 (February 2010)
Voelcker is a Berlin-based IAM provider that slowly built a
reputation in Germany and Austria during the past 13 years for a
flexible service management and automation platform delivering
IAM functionality. In 2009 to 2010, the company enjoyed significant
expansion, and in July 2010, it was acquired by U.S.-based Quest
Software.
Strengths
Voelcker's ActiveEntry represents an advanced view of IAM
as a customizable set of service management and automation
components, together with an advanced IAI solution, resulting
in a less painful deployment experience when compared with
competitor offerings.
ActiveEntry is a service-oriented solution using an
object-oriented approach to IAM data, resulting in a combined
provisioning and role management capability where needed.
Voelcker expanded its partner network to provide additional
geographic availability, expanding also to the U.S. prior to its
acquisition by Quest.
Cautions
Until the Quest acquisition, Voelcker's name recognition and
marketing remained minimal, resulting in a slow but substantial
growth rate.
ActiveEntry does not include a connector set in the same
manner as competitors do. ActiveEntry contains connectors for
Active Directory, Exchange, SharePoint, Lotus Notes, LDAP,
SAP and FIM. It contains a "no coding required" wizard to build
connectors for XML-based protocols, as well as the ability to
integrate with any connector architecture.
ActiveEntry will undergo some changes in focus and direction
due to its coexistence with Quests existing ActiveRoles
offering.
Acronym Key and Glossary Terms
AIMS: Avatier Identity Management Suite
API: application programming interface
BSM: BMC Software's Business Service Management
EMEA: Europe, the Middle East and Africa
ESSO: enterprise single sign-on
GRC: governance, risk and compliance
GRCM: GRC management
IAI: identity and access intelligence
IAM: identity and access management
ILM: Microsoft Identity Lifecycle Manager
ITIL: IT Infrastructure Library
NAC: network access control
OIM: Omada Identity Manager
PAAM: privileged account activity management
RACF: Resource Access Control Facility
RBAC: role-based access control
RFI: request for information
RFP: request for proposal
SaaS: software as a service
SI: system integrator
SIEM: security information and event management
SLA: service-level agreement
SMB: small or midsize business
SOA: service-oriented architecture
SOD: segregation of duties
SPML: Service Provisioning Markup Language
SSO: single sign-on
VAR: value-added reseller
VM: virtual machine
Vendors Added or Dropped
We review and adjust our inclusion criteria for Magic Quadrants
and MarketScopes as markets change. As a result of these
adjustments, the mix of vendors in any Magic Quadrant or
MarketScope may change over time. A vendor appearing in a
Magic Quadrant or MarketScope one year and not the next does
not necessarily indicate that we have changed our opinion of that
vendor. This may be a reflection of a change in the market and,
therefore, changed evaluation criteria, or a change of focus by a
vendor.
Evaluation Criteria Definitions
Ability to Execute
Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current
product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as
defined in the market definition and detailed in the subcriteria.
Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's
financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to
continue investing in the product, to continue offering the product and to advance the state of the art within the organization's
portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all pre-sales activities and the structure that supports them. This includes
deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.
Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success
as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the
vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in
order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive
identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of
publicity, promotional, thought leadership, word-of-mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products
evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include
ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational
structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and
efficiently on an ongoing basis.
Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and
services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or
enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and
externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service
and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the
customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation,
functionality, methodology and feature set as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual
market segments, including verticals.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation,
defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies
outside the home or native geography, either directly or through partners, channels and subsidiaries as appropriate for that
geography and market.