
G00260221

Magic Quadrant for Identity and Access Management as a Service
Published: 2 June 2014

Analyst(s): Gregg Kreizman

The IDaaS market is still in its early days. Vendors come from distinctly different backgrounds, and there are significant variances among providers with regard to IAM functional depth and support provided for different use cases. Niche vendors may be the best for your needs.

Strategic Planning Assumption

By the end of 2017, 20% of IAM purchases will use the IDaaS delivery model, up from less than 10% in 2014.

Market Definition/Description

A vendor in the identity and access management as a service (IDaaS) market delivers a predominantly cloud-based service, in a multitenant or dedicated and hosted delivery model, that brokers core identity governance and administration, access and intelligence functions to target systems on customers' premises and in the cloud.

This Magic Quadrant rates vendors on their abilities to be global, general purpose identity and access management (IAM) service providers for multiple use cases. The vendors in this Magic Quadrant must provide some level of functionality in all of the following IAM functional areas.

■ Identity governance and administration (IGA): At minimum, the vendor's service is able to automate synchronization (adds, changes and deletions) of identities held by the service or obtained from customers' identity repositories to target applications and other repositories. The vendor must also provide a way for customers' administrators to administer identities directly through an IDaaS administrative interface. Vendors may also offer deeper functionality, such as identity life cycle processes, automated provisioning of accounts among heterogeneous systems, access requests (including self-service) and governance over user access to critical systems via workflows for policy enforcement, as well as for access certification processes. Additional capabilities may include role management, role and entitlements mining, identity analytics, and reporting.


■ Access: Access includes user authentication, single sign-on (SSO) and authorization enforcement. At a minimum, the vendor provides authentication and SSO to target applications using Web proxies and federation standards. Vendors may also offer ways to vault and replay passwords to get to SSO when federation standards are not supported by the applications.

■ Intelligence: At a minimum, intelligence means that the vendor logs IGA and access events, makes that log data available to customers for their own analysis, and also provides customers with a reporting capability to answer the questions, "Who has been granted access to which target systems and when?" and "Who has accessed those target systems and when?"
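The three functional areas above are stated as requirements rather than mechanisms. The following Python sketch is an added example, not code from this report or from any vendor it rates: it models the minimum IGA synchronization (adds, changes and deletions pushed from a customer repository to a target) and the minimum intelligence function (the two reports named above) over a constructed identity repository, a hypothetical target application called crm, and constructed IGA and access event records. It also adds the one check a practitioner gets from joining the two reports, a successful access with no grant in force at that time.

```python
"""Added example, not code from the report or from any vendor it covers.

Part 1 models the minimum IGA requirement: synchronize adds, changes and
deletions from a customer identity repository to a target application.
Part 2 models the minimum intelligence requirement: answer "who has been
granted access to which target systems and when?" and "who has accessed
those systems and when?" from the event log. Every identity, the target
system name ('crm') and every event below is constructed for the example.
"""
from typing import Dict, List, Set, Tuple

Identity = Dict[str, str]   # attribute name -> value
Event = Dict[str, str]      # one log record; ISO-8601 UTC timestamps sort chronologically


def reconcile(source: Dict[str, Identity],
              target: Dict[str, Identity]) -> Tuple[List[str], List[str], List[str]]:
    """Delta that makes target match source: (adds, changes, deletes) by user id."""
    adds = sorted(uid for uid in source if uid not in target)
    deletes = sorted(uid for uid in target if uid not in source)
    changes = sorted(uid for uid in source
                     if uid in target and source[uid] != target[uid])
    return adds, changes, deletes


def sync(source: Dict[str, Identity], target: Dict[str, Identity],
         system: str, actor: str, ts: str, log: List[Event]) -> Dict[str, int]:
    """Apply the delta to target and append one IGA event per operation.

    Deletions run first so a departed user never keeps an account while the
    rest of the batch is still being pushed.
    """
    adds, changes, deletes = reconcile(source, target)
    for action, uids in (("revoke", deletes), ("grant", adds), ("update", changes)):
        for uid in uids:
            if action == "revoke":
                del target[uid]
            else:
                target[uid] = dict(source[uid])
            log.append({"ts": ts, "kind": "iga", "action": action,
                        "actor": actor, "user": uid, "system": system})
    return {"adds": len(adds), "changes": len(changes), "deletes": len(deletes)}


def granted_report(log: List[Event]) -> List[Tuple[str, str, str]]:
    """Who has been granted access to which target systems and when."""
    return sorted((e["user"], e["system"], e["ts"]) for e in log
                  if e["kind"] == "iga" and e["action"] == "grant")


def accessed_report(log: List[Event]) -> List[Tuple[str, str, str]]:
    """Who has accessed those target systems and when (successful sign-ons only)."""
    return sorted((e["user"], e["system"], e["ts"]) for e in log
                  if e["kind"] == "access" and e["outcome"] == "success")


def access_without_grant(log: List[Event]) -> List[Tuple[str, str, str]]:
    """Successful accesses with no grant in force for that user/system at the time.

    Replays the log in time order while tracking active grants. A hit means SSO
    reached a target the IGA layer never provisioned (out-of-band account) or had
    already revoked, which is the gap that joining the two reports exposes.
    """
    active: Set[Tuple[str, str]] = set()
    hits = []
    for e in sorted(log, key=lambda e: e["ts"]):
        key = (e["user"], e["system"])
        if e["kind"] == "iga" and e["action"] == "grant":
            active.add(key)
        elif e["kind"] == "iga" and e["action"] == "revoke":
            active.discard(key)
        elif e["kind"] == "access" and e["outcome"] == "success" and key not in active:
            hits.append((e["user"], e["system"], e["ts"]))
    return hits


def run_example() -> dict:
    """Constructed scenario: an HR-fed repository synced to the hypothetical 'crm' target."""
    source = {  # the customer's authoritative repository (constructed)
        "alice": {"mail": "alice@example.test", "dept": "finance"},
        "bob":   {"mail": "bob@example.test",   "dept": "eng"},     # moved from sales
        "dave":  {"mail": "dave@example.test",  "dept": "eng"},     # new hire
    }
    target = {  # accounts currently present in the target application (constructed)
        "alice": {"mail": "alice@example.test", "dept": "finance"},
        "bob":   {"mail": "bob@example.test",   "dept": "sales"},
        "carol": {"mail": "carol@example.test", "dept": "eng"},     # has left the company
    }
    log: List[Event] = [
        {"ts": "2014-05-01T09:00:00Z", "kind": "iga", "action": "grant",
         "actor": "hr-feed", "user": u, "system": "crm"}
        for u in ("alice", "bob", "carol")
    ]
    summary = sync(source, target, "crm", "hr-feed", "2014-06-02T08:00:00Z", log)
    # Access events as the SSO layer would log them (constructed)
    for user, ts, outcome in (("alice", "2014-06-02T09:15:00Z", "success"),
                              ("carol", "2014-06-02T10:00:00Z", "success"),  # revoked at 08:00
                              ("dave", "2014-06-02T11:00:00Z", "success"),
                              ("erin", "2014-06-02T12:00:00Z", "success"),   # never provisioned
                              ("bob", "2014-06-02T13:00:00Z", "failure")):
        log.append({"ts": ts, "kind": "access", "user": user,
                    "system": "crm", "outcome": outcome})
    return {"summary": summary, "target": target,
            "granted": granted_report(log), "accessed": accessed_report(log),
            "suspicious": access_without_grant(log)}


if __name__ == "__main__":
    for name, rows in run_example().items():
        print(name, rows)
```

Running the module prints the sync summary, the two reports and the suspicious accesses. The time-ordered replay in access_without_grant is why the definition asks for "when" in both questions: the same access record is legitimate before a revoke and a finding after it, so a report that joins grants to accesses without ordering them would miss carol's sign-on entirely.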

Page 2 of 34 Gartner, Inc. | G00260221


Magic Quadrant

Figure 1. Magic Quadrant for Identity and Access Management as a Service

Source: Gartner (June 2014)


Vendor Strengths and Cautions

CA Technologies

CA Technologies delivers IDaaS under its CloudMinder brand. CA Technologies entered the IDaaS market when it acquired Arcot Systems in 2010. CloudMinder includes Web application SSO, adaptive authentication and identity administration. The service supports user provisioning to cloud and on-premises systems, including legacy applications. Self-service requests, approval workflows and delegated administration are all supported. The services architecture can be delivered completely from the cloud or in a hybrid model. CA has global regional partners that deliver their own branded version of IDaaS that is underpinned by CA CloudMinder. CA Technologies is also covered in IGA, user authentication and Web access management (WAM) Magic Quadrants and MarketScopes.

Strengths

■ CloudMinder Identity provides greater functional depth for user administration than Web-centric providers. Solid delegated administration and provisioning workflows are provided.

■ The Advanced Authentication service provides adaptive authentication options, and includes functions such as device fingerprinting.

■ CA's partnership programs are significant, and they will leverage global partners to support broad industry and geographic market penetration.

■ CA's extensive product and service portfolio, sales and support channels favor the company in the Overall Viability criterion.

■ CA's portfolio of IAM software and IDaaS can be combined for complex functionality and use case support, and CA has a broad set of user provisioning connectors to leverage for cloud and legacy application support.

Cautions

■ CA moved slowly toward providing IDaaS, and had a late start in the market relative to competitors that are newer to the broader IAM market. Its customer acquisition is behind that of major competitors, but CA has made decent customer gains in the past nine months.

■ CA's offering is geared toward large customers; smaller businesses will likely seek alternatives.

■ The service does not yet support password vaulting and forwarding for SSO for target systems that do not support federation standards. This feature is road-mapped.

■ The platform lacks language internationalization, and the interfaces are provided in English only.

Centrify

Centrify entered the IDaaS market in late 2012. Centrify sells IDaaS as part of its User Suite offering that includes mobile device and application management. The IDaaS portion of the offering provides Web application SSO using federation standards or password vaulting and forwarding. User provisioning is provided for Microsoft Office 365, and other provisioning connectors are road-mapped. The integrated Centrify for Mobile capabilities provide many of the features of stand-alone enterprise mobility management vendors. Notable features include security configuration and enforcement, device certificate issuance and renewal, remote device location and wiping, and application containerization.

Strengths

■ The enterprise mobility management features are unique in the market, and Centrify has a strong relationship with Samsung. Centrify hosts Samsung's own offering, and Centrify leverages the Samsung Knox containerization capability.

■ Administrative interfaces are provided for Web browsers, mobile devices, and through Active Directory Users and Computers interfaces.

■ The service has broad international language support.

■ The service and on-premises proxy bridge component can be configured to keep some or all identity data on-premises in Active Directory and not replicate it to the cloud. Cloud identity storage is optional.

■ Reporting and analysis features for all events handled by the service are wide-ranging and customizable.

Cautions

■ The number of SaaS application targets for user provisioning is very limited relative to competitors, and provisioning support is not provided for on-premises applications.

■ Active Directory is the only supported on-premises identity store.

■ Access management for on-premises applications requires the customer to have SAML federation capability.

■ Brand awareness in IDaaS has lagged; however, this is being addressed through enhanced marketing efforts.

Covisint

Covisint is the longest-standing IDaaS vendor in the market. The company may not be well-known among prospects in some industries, geographies and small businesses due to its early focus on larger enterprises. Moreover, Covisint's functionality is often "white-labeled" by its customers. Covisint got its start in the automotive industry and provided integration broker, portal and identity services to support supply chain connectivity. The company has grown those lines of business into other industries. Its work in the automotive industry and supporting vehicle identities has also helped it build foundation services that can be used in other Internet of Things applications.

Covisint's IDaaS features solid functional depth. The company also has a history of working through tough integration issues with demanding customers.

Strengths

■ Covisint provides strong identity assurance features, with several ID proofing vendor integrations and support for several authentication methods — its own and those from third parties.

■ The service includes user administration workflow capabilities and capable administrative delegation, along with access certification features.

■ The vendor provides deep identity federation and provisioning integration functions using standards and proprietary techniques.

■ Covisint had its initial public offering in 2013 and has strong financial backing.

Cautions

■ Although it can support employee-to-SaaS scenarios, Covisint's focus on large customers with enterprise, B2B use cases will make it a less likely choice for small and midsize businesses (SMBs) looking only for support of the employee-to-SaaS use case.

■ Covisint's scenario pricing provided for this research was high compared with competitors.

■ Brand awareness is lacking outside of North America, but Covisint is working to address this.

Exostar

Exostar entered the market when it was formed by a community of aerospace and defense companies to support their IAM needs related to supply chain. Exostar also created a secure collaboration platform based on top of Microsoft SharePoint, and now delivers secure email, file transfer and WebEx services. Exostar has broadened its industry support to include life science, finance and IT services companies, and is delivering similar sets of community-centric IAM and collaboration functionality with an emphasis on this community's needs for intellectual property protection. The company augments its core services with identity proofing through third parties, but also provides a video "in person" identity proofing service using subjects' webcams for interviews. Exostar also delivers public-key infrastructure (PKI) and one-time password (OTP) credential management services. Exostar provides IAM that is fully cloud-based, or it can join community participants to the hub via a gateway.

Strengths

■ Exostar is one of the few small IDaaS vendors that is profitable.

■ Exostar offers identity proofing and authentication methods to meet the high identity assurance requirements of its customers. Because of its legacy in highly secure markets, Exostar has strict audit requirements to ensure that requirements for security and industry compliance issues are met.


■ Exostar can cross-sell its collaboration platform and IAM.

■ The company has strong customer relationships, and reference customers report that Exostar is a solid partner for implementation as well as for incorporating customer requirements into Exostar's road map.

■ Exostar has strong B2B federation and administration capabilities, and it can handle data exchanges in support of complex business agreements for its established communities.

Cautions

■ Exostar has performed well in targeting industry communities with high identity assurance requirements. However, the company and its offerings are not currently geared toward the broader general purpose IAM market that would focus on enterprise users' access to SaaS applications or consumer inbound access to enterprises' applications as primary use cases. Exostar's target market is large companies with cross-organizational collaboration requirements. Exostar views IDaaS as a critical component of its offering, but primarily in the context of helping it deliver its overall business collaboration capabilities.

■ User provisioning approval workflow features are coarse-grained, with a limited number of allowed approvers. Connector support to on-premises applications is limited to targets that support LDAP and SOAP.

■ Authentication and SSO integration features are limited compared with vendors that support general purpose SSO use cases. Password vaulting and forwarding, and social registration and login are not supported.

■ Exostar provides IDaaS functions to users in multiple geographies, but these users and their companies are predominantly using the services at the behest of Exostar's anchor tenants in aerospace and defense and life sciences. There is not a strong international presence in terms of core customers, Exostar data centers and internationalization support.

■ The company's scenario pricing was among the highest of all vendors.

Fischer International Identity

Fischer International Identity, a pure-play IAM provider, was one of the first vendors to deliver IDaaS. Fischer's capabilities are available in IDaaS, dedicated hosted, managed, or on-premises software delivery models. Fischer International Identity is also covered in "Magic Quadrant for Identity Governance and Administration." Fischer provides feature depth in user administration and fulfillment, some governance functionality, privileged account management, and federated SSO.

Strengths

■ Fischer is one of the few small IDaaS vendors that is profitable.

■ Fischer's experience and technical capabilities enable it to support IAM functions for legacy on-premises applications in addition to SaaS applications.


■ User administration functionality is deep, with strong connector support to a variety of directories, databases and applications.

■ Access certification features are included.

■ Fischer's scenario pricing is among the lowest, and references find their pricing to provide solid value for the money.

Cautions

■ Despite Fischer's long tenure in the IDaaS market and its solid customer growth, the company's brand recognition, market penetration and overall growth have been low compared with its competitors.

■ The focus of Fischer's marketing and sales on the U.S. geographic market and higher education vertical has limited the company's growth in other geographies and verticals.

■ Access management is limited to single sign-on, without the coarse-grained authorization enforcement found in other IDaaS access services.

■ OpenID Connect and OAuth support is not provided, and could hinder Fischer's ability to support native mobile and social use cases. However, these capabilities have been road-mapped by the company.

iWelcome

Netherlands-based iWelcome was spun off from system integration firm Everett. iWelcome's IDaaS offering became generally available in 2012. iWelcome provides its IDaaS in a dedicated single-tenant delivery model to allow for customization and customer branding. Its offering is heavily based on open-source software and includes authentication, SSO, federation, self-service registration, and user provisioning support for on-premises and SaaS applications.

Strengths

■ iWelcome is the only established IDaaS vendor with headquarters in continental Europe. As a result it has early-mover advantage in that region.

■ Its services are underpinned by open-source technology, with strengths in access management — particularly in authentication method, federation protocol and identity repository support.

■ Early work with government and quasi-government organizations has pushed iWelcome to address high security requirements and to be certified against ISO 27001 and Dutch government standards.

■ Most of iWelcome's functionalities are API-accessible.


Cautions

■ iWelcome lacks delegated administration. However, this feature set is road-mapped for some time in 2014.

■ iWelcome lacks core identity governance features such as access certification and recertification, and provisioning approval workflow capabilities are minimal. These features are road-mapped for 2014.

■ The company's overall customer base is small compared with most competitors, although iWelcome picked up large customers early.

■ iWelcome's focus on the European market is a strength for the near term, but may be a weakness as other vendors deliver services within the region that meet data protection and privacy requirements.

Lighthouse Security Group

Lighthouse Security Group delivers its Lighthouse Gateway service in a multitenant model. However, components of the service can be delivered in a dedicated model. Lighthouse's service is underpinned by IBM's governance, administration and access management software. Lighthouse has overlaid IBM's technology with an extensive services layer designed to ease the implementation and ongoing administration of IBM's software for multiple clients.

Strengths

■ Lighthouse's functional offering is deep and aligns with the functionality provided by IBM's software deployed on-premises.

■ The company has won some very large customers and can demonstrate high scalability.

■ Lighthouse has an implementation methodology that is designed to bring customers on as rapidly as possible while working through a potentially complex set of design issues.

■ Lighthouse has aligned itself with IBM's Global Technology Services group as its partner. Lighthouse also uses IBM's SoftLayer infrastructure as a service (IaaS). Both of these relationships should help Lighthouse expand outside of the U.S.

Cautions

■ Customers report that the service works well; however, it can take significant effort to go live. This is in part due to the complex nature of projects that Lighthouse takes on for larger customers.

■ Lighthouse's current customers are U.S.-based, and the company is in the process of establishing its presence in other geographies.

■ Lighthouse's pricing for several use case scenarios was among the highest. Despite having some small customers in its portfolio, Lighthouse will have to develop reduced pricing and rapid implementation for a core set of basic functionality to compete downmarket with other vendors in this space.

Okta

Okta's IDaaS offering is delivered multitenant, with lightweight on-premises components for repository and target system connectors. The service was developed entirely by Okta and was generally available in 2010. IDaaS is Okta's core business. Okta delivers basic identity administration and synchronization capabilities, access management for Web-architected applications using federation or password vaulting and forwarding, and reporting. Okta has invested in technology that will provide mobile native application support and other mobile security features.

Strengths

■ Okta has demonstrated its ability to rapidly onboard customers from proof of concept to production.

■ The company's marketing and sales strategies have been effective, demonstrated by brand recognition and an increased volume of customers.

■ Okta has made the majority of its functions available through RESTful APIs to support integrations with customers' applications and workflows.

■ References have been numerous, and they indicate high customer satisfaction.

■ Okta has a large number of preconnected applications.

Cautions

■ Okta can synchronize identities from enterprise directories, but the vendor does not have user provisioning approval workflow beyond one level, nor does it have identity governance features.

■ Okta captures essential log data for administration and access, and exposes this data for customers to use for reporting. However, the service's canned and custom reporting capabilities are limited.

■ Okta does not yet support the use of social identities for registration and logon.

■ Okta's current customer base is predominantly located in the U.S. Administrative interfaces will need to be internationalized, and sales and support channels will need to grow to support other regions. Okta also requires use of the cloud to store some identity attributes.

OneLogin

OneLogin's IDaaS service has been available since 2010. The service's architecture is multitenant, and lightweight integration components are used for on-premises connections. The service was developed entirely by OneLogin, and IDaaS is OneLogin's core business. OneLogin also markets a federated search capability that allows customers to search for content across connected applications and to be authenticated automatically when search results are returned and selected.


Strengths

■ OneLogin has a large number of preconnected applications.

■ OneLogin supports multiple authentication methods, including out-of-band push modes of OTP and X.509 authentication based on OneLogin's supplied public-key infrastructure (PKI).

■ OneLogin has made good inroads into Europe and Asia/Pacific by virtue of its partner network and ability to host customer data in geographically acceptable data centers.

■ OneLogin has built customer relationship capital through its "freemium" customer offerings and SAML toolkit for service providers.

■ References were solid and appreciated the support they received from OneLogin.

■ OneLogin's scenario pricing was among the lowest compared with competitors.

Cautions

■ OneLogin has trailed its closest competitors in brand recognition and, therefore, customer acquisition.

■ OneLogin has secured a recent round of venture funding that will help it expand. However, it has taken on less venture capital than its nearest competitors.

■ OneLogin lacks its own deep user administration and provisioning and identity governance functionality. However, it partners with RSA Identity Management and Governance (formerly known as RSA Aveksa) for this functionality.

■ While the log data and reporting functions are capable and customizable, references report that improvement is needed with regard to ease of customization.

Ping Identity

The PingOne service became available in 2011. The service is multitenant and based predominantly on the vendor's own intellectual property. However, the company also leverages OEM partnerships for identity intelligence, and it recently acquired mobile authentication vendor accells to provide enhanced authentication capabilities. Ping Identity provides a lightweight self-service bridge component to integrate a customer's Active Directory to the service, and also uses the well-established PingFederate product as the underpinning of the on-premises bridge component for customers when broad protocol and directory support are needed.

Strengths

■ By leveraging the PingFederate technology for the bridge component, Ping can offer extensive integration capabilities with a variety of identity repositories, existing customer access management systems and target application systems.


■ Ping Identity has demonstrated support for multiple workforce and external identity use cases, as well as strong service provider support.

■ Ping has shown strong leadership in identity standards development, as well as openness in working with customers and competitors to evolve the standards.

■ Ping's established customer base has been leveraged to enhance and grow the PingOne IDaaS business, and Ping Identity has broad vertical and geographic market penetration through its value added reseller (VAR) and system integrator (SI) partner networks.

■ Its acquisition of accells will help Ping Identity respond to the heightened need for adaptive mobile access.

Cautions

■ PingOne is one of the services with strong access features, but very lightweight IGA capabilities. Provisioning workflow and most identity governance features are missing.

■ Ping Identity is playing catch-up with other vendors in API-enabling their service for administration and intelligence features, but does include APIs for SaaS SSO integration, new user registration, provisioning, native mobile SSO and log retrieval.

■ Reporting capabilities are weak compared with competitors.

■ Language internationalization features for the administrative and user interfaces are lacking relative to competitors.

SailPoint

SailPoint IdentityNow is the newest IDaaS offering covered in this research; the service became generally available in October 2013. It was developed in-house and features access request and provisioning, access certification, password management, and SSO service elements. The architecture is multitenant and can deliver services completely in the cloud or can be bridged to enterprise environments. SailPoint provides the option to host its traditional on-premises IdentityIQ product in the cloud.

Strengths

■ SailPoint's legacy of providing strong on-premises IGA has helped the company deliver a subset of the functionality from the IdentityIQ product in IdentityNow. The more full-featured IdentityIQ can be cloud-delivered as an alternative.

■ SailPoint's full complement of provisioning connectors provides fulfillment capabilities to a wide variety of identity repositories and target systems.

■ SailPoint provides the full set of SSO options that include federated SSO and password vaulting and forwarding.

■ SailPoint has broad geographic presence for sales and support as a foundation for selling its IDaaS.


■ The company is profitable.

Cautions

■ Because SailPoint's offering is relatively new to the market, it has a small customer base, with several implementations just beginning.

■ IdentityNow does not support OAuth or OpenID Connect and social identity use cases.

■ IdentityNow is limited in its abilities to support delegated administration.

■ SailPoint has a strong VAR and system integration partner set, but it has not yet been brought to bear to help sell the new offering.

Simeio Solutions

Simeio Solutions began delivering its Business Ready Cloud IDaaS in 2010. The vendor provides a mixture of dedicated hosted and on-premises managed service offerings. Its services are underpinned by products from other well-established IAM software vendors, which allows Simeio to provide WAM, identity administration, access request, role and compliance, risk intelligence and IT governance, risk and compliance (GRC), and directory services.

Strengths

■ Simeio's use of major IAM stack vendors' technologies provides it with an arsenal of products that provides deep functional support for Web and legacy applications. Simeio's Identity Intelligence Center provides actionable insight into patterns of usage among users that may exist across multiple vendor identity sources and other security systems.

■ The same vendor partnerships provide referrals to Simeio for customer acquisitions.

■ Simeio's history as an integrator has given it the experience to help customers plan, design and integrate their IDaaS offerings. A significant portion of Simeio's staff serve in professional service roles.

■ Simeio's service-based roots have enabled it to have a positive cash flow since its inception.

■ Simeio has a good spread in its vertical industry representation.

Cautions

■ Simeio has a customer with a very large consumer-facing implementation and high volume of users. However, Simeio's overall customer base is small relative to its competitors.

■ Simeio's use of OEM software requires the incorporation of these third-party vendors' software licensing costs in its offering. This tends to make Simeio's pricing high, even for pure Web application use cases.


■ Simeio is relatively unknown in the IDaaS marketplace, and is slowly building its customer base and brand awareness based on vendor partners, some of which are also competitors.

■ Simeio's references consider it a very good partner. However, there are often complex customer business and technical requirements, and these requirements can drive high complexity in the implementations and increase time to implement, which can diminish customer perceptions of value for money.

Symplified

Symplified entered the IDaaS market in 2008. It provides WAM, including federated SSO and SSO using password vaulting and forwarding, user provisioning, and reporting functions. Symplified's architecture is weighted toward on-premises components. Administrative functions are performed in the cloud, but policy decisions and enforcement actions are handled in the on-premises-based Identity Router. However, the Identity Router can be hosted on Amazon Web Services. Symplified's IDaaS is based on its own intellectual property.

Strengths

■ The Identity Router's architecture and features have allowed customers to overcome some complex on-premises Web application integrations that could not be done with competitors' offerings.

■ Symplified's architecture keeps personal data local to the customer and not on the cloud platform.

■ Symplified's Identity Router uses a proxy architecture that allows it to capture detailed data on all user interactions with target systems.

■ Symplified's overall pricing was among the lowest compared with its competitors.

Cautions

■ Despite Symplified's early entry into the market and aggressive initial marketing campaigns, the company's focus shifted downmarket and it lost momentum and brand recognition relative to its competitors.

■ Symplified's customer base is small compared with its competitors.

■ Symplified's user provisioning functionality is shallow, and the number of SaaS targets integrated with its service is relatively low when compared with its competitors.

■ Despite the ability to collect very detailed data on user-to-application interactions, customers have found the reporting capability to be lacking.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Because this is a new Magic Quadrant, no vendors have been added or dropped.

Other Vendors of Note

Two vendors, salesforce.com and Microsoft, did not meet the inclusion criteria for this Magic Quadrant. Salesforce.com was not able to provide user provisioning connections to target systems in time to meet the IGA functional requirements, and Microsoft did not have a generally available and separately priced IDaaS offering until April 2014, well after the December 2013 deadline set for this Magic Quadrant. (See the Inclusion and Exclusion Criteria section.)

Gartner believes that both of these vendors have the potential to significantly impact the IDaaS market. They will be the subject of future Gartner research.

There has been some Gartner client interest in two vendors that specialize in social identity integration — Gigya and Janrain. However, neither one met the IAM functional inclusion criteria for this Magic Quadrant, notably in the IGA functional areas. These vendors specialize in IAM for consumer-facing implementations. As IDaaS vendors add social identity registration and login functions to their offerings, Gigya and Janrain's social registration and login functionality may be in less demand. However, these vendors provide value for other consumer marketing functions, such as gamification (in Gigya's case) and analytics. Retail and media companies, in particular, may strongly consider Gigya and Janrain for their consumer-facing needs.

Ilantus Technologies, Pirean and Wipro did not meet the financial or market penetration criteria for this Magic Quadrant. However, these vendors have functionally deep IAM offerings, and also have international headquarters, which may help them to be considered as alternatives to U.S.-based companies.

Inclusion and Exclusion Criteria

The vendor must provide a minimum level of functionality in all of the following IAM functional areas outlined in the Market Definition/Description section.

Vendors that deliver only one or two of these core IAM functions as a service, such as authentication only, were not covered as part of this research. The following additional inclusion criteria were used.

■ Longevity of offering: Each IDaaS offering has been generally available since at least November 2013 and is in use in multiple customer production environments.

■ Origination of offering: The offering is manufactured and operated by the vendor, or is a significantly modified version obtained through an OEM relationship. (We discount any service offering that has merely been obtained without significant functional modification through a licensing agreement from another vendor — for example, as part of a reseller/partner or service-provider agreement.)

■ Number of customers and end users (including customers of third-party service providers and their end users): As of 31 December 2013, the vendor had:

■ More than 20 different active customer organizations using the vendor's IDaaS offerings in a production environment.

■ Revenue attributed to fees for IDaaS service usage that is greater than $4,000,000 for the year ending 31 December 2013.

■ Verifiability: Customer references must be available.

Evaluation Criteria

Ability to Execute

Table 1. Ability to Execute Evaluation Criteria

Criteria Weight

Product or Service High

Overall Viability Medium

Sales Execution/Pricing High

Market Responsiveness/Record Medium

Marketing Execution Medium

Customer Experience High

Operations Low

Source: Gartner (June 2014)

Product or Service

■ The service's overall architecture, with emphasis on the service's global availability and resiliency features, and its flexibility to support on-premises identity repositories and cloud-only implementations. The level of support and expertise required by customers to help maintain the components. The extent to which a service's functions are exposed via APIs for customers' system integration.


■ Security and privacy — The physical and logical controls implemented by the vendor and any underpinning infrastructure as a service provider, security for on-premises bridge components and connections between the bridge and the IDaaS, controls for data security — particularly regarding personal information — and vendors' third party certifications received for the services.

■ The variety of on-premises identity repositories that can be supported, and the quality of integration with same.

■ The depth and breadth of IGA functionality:

■ Access request

■ Access approval workflow depth and functionality

■ Access certification

■ Attribute discovery and administration

■ Administrative access enforcement — for example, to identify, alert and prevent inappropriate access

■ Provisioning create, read, update and delete (CRUD) user identities and entitlements to target systems

■ Configuring target system connectors

■ The depth and breadth of access functionality:

■ User authentication methods supported

■ Breadth of SSO support for target systems

■ Federation standards

■ Support for mobile endpoints and native mobile application integration

■ Authorization enforcement

■ The depth and breadth of identity intelligence:

■ Canned reporting

■ Customized reporting

■ Data export to on-premises systems

■ Analytics

■ Integration with Microsoft Office 365, Microsoft SharePoint, customer's on-premises VPNs and WAM systems.


■ Deployment requirements such as speed of proof of concept and deployment, customer staffing requirements and factors that add complexity and may affect speed to deployment and staffing.

Overall Viability

■ Overall financial health.

■ Success in the IDaaS market in terms of number and size of customer implementations. This aspect is heavily weighted.

■ The vendor's likely continued presence in the IDaaS market.

Sales Execution/Pricing

■ The vendor's capabilities in such areas as deal management, presales support, and the overall effectiveness of the sales channel, including value-added resellers and integrators.

■ The vendor's track record in competitive wins and business retention.

■ Pricing over a number of different scenarios. This aspect is heavily weighted.

Market Responsiveness/Record

■ The vendor's demonstrated ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, and market dynamics change.

■ How the vendor can meet customers' evolving IDaaS needs over a variety of use cases.

■ How the vendor has embraced standards initiatives in the IDaaS and adjacent market segments and responded to relevant regulation and legislation.

Marketing Execution

■ The clarity, quality, creativity and efficacy of programs designed to deliver the vendor's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities.

■ Marketing activities and messaging

■ Visibility in the press, social media and other outlets

■ Vendor's appearance in vendor selection exercises based on Gartner client interactions

■ Brand depth and equity

Customer Experience

■ Customer relationship and services.


■ Customer satisfaction program.

■ Customer references — This evaluation subcriterion was weighted heavily and included input from vendor supplied references, as well as unsolicited feedback from Gartner client interactions.

Operations

■ People — The size of organization and track record of key staff.

■ Quality and security processes.

Completeness of Vision

Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria Weighting

Market Understanding Medium

Marketing Strategy Medium

Sales Strategy Medium

Offering (Product) Strategy High

Business Model Medium

Vertical/Industry Strategy Low

Innovation High

Geographic Strategy Low

Source: Gartner (June 2014)

Market Understanding

■ Understanding customer needs — Methods, and the effects of the Nexus of Forces (cloud, mobile, social and information).

■ The future of IDaaS and the vendor's place in the market. Vendors' views on top technological, nontechnological and regulatory changes in the market.

Marketing Strategy

■ Communication and brand awareness — The clarity, differentiation and performance management of the vendor's marketing messages and campaigns.


■ The appropriateness of the vendor's use of events, social media, other online media and traditional media as part of its marketing efforts.

Sales Strategy

■ The vendor's strategy for selling its IDaaS offerings that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy

■ The vendor's approach to developing and delivering its IDaaS offerings that meet customers' and prospects' needs with respect to their key selection criteria, the needs created by the Nexus of Forces, and other market dynamics. The vendor's ability to exploit the Nexus of Forces to improve its IDaaS products and services.

■ The strength of the vendor's road map and how the vendor will increase the competitive differentiation of its IDaaS and ancillary services.

Business Model

■ The soundness and logic of the vendor's underlying business proposition.

■ Vendor's views of key strengths and weaknesses relative to competitors

■ Recent company milestones

■ Path chosen for future growth

Vertical/Industry Strategy

■ Customer breadth and penetration in various industries and sizes of customer organizations.

■ Views of industry trends and special needs.

■ Strategy for expanding IDaaS adoption in different industries.

Innovation

■ Foundational technological and nontechnological innovations.

■ Recent and planned innovations.

■ Organizational culture and how it affects innovation.

Geographic Strategy

■ Global geographic reach of customer base and trends.

■ Strategy for expanded geographic customer acquisition.


■ Global nature of technical support and professional services and language internationalization for administrative and user interfaces.

Quadrant Descriptions

Leaders

Leaders in the IDaaS market have generally made strong customer gains. They provide feature sets that are appropriate for current customer use case needs. Leaders also show evidence of superior vision and execution for anticipated requirements related to technology, methodology or means of delivery. Leaders typically demonstrate solid customer satisfaction with overall IDaaS capabilities and/or related service and support.

Challengers

Challengers also show strong execution, and have significant sales and brand presence. However, they have not shown the Completeness of Vision for IDaaS that Leaders have. Rather, their vision and execution for technology, methodology and/or means of delivery tend to be more focused or restricted to specific platforms, geographies or services. The clients of Challengers are relatively satisfied, but ask for additional IGA and intelligence features as the vendors mature.

Visionaries

Vendors in the Visionaries quadrant provide products that meet many IDaaS client requirements, but may not have the market penetration to execute as Leaders do. Visionaries are noted for their innovative approach to IDaaS technology, methodology and/or means of delivery. They often may have unique features, and may be focused on a specific industry or specific set of use cases, and they have a strong vision for the future of the market and their places in it.

Niche Players

Niche Players provide IDaaS technology that is a good match for specific use cases or methodology. They may focus on specific industries or have a geographically limited footprint, but they can actually outperform many competitors. Vendors in this quadrant often have relatively fewer customers than competitors, but may have large customers and have a strong IDaaS feature set. Pricing might be considered too high for the value provided by some vendors. Inclusion in this quadrant, however, does not reflect negatively on the vendor's value in the more narrowly focused service spectrum. Niche solutions can be very effective in their area of focus.

Context

Vendors rated in this Magic Quadrant come from distinctly different backgrounds. Vendors' pedigrees vary greatly, as do their abilities to provide IAM functional depth and support for different use cases. Their aspirations for servicing customers by geography, industry and customer size segmentation also vary.

Clients are strongly cautioned not to use vendors' positions in the Magic Quadrant graphic as the sole source for determining a shortlist of vendors to consider. Vendors were evaluated with regard to their abilities to provide a general set of IAM functionalities across multiple use cases, and in multiple geographies and industries, and to do so by providing solid value for money as perceived by their customers. All vendors covered in this Magic Quadrant have succeeded in providing customers with services that meet their needs. However, client requirements, particularly those for IAM functional depth, speed to implementation, geographic coverage and price will most likely strongly affect the choice for a shortlist.

1. Clients focused on Web-architected application targets, employee-to-SaaS and consumer-facing needs should strongly consider Centrify, Okta, OneLogin, Ping Identity and Symplified. These vendors also have experience with small and midsize businesses (SMBs), even as these vendors aspire to move upmarket to serve larger clients and have begun to do so. Note that these vendors currently have limited IGA abilities. They tend to lack multilevel provisioning approval workflows and, in most cases, delegated administration, as well as identity governance features such as access certification, segregation of duties violation detection, or role engineering and certification. These vendors' provisioning connectors for legacy application targets will also be lacking.

2. Clients with needs for more functional depth in IGA and legacy on-premises application targets should strongly consider CA Technologies, Covisint, Fischer International Identity, Lighthouse Security Group, Simeio Solutions and SailPoint. European clients may especially be interested in iWelcome. More of these vendors also provide dedicated hosted instances of their offerings as options.

3. Clients who have needs for IAM served as part of a community of interest or industry consortium should strongly consider Covisint and Exostar. These vendors have a history of providing IAM in a hub configuration designed to support collaboration among participants or to serve the community's common business partners for access to a set of community owned applications. Exostar is also recommended for clients with needs for secure collaboration services on top of IDaaS.

Clients should generally expect more complex, time-consuming and costly implementations when they have requirements for IGA functional depth, and legacy (non-Web-architected) on-premises application targets. These requirements generally indicate a stronger need for IAM process and data modeling and target system integration functions, such as connector development and configuration. System integrators have been needed when clients implemented traditional IAM software suites with these types of requirements. Several of the vendors listed above in item No. 2 come from system integration backgrounds. IDaaS customers should expect best practices and operational excellence from these companies due to their familiarity with the software components that underlie the solutions. There should be some deployment and integration efficiency gains relative to do-it-yourself approaches. Dedicated per-client IAM infrastructure also drives up the cost of the offering relative to multitenant offerings. The cost of underlying IAM third-party software licenses may also drive up the overall costs of the implementation.


Security

Gartner clients rightly express concerns with regard to data security and protection of enterprise users' passwords when IDaaS is being considered. The following are generally true for IDaaS security practices, with some exceptions:

■ Some user identity data will be held in the cloud. Most commonly, this data includes first and last name and email address. Some vendors, such as Centrify and Symplified, require no user attributes to be held in the cloud, with the assumption that all data needed for provisioning users to SaaS application targets are held in the on-premises directory and can be accessed by the vendors' bridge components. Centrify offers on-premises-only or hybrid cloud implementation, and the hybrid implementation requires some identity data to reside in the cloud. Ping Identity's solution works similarly. Generally, as the number of attributes needed to provision users' accounts grows, that data must minimally pass through vendors' IDaaS services to be provisioned to SaaS targets. A cloud-only implementation of IDaaS will have to hold all of these attributes.

■ Data is encrypted in transit over networks. However, one exception is that passwords are sent in the clear when being transmitted to target systems when federation is not supported and Secure Sockets Layer (SSL) is not used between browser and target system. This is essentially the same as when a user's browser interacts directly with an application without IDaaS controlling the access. Also, SSL is usually used for SaaS sign-on flows whether an IDaaS is brokering the access or not.

■ Identity data in the vendor's cloud is encrypted at rest. Vendors have different strategies for managing encryption keys. Most vendors generate different encryption key pairs for each customer's instance of the service, and there is variance in how those keys are managed. The keys may be technically under the customer's strict control, or the vendors' operations staff may control the keys. In the latter case, these vendors claim that their personnel will have other controls in place to ensure that there is no inappropriate use of these keys.

■ On-premises bridge components will use SSL/Transport Layer Security (TLS) to communicate with the service, and many of the vendors will require no inbound firewall port to be opened to support this. Communications are initiated outbound from the bridge.

■ Almost all providers use infrastructure as a service (IaaS) providers, rather than their own operations centers, to host their offerings. All vendors maintain some type of third-party security certification, as do the IaaS providers that host the IDaaS. SSAE 16 SOC 1 or SOC 2 are common. ISO 27001 is rare, but some vendors have stated plans to achieve ISO/IEC 27001 certification.
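As an added example (not code from the Gartner report or from any vendor it covers), the following Python script shows the kind of check a security reviewer would run over an IDaaS target-application inventory to find the exposure described in the second bullet above: targets signed on by password vaulting and forwarding whose login endpoint is not on https, so that the vaulted password would be forwarded in the clear. Federated targets (SAML, OpenID Connect) are rated lowest risk because the password never leaves the identity provider. The inventory layout, the `sso_method` and `login_url` field names, and the target names are assumptions constructed for this example.

```python
"""Audit an IDaaS target-application inventory for clear-text password forwarding.

Added example, not code from the Gartner report or from any vendor it covers.
The report notes that when an IDaaS signs users on by password vaulting and
forwarding (no federation) and SSL/TLS is not used between the browser and the
target, the password travels in the clear. This script classifies each target
by that transport risk. The inventory layout, field names and target names
are assumptions constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample inventory (hypothetical targets, not real applications).
SAMPLE_TARGETS = [
    {"name": "hr-saas", "sso_method": "saml",
     "login_url": "https://hr.example-saas.test/sso"},
    {"name": "crm-saas", "sso_method": "password_forward",
     "login_url": "https://crm.example-saas.test/login"},
    {"name": "legacy-intranet", "sso_method": "password_forward",
     "login_url": "http://intranet.example.test/login"},
    {"name": "expense-tool", "sso_method": "password_forward",
     "login_url": "HTTP://expenses.example.test:8080/auth"},
    {"name": "wiki", "sso_method": "oidc",
     "login_url": "https://wiki.example.test/oidc"},
]

# Federated methods: the identity provider asserts identity to the target, so
# the user's password is never forwarded to the target at all.
FEDERATED = {"saml", "oidc", "ws-federation"}


@dataclass(frozen=True)
class Finding:
    name: str
    risk: str    # "none", "tls-protected", "cleartext-password" or "unknown"
    reason: str


def classify_target(target: dict) -> Finding:
    """Rate one target by how its sign-on method exposes the user's password."""
    method = target["sso_method"].lower()
    # urlparse normalises the scheme; lower() guards against odd inventories.
    scheme = urlparse(target["login_url"]).scheme.lower()
    if method in FEDERATED:
        return Finding(target["name"], "none",
                       f"{method}: password stays at the identity provider")
    if method == "password_forward":
        if scheme == "https":
            return Finding(target["name"], "tls-protected",
                           "vaulted password forwarded over TLS")
        return Finding(target["name"], "cleartext-password",
                       f"vaulted password forwarded over {scheme or 'unknown scheme'}")
    return Finding(target["name"], "unknown", f"unrecognised sso_method {method!r}")


def audit(targets: list[dict]) -> list[Finding]:
    """Classify every target in the inventory."""
    return [classify_target(t) for t in targets]


def cleartext_targets(targets: list[dict]) -> list[str]:
    """Names of targets whose sign-on would forward the password without TLS."""
    return [f.name for f in audit(targets) if f.risk == "cleartext-password"]


if __name__ == "__main__":
    for finding in audit(SAMPLE_TARGETS):
        print(f"{finding.name:16} {finding.risk:20} {finding.reason}")
```

Run against the constructed inventory, `cleartext_targets` reports `legacy-intranet` and `expense-tool`; the fix for such targets is, as the report's bullet implies, either to enable TLS on the target's login endpoint or to move the target to federation so the password is not forwarded at all.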

Availability

The use of IDaaS may introduce a single point of failure. IDaaS vendors have generally taken care to architect their services with network and system redundancy features, and to host their services on IaaS that has been provisioned with sufficient redundancy to guarantee adherence to the IDaaS vendor's service-level agreements. IDaaS vendors have also generally architected their on-premises bridge components to be implemented redundantly if the customers choose to do so.

Nevertheless, a major system failure with the IDaaS can potentially leave customers temporarily without access to the applications that IDaaS serves. Organizations face similar risks when they manage their own IAM services, and components such as federation servers fail.

Clients that choose to accept the risks of using IDaaS should have an emergency business continuity process in place that includes these steps:

■ Bring up any available in-house federation technology and federate to key target systems if possible.

■ If federation services are not available, then temporarily turn off federation at target systems to fall back to password-based authentication.

■ Issue temporary passwords for all target application accounts that can support password authentication.

■ Fall back to manual user provisioning processes.

Data Residency

Most of the vendors covered in this research are U.S.-based. Gartner clients from other countries may have concerns about employees', business partners' and customers' personal data that could be held in the cloud. Despite the use of local or regional data centers to host services and data, international clients may still be concerned about the U.S. government's ability to get access to the data. This is currently a risk that clients must evaluate and determine if it is acceptable or not. We recommend the following for clients who intend to use IDaaS, but have concerns about U.S. providers.

■ Have the vendor prove Safe Harbor certification or, preferably, require the vendor to sign the EU's model contracts on privacy.

■ Require your sole ownership of encryption keys if possible, and evaluate the controls associated with the development and operations staff and their access to the keys.

If these recommendations do not provide enough comfort, then Gartner recommends evaluation of IDaaS providers in suitable jurisdictions.

Pricing

Gartner asked vendors to provide "street" price quotes for several use case and volume usage scenarios. Vendors were cautioned against providing list prices. Vendors were asked to provide all costs, including startup costs, over a three-year subscription period. Three of the most commonly required scenarios are included below, with range of costs and averages.


Scenarios 1 and 2: 1,000- and 10,000-Employee Workforces, Web-Architected Applications

■ Number of users: 1,000 in the workforce ("any" staff), who use the service several times daily.

■ Endpoints: Company-owned PCs; approximately 60% Windows Active Directory and 10% Mac OS X, 30% mix of Apple and Android tablets and smartphones.

■ User location: Could be anywhere — a mix of on-premises corporate LAN and external use cases.

■ All identities and attribute data held in Active Directory.

■ Support to: Five externally hosted (SaaS) applications and five internal Web application targets.

■ Allow the company's administrator to directly administer users' identities, and provision these to Active Directory. Subsequently and automatically provision accounts to the five SaaS applications, with the assumption that there is an available provisioning API for all five, and that the vendor has already created provisioning connectors for three of the five applications. Two of the applications need connectors created for the customer.

■ User self-service application access request, administrator approval, and subsequent provisioning as described above, and user self-service password reset.

■ User authentication to the service and SSO to all target applications, three using SAML federation and two using password vaulting and forwarding, support for identity provider initiated federated SSO to your service based on an Active Directory authentication, and service-provider-initiated redirect authentication for an externally located user who connects to SaaS first and to support authentication against your service and corporate Active Directory.

■ Reporting for all administrative and access events.

We requested pricing for two variants. Scenario 1 included support of the above requirements for 1,000 internal users. Scenario 2 included support of the above requirements for 10,000 users and with the added requirement that 5,000 of those users be provided with SMS or voice-based one-time password authentication.

The average three-year cost for the 1,000-user scenario was $151,149.

The average three-year cost of the 10,000-user scenario was $571,879.

In both scenarios, vendors who had significant gaps in the required functionality were removed from the average calculation, as were the high pricing and low pricing that were significantly out of line with the other vendors' pricing.

Scenario 3 — 100,000-User Consumer- and Business-Facing Implementation

■ 100,000 external consumers (50,000 individual consumer users and 50,000 business partners' users from 100 companies).


■ Average usage: Once per month per user.

■ Endpoints: Any endpoint with a Web browser from any location.

■ Access to three internal on-premises Web applications, and two SaaS applications.

■ Identity data for the on-premises applications to use will be held in an on-premises LDAP-exposed directory.

■ Self-service user administration and password reset.

■ Delegated user administration for business partner administrators to administer to their own users. Administrators can grant or deny access for their users to any of the five applications.

■ Automated user provisioning to any approved application with the assumption that all targets have a provisioning API available and the vendor has not yet created a connector for any of these applications.

■ User authentication and SSO for all users to all applications.

■ Acceptance of Facebook and LinkedIn identities for initial consumer registration, account linking, and subsequent login to the service and subsequent SSO to a customer's applications.

■ Five of the largest business partners must have support for federated authentication to your applications using SAML and be based on user authentication at the business partner's own internal identity provider.

■ Reporting for all administration and access events.

There was wide variance in the pricing for this scenario. The average among all vendors was $1,111,043 over three years. However, there was wide disparity between two groups of vendors. There was a group of eight vendors that could deliver the functionality for an average price of $389,863. The higher priced group of five vendors averaged a price of $2,409,167. Pricing for consumer-facing implementations is in its early days, and vendors are at various stages of maturity in responding realistically to these requests from customers.

In all cases, clients are strongly encouraged to understand their own total costs of ownership for managing the same IAM functions in-house so that these costs can be compared with IDaaS pricing. Gartner also collected pricing data for other scenarios, including those requiring more in-depth IGA functionality and legacy on-premises application support. Pricing was highly variable for these implementations. Clients interested in these scenarios should contact Gartner for more information.

Trends

What key trends are shaping the IDaaS market and how will the market evolve?

Shallow Gets Deeper, Slow Gets Faster

Web-centric IDaaS vendors have made solid gains at the lower ends of the market, and for supporting the employee-to-cloud use case. As these vendors have moved upmarket, they find that larger organizations tend to have existing IAM software solutions in place. These prospects, which may wish to extend their current implementation with IDaaS, or which are hoping to replace their on-premises solution, tend to have needs for deeper IGA functionality than the Web-centric vendors typically provide. These prospects also tend to require integration with legacy architected systems and a variety of directories and databases. This is forcing shallow-function, Web-centric IDaaS vendors to add deeper functionality and integration capabilities to their road maps.

Conversely, the IDaaS vendors with deeper IAM functionality and integration capabilities tend toward implementations that are larger and more complex, and do not have their offerings price-tuned for rapid handling of the downmarket Web-centric use cases. These vendors will need to provide a streamlined, rapidly deployable offering for these use cases if they wish to gain a piece of the SMB markets.

Mobile Support Gets Better

IDaaS vendors' native mobile application support is a frontier capability, particularly for authentication and SSO. Several IDaaS vendors support a portal-like interface on mobile devices for Web applications that are under IDaaS management. IDaaS vendors' support for customers' and third-party native apps is nascent. IDaaS vendors began supporting customers' mobile apps by offering software development kits (SDKs). With these SDKs, customers can develop their apps using the IDaaS vendor's SDK, which will provide authentication to the IDaaS vendor's service.

Centrify provides this approach, but it also supports a containerization approach and provides MDM features as part of its offering. Okta has invested in technology that will provide mobile native application support and other mobile security features. Ping Identity acquired accells to provide push out-of-band authentication as part of its service. However, Ping Identity is also one of the vendors leading the efforts at the OpenID Connect Native Applications (NAPPS) Working Group to develop a standards-based approach to supporting authentication and SSO for multiple native apps. OneLogin and Symplified are also participating in this working group, and other vendors have shown interest. If this working group is successful, then customers should have a standardized approach for getting authentication and SSO functions for native mobile apps, and should have easier portability for these apps in terms of switching IDaaS vendors or even moving to on-premises access managers that support the standards. Containerization approaches will remain proprietary but will offer customers security protections beyond authentication and SSO, such as data security, jailbreak detection and security policy enforcement.

IDaaS Becomes Part of Other Services

Salesforce.com and Microsoft have entered the IDaaS market and are positioning their IDaaS offerings as components of their broader PaaS portfolio. Intermedia, a relatively smaller provider of hosted Microsoft products and unified communications services, acquired IDaaS vendor SaaSID in 2013. Intermedia has incorporated the acquired functionality into a service that can be purchased stand-alone or with other Intermedia services.

IDaaS vendors are in various stages of maturity in providing API-based access to their services. We are also noting that several IDaaS vendors are beginning to tout their services' directory integration with other sources of identity, such as salesforce.com, Google, Microsoft and Workday.

Thus, IDaaS has a future of supporting traditional enterprise needs as well as supporting service-to-service needs — for example, use cases where enterprise CRM systems call an IDaaS to create an identity and then provision that identity to several systems within the enterprise and on SaaS applications (see "Provisioning User Accounts to Cloud Applications"). Several IAM functions will commoditize. SSO is well on its way to commoditization, and IGA and intelligence functions will take a bumpy and winding road to commoditization. User self-service access request and profile management, password reset, access approvals and account provisioning to Web-centric targets, and canned and customized reporting will commoditize first. More advanced IGA and analytics features will take longer. Clients should expect overall downward pricing pressure in the market for the next three years.

On-Premises Replacement

Wholesale replacement of traditional on-premises IAM software stacks that are serving multiple use cases for large enterprises has been relatively rare. These on-premises implementations are longstanding, tend to be well-staffed, and have been deployed to support legacy architected systems — not just Web-architected and SaaS apps. Nevertheless, there are vendors who can support multiple use cases and have software with deep functionality that can be cloud-delivered and are capable of replacing legacy on-premises IAM tools. These vendors have been conservatively building businesses to do just that, and more customers are starting to use them. However, these kinds of deals are an order of magnitude less in number than the more popular and easy-to-deliver Web-centric IDaaS deals. Full-featured IDaaS implementations that support legacy applications can be deployed more rapidly and can remove some of the complexity of traditional software deployments. Integration with legacy systems, multistep approval workflows, access certification and other IGA functions prevalent in mature IAM implementations still take time to plan, design and implement, and they add costs to implementations. Decisions to outsource complex IAM implementations aren't made easily.

Therefore, enterprises considering a build or extend versus outsource decision should focus on two key areas.

1. Inhibitors to successful on-premises IAM adoption or issues with the current implementation that would potentially be alleviated or circumvented by the move to IDaaS, such as:

■ Inappropriate staffing levels or skills

■ Organizational battles over duplicative IAM implementations, obtained through mergers, acquisitions or independent organizational buying decisions

■ Insufficient planning prior to tool selection and implementation

■ Project scope creep

■ Poor operational efficiency by IAM, resulting in too much time taken for IAM functions

■ Poor operational effectiveness by IAM, resulting in audit findings for access violations

With the exception of inappropriate staffing levels or skills, these inhibitors will not be automatically resolved by switching to IDaaS. There are often root causes for these inhibitors that have nothing to do with the delivery model for IAM, and these issues must be addressed with solid IAM program governance. IDaaS may simply help go around the problems or alleviate some of them.

2. Total cost of ownership. There is no free lunch. Clients who judge IDaaS as too expensive may not have done their homework in terms of understanding the full costs of managing on-premises IAM. These costs include:

■ Fully burdened staff costs for implementers, operations staff and a portion of the help desk personnel

■ Software investment costs and ongoing maintenance

■ Estimated patch and upgrade costs

■ Infrastructure and operations for resilient implementations and business continuity

Both of these areas will be explored more fully in future Gartner research.

Market Overview

Gartner's inaugural Magic Quadrant for Identity Access Management as a Service underscores a market in its early days that is largely driven by Web application use cases. The IDaaS market was originally fueled by SMBs that made SaaS the predominant applications delivery model. Most of their applications were already in the cloud, and they preferred to buy rather than build infrastructure. In turn, SaaS applications became new identity silos — each with their own administration, authentication and event-logging capabilities.

IDaaS vendors can create connections one time to SaaS vendors for purposes of authentication, SSO and account management (when SaaS vendors provide APIs to allow this). These connections can then be reused for new clients. This relieves the IDaaS customers of having to create these connections themselves. IDaaS vendors can also bridge to customers' on-premises identity and authentication services, and use data held or removed from there (such as directory group or organizational unit membership) to provision and deprovision accounts on SaaS targets. This automation saves the effort of manually provisioning and deprovisioning accounts, and can also help with avoiding orphaned and active accounts on SaaS that can leave enterprises vulnerable and paying for unused accounts.
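The reconciliation logic behind that paragraph (directory group membership driving provisioning and deprovisioning, plus detection of orphaned and unused SaaS accounts) is shown below as an added example. It is illustrative code written for this page, not any IDaaS vendor's implementation. The directory records, the SaaS account list, the entitling group name and the 90-day "unused" threshold are all constructed assumptions; a real bridge would read the first two from an LDAP directory and the SaaS vendor's provisioning API.

```python
"""Directory-to-SaaS account reconciliation (illustrative example).

Compares identities and group membership in an on-premises directory with the
accounts that exist on one SaaS target, and produces the actions an IDaaS
bridge would take plus the exceptions an auditor would want to see.
"""

# Constructed sample data, not taken from any real directory or tenant.
# Directory users: enabled flag plus group membership, as read over LDAP.
DIRECTORY_USERS = {
    "alice": {"enabled": True,  "groups": {"sales", "crm-users"}},
    "bob":   {"enabled": True,  "groups": {"engineering"}},
    "carol": {"enabled": False, "groups": {"crm-users"}},  # leaver, disabled
    "erin":  {"enabled": True,  "groups": {"crm-users"}},  # joiner, no account yet
    "frank": {"enabled": True,  "groups": {"crm-users"}},  # entitled but idle
    "grace": {"enabled": True,  "groups": {"crm-users"}},  # account was suspended
}

# Accounts on the SaaS target, as a provisioning/admin API would return them.
SAAS_ACCOUNTS = {
    "alice": {"active": True,  "days_since_login": 3},
    "carol": {"active": True,  "days_since_login": 120},
    "dave":  {"active": True,  "days_since_login": 200},  # no directory identity
    "frank": {"active": True,  "days_since_login": 150},
    "grace": {"active": False, "days_since_login": 400},
}

# Assumed policy: membership in any of these groups entitles a CRM account,
# and an active account untouched for this many days is reported as unused.
ENTITLING_GROUPS = {"crm-users"}
UNUSED_AFTER_DAYS = 90


def reconcile(directory, saas, entitling_groups, unused_after_days=UNUSED_AFTER_DAYS):
    """Return a plan of provisioning actions and audit exceptions.

    Keys: provision, reactivate, deprovision, orphaned, unused, in_sync.
    Every value is a sorted list of user IDs so output is deterministic.
    """
    # Entitled = enabled in the directory AND in at least one entitling group.
    entitled = {
        uid for uid, rec in directory.items()
        if rec["enabled"] and rec["groups"] & entitling_groups
    }
    known = set(saas)
    active = {uid for uid, acct in saas.items() if acct["active"]}

    return {
        # Entitled identities with no SaaS account at all: create one.
        "provision": sorted(entitled - known),
        # Entitled identities whose account exists but is suspended: re-enable.
        "reactivate": sorted(entitled & (known - active)),
        # Active accounts for directory identities that lost entitlement
        # (disabled, or dropped from the group): deprovision them.
        "deprovision": sorted(uid for uid in active - entitled if uid in directory),
        # Active accounts with no directory identity behind them: these are
        # the orphaned accounts that remain usable and billable if unnoticed.
        "orphaned": sorted(uid for uid in active if uid not in directory),
        # Correctly provisioned but idle accounts: paid for but not used.
        "unused": sorted(
            uid for uid in active & entitled
            if saas[uid]["days_since_login"] > unused_after_days
        ),
        "in_sync": sorted(active & entitled),
    }


def audit_events(plan, actor="idaas-sync"):
    """Turn the plan into flat administration events for a reporting feed."""
    events = []
    for action in ("provision", "reactivate", "deprovision"):
        for uid in plan[action]:
            events.append({"actor": actor, "action": action, "subject": uid})
    for finding in ("orphaned", "unused"):
        for uid in plan[finding]:
            events.append({"actor": actor, "action": "flag", "subject": uid,
                           "finding": finding})
    return events


if __name__ == "__main__":
    result = reconcile(DIRECTORY_USERS, SAAS_ACCOUNTS, ENTITLING_GROUPS)
    for key, users in result.items():
        print(f"{key:12s} {users}")
    for ev in audit_events(result):
        print(ev)
```

Deprovisioning is limited to identities the directory still knows about; accounts with no directory identity are reported as orphaned rather than deleted automatically, because an unknown account may be a service account or a partner user that was never meant to be managed by the directory, and that decision belongs to a human reviewer.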

In the last few years, vendors that can broker all the functions between enterprise users and SaaS have become appealing to organizations of all sizes. Cloud security and data residency concerns, however, are often key factors in evaluating IDaaS vendors. The growth of the IDaaS market has been driven by the following factors:

■ The need to instill IAM disciplines for SaaS applications

■ The need to gain faster time to value over traditional on-premises software

■ The desire to avoid IAM implementation failures

■ The desire to reduce IAM talent costs in design, implementation and support

Gartner estimates the market size at year-end 2013 to be $215 million. This is slightly lower than our mid-2013 forecast of $230 million. Gartner believes the data collected in 2013 indicated higher revenue for some vendors that inappropriately allocated revenue from other parts of their businesses to IDaaS. The 2013 estimate does not include revenue from vendors that provide single-function IDaaS offerings — for example, authentication-as-a-service vendors. However, revenue from authentication-as-a-service vendors was believed to be approximately $220 million in 2013 — that is, 10% of a $2.2 billion user authentication market. Authentication as a service is a simple function to deliver compared with multifunction IDaaS. The latter will take longer to grow as a percentage of the overall IAM market. Gartner predicts that multifunction IDaaS will be the preferred delivery model for IAM for 20% of IAM purchases by the end of 2017, up from less than 10% in 2014.

Over the past few years, Web-centric IDaaS vendors have made solid gains at the lower ends of the market, supporting the employee-to-cloud use case. As these vendors have moved upmarket, they find larger organizations tend to have IAM solutions in place and have deeper IGA functionality needs than Web-centric vendors can provide. These prospects also require integration with legacy architected systems. This is forcing shallow-function, Web-centric IDaaS vendors to add deeper functionality and integration capabilities to their road maps. Conversely, IDaaS vendors with deeper IAM functionality and integration capabilities tend toward larger, complex implementations, and do not have price-tuned offerings for rapid handling of Web-centric use cases. These vendors will need to provide a streamlined, rapidly deployable offering for these use cases if they wish to gain a piece of the SMB market.

The employee-to-cloud use case drove growth in the early IDaaS market, and this use case still predominates. Some larger organizations are also "peeling off" the part of their IAM needs that are served by IDaaS, even when those organizations may own IGA and access tools that could be extended to the cloud. For this use case, IDaaS is being viewed as a quick win, and sometimes as a way to standardize a solution for one part of the enterprise IAM problem space. However, use case needs are changing, and vendors are being asked to take on more than the employee-to-cloud scenario. More customers are driving IDaaS vendors to support consumer inbound access to enterprise and consumer-facing systems — a use case that has traditionally been supported by on-premises user self-service registration and WAM tools. Consequently, some IDaaS vendors are finding it necessary to implement consumer- and B2B-friendly pricing and prove they can scale to high volumes of users.

Other key trends include better mobile support and IDaaS as part of other services such as PaaS offerings (see the Context section of this research for a deeper analysis of mobile and PaaS trends, a closer look at security and data residency concerns, and information on pricing).

Gartner Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"How Gartner Evaluates Vendors and Markets in Magic Quadrants and MarketScopes"

"Magic Quadrant for User Authentication"

"Magic Quadrant for Identity Governance and Administration"

"MarketScope for Web Access Management"

"Provisioning User Accounts to Cloud Applications"

"How to Get to Single Sign-On, 2014 Update"

Evidence

The following sources were used in the creation of this research:

■ Gartner client interactions

■ Phone interviews and online surveys for vendor-provided references

■ A comprehensive vendor survey that aligned with the evaluation criteria

■ Secondary research services to support the overall viability evaluation criteria

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources,expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

GARTNER HEADQUARTERS

Corporate Headquarters, 56 Top Gallant Road, Stamford, CT 06902-7700, USA, +1 203 964 0096

Regional Headquarters: AUSTRALIA, BRAZIL, JAPAN, UNITED KINGDOM

For a complete list of worldwide locations, visit http://www.gartner.com/technology/about.jsp

© 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."