Magic Quadrant for Identity and Access Management as a Service
Published: 2 June 2014
Analyst(s): Gregg Kreizman
The IDaaS market is still in its early days. Vendors come from distinctly different backgrounds, and there are significant variances among providers with regard to IAM functional depth and support provided for different use cases. Niche vendors may be the best for your needs.
Strategic Planning Assumption
By the end of 2017, 20% of IAM purchases will use the IDaaS delivery model, up from less than 10% in 2014.
Market Definition/Description
A vendor in the identity and access management as a service (IDaaS) market delivers a predominantly cloud-based service, in a multitenant or dedicated and hosted delivery model, that brokers core identity governance and administration, access and intelligence functions to target systems on customers' premises and in the cloud.
This Magic Quadrant rates vendors on their ability to be global, general-purpose identity and access management (IAM) service providers for multiple use cases. The vendors in this Magic Quadrant must provide some level of functionality in all of the following IAM functional areas.
■ Identity governance and administration (IGA): At minimum, the vendor's service is able to automate synchronization (adds, changes and deletions) of identities held by the service or obtained from customers' identity repositories to target applications and other repositories. The vendor must also provide a way for customers' administrators to administer identities directly through an IDaaS administrative interface. Vendors may also offer deeper functionality, such as identity life cycle processes, automated provisioning of accounts among heterogeneous systems, access requests (including self-service) and governance over user access to critical systems via workflows for policy enforcement, as well as for access certification processes. Additional capabilities may include role management, role and entitlements mining, identity analytics, and reporting.
■ Access: Access includes user authentication, single sign-on (SSO) and authorization enforcement. At a minimum, the vendor provides authentication and SSO to target applications using Web proxies and federation standards. Vendors may also offer ways to vault and replay passwords to get to SSO when federation standards are not supported by the applications.
■ Intelligence: At a minimum, intelligence means that the vendor logs IGA and access events, makes that log data available to customers for their own analysis, and also provides customers with a reporting capability to answer the questions, "Who has been granted access to which target systems and when?" and "Who has accessed those target systems and when?"
Page 2 of 34 Gartner, Inc. | G00260221
Magic Quadrant
Figure 1. Magic Quadrant for Identity and Access Management as a Service
Source: Gartner (June 2014)
Vendor Strengths and Cautions
CA Technologies delivers IDaaS under its CloudMinder brand. CA Technologies entered the IDaaS market when it acquired Arcot Systems in 2010. CloudMinder includes Web application SSO, adaptive authentication and identity administration. The service supports user provisioning to cloud and on-premises systems, including legacy applications. Self-service requests, approval workflows and delegated administration are all supported. The services architecture can be delivered completely from the cloud or in a hybrid model. CA has global regional partners that deliver their own branded version of IDaaS that is underpinned by CA CloudMinder. CA Technologies is also covered in IGA, user authentication and Web access management (WAM) Magic Quadrants and MarketScopes.
Strengths
■ CloudMinder Identity provides greater functional depth for user administration than Web-centric providers. Solid delegated administration and provisioning workflows are provided.
■ The Advanced Authentication service provides adaptive authentication options, and includes functions such as device fingerprinting.
■ CA's partnership programs are significant, and they will leverage global partners to support broad industry and geographic market penetration.
■ CA's extensive product and service portfolio, sales and support channels favor the company in the Overall Viability criterion.
■ CA's portfolio of IAM software and IDaaS can be combined for complex functionality and use case support, and CA has a broad set of user provisioning connectors to leverage for cloud and legacy application support.
Cautions
■ CA moved slowly toward providing IDaaS, and had a late start in the market relative to competitors that are newer to the broader IAM market. Its customer acquisition is behind that of major competitors, but CA has made decent customer gains in the past nine months.
■ CA's offering is geared toward large customers; smaller businesses will likely seek alternatives.
■ The service does not yet support password vaulting and forwarding for SSO for target systems that do not support federation standards. This feature is road-mapped.
■ The platform lacks language internationalization, and the interfaces are provided in English only.
Centrify entered the IDaaS market in late 2012. Centrify sells IDaaS as part of its User Suite offering that includes mobile device and application management. The IDaaS portion of the offering provides Web application SSO using federation standards or password vaulting and forwarding. User provisioning is provided for Microsoft Office 365, and other provisioning connectors are road-mapped. The integrated Centrify for Mobile capabilities provide many of the features of stand-alone enterprise mobility management vendors. Notable features include security configuration and enforcement, device certificate issuance and renewal, remote device location and wiping, and application containerization.
Strengths
■ The enterprise mobility management features are unique in the market, and Centrify has a strong relationship with Samsung. Centrify hosts Samsung's own offering, and Centrify leverages the Samsung Knox containerization capability.
■ Administrative interfaces are provided for Web browsers, mobile devices, and through Active Directory Users and Computers interfaces.
■ The service has broad international language support.
■ The service and on-premises proxy bridge component can be configured to keep some or all identity data on-premises in Active Directory and not replicate it to the cloud. Cloud identity storage is optional.
■ Reporting and analysis features for all events handled by the service are wide-ranging and customizable.
Cautions
■ The number of SaaS application targets for user provisioning is very limited relative to competitors, and provisioning support is not provided for on-premises applications.
■ Active Directory is the only supported on-premises identity store.
■ Access management for on-premises applications requires the customer to have SAML federation capability.
■ Brand awareness in IDaaS has lagged; however, this is being addressed through enhanced marketing efforts.
Covisint is the longest-standing IDaaS vendor in the market. The company may not be well-known among prospects in some industries, geographies and small businesses due to its early focus on larger enterprises. Moreover, Covisint's functionality is often "white-labeled" by its customers. Covisint got its start in the automotive industry and provided integration broker, portal and identity services to support supply chain connectivity. The company has grown those lines of business into other industries. Its work in the automotive industry and supporting vehicle identities has also helped it build foundation services that can be used in other Internet of Things applications.
Covisint's IDaaS features solid functional depth. The company also has a history of working through tough integration issues with demanding customers.
Strengths
■ Covisint provides strong identity assurance features, with several ID proofing vendor integrations and support for several authentication methods — its own and those from third parties.
■ The service includes user administration workflow capabilities and capable administrative delegation, along with access certification features.
■ The vendor provides deep identity federation and provisioning integration functions using standards and proprietary techniques.
■ Covisint had its initial public offering in 2013 and has strong financial backing.
Cautions
■ Although it can support employee-to-SaaS scenarios, Covisint's focus on large customers with enterprise, B2B use cases will make it a less likely choice for small and midsize businesses (SMBs) looking only for support of the employee-to-SaaS use case.
■ Covisint's scenario pricing provided for this research was high compared with competitors.
■ Brand awareness is lacking outside of North America, but Covisint is working to address this.
Exostar entered the market when it was formed by a community of aerospace and defense companies to support their IAM needs related to the supply chain. Exostar also created a secure collaboration platform built on top of Microsoft SharePoint, and now delivers secure email, file transfer and W