© 2010 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form
without prior written permission is forbidden. The information contained herein has been obtained from sources believed to
be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although
Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal
advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors,
omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein
are subject to change without notice.
WHAT YOU NEED TO KNOW
This document was revised on 4 October 2010. For more information, see the Corrections
page on gartner.com.
User-provisioning solutions are maturing in function and capability, and the user-provisioning
market continues to consolidate. As some identity and access management (IAM) technologies
approach a commoditylike state, the boundaries between core IAM products, such as user
provisioning and companion product sets, are blurring.
Core provisioning functionalities are similar across most vendors (such as workflow engines,
approval processes, password management and "standard" connector sets). Therefore,
provisioning vendors seek to differentiate their product sets from those of competitors through
expanded IAM functionalities, such as:
Better integration with "adjacent" and relevant security technologies, such as security
information and event management (SIEM), data loss prevention (DLP), network access
control (NAC), and IT GRC management (GRCM) tools
Improved integration with other suite components or IAM offerings from other vendors
Large-scale user-provisioning projects remain complex, requiring experienced integrators and
skilled project management for the enterprise. Most provisioning implementations succeed or fail
based on these integrators and on the relationship between customers and vendors. Most IAM
vendors realize that penetrating midmarket accounts — for instance, small or midsize businesses
(SMBs) — requires simple deployments at the product level. While success rates for complex
and/or major user-provisioning initiatives are improving, "horror stories" related to "failed"
implementations or poorly integrated replacements still abound.
Key differentiators when selecting user-provisioning solutions include, but are not limited to:
Price, including flexibility of pricing for deployment, maintenance and support programs.
Global scope, depth, availability and extent of partnerships with consultants and system
integrators (SIs) to deliver the solution.
Consultant and SI performance, which remains vital to success. Also vital are the level
and extent of experience of industry segment vendors and integrators to deliver
successful projects.
Time to value.
The ability to deliver subsidiary services that are not available in the core product
through:
Integration with component IAM features (for example, common user experience
and reporting).
Strategy, road map and alignment with other product offerings, including strategies for
addressing future cloud-computing and software as a service (SaaS) architectures.
Prioritize the key issues to be resolved, and provide clarity to the project being
implemented.
Document the project scope thoroughly, and seek outside review where possible.
Choose the specific technologies required for the specific requirements — Do not allow
a project to expand scope without a documented rationale.
MAGIC QUADRANT
Market Overview
Market Growth
Most user-provisioning vendors reported revenue increases in 2009 to 2010, thereby indicating
continued growth in the market (see the Market Maturity section below). However, growth for user
provisioning is slowing. In "Forecast: Security Software Markets, Worldwide, 2009-2014, 2Q10
Update," Gartner Dataquest reported a compound annual growth rate (CAGR) of 4.4% for the
user-provisioning market. User provisioning is now an approximately $940 million market, and
should become a $1 billion market in 2010.
The global 2009 CAGR of 4.4% for user provisioning is down from 17.4% in 2008. The notable
decline in growth is for two reasons: (1) there are ripples from the recent economic downturn; and
(2) clients are realizing that they can pursue compliance initiatives via technologies that promise
shorter-term "wins" (such as IAI, privileged-account activity management [PAAM], and Active
Directory to Unix bridging). For now, enterprises are shifting spending to those areas.
Sun Microsystems is absent from the Magic Quadrant due to its acquisition by Oracle.
Sentillion was acquired by Microsoft and is now part of Microsoft Health Solutions
Group. Sentillion proVision and Microsoft Forefront Identity Manager are being rated as
separate products, because they are developed, marketed and sold as distinct products.
Many vendors in the Challengers, Niche Players and Visionaries quadrants are
beginning to "cluster" around the midpoint of the chart — a sign of overall market
maturity and commoditization of the core technologies being rated.
Microsoft made the most progress within the Challengers quadrant due to the release of
the long-awaited Forefront Identity Manager product, which improves the usability of its
BMC Software moved from the Challengers quadrant to the Niche Players quadrant,
primarily based on shifting internal priorities, which impact its go-to-market strategy. This
is reflected in an overall slowing of its growth.
Ilex was dropped from the study this year due to minimal market presence.
User Provisioning Is (in the Short Term) Giving Way to Other, Easier Projects
As discussed in the What You Need to Know section of this research, Gartner sees a subtle shift
in the IAM market. That leads us to offer the following Strategic Planning Assumption for both end
users and vendors:
Through 2013, notable identity and access management project failures will cause 50% of
all companies to shift their IAM efforts to intelligence rather than administration.
Without a more formal and effective approach to delivering IAM solutions, enterprises will
continue to experience challenges in delivery. More importantly, the shift away from IT needs for
efficiency of operations, to enterprise needs for accountability, transparency and reliability, is
taking place. The business is taking a much more active role in the use of identity management
for critical business processes. As such, demands are decidedly different — IAI will be
increasingly required by the business for auditing and general compliance needs, analytics,
forensics investigations, and risk assessments and evaluations. Administration concerns that
require elements of monitoring and control do not go away, but attention will now be shared with
new analytics results for the business.
The inherent length and complexity of user-provisioning programs, combined with implementation
"horror stories," is at the heart of a notable trend. Specifically, Gartner believes that organizations
facing compliance burdens are realizing that full provisioning implementations (while still
ultimately important and necessary for long-term compliance) can be postponed or
de-emphasized in the short term in favor of IAI solutions. The reasoning is as follows:
User provisioning performs update and control functions, not just analysis.
Administration projects are becoming mainstream, and vendors are supporting more
"out of the box" solutions.
Implementing IAI tools provides insight — but does not remove the long-term need for
more efficient and effective identity administration.
Other Key Trends for 2010
Role life cycle management, which defines, engineers, maintains and reports on
enterprise roles and rules as inputs to the provisioning process.
Total cost of ownership (TCO) and the time to value, which are of growing concern as
potential customers seek savings during times of economic uncertainty.
GRCM support, driven primarily by enterprise application providers (such as SAP and
Oracle) through ERP implementations, and by the need to support fine-grained
authorization as part of the user-provisioning process. There is also a desire to deliver
an overall IAM governance program that identifies and supports the role of user
provisioning, and links it to the information security policy and the establishment of
controls.
Developing a clear and compelling vision of the IAM program, "selling" that vision to key
stakeholders, and communicating project status and successes/issues throughout the
program (see "How to Use 'Visioneering' Principles to Drive a Successful Identity and
Access Management Program"). This will embrace far more than user-provisioning
implementation projects, of course.
Using a decision framework for planning IAM that includes identifying, prioritizing and
organizing key resources in the implementation process for user provisioning (see "A
Decision Framework for Initial Identity and Access Management Planning").
Selecting a proven program partner (that is, consultant or system integrator) to lead the
effort in a reasonable time frame — one that understands the business issues of user
provisioning and the technical implementation concerns required to be successful.
Addressing issues related to role life cycle management for effective user provisioning.
Although the user-provisioning market has matured and vendors from any of the quadrants could
potentially address customer needs, particular characteristics of a good candidate vendor still
exist:
Price and service: As the market continues to move to maturity, price differentiation
and pricing options become more important to the vendor as well as to the customer.
This pricing extends to preimplementation and postimplementation experience.
Solution selling vs. making it fit: A leading vendor will provide user provisioning as
part of a packaged solution that's tailored to the customer's stated requirements, rather
than forcing the customer's requirements to fit the product. The corollary of this is that
the customer must have a clear and comprehensive definition of requirements before
conducting any formal evaluation of specific tools. Although there must always be some
practical compromise, mature, best-in-class solutions are able to look more like the
customer's business requirements rather than a vendor's technical specifications.
Policy-driven or IT concerns regarding vendor lock-in (that is, a "monoculture" for IAM
solutions)
Customers that already have solutions for access management or "point" identity
management solutions from a vendor whose user-provisioning solution does not meet
requirements
Customers constrained by the number of vendors that they can choose, particularly for a
multitool IAM solution — of which user provisioning is one
A licensing or cost advantage achieved by owning products or using services from the
suite or portfolio vendor
IBM's marketing of and subsequent sunset of Tivoli Risk Manager. It was replaced via
the acquisition of Micromuse and Consul Risk Management.
CA, Novell and Siemens have all changed focus or strategies in the past. What does
this have to do with viability? It shows how invested the vendor is in the IAM strategy.
Customers really need to understand how IAM fits into the overall corporate strategy,
whether investments are self-serving or customer-driven, and how important it is to the
vendor's success.
This history shows there is no guarantee of viability at a vendor level or a product level. Gartner
believes some diversification may be a prudent course of action. In addition, customers should:
Market Definition/Description
Defining IAM
IAM is a set of processes and technologies to manage across multiple systems:
Authentication credentials — Typically for information system access, and then most
often just passwords, but sometimes for physical access control
Entitlements (for example, assigned via roles or groups or explicitly assigned to the user
ID at the target system level)
Managing group membership or role assignments, from which entitlements may flow
User profile attributes (for example, name, address, phone number, title and
department)
Reporting the roles assigned to each user and the entitlements that each user has
Role life cycle management: Regulatory compliance initiatives are directing IAM
efforts back to the drawing board for role development. The role becomes a very
important control point that enterprises need to manage in a life cycle manner — just as
they do an identity. Enterprises need the ability to automate processes to:
Manage formal and informal business-level roles for any view of the enterprise (for
example, location, department, country and functional responsibility), and to feed
user-provisioning products to ensure that the link is made between the business role
and associated IT roles.
Establish a process by which the development process for new roles in the
enterprise follows the same management process used for existing roles, and ties
those new roles to the automated role life cycle management solution.
Deliver a generic framework to address all role life cycle management needs. Most
user-provisioning vendors are partnering with role life cycle management vendors,
acquiring them or building that expertise with the user-provisioning solution.
Manage the role throughout its life cycle — role owner, role changes, role review,
role assignment, role retirement and role-based reporting options.
IAI audit reporting: Meeting the regulatory compliance requirements of reporting on
SOD, roles, "who has access to what," "who did what," and "who approved and
reviewed what" (referred to as "the attestation process" in auditing terms) for all IT
resources is complex and expensive in the heterogeneous IT infrastructure. Reporting
tools need to be in place to leverage the user-provisioning authoritative repository, and
all other repositories that are used for the authentication and authorization process to
produce reports on SOD, role, "who has access to what," and "who approved and
reviewed what," which include the entire enterprise's IT assets. In addition, centralized
event logs for all identity management activities — those from the user-provisioning and
access management products, as well as all systems where authentication and
authorization decisions are being made in real time — are needed to do a proper job of
reporting "who did what."
Increased attention was given to the vendor's role life cycle management vision, strategy
and road map — particularly in terms of IAI, compliance reporting and remediation.
We also increased attention on the IAI capabilities, their ease of use and their
"attractiveness" to end users (via relevant out-of-the-box reports, applicable dashboards
and so on).
Dominate sales and influence technology directions during the next one to two years.
Automated adds, changes and deletes of user IDs at the target system
They support user-provisioning capabilities for only one specific target system (for
example, Microsoft Windows and IBM iSeries).
They had minimal or negligible apparent market share among Gartner clients, or
currently available products.
They were not the original manufacturers of a user-provisioning product — This includes
value-added resellers (VARs) that repackage user-provisioning products (which would
qualify for their original manufacturers); other software vendors that sell IAM-related
products, but don't have user-provisioning products of their own; and external service
providers that provide managed services (for example, data center operations
outsourcing).
Added
No new vendors were added to this year's study.
Dropped
Ilex — Dropped due to minimal market share and minimal client mentions.
Sun Microsystems — Dropped due to its acquisition by Oracle (see "Oracle and Sun:
Managing IAM Under a Single Identity").
SailPoint is based in Austin, Texas, and serves the Global 1000, with customers that include
seven top-tier global banks, four of the world's largest property and casualty insurers, the largest
global telecommunications provider, two of the largest biotechnology manufacturers in the world,
and three of the top healthcare insurers. SailPoint originally entered the market as a technology
innovator, augmenting customers' existing provisioning systems in order to meet needs in role
and compliance management and identity governance. SailPoint now also sells an access
request-based user-provisioning solution that is a fully integrated component of the IdentityIQ
solution.
Evaluation Criteria
Ability to Execute
Gartner evaluates technology providers on the quality and efficacy of the processes, systems,
methods or procedures that enable IT provider performance to be competitive, efficient and
effective, and to positively impact revenue, retention and reputation. Ultimately, technology
providers are judged on their ability to capitalize on their vision and succeed doing so. For user
provisioning, the ability to execute hinges on key evaluation criteria:
Management of identities
Workflow — persistent state, nested workflows, subworkflows, templates of common
user-provisioning activities and change management
Connector management
Pricing
Market share
Additional purchases (for example, relational database management system, application
server and Web server)
Market Responsiveness and Track Record: This is the ability to respond, change direction, be
flexible and achieve competitive success as opportunities develop, competitors act, customer
Timing
Competitive replacements
Marketing Execution: This is the clarity, quality, creativity and efficacy of programs designed to
deliver the organization's message to influence the market, promote the brand and business,
increase awareness of the products, and establish a positive identification with the product or
brand and organization in buyers' minds. This "mind share" can be driven by a combination of
publicity, promotional, thought leadership, word-of-mouth and sales activities. Specific subcriteria
are:
Product development
Advertising planning
Sales Strategy: This is the strategy for selling products using the appropriate network of direct
and indirect sales, marketing, service, and communications affiliates that extend the scope and
depth of market reach, skills, expertise, technologies, services and the customer base. Specific
subcriteria are:
Business development
Product themes
Service-oriented provisioning
Geographic Strategy: This is the technology provider's strategy to direct resources, skills and
offerings to meet the specific needs of geographies outside the "home" or native geography,
directly or through partners, channels and subsidiaries, as appropriate for that geography and
market. Specific subcriteria are:
Home market
International distribution
Leaders
Leaders are high-momentum vendors (based on sales, world presence and mind share growth),
and they have evident track records in user provisioning across most, if not all, market segments.
Business investments position them well for the future. Leaders demonstrate balanced progress
and effort in the Execution and Vision categories. Their actions raise the competitive bar for all
products in the market. They can and often do change the course of the industry.
Leaders should not be the default choice for every buyer; rather, clients are warned not to
assume that they should buy only from the Leaders quadrant. Leaders may not necessarily offer
the best products for every customer project, and may even prove to have a higher TCO than
some nonleading vendors. Leaders provide solutions that offer relatively lower risk, and provide
effective integration with their own solutions as well as with competitors' solutions. Every vendor
Challengers
Challengers have solid, reliable products that address the needs of the user-provisioning market,
with strong sales, visibility and clout that add up to execution higher than that of Niche Players.
Challengers are good at winning contracts, but they do so by competing on basic functions or
geographic presence, rather than specifically on advanced features. Challengers are efficient and
expedient choices for more-focused access problems, or for logical partnerships. Many clients
consider Challengers to be good alternatives to Niche Players or, occasionally, even Leaders,
depending on the specific geography or industry. Challengers are not second-place vendors to
Leaders and should not be considered as such in evaluations.
Challengers in this Magic Quadrant all have strong product capabilities, but often have fewer
production deployments than Leaders do. Business models vary, as do overall product strength
and breadth, marketing strategy, and business partnerships. This has kept some Challengers
from moving into the Leaders quadrant.
Visionaries
Visionaries are distinguished by technical and/or product innovation, but have not yet achieved a
record of execution in the user-provisioning market to give them the high visibility of Leaders, or
they lack the corporate resources of Challengers. Buyers should be wary of a strategic reliance
on these vendors, and should closely monitor these vendors' viability. Given the maturity of this
market, Visionaries represent good acquisition candidates. Challengers that may have neglected
technology innovation and/or vendors in related markets are likely buyers of Visionary vendors.
As such, these vendors represent a higher risk of business disruption.
Visionaries invest in the leading-edge features that will be significant in the next generation of
products, and that will give buyers early access to improved security and management.
Visionaries can affect the course of technological developments in the market, but they lack the
execution influence to outmaneuver Challengers and Leaders. Clients pick Visionaries for
best-of-breed features, and in the case of small vendors, they may enjoy more personal attention.
Niche Players
Niche Players offer viable, dependable solutions that meet the needs of buyers, especially in a
particular industry, platform focus or geographic region. However, they sometimes lack the
comprehensive features of Leaders, or the market presence and/or resources of Challengers.
Niche Players are less likely to appear on shortlists, but they fare well when given a chance.
Although they generally lack the clout to change the course of the market, they should not be
regarded as merely following the Leaders.
Niche Players may address subsets of the overall market, and often do so more efficiently than
Leaders. Clients tend to pick Niche Players when stability and focus on a few important functions
and features are more important than a "wide and long" road map. Customers that are aligned
with the focus of Niche Players often find their offerings to be "best of need" solutions.
Strengths
Avatier demonstrates consistent execution on its innovative vision and significant
customer wins and satisfaction.
Avatier's roots are in password management, where it has traditionally picked up many
small and midsize enterprise customers; however, it also has a number of successful
large enterprise implementations and notable brand-name customers.
Avatier is directory-agnostic for its identity repository and supports multiple databases
for logging and other identity object storage.
Avatier's technology and subfunctions (such as its password policies) are developed
with service-oriented architecture (SOA) in mind, and can be accessed through Web
services. The client front end and target connectors also support SOA.
Avatier's deployment ratio is very good, estimated at 1-to-0.33, where for every $1 spent
on licensing, only $0.33 is spent on deployment.
Cautions
Avatier competes against large IAM suite vendors, such as Oracle and IBM Tivoli, and
has difficulty gaining the attention of decision makers at larger enterprises, where larger
competitors enjoy more access and exposure. As a pure-play provider, Avatier must
partner with a shrinking number of partners to provide suite-style solutions to clients who
want them.
Avatier's innovative approach of hiding IAM complexity (for example, its "shopping cart"
models for entitlements) doesn't always appeal to traditional "old school" technologists.
Beta Systems
SAM Enterprise Identity Manager v.1.1 (October 2009)
Strengths
SAM Enterprise's new interface for workflow creation focuses on simplifying IAM
concepts and process development for business users.
Beta Systems offers an entry package with fixed project prices for a defined function set.
SAM Enterprise is now platform-independent and supports multiple databases for its
identity repository and for the storage of other IAM-related data and objects.
Beta Systems showed early strength in the banking and financial services sector and is
attempting to expand in other industries. The new SAM Enterprise leverages mature
role-based design via its built-in role life cycle management support for unlimited role
hierarchies, dynamic roles, SOD and role mining.
Cautions
Customer growth due to organizational and road map changes from 2007 to 2009 was
marginal, with a temporary drop in 2008 revenue.
Audit and reporting analytics and presentation capabilities lag those of competitor
offerings.
Beta Systems' customer base remains 78% concentrated in Europe. North American
market presence remains small (approximately 22%). Beta Systems is attempting to
expand its U.S. market share and expand into Latin America.
Current customers have complained about the quality and thoroughness of Beta
Systems' documentation; this is being addressed via documentation updates.
BMC Software
BMC Identity Management Suite — BMC User Administration and Provisioning v.5.5 (December
2009)
BMC Software is a long-standing IAM provider, still with significant market share dating back
more than a decade with the original Control-SA product. BMC is one of the first companies to
have recognized and leveraged the value of process-centric IAM (user provisioning).
Strengths
BMC's Service Request Management module can be used as provisioning workflow by
customers, as an option to BMC Identity Management Suite's User Administration and
Provisioning workflow.
Integration with BMC's Business Service Management (BSM) offering gives BMC's
provisioning product some unique capabilities in the areas of self-service, help desk,
change management and asset management.
Cautions
BMC sells its user-provisioning solution as part of its BSM solution. There is reduced
marketing to audiences with specific IAM needs.
BMC's revenue from IAM has declined by nearly 20% from 2008 to 2009. This is likely
due to the change in IAM focus and active marketing of IAM. Customer concerns include
better user interfaces, slow response to support questions and inconsistent
postdeployment support.
CA Technologies
CA Identity Manager v.12.5 SP1, CA Role & Compliance Manager v.12.5 SP1, CA Enterprise Log
Manager v.12.5 SP1 (March 2010)
CA Technologies demonstrates customer momentum, a commitment to a role life cycle and
compliance management strategy (as evidenced by its Eurekify and IDFocus acquisitions, and
integration of these with CA Identity Manager), and audit and compliance reporting. CA Identity
Manager and CA Role & Compliance Manager are integral to CA's broader content-aware
IAM strategy and to delivering identity management to, for and from the cloud. CA Identity Manager
is based on IdentityMinder (from 2002) and eTrust Admin (from 2000), and has a long heritage in
the IAM business. Acquisitions and significant internal investment have accounted for expanded
capabilities, and CA continues to successfully pursue this strategy to fill out its IAM portfolio.
CA plays an active role in international identity and security standards (technical and
process-centric) for user provisioning.
CA Technologies has a cohesive and aggressive marketing, sales and integrator strategy. Major
integration and consulting partners include Deloitte, PricewaterhouseCoopers and Accenture.
Mycroft, Logic Trends, Northrop Grumman and Telecom Italia are key VARs.
Cautions
Administrative interfaces for CA's IAM products are well-suited to IT end users; however,
the overall richness of the interfaces for business-focused end users (such as those who
may be performing attestation and certification duties) is still maturing.
CA all but ignores the SMB market. While it actively markets to or solicits SMBs, feature
set messaging and support structures are generally tailored to larger accounts.
CA still needs to refine better presales scoping for fit, postsales implementation and
troubleshooting. Recent steps in CA's rapid deployment project strategy are showing
good signs that it is addressing postsales deployment issues.
Courion
Courion Access Assurance Suite v.8.0 (as of December 2009) — Courion AccountCourier,
RoleCourier, PasswordCourier, ComplianceCourier and CertificateCourier
Courion is the only pure-play IAM vendor in the Leaders quadrant. It continues to innovate and
grow, in spite of challenging economic conditions. Courion focuses on simplicity and enabling
business users. It consistently performs well in proofs of concept compared with larger IAM
players.
Courion's focus is on simplifying IAM and making it more business-friendly through its "access
assurance" messaging and the increasing number of IAI products and integration options that it
offers.
Strengths
Courion has a fixed-cost implementation strategy. It requires rigorous preproject scoping
and customer interaction, and Courion's track record is good.
Courion is innovating the provisioning connector market. Its fixed price per connector is
comparatively low, and it charges the same price for new custom connectors as it does
for already existing connectors.
Courion products are built with extensibility in mind, and they work well in complex,
heterogeneous environments.
Cautions
Courion's competitors continue to improve by adding many features similar to Courion's.
The competition is always a step or two behind, and maintaining innovation pace and
consistency in an increasingly commoditizing market will be challenging.
Courion still faces name recognition issues. Other larger and formative brand names
immediately come to mind when customers begin their IAM product searches. As such,
Courion may be inadvertently overlooked in an organization's RFI and/or RFP process.
Courion lacks the global reach of major competitors in terms of marketing, sales and
support, and it is increasingly dependent on a network of predeployment and
postdeployment partners outside of North America. Increased sales mean that Courion
will need to transfer its best-in-class planning and deployment skills to those partners.
Evidian
Evidian Identity & Access Manager (June 2010)
Based in France, Evidian has long been a respected provisioning vendor in Europe. With the
most recent release of its solution, version 9, in June 2010, Evidian introduces a major update in
terms of functionalities, packaging and deliveries. However, it remains compatible with its legacy
solution, which is a decade old. Evidian also offers a Web access management solution as part of
a broader IAM portfolio.
Strengths
Evidian is a serious regional player within European markets, where its name
recognition has greatly improved in the past few years.
Evidian provides most of the key functions expected of user provisioning, and has
particular strengths in the simplicity of deployment and good reporting features.
Evidian is committed to role life cycle management, moving from needing a third-party
vendor to supply role-mining functionality, to now offering it within the Evidian Policy
Manager product.
Evidian uses its access management solutions as a primary means of introducing user
provisioning to the enterprise.
Cautions
For access reconciliation, Evidian Identity & Access Manager doesn't yet leverage the
core provisioning application's workflow as much as it could; future releases are
expected to address this.
Many features that customers expect in audit and compliance reporting systems are not
yet available; however, they are slated for release in 2011.
Evidian is having difficulty acquiring market share in North America, which fell from 12%
in 2008 to 11% in 2009.
Password management functionality is basic when used independently from the access
management solutions.
Fischer International
Fischer Identity v.4.1 (January 2010) — Fischer Role & Account Management, Automated Role &
Account Management
Fischer International remains in the Visionaries quadrant primarily due to its innovation as a
managed IAM service provider, and as an "IAM as a service" (IaaS) delivery model through
partners in the SaaS and cloud-computing markets. The company has a scalable, multitenant,
service-based architecture to enable SaaS and hosting by itself and its service provider partners
in addition to on-premises delivery. Fischer has been a visionary in cloud-based IAM architecture
for several years. As such, it has even placed a trademark on the phrase "Identity as a Service."
Fischer's technical architecture is a small-footprint, Java-based SOA framework that produces
rapid, configurable delivery. Fischer's customer base is small, and growth has been slow.
However, it has been growing in both cloud-based and on-premises deployments due to a
refocused sales strategy and increased marketing investments. Fischer has also expanded
outside North America by signing global and Europe-based providers and resellers.
Strengths
Fischer permits service providers (and enterprises) to offer user provisioning as a
service in several delivery models — on-premises, remotely managed, hosted and
cloud-based (SaaS) — including highly customized enterprise deployments.
Fischer delivers a simple cross-domain framework. It also provides nonstop support for
operations, fault tolerance, high-privilege account management and connector
management. The company has strong support for cross-industry standards, which has
resulted in interoperability across systems.
Fischer's customers consistently remark on: (1) Fischer's "ownership" of the success of
the project; and (2) the overall smoothness and swiftness of the implementation.
Fischer's cost model is created to be easily understood by current and potential clients.
For example, with the exception of custom connectors for homegrown applications, all
existing and new "custom" connectors are free (included in the overall product cost).
Customers like Fischer's adherence to open standards for heterogeneous platform and
application support, its flexibility of workflow development, and its support
responsiveness.
Cautions
Fischer's audit and reporting features are basic when compared with more-robust
dashboards and GRC-focused interfaces offered by other vendors. Currently, all
reporting data is stored in a database for retrieval, using auditor-recommended standard
reports as well as custom reports.
Fischer has limited out-of-the-box connectors, although most major systems are
represented. However, the solution allows new connectors to be constructed and
deployed at no cost to the client organization.
As the cloud-based model becomes more compelling and accepted, large vendors (such
as Oracle and IBM) will increasingly focus on SaaS models for identity management.
Fischer, like all small innovative vendors, risks being overtaken by those competitors.
Fischer is a small company. Its success depends on its partner network for visibility and
support, and on the ability of its product to continue to deliver satisfactorily for those
partners.
Hitachi ID Systems
Hitachi ID Identity Manager v.6.1.2 (February 2010), Hitachi ID Password Manager v.6.4.9 (June
2010)
In early 2008, Hitachi ID Systems acquired M-Tech Information Technology, a Canada-based,
privately owned IAM company founded in 1992. M-Tech was well-known first for its P-Synch
password management offering. M-Tech expanded into user provisioning, as well as other "point"
IAM products and compliance products over subsequent years.
Hitachi ID Identity Manager v.6.0 was a major rewrite, with a new back-end and automation
engine. The result is a substantially different product that doesn't sacrifice existing client upgrade
plans.
Hitachi ID Identity Manager performs general identity management tasks (that is, provisioning,
synchronization and deprovisioning), extending self-service access requests to business users. It
Strengths
Hitachi ID has reseller relationships with providers such as CompuCom Systems, Insight
Enterprises and IBM Global Services. It has close active partnerships with HP, CSC and
BMC Software, providing Hitachi ID channels and bandwidth for global reach for sales
and implementation.
Key product strengths include: (1) It has many built-in components, including request
screens, access certification, authorization processes, and autodiscovery of IDs and
entitlements; (2) the base price includes all connectors and unlimited servers; (3) user
adoption is aided by a managed enrollment system and accessibility from Web
browsers, PC login screens and phones; and (4) it has multiple policy enforcement
engines, including SOD detection and prevention and role-based access control (RBAC)
enforcement with controlled scope. The identity repository is SQL-based, normalized
and replicated across servers.
Hitachi ID's sales and support staff undergoes an extremely rigorous training period,
thereby making its technical savvy and customer support record differentiators.
Hitachi ID has one of the lowest ratios of product cost to deployment cost (at about
1-to-1). Like a few other competitors, Hitachi ID also offers fixed-cost implementations. This
strategy leads to better preproject scoping and increased customer confidence.
Cautions
Even though Hitachi is a global brand, and M-Tech was recognized for solid password
management and provisioning solutions, Hitachi ID is still somewhat unknown.
Hitachi ID customers express concerns over the user interface, the need to use a
proprietary scripting language to accomplish customization, and a lack of robust
audit-reporting functions. Some of these concerns have been addressed in the current version
(6.1.3), and other versions are due for improvement in 2011.
IBM Tivoli
IBM Tivoli Identity Manager (IBM TIM) v.5.1 (June 2009)
Strengths
IBM TIM supports major platform environments for deployment, including the mainframe
(Linux on IBM System z).
Provisioning and approval workflow technologies are rich, with extensive connector
libraries. IBM Tivoli Directory Integrator, a development kit for unique connectors, is also
included with the product. Password management functions and delegated
administration are competitive. The base product includes full runtime versions of DB2,
WebSphere Application Server and IBM Directory Server. Also included are 20
infrastructure (database, mail, OS and network) adapters (connectors).
Policy simulation features in IBM TIM help users simulate role and/or provisioning policy
scenarios to determine their effects on production environments before deployment.
Operational role management capabilities are embedded in the core IBM TIM product,
including recertification (attestation), SOD checks, and hierarchical role provisioning for
extended role management functions such as role modeling and approval. IBM has
partnerships with several third-party role management vendors to help mine and model
roles. Examples of partner offerings that are integrated and certified with IBM TIM
include Aveksa, SailPoint and SecurIT. IBM also has integrations with Approva and SAP
NetWeaver for ERP SOD checking.
Cautions
IBM lags in role analytics and mining, trailing every other IAM vendor in the Leaders
quadrant. At the time of this writing, IBM is addressing this by providing its customers an
early technology preview tool called the "Role Modeling Assistant," while the
production-ready capability is under development.
IBM Tivoli's ability to address complex IAM issues for clients is challenged by its
complexity of solution offerings, despite early indications of improvements in IBM TIM
v.5.1.
IBM would do well to better understand customers' specific requirements and to help
customers better shape their vision and goals for IAM during the sales and
implementation cycle in order to focus deployment efforts and improve time to value for
customers.
Customers remain concerned about the complexity of the product in configuration and
deployment, the intensive prework that's necessary to accurately map workflows to
business processes, and the effects of version releases on established deployments.
Microsoft
Microsoft Forefront Identity Manager (FIM) 2010 (April 2010)
Microsoft released a long-awaited new version of its IAM offering in April 2010. It also rebranded
the offering. Instead of Identity Lifecycle Manager (ILM), the company has incorporated the
offering as part of its Forefront brand and has labeled the new solution as Forefront Identity
Manager. FIM has several updates to ILM that have improved the overall function of the offering.
Strengths
Microsoft has added an improved password and credential functionality for FIM,
resulting in a better delegation and reset ability, and bringing up the function set to
industry par.
Microsoft's use of SharePoint, Exchange and SQL Server provides a means for business
users to directly participate in FIM through the use of existing collaboration and office
tools.
New workflow functions based on the work Microsoft is doing in the Windows Workflow
Foundation (WWF) allow improved options for automating specific IAM processes.
Windows Server 2008 has added Active Directory Federation Services (AD FS) 2.0 as
an update, providing improved and expanded functionality in federation, including
expanded support for industry standards in federation, such as SAML. While not part of
FIM, this can be used with FIM in combined access and provisioning deployments.
Some new connector options are offered to improve heterogeneous support for
synchronization and joining.
Cautions
Pricing for FIM has changed somewhat to a per-server and per-user client access
license (CAL) basis, potentially resulting in increased costs for the customer based on
need. If a customer is using the FIM synchronization service only to synchronize identity
information or to provision users, then CALs are not required. However, if users take
advantage of any of the new FIM management tools and technologies, then CALs are
required to provision and manage them. So, similar to ILM, if customers use it only for
synchronization, no CAL charge is triggered.
Novell
Novell Identity Manager Roles Based Provisioning Module v.3.7, password self-service for
Identity Manager v.3.7, Designer for Novell Identity Manager v.3.7, Novell Sentinel v.7 (February
2010); Novell Identity Audit v.1.0 (October 2008), Novell Access Governance Suite v.3.6.2 (May
2009)
Novell is a solid technology innovator. Its IAM portfolio of products is well-respected by industry
experts, technology professionals, long-standing customers and enterprise users seeking a
complete solution for provisioning. Significant new customer wins, such as Verizon's cloud-based
security solution, and Novell's strategic partnership with VMware, further illustrate Novell's
innovation by moving into cloud-computing and IAM-as-a-service markets.
Novell continues to improve in the Leaders quadrant. Although Novell's IAM sales declined
overall in 2009, primarily due to the economy and organizational changes, Novell continues to
succeed via:
Novell's market share within the financial services and government verticals has
improved due to an improved compliance management functionality.
Novell customers like the tight integration of the product for different provisioning
functions, designer capabilities for configuration, and the deployed solution's ease of use
and functionality.
Cautions
Novell continues to battle a negative market perception; this is Novell's biggest enemy in
2010.
More often than not, all vendors are evaluated not solely on the merits of their solutions
but also on vendors' wallet share with a customer or their executive relationships.
Customers who understand the value of Novell's technology leadership need to fight for
the inclusion of Novell as a viable vendor for it to be considered. An effective way to do
this is to request a proof of concept at the outset.
Customers wish for a simpler licensing structure. Novell will address this issue with the
upcoming Identity Manager release 4 due in the fourth quarter of 2010.
Novell does not have the same financial resources, partner network or visibility as its
larger competitors do, and is at a disadvantage in new-customer acquisition as a result.
Omada
Omada Identity Suite (OIS) v.7 (March 2010)
Omada addresses compliance-centric user-provisioning needs based on Microsoft technologies,
resulting in enterprise solutions that can manage advanced business scenarios across
heterogeneous environments. It has a strategic partnership with Microsoft to extend Microsoft
Forefront Identity Manager 2010 (and the older ILM 2007) capabilities for customers. Omada has
a long history with SAP and recently enhanced its SAP integration capabilities such as integrating
into SAP BusinessObjects GRC. Omada is also focused on providing business-centric GRC
management solutions. This demonstrates its business-focused market approach and its ability to
provide products and services that are not purely based on its Microsoft relationship. Omada has
recently taken steps to enhance its attestation and recertification offering with high-end risk
management capabilities, such as risk assessment surveys.
Omada has system integration and reseller partnerships that include Logica, Traxion and
Avanade. A major part of Omada's staff is dedicated to consulting, integration and support.
Solution support is offered directly to the customer or via partners.
Strengths
Omada is uniquely positioned to provide compliance modules for Microsoft Forefront
Identity Manager, such as attestation, role life cycle management and compliance
reporting.
Omada's pricing for OIS is competitive, reflecting lower-cost alternatives to larger
user-provisioning offerings via Microsoft's "embedded" components in the enterprise (for
example, Active Directory and SQL Server).
Customers like the emphasis on Microsoft IAM architecture, the expanded reporting
functionality for SharePoint, workflow improvements and good
preimplementation/postimplementation support.
Cautions
Omada uses Microsoft Forefront Identity Manager 2010 (and, for legacy customers, ILM
2007) as its foundation for delivering its functionality, thus underscoring Omada's
dependence on Microsoft's IAM direction.
While Omada does augment the functionality offered from Microsoft, it still does not
have the ability to offer role mining. Customers who desire that functionality will need to
integrate with another vendor, or wait until Omada realizes its plan to deliver role mining.
Omada's market penetration into North America and other non-European regions
continued to grow significantly in 2009, but at a slower rate than in 2008. More global
customers are needed before Omada can be considered a major contender in the IAM
marketplace. Early trends in its 2010 numbers indicate some growth in North America.
Oracle
Oracle Identity and Access Management Suite and Oracle Identity Manager v.9.1.0.2 BP10
(January 2010)
Oracle is the leader in this Magic Quadrant. It continues to execute on its vision of an integrated
and scalable IAM suite.
Strengths
Risk-based user self-service decision making is possible through application
programming interface integration with identity-proofing services. Oracle Identity
Manager can integrate with proofing services by native API integration or when
codeployed with Oracle Adaptive Access Manager.
Oracle's database back end, the identity repository, is scalable and proven.
Oracle's access at all enterprise levels (business to IT) is pervasive. The company uses
that access for cross-selling opportunities with IAM. Aggressive sales and marketing
strategies have resulted in a new-customer acquisition that is several times the rate of
the general provisioning market. Oracle has comprehensive training for its network of
global integration partners. These partners (system integrators, VARs and technical
partners) include Deloitte, Accenture, KPMG, PricewaterhouseCoopers and Wipro, as
well as Oracle's consultancy and services in user provisioning.
Oracle possesses a portfolio and a matching vision for IAM, including user provisioning.
The message has moved from an earlier strategy of "application-centric" provisioning,
which addresses provisioning, workflow and reporting needs for a multiapplication
environment, to including a "service-centric" view of IAM. Customers like Oracle's
aggressive IAM road map, access to Oracle's development teams for changes,
configurability during deployments, workflow and provisioning engine capabilities.
Cautions
Oracle's SIEM and compliance/audit integration and reporting are less mature than
those of competitors IBM Tivoli and Novell. The introduction of Oracle Identity Analytics,
while positive, is still not competitive with leading vendors in this area.
IAM-related reporting is accomplished via Oracle BI Publisher. While capable and
full-featured, it can produce overly complex IAM reports.
Quest Software
Quest ActiveRoles Server 6.5.0 (November 2009)
The most significant change Quest Software has made this year to its IAM solution ActiveRoles is
the acquisition in July of the German IAM provider Voelcker Informatik. Voelcker's ActiveEntry
solution provides Quest with extended functionality into the role management and IAI
management markets. Several feature updates to ActiveRoles have also occurred during this
period (see "Quest Software Acquires Voelcker Informatik: Standardizing Customization for
IAM").
Strengths
Quest's acquisition of Voelcker ActiveEntry signals a more aggressive move to engage
competitors and improve both the geographic reach and functionality of its offerings.
Cautions
Quest still has some issues with name recognition as a viable IAM competitor, especially
beyond the Microsoft Windows-centric customer population. This is starting to change,
but is still evident.
Quest connector options for IAM synchronization and joining of applications and
repositories are rudimentary.
The combined Quest-Voelcker offering has some concerns to resolve about overlapping
functionality for both new and existing customers.
SAP
SAP NetWeaver Identity Management v.7.1 (June 2009)
SAP is a global leader in business management software. It enjoys strong name recognition and
is deployed widely in many of the world's largest organizations.
SAP has been in the provisioning market for a relatively short amount of time; its acquisition of
MaXware in 2007 serves as a formal kickoff of SAP's IAM strategy to integrate IAM deeply into
the SAP ecosystem. SAP has been consistently making progress toward that goal, and due to the
out-of-the-box SAP integration possibilities, there are definite benefits to choosing SAP
NetWeaver in order to manage identities in SAP-centric environments.
Identity Provider for Web-based SSO and identity federation via SAML 2.0
Implementation projects at customer premises can be led by either SAP consultants or a
selection of solution integrators.
Strengths
The Identity Services framework of SAP delivers a virtual directory technology and
virtualization of target systems as part of connector management, and reflects a
well-structured, application-driven approach to provisioning.
SAP bundles Identity Provider with SAP NetWeaver Identity Management to allow for
Web-based SSO and identity federation via SAML 2.0. Identity Provider comes at no
additional cost.
SAP customers like the rapid implementation and customization capabilities of the
product, the basic role life cycle management integration with provisioning, the deep
integration with other SAP products via predefined scenarios, and the virtual directory
functionality.
Cautions
SAP's road map for user provisioning is targeted specifically at established SAP
customers, and is primarily for SAP application portfolio and integration needs. While
SAP customers may find this differentiating from other vendors, non-SAP customers will
not.
Sentillion (Microsoft)
Sentillion proVision v.3.5 (May 2010), proVision BridgeBuilder v.3.01 (May 2009)
Sentillion is solely focused on meeting the identity management needs of healthcare entities,
where it is a recognized brand name. Consistent innovation in healthcare provisioning needs,
continued customer growth and increasing name recognition within healthcare make Sentillion
the vendor to beat within the healthcare market.
Sentillion's strategy for user provisioning in a specialized, complex industry is built on the concept
of "purpose-built" healthcare, and addresses role-based and fine-grained provisioning. Although
many customers may be classified as SMBs by their user count, the complexity of healthcare role
environments ensures that planning and implementation remain challenging. Sentillion delivers
focused consulting and integration services, and has some integration partners to address these
challenges (CTG HealthCare Solutions, Vitalize Consulting Solutions and Logic Trends in North
America; E.Novation and VisionWare in Europe).
Sentillion leverages Active Directory as the identity repository to streamline the infrastructure
required to deploy its product.
At the end of 2009, Microsoft announced an intent to purchase Sentillion to combine the Sentillion
product line with its Amalga Unified Intelligence System (UIS) offering. The acquisition closed in
early 2010, and now Sentillion functions as part of the Microsoft Health Solutions Group.
Understandably, the Microsoft acquisition is a source of both excitement and uncertainty for
customers of each company (see "Sentillion Deal Will Bolster Microsoft's Healthcare Solutions").
Currently, Microsoft's intent is to keep the development of Sentillion and the Microsoft Forefront
Identity Manager solution separate. Sentillion will continue to focus on building solutions on its
own platform to meet the needs of the healthcare industry, and FIM will be Microsoft's premier
IAM solution. However, synergy between the two product lines is undeniable, and there will likely
be at least some sharing of knowledge and code logic between the two teams so that each can
more rapidly expand support to new systems.
Strengths
Sentillion has a fixed fee for implementation services so that customers know the
associated costs upfront. The fixed fee implementation is approximately a 1-to-1 ratio of
software to services, which is among the lowest of the provisioning vendors.
Because of Sentillion's healthcare focus, it provides more out-of-the-box connector (that
is, "bridge" in Sentillion's nomenclature) support to healthcare-industry-specific systems
(for example, McKesson-Horizon, GE Healthcare and ChartMaxx products) than most of
its competitors do. In addition, Sentillion's industry focus gives it a strategic advantage
over its competition in areas where healthcare-specific industry policy, terminology or
use cases dominate the project or program needs.
Cautions
Focusing only on healthcare comes with a price — whether it is support for features or
standards. Sentillion is driven by its customers, and the product is a custom solution for
the healthcare industry. This concern will be mitigated if or when there is knowledge
sharing between the Sentillion and Microsoft FIM teams.
Several other vendors (large and small) are beginning to focus their sights on the
healthcare market. As these vendors win healthcare accounts, they are able to develop
and commoditize healthcare-focused provisioning connectors, reports and other related
solutions — thus eating away at Sentillion's competitive advantage. At this point, it is
unclear what Microsoft has planned to alleviate that threat.
Role life cycle management and GRC capabilities remain limited, although Sentillion's
capability is generally "good enough" for many customers. However, given the highly
regulated industry that it targets, coupled with the increasing general market demand for
role management and GRC-focused solutions, we expect that Sentillion will continue
innovation in this area as needed.
Siemens
Siemens DirX Identity Business Suite v.8.1B (January 2010), DirX Identity Pro Suite v.8.1B
(January 2010), DirX Audit v.2.0B (April 2010)
Siemens, with its business division Siemens IT Solutions and Services, is a long-standing and
well-respected IAM vendor based in Germany. It has a solid IAM solution and has consistently
demonstrated the ability to attract and acquire new customers. The Siemens DirX suite includes
Audit, Identity (provisioning and account management), Access, Directory and Biometrics product
lines.
Strengths
Siemens is one of the world's largest multinational companies in energy, healthcare,
communications and other industries, and it has significant resources available for IAM
product development, management and delivery.
Siemens' primary focus is on selling to its own customer base (which is large enough to
sustain steady growth of IAM sales). Siemens' DirX product line is worthy of
consideration in many circumstances, and Siemens will frequently win "net new"
accounts based solely on its IAM technology. However, more-aggressive sales and
marketing to non-Siemens customers are warranted.
Voelcker Informatik
Voelcker ActiveEntry 4.1 (February 2010)
Voelcker is a Berlin-based IAM provider that slowly built a reputation in Germany and Austria
during the past 13 years for a flexible service management and automation platform delivering
IAM functionality. In 2009 to 2010, the company enjoyed significant expansion, and in July 2010,
it was acquired by U.S.-based Quest Software (see "Quest Software Acquires Voelcker
Informatik: Standardizing Customization for IAM").
Strengths
Voelcker's ActiveEntry represents an advanced view of IAM as a customizable set of
service management and automation components, together with an advanced IAI
solution, resulting in a less painful deployment experience when compared with
competitor offerings.
Cautions
Until the Quest acquisition, Voelcker's name recognition and marketing remained
minimal, resulting in a slow but substantial growth rate.
ActiveEntry does not include a connector set in the same manner as competitors do.
ActiveEntry contains connectors for Active Directory, Exchange, SharePoint, Lotus
Notes, LDAP, SAP and FIM. It contains a "no coding required" wizard to build
connectors for XML-based protocols, as well as the ability to integrate with any
connector architecture.
ActiveEntry will undergo some changes in focus and direction due to its coexistence with
Quest's existing ActiveRoles offering.