27/6/2014 Magic Quadrant for Identity and Access Management as a Service
LICENSED FOR DISTRIBUTION

Gartner Magic Quadrant for Identity and Access Management as a Service
2 June 2014 ID:G00260221
Analyst(s): Gregg Kreizman

Summary

The IDaaS market is still in its early days. Vendors come from distinctly different backgrounds, and there are significant variances among providers with regard to IAM functional depth and support provided for different use cases. Niche vendors may be the best for your needs.

Market Definition/Description

A vendor in the identity and access management as a service (IDaaS) market delivers a predominantly cloud-based service, in a multitenant or dedicated and hosted delivery model, that brokers core identity governance and administration, access and intelligence functions to target systems on customers' premises and in the cloud. This Magic Quadrant rates vendors on their abilities to be global, general purpose identity and access management (IAM) service providers for multiple use cases. The vendors in this Magic Quadrant must provide some level of functionality in all of the following IAM functional areas.

Identity governance and administration (IGA): At minimum, the vendor's service is able to automate synchronization (adds, changes and deletions) of identities held by the service or obtained from customers' identity repositories to target applications and other repositories. The vendor must also provide a way for customers' administrators to administer identities directly through an IDaaS administrative interface. Vendors may also offer deeper functionality, such as identity life cycle processes, automated provisioning of accounts among heterogeneous systems, access requests (including self-service) and governance over user access to critical systems via workflows for policy enforcement, as well as for access certification processes.
Additional capabilities may include role management, role and entitlements mining, identity analytics, and reporting.

Access: Access includes user authentication, single sign-on (SSO) and authorization enforcement. At a minimum, the vendor provides authentication and SSO to target applications using Web proxies and federation standards. Vendors may also offer ways to vault and replay passwords to get to SSO when federation standards are not supported by the applications.

Intelligence: At a minimum, intelligence means that the vendor logs IGA and access events, makes that log data available to customers for their own analysis, and also provides customers with a reporting capability to answer the questions, "Who has been granted access to which target systems and when?" and "Who has accessed those target systems and when?"

Magic Quadrant

Figure 1. Magic Quadrant for Identity and Access Management as a Service

STRATEGIC PLANNING ASSUMPTION

By the end of 2017, 20% of IAM purchases will use the IDaaS delivery model, up from less than 10% in 2014.

EVIDENCE

The following sources were used in the creation of this research:
Gartner client interactions
Phone interviews and online surveys for vendor-provided references
A comprehensive vendor survey that aligned with the evaluation criteria
Secondary research services to support the overall viability evaluation criteria

EVALUATION CRITERIA DEFINITIONS

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments.
Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

[Figure 1 chart: vendors plotted by Ability to Execute (vertical axis) against Completeness of Vision (horizontal axis) into the Leaders, Challengers, Visionaries and Niche Players quadrants.]
Source: Gartner (June 2014). As of June 2014.

Vendor Strengths and Cautions

CA Technologies

CA Technologies delivers IDaaS under its CloudMinder brand. CA Technologies entered the IDaaS market when it acquired Arcot Systems in 2010. CloudMinder includes Web application SSO, adaptive authentication and identity administration. The service supports user provisioning to cloud and on-premises systems, including legacy applications. Self-service requests, approval workflows and delegated administration are all supported. The services architecture can be delivered completely from the cloud or in a hybrid model. CA has global regional partners that deliver their own branded version of IDaaS that is underpinned by CA CloudMinder. CA Technologies is also covered in IGA, user authentication and Web access management (WAM) Magic Quadrants and MarketScopes.

Strengths

CloudMinder Identity provides greater functional depth for user administration than Web-centric providers. Solid delegated administration and provisioning workflows are provided. The Advanced Authentication service provides adaptive authentication options, and includes functions such as device fingerprinting. CA's partnership programs are significant, and they will leverage global partners to support broad industry and geographic market penetration. CA's extensive product and service portfolio, sales and support channels favor the company in the Overall Viability criterion. CA's portfolio of IAM software and IDaaS can be combined for complex functionality and use case support, and CA has a broad set of user provisioning connectors to leverage for cloud and legacy application support.
Cautions

CA moved slowly toward providing IDaaS, and had a late start in the market relative to competitors that are newer to the broader IAM market. Its customer acquisition is behind that of major competitors, but CA has made decent customer gains in the past nine months. CA's offering is geared toward large customers; smaller businesses will likely seek alternatives. The service does not yet support password vaulting and forwarding for SSO for target systems that do not support federation standards. This feature is road-mapped. The platform lacks language internationalization, and the interfaces are provided in English only.

Centrify

Centrify entered the IDaaS market in late 2012. Centrify sells IDaaS as part of its User Suite offering that includes mobile device and application management. The IDaaS portion of the offering provides Web application SSO using federation standards or password vaulting and forwarding. User provisioning is provided for Microsoft Office 365, and other provisioning connectors are road-mapped. The integrated Centrify for Mobile capabilities provide many of the features of stand-alone enterprise mobility management vendors. Notable features include security configuration and enforcement, device certificate issuance and renewal, remote device location and wiping, and application containerization.

Strengths

The enterprise mobility management features are unique in the market, and Centrify has a strong relationship with Samsung. Centrify hosts Samsung's own offering, and Centrify leverages the Samsung Knox containerization capability. Administrative interfaces are provided for Web browsers, mobile devices, and through Active Directory Users and Computers interfaces. The service has broad international language support.
The service and on-premises proxy bridge component can be configured to keep some or all identity data on-premises in Active Directory and not replicate it to the cloud. Cloud identity storage is optional. Reporting and analysis features for all events handled by the service are wide-ranging and customizable.

Cautions

The number of SaaS application targets for user provisioning is very limited relative to competitors, and provisioning support is not provided for on-premises applications. Active Directory is the only supported on-premises identity store. Access management for on-premises applications requires the customer to have SAML federation capability. Brand awareness in IDaaS has lagged; however, this is being addressed through enhanced marketing efforts.

Covisint

Covisint is the longest-standing IDaaS vendor in the market. The company may not be well-known among prospects in some industries, geographies and small businesses due to its early focus on larger enterprises. Moreover, Covisint's functionality is often "white-labeled" by its customers. Covisint got its start in the automotive industry and provided integration broker, portal and identity services to support supply chain connectivity. The company has grown those lines of business into other industries. Its work in the automotive industry and supporting vehicle identities has also helped it build foundation services that can be used in other Internet of Things applications. Covisint's IDaaS features solid functional depth. The company also has a history of working through tough integration issues with demanding customers.

Strengths

Covisint provides strong identity assurance features, with several ID proofing vendor integrations and support for several authentication methods, both its own and those from third parties. The service includes user administration workflow capabilities and capable administrative delegation, along with access certification features.
The vendor provides deep identity federation and provisioning integration functions using standards and proprietary techniques. Covisint had its initial public offering in 2013 and has strong financial backing.

Cautions

Although it can support employee-to-SaaS scenarios, Covisint's focus on large customers with enterprise, B2B use cases will make it a less likely choice for small and midsize businesses (SMBs) looking only for support of the employee-to-SaaS use case. Covisint's scenario pricing provided for this research was high compared with competitors. Brand awareness is lacking outside of North America, but Covisint is working to address this.

Exostar

Exostar entered the market when it was formed by a community of aerospace and defense companies to support their IAM needs related to supply chain. Exostar also created a secure collaboration platform built on top of Microsoft SharePoint, and now delivers secure email, file transfer and WebEx services. Exostar has broadened its industry support to include life science, finance and IT services companies, and is delivering similar sets of community-centric IAM and collaboration functionality with an emphasis on this community's needs for intellectual property protection. The company augments its core services with identity proofing through third parties, but also provides a video "in person" identity proofing service using subjects' webcams for interviews. Exostar also delivers public-key infrastructure (PKI) and one-time password (OTP) credential management services. Exostar provides IAM that is fully cloud-based, or it can join community participants to the hub via a gateway.

Strengths

Exostar is one of the few small IDaaS vendors that is profitable. Exostar offers identity proofing and authentication methods to meet the high identity assurance requirements of its customers.
Because of its legacy in highly secure markets, Exostar has strict audit requirements to ensure that requirements for security and industry compliance issues are met. Exostar can cross-sell its collaboration platform and IAM. The company has strong customer relationships, and reference customers report that Exostar is a solid partner for implementation as well as for incorporating customer requirements into Exostar's road map. Exostar has strong B2B federation and administration capabilities, and it can handle data exchanges in support of complex business agreements for its established communities.

Cautions

Exostar has performed well in targeting industry communities with high identity assurance requirements. However, the company and its offerings are not currently geared toward the broader general purpose IAM market that would focus on enterprise users' access to SaaS applications or consumer inbound access to enterprises' applications as primary use cases. Exostar's target market is large companies with cross-organizational collaboration requirements. Exostar views IDaaS as a critical component of its offering, but primarily in the context of helping it deliver its overall business collaboration capabilities. User provisioning approval workflow features are coarse-grained, with a limited number of allowed approvers. Connector support to on-premises applications is limited to targets that support LDAP and SOAP. Authentication and SSO integration features are limited compared with vendors that support general purpose SSO use cases. Password vaulting and forwarding, and social registration and login are not supported.
Exostar provides IDaaS functions to users in multiple geographies, but these users and their companies are predominantly using the services at the behest of Exostar's anchor tenants in aerospace and defense and life sciences. There is not a strong international presence in terms of core customers, Exostar data centers and internationalization support. The company's scenario pricing was among the highest of all vendors.

Fischer International Identity

Fischer International Identity, a pure-play IAM provider, was one of the first vendors to deliver IDaaS. Fischer's capabilities are available in IDaaS, dedicated hosted, managed, or on-premises software delivery models. Fischer International Identity is also covered in "Magic Quadrant for Identity Governance and Administration." Fischer provides feature depth in user administration and fulfillment, some governance functionality, privileged account management, and federated SSO.

Strengths

Fischer is one of the few small IDaaS vendors that is profitable. Fischer's experience and technical capabilities enable it to support IAM functions for legacy on-premises applications in addition to SaaS applications. User administration functionality is deep, with strong connector support to a variety of directories, databases and applications. Access certification features are included. Fischer's scenario pricing is among the lowest, and references find its pricing to provide solid value for the money.

Cautions

Despite Fischer's long tenure in the IDaaS market and its solid customer growth, the company's brand recognition, market penetration and overall growth have been low compared with its competitors. The focus of Fischer's marketing and sales on the U.S. geographic market and higher education vertical has limited the company's growth in other geographies and verticals. Access management is limited to single sign-on, without the coarse-grained authorization enforcement found in other IDaaS access services.
OpenID Connect and OAuth support is not provided, which could hinder Fischer's ability to support native mobile and social use cases. However, these capabilities have been road-mapped by the company.

iWelcome

Netherlands-based iWelcome was spun off from system integration firm Everett. iWelcome's IDaaS offering became generally available in 2012. iWelcome provides its IDaaS in a dedicated single tenant delivery model to allow for customization and customer branding. Its offering is heavily based on open-source software and includes authentication, SSO, federation, self-service registration, and user provisioning support for on-premises and SaaS applications.

Strengths

iWelcome is the only established IDaaS vendor with headquarters in continental Europe. As a result, it has early-mover advantage in that region. Its services are underpinned by open-source technology, with strengths in access management, particularly in authentication method, federation protocol and identity repository support. Early work with government and quasi-government organizations has pushed iWelcome to address high security requirements and to be certified against ISO 27001 and Dutch government standards. Most of iWelcome's functionalities are API-accessible.

Cautions

iWelcome lacks delegated administration. However, this feature set is road-mapped for some time in 2014. iWelcome lacks core identity governance features such as access certification and recertification, and provisioning approval workflow capabilities are minimal. These features are road-mapped for 2014. The company's overall customer base is small compared with most competitors, although iWelcome picked up large customers early.
iWelcome's focus on the European market is a strength for the near term, but may be a weakness as other vendors deliver services within the region that meet data protection and privacy requirements.

Lighthouse Security Group

Lighthouse Security Group delivers its Lighthouse Gateway service in a multitenant model. However, components of the service can be delivered in a dedicated model. Lighthouse's service is underpinned by IBM's governance, administration and access management software. Lighthouse has overlaid IBM's technology with an extensive services layer designed to ease the implementation and ongoing administration of IBM's software for multiple clients.

Strengths

Lighthouse's functional offering is deep and aligns with the functionality provided by IBM's software deployed on-premises. The company has won some very large customers and can demonstrate high scalability. Lighthouse has an implementation methodology that is designed to bring customers on as rapidly as possible while working through a potentially complex set of design issues. Lighthouse has aligned itself with IBM's Global Technology Services group as its partner. Lighthouse also uses IBM's SoftLayer infrastructure as a service (IaaS). Both of these relationships should help Lighthouse expand outside of the U.S.

Cautions

Customers report that the service works well; however, it can take significant effort to go live. This is in part due to the complex nature of projects that Lighthouse takes on for larger customers. Lighthouse's current customers are U.S.-based, and the company is in the process of establishing its presence in other geographies. Lighthouse's pricing for several use case scenarios was among the highest. Despite having some small customers in its portfolio, Lighthouse will have to develop reduced pricing and rapid implementation for a core set of basic functionality to compete downmarket with other vendors in this space.
Okta

Okta's IDaaS offering is delivered multitenant, with lightweight on-premises components for repository and target systems connectors. The service was developed entirely by Okta and was generally available in 2010. IDaaS is Okta's core business. Okta delivers basic identity administration and synchronization capabilities, access management for Web-architected applications using federation or password vaulting and forwarding, and reporting. Okta has invested in technology that will provide mobile native application support and other mobile security features.

Strengths

Okta has demonstrated its ability to rapidly onboard customers from proof of concept to production. The company's marketing and sales strategies have been effective, demonstrated by brand recognition and an increased volume of customers. Okta has made the majority of its functions available through RESTful APIs to support integrations with customers' applications and workflows. References have been numerous, and they indicate high customer satisfaction. Okta has a large number of preconnected applications.

Cautions

Okta can synchronize identities from enterprise directories, but the vendor does not have user provisioning approval workflow beyond one level, nor does it have identity governance features. Okta captures essential log data for administration and access, and exposes this data for customers to use for reporting. However, the service's canned and custom reporting capabilities are limited. Okta does not yet support the use of social identities for registration and logon. Okta's current customer base is predominantly located in the U.S. Administrative interfaces will need to be internationalized and sales and support channels will need to grow to support other regions. Okta also requires use of the cloud to store some identity attributes.

OneLogin

OneLogin's IDaaS service has been available since 2010.
The service's architecture is multitenant, and lightweight integration components are used for on-premises connections. The service was developed entirely by OneLogin, and IDaaS is OneLogin's core business. OneLogin also markets a federated search capability that allows customers to search for content across connected applications and to be authenticated automatically when search results are returned and selected.

Strengths

OneLogin has a large number of preconnected applications. The service supports multiple authentication methods, including out-of-band push modes of OTP and X.509 authentication based on OneLogin's supplied public-key infrastructure (PKI). OneLogin has made good inroads into Europe and Asia/Pacific by virtue of its partner network and ability to host customer data in geographically acceptable data centers. OneLogin has built customer relationship capital through its "freemium" customer offerings and SAML toolkit for service providers. References were solid and appreciated the support they received from OneLogin. OneLogin's scenario pricing was among the lowest compared with competitors.

Cautions

OneLogin has trailed its closest competitors in brand recognition and, therefore, customer acquisition. OneLogin has secured a recent round of venture funding that will help it expand. However, it has taken on less venture capital than its nearest competitors. OneLogin lacks its own deep user administration and provisioning and identity governance functionality. However, it partners with RSA Identity Management and Governance (formerly known as RSA Aveksa) for this functionality. While the log data and reporting functions are capable and customizable, references report that improvement is needed with regard to ease of customization.

Ping Identity

The PingOne service became available in 2011.
The service is multitenant and based predominantly on the vendor's own intellectual property. However, the company also leverages OEM partnerships for identity intelligence, and it recently acquired mobile authentication vendor accells to provide enhanced authentication capabilities. Ping Identity provides a lightweight self-service bridge component to integrate a customer's Active Directory to the service, and also uses the well-established PingFederate product as the underpinning of the on-premises bridge component for customers when broad protocol and directory support are needed.

Strengths

By leveraging the PingFederate technology for the bridge component, Ping can offer extensive integration capabilities with a variety of identity repositories, existing customer access management systems and target application systems. Ping Identity has demonstrated support for multiple workforce and external identity use cases, as well as strong service provider support. Ping has shown strong leadership in identity standards development, as well as openness in working with customers and competitors to evolve the standards. Ping's established customer base has been leveraged to enhance and grow the PingOne IDaaS business, and Ping Identity has broad vertical and geographic market penetration through its value added reseller (VAR) and system integrator (SI) partner networks. Its acquisition of accells will help Ping Identity respond to the heightened need for adaptive mobile access.

Cautions

PingOne is one of the services with strong access features, but very lightweight IGA capabilities. Provisioning workflow and most identity governance features are missing. Ping Identity is playing catch-up with other vendors in API-enabling its service for administration and intelligence features, but does include APIs for SaaS SSO integration, new user registration, provisioning, native mobile SSO and log retrieval. Reporting capabilities are weak compared with competitors.
Language internationalization features for the administrative and user interfaces are lacking relative to competitors.

SailPoint

SailPoint IdentityNow is the newest IDaaS offering covered in this research; the service became generally available in October 2013. It was developed in-house and features access request and provisioning, access certification, password management, and SSO service elements. The architecture is multitenant and can deliver services completely in the cloud or can be bridged to enterprise environments. SailPoint provides the option to host its traditional on-premises IdentityIQ product in the cloud.

Strengths

SailPoint's legacy of providing strong on-premises IGA has helped the company deliver a subset of the functionality from the IdentityIQ product in IdentityNow. The more full-featured IdentityIQ can be cloud-delivered as an alternative. SailPoint's full complement of provisioning connectors provides fulfillment capabilities to a wide variety of identity repositories and target systems. SailPoint provides the full set of SSO options that include federated SSO and password vaulting and forwarding. SailPoint has broad geographic presence for sales and support as a foundation for selling its IDaaS. The company is profitable.

Cautions

Because SailPoint's offering is relatively new to the market, it has a small customer base, with several implementations just beginning. IdentityNow does not support OAuth or OpenID Connect and social identity use cases. IdentityNow is limited in its abilities to support delegated administration. SailPoint has a strong VAR and system integration partner set, but it has not yet been brought to bear to help sell the new offering.

Simeio Solutions

Simeio Solutions began delivering its Business Ready Cloud IDaaS in 2010.
The vendor provides a mixture of dedicated hosted and on-premises managed service offerings. Its services are underpinned by products from other well-established IAM software vendors, which allows Simeio to provide WAM, identity administration, access request, role and compliance, risk intelligence and IT governance, risk and compliance (GRC), and directory services.

Strengths

Simeio's use of major IAM stack vendors' technologies provides it with an arsenal of products that provides deep functional support for Web and legacy applications. Simeio's Identity Intelligence Center provides actionable insight into patterns of usage among users that may exist across multiple vendor identity sources and other security systems. The same vendor partnerships provide referrals to Simeio for customer acquisitions. Simeio's history as an integrator has given it the experience to help customers plan, design and integrate their IDaaS offerings. A significant portion of Simeio's staff serve in professional service roles. Simeio's service-based roots have enabled it to have a positive cash flow since its inception. Simeio has a good spread in its vertical industry representation.

Cautions

Simeio has a customer with a very large consumer-facing implementation and high volume of users. However, Simeio's overall customer base is small relative to its competitors. Simeio's use of OEM software requires the incorporation of these third-party vendors' software licensing costs in its offering. This tends to make Simeio's pricing high, even for pure Web application use cases. Simeio is relatively unknown in the IDaaS marketplace, and is slowly building its customer base and brand awareness based on vendor partners, some of which are also competitors. Simeio's references consider it a very good partner.
However, there are often complex customer business and technical requirements, and these requirements can drive high complexity in the implementations and increase time to implement, which can diminish customer perceptions of value for money.

Symplified

Symplified entered the IDaaS market in 2008. It provides WAM, including federated SSO and SSO using password vaulting and forwarding, user provisioning, and reporting functions. Symplified's architecture is weighted toward on-premises components. Administrative functions are performed in the cloud, but policy decisions and enforcement actions are handled in the on-premises-based Identity Router. However, the Identity Router can be hosted on Amazon Web Services. Symplified's IDaaS is based on its own intellectual property.

Strengths
- The Identity Router's architecture and features have allowed customers to overcome some complex on-premises Web application integrations that could not be done with competitors' offerings.
- Symplified's architecture keeps personal data local to the customer and not on the cloud platform.
- Symplified's Identity Router uses a proxy architecture that allows it to capture detailed data on all user interactions with target systems.
- Symplified's overall pricing was among the lowest compared with its competitors.

Cautions
- Despite Symplified's early entry into the market and aggressive initial marketing campaigns, the company's focus shifted downmarket and it lost momentum and brand recognition relative to its competitors.
- Symplified's customer base is small compared with its competitors.
- Symplified's user provisioning functionality is shallow, and the number of SaaS targets integrated with its service is relatively low when compared with its competitors.
- Despite the ability to collect very detailed data on user-to-application interactions, customers have found the reporting capability to be lacking.
Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor. Because this is a new Magic Quadrant, no vendors have been added or dropped.

Other Vendors of Note

Two vendors, salesforce.com and Microsoft, did not meet the inclusion criteria for this Magic Quadrant. Salesforce.com was not able to provide user provisioning connections to target systems in time to meet the IGA functional requirements, and Microsoft did not have a generally available and separately priced IDaaS offering until April 2014, well after the December 2013 deadline set for this Magic Quadrant. (See the Inclusion and Exclusion Criteria section.) Gartner believes that both of these vendors have the potential to significantly impact the IDaaS market. They will be the subject of future Gartner research.

There has been some Gartner client interest in two vendors that specialize in social identity integration — Gigya and Janrain. However, neither one met the IAM functional inclusion criteria for this Magic Quadrant, notably in the IGA functional areas. These vendors specialize in IAM for consumer-facing implementations. As IDaaS vendors add social identity registration and login functions to their offerings, Gigya and Janrain's social registration and login functionality may be in less demand.
However, these vendors provide value for other consumer marketing functions, such as gamification (in Gigya's case) and analytics. Retail and media companies, in particular, may strongly consider Gigya and Janrain for their consumer-facing needs.

Ilantus Technologies, Pirean and Wipro did not meet the financial or market penetration criteria for this Magic Quadrant. However, these vendors have functionally deep IAM offerings, and also have international headquarters, which may help them to be considered as alternatives to U.S.-based companies.

Inclusion and Exclusion Criteria

The vendor must provide a minimum level of functionality in all of the IAM functional areas outlined in the Market Definition/Description section. Vendors that deliver only one or two of these core IAM functions as a service, such as authentication only, were not covered as part of this research. The following additional inclusion criteria were used.

- Longevity of offering: Each IDaaS offering has been generally available since at least November 2013 and is in use in multiple customer production environments.
- Origination of offering: The offering is manufactured and operated by the vendor, or is a significantly modified version obtained through an OEM relationship. (We discount any service offering that has merely been obtained without significant functional modification through a licensing agreement from another vendor — for example, as part of a reseller/partner or service-provider agreement.)
- Number of customers and end users (including customers of third-party service providers and their end users): As of 31 December 2013, the vendor had:
  - More than 20 different active customer organizations using the vendor's IDaaS offerings in a production environment.
  - Revenue attributed to fees for IDaaS service usage that is greater than $4,000,000 for the year ending 31 December 2013.
- Verifiability: Customer references must be available.
Evaluation Criteria

Ability to Execute

Table 1. Ability to Execute Evaluation Criteria

Criteria                      Weight
Product or Service            High
Overall Viability             Medium
Sales Execution/Pricing       High
Market Responsiveness/Record  Medium
Marketing Execution           Medium
Customer Experience           High
Operations                    Low

Source: Gartner (June 2014)

Product or Service
- The service's overall architecture, with emphasis on the service's global availability and resiliency features, and its flexibility to support on-premises identity repositories and cloud-only implementations.
- The level of support and expertise required by customers to help maintain the components.
- The extent to which a service's functions are exposed via APIs for customers' system integration.
- Security and privacy — The physical and logical controls implemented by the vendor and any underpinning infrastructure as a service provider, security for on-premises bridge components and connections between the bridge and the IDaaS, controls for data security — particularly regarding personal information — and vendors' third-party certifications received for the services.
- The variety of on-premises identity repositories that can be supported, and the quality of integration with same.
- The depth and breadth of IGA functionality:
  - Access request
  - Access approval workflow depth and functionality
  - Access certification
  - Attribute discovery and administration
  - Administrative access enforcement — for example, to identify, alert and prevent inappropriate access
  - Provisioning: create, read, update and delete (CRUD) of user identities and entitlements to target systems
  - Configuring target system connectors
- The depth and breadth of access functionality:
  - User authentication methods supported
  - Breadth of SSO support for target systems
  - Federation standards
  - Support for mobile endpoints and native mobile application integration
  - Authorization enforcement
- The depth and breadth of identity intelligence:
  - Canned reporting
  - Customized reporting
  - Data export to on-premises systems
  - Analytics
- Integration with Microsoft Office 365, Microsoft SharePoint, customers' on-premises VPNs and WAM systems.
- Deployment requirements such as speed of proof of concept and deployment, customer staffing requirements, and factors that add complexity and may affect speed to deployment and staffing.

Overall Viability
- Overall financial health.
- Success in the IDaaS market in terms of number and size of customer implementations. This aspect is heavily weighted.
- The vendor's likely continued presence in the IDaaS market.

Sales Execution/Pricing
- The vendor's capabilities in such areas as deal management, presales support, and the overall effectiveness of the sales channel, including value-added resellers and integrators.
- The vendor's track record in competitive wins and business retention.
- Pricing over a number of different scenarios. This aspect is heavily weighted.

Market Responsiveness/Record
- The vendor's demonstrated ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, and market dynamics change.
- How the vendor can meet customers' evolving IDaaS needs over a variety of use cases.
- How the vendor has embraced standards initiatives in the IDaaS and adjacent market segments and responded to relevant regulation and legislation.

Marketing Execution

The clarity, quality, creativity and efficacy of programs designed to deliver the vendor's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities.
- Marketing activities and messaging
- Visibility in the press, social media and other outlets
- Vendor's appearance in vendor selection exercises based on Gartner client interactions
- Brand depth and equity

Customer Experience
- Customer relationship and services.
- Customer satisfaction program.
- Customer references — This evaluation subcriterion was weighted heavily and included input from vendor-supplied references, as well as unsolicited feedback from Gartner client interactions.

Operations
- People — The size of organization and track record of key staff.
- Quality and security processes.

Completeness of Vision

Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria          Weighting
Market Understanding         Medium
Marketing Strategy           Medium
Sales Strategy               Medium
Offering (Product) Strategy  High
Business Model               Medium
Vertical/Industry Strategy   Low
Innovation                   High
Geographic Strategy          Low

Source: Gartner (June 2014)

Market Understanding
- Understanding customer needs — Methods, and the effects of the Nexus of Forces (cloud, mobile, social and information).
- The future of IDaaS and the vendor's place in the market.
- Vendors' views on top technological, nontechnological and regulatory changes in the market.

Marketing Strategy
- Communication and brand awareness — The clarity, differentiation and performance management of the vendor's marketing messages and campaigns.
- The appropriateness of the vendor's use of events, social media, other online media and traditional media as part of its marketing efforts.

Sales Strategy

The vendor's strategy for selling its IDaaS offerings that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy
- The vendor's approach to developing and delivering its IDaaS offerings that meet customers' and prospects' needs with respect to their key selection criteria, the needs created by the Nexus of Forces, and other market dynamics.
- The vendor's ability to exploit the Nexus of Forces to improve its IDaaS products and services.
- The strength of the vendor's road map and how the vendor will increase the competitive differentiation of its IDaaS and ancillary services.

Business Model
- The soundness and logic of the vendor's underlying business proposition.
- Vendor's views of key strengths and weaknesses relative to competitors
- Recent company milestones
- Path chosen for future growth

Vertical/Industry Strategy
- Customer breadth and penetration in various industries and sizes of customer organizations.
- Views of industry trends and special needs.
- Strategy for expanding IDaaS adoption in different industries.

Innovation
- Foundational technological and nontechnological innovations.
- Recent and planned innovations.
- Organizational culture and how it affects innovation.

Geographic Strategy
- Global geographic reach of customer base and trends.
- Strategy for expanded geographic customer acquisition.
- Global nature of technical support and professional services, and language internationalization for administrative and user interfaces.

Quadrant Descriptions

Leaders

Leaders in the IDaaS market have generally made strong customer gains. They provide feature sets that are appropriate for current customer use case needs. Leaders also show evidence of superior vision and execution for anticipated requirements related to technology, methodology or means of delivery. Leaders typically demonstrate solid customer satisfaction with overall IDaaS capabilities and/or related service and support.

Challengers

Challengers also show strong execution, and have significant sales and brand presence. However, they have not shown the Completeness of Vision for IDaaS that Leaders have. Rather, their vision and execution for technology, methodology and/or means of delivery tend to be more focused or restricted to specific platforms, geographies or services. The clients of Challengers are relatively satisfied, but ask for additional IGA and intelligence features as the vendors mature.

Visionaries

Vendors in the Visionaries quadrant provide products that meet many IDaaS client requirements, but may not have the market penetration to execute as Leaders do. Visionaries are noted for their innovative approach to IDaaS technology, methodology and/or means of delivery. They often may have unique features, and may be focused on a specific industry or specific set of use cases, and they have a strong vision for the future of the market and their places in it.

Niche Players

Niche Players provide IDaaS technology that is a good match for specific use cases or methodology.
They may focus on specific industries or have a geographically limited footprint, but they can actually outperform many competitors. Vendors in this quadrant often have relatively fewer customers than competitors, but may have large customers and have a strong IDaaS feature set. Pricing might be considered too high for the value provided by some vendors. Inclusion in this quadrant, however, does not reflect negatively on the vendor's value in the more narrowly focused service spectrum. Niche solutions can be very effective in their area of focus.

Context

Vendors rated in this Magic Quadrant come from distinctly different backgrounds. Vendors' pedigrees vary greatly, as do their abilities to provide IAM functional depth and support for different use cases. Their aspirations for servicing customers by geography, industry and customer size segmentation also vary. Clients are strongly cautioned not to use vendors' positions in the Magic Quadrant graphic as the sole source for determining a shortlist of vendors to consider. Vendors were evaluated with regard to their abilities to provide a general set of IAM functionalities across multiple use cases, and in multiple geographies and industries, and to do so by providing solid value for money as perceived by their customers. All vendors covered in this Magic Quadrant have succeeded in providing customers with services that meet their needs. However, client requirements, particularly those for IAM functional depth, speed to implementation, geographic coverage and price, will most likely strongly affect the choice for a shortlist.

1. Clients focused on Web-architected application targets, employee-to-SaaS and consumer-facing needs should strongly consider Centrify, Okta, OneLogin, Ping Identity and Symplified.
These vendors also have experience with small and midsize businesses (SMBs), even as these vendors aspire to move upmarket to serve larger clients and have begun to do so. Note that these vendors currently have limited IGA abilities. They tend to lack multilevel provisioning approval workflows and, in most cases, delegated administration, as well as identity governance features such as access certification, segregation of duties violation detection, or role engineering and certification. These vendors' provisioning connectors for legacy application targets will also be lacking.

2. Clients with needs for more functional depth in IGA and for legacy on-premises application targets should strongly consider CA Technologies, Covisint, Fischer International Identity, Lighthouse Security Group, Simeio Solutions and SailPoint. European clients may especially be interested in iWelcome. More of these vendors also provide dedicated hosted instances of their offerings as options.

3. Clients who have needs for IAM served as part of a community of interest or industry consortium should strongly consider Covisint and Exostar. These vendors have a history of providing IAM in a hub configuration designed to support collaboration among participants or to serve the community's common business partners for access to a set of community-owned applications. Exostar is also recommended for clients with needs for secure collaboration services on top of IDaaS.

Clients should generally expect more complex, time-consuming and costly implementations when they have requirements for IGA functional depth and legacy (non-Web-architected) on-premises application targets. These requirements generally indicate a stronger need for IAM process and data modeling and target system integration functions, such as connector development and configuration. System integrators have been needed when clients implemented traditional IAM software suites with these types of requirements.
Several of the vendors listed above in item No. 2 come from system integration backgrounds. IDaaS customers should expect best practices and operational excellence from these companies due to their familiarity with the software components that underlie the solutions. There should be some deployment and integration efficiency gains relative to do-it-yourself approaches. Dedicated per-client IAM infrastructure also drives up the cost of the offering relative to multitenant offerings. The cost of underlying IAM third-party software licenses may also drive up the overall costs of the implementation.

Security

Gartner clients rightly express concerns with regard to data security and protection of enterprise users' passwords when IDaaS is being considered. The following are generally true for IDaaS security practices, with some exceptions:

- Some user identity data will be held in the cloud. Most commonly, this data includes first and last name and email address. Some vendors, such as Centrify and Symplified, require no user attributes to be held in the cloud, with the assumption that all data needed for provisioning users to SaaS application targets is held in the on-premises directory and can be accessed by the vendors' bridge components. Centrify offers on-premises-only or hybrid cloud implementation, and the hybrid implementation requires some identity data to reside in the cloud. Ping Identity's solution works similarly. Generally, as the number of attributes needed to provision users' accounts grows, that data must minimally pass through vendors' IDaaS services to be provisioned to SaaS targets. A cloud-only implementation of IDaaS will have to hold all of these attributes.
- Data is encrypted in transit over networks. However, one exception is that passwords are sent in the clear when being transmitted to target systems when federation is not supported and Secure Sockets Layer (SSL) is not used between browser and target system.
This is essentially the same as when a user's browser interacts directly with an application without IDaaS controlling the access. Also, SSL is usually used for SaaS sign-on flows whether an IDaaS is brokering the access or not.
- Identity data in the vendor's cloud is encrypted at rest. Vendors have different strategies for managing encryption keys. Most vendors generate different encryption key pairs for each customer's instance of the service, and there is variance in how those keys are managed. The keys may be technically under the customer's strict control, or the vendors' operations staff may control the keys. In the latter case, these vendors claim that their personnel will have other controls in place to ensure that there is no inappropriate use of these keys.
- On-premises bridge components will use SSL/Transport Layer Security (TLS) to communicate with the service, and many of the vendors will require no inbound firewall port to be opened to support this. Communications are initiated outbound from the bridge.
- Almost all providers use infrastructure as a service (IaaS) providers, rather than their own operations centers, to host their offerings.
- All vendors maintain some type of third-party security certification, as do the IaaS providers that host the IDaaS. SSAE 16 SOC 1 or SOC 2 are common. ISO 27001 is rare, but some vendors have stated plans to achieve ISO/IEC 27001 certification.

Availability

The use of IDaaS may introduce a single point of failure. IDaaS vendors have generally taken care to architect their services with network and system redundancy features, and to host their services on IaaS that has been provisioned with sufficient redundancy to guarantee adherence to the IDaaS vendor's service-level agreements. IDaaS vendors have also generally architected their on-premises bridge components to be implemented redundantly if the customers choose to do so.
Nevertheless, a major system failure with the IDaaS can potentially leave customers temporarily without access to the applications that IDaaS serves. Organizations face similar risks when they manage their own IAM services, and components such as federation servers fail. Clients that choose to accept the risks of using IDaaS should have an emergency business continuity process in place that includes these steps:

- Bring up any available in-house federation technology and federate to key target systems if possible.
- If federation services are not available, then temporarily turn off federation at target systems to fall back to password-based authentication.
- Issue temporary passwords for all target application accounts that can support password authentication.
- Fall back to manual user provisioning processes.

Data Residency

Most of the vendors covered in this research are U.S.-based. Gartner clients from other countries may have concerns about employees', business partners' and customers' personal data that could be held in the cloud. Despite the use of local or regional data centers to host services and data, international clients may still be concerned about the U.S. government's ability to get access to the data. This is currently a risk that clients must evaluate and determine if it is acceptable or not. We recommend the following for clients who intend to use IDaaS, but have concerns about U.S. providers.

- Have the vendor prove Safe Harbor certification or, preferably, require the vendor to sign the EU's model contracts on privacy.
- Require your sole ownership of encryption keys if possible, and evaluate the controls associated with the development and operations staff and their access to the keys.
If these recommendations do not provide enough comfort, then Gartner recommends evaluation of IDaaS providers in suitable jurisdictions.

Pricing

Gartner asked vendors to provide "street" price quotes for several use case and volume usage scenarios. Vendors were cautioned against providing list prices. Vendors were asked to provide all costs, including startup costs, over a three-year subscription period. Three of the most commonly required scenarios are included below, with range of costs and averages.

Scenarios 1 and 2: 1,000- and 10,000-Employee Workforces, Web-Architected Applications

- Number of users: 1,000 in the workforce ("any" staff), who use the service several times daily.
- Endpoints: Company-owned PCs; approximately 60% Windows Active Directory and 10% Mac OS X, 30% mix of Apple and Android tablets and smartphones.
- User location: Could be anywhere — a mix of on-premises corporate LAN and external use cases.
- All identities and attribute data held in Active Directory.
- Support to: Five externally hosted (SaaS) applications and five internal Web application targets.
- Allow the company's administrator to directly administer users' identities, and provision these to Active Directory. Subsequently and automatically provision accounts to the five SaaS applications, with the assumption that there is an available provisioning API for all five, and that the vendor has already created provisioning connectors for three of the five applications. Two of the applications need connectors created for the customer.
- User self-service application access request, administrator approval, and subsequent provisioning as described above, and user self-service password reset.
- User authentication to the service and SSO to all target applications, three using SAML federation and two using password vaulting and forwarding; support for identity-provider-initiated federated SSO to your service based on an Active Directory authentication; and service-provider-initiated redirect authentication for an externally located user who connects to SaaS first, to support authentication against your service and corporate Active Directory.
- Reporting for all administrative and access events.

We requested pricing for two variants. Scenario 1 included support of the above requirements for 1,000 internal users. Scenario 2 included support of the above requirements for 10,000 users and with the added requirement that 5,000 of those users be provided with SMS or voice-based one-time password authentication. The average three-year cost for the 1,000-user scenario was $151,149. The average three-year cost of the 10,000-user scenario was $571,879. In both scenarios, vendors who had significant gaps in the required functionality were removed from the average calculation, as were the high pricing and low pricing that were significantly out of line with the other vendors' pricing.

Scenario 3 — 100,000-User Consumer- and Business-Facing Implementation

- 100,000 external consumers (50,000 individual consumer users and 50,000 business partners' users from 100 companies).
- Average usage: Once per month per user.
- Endpoints: Any endpoint with a Web browser from any location.
- Access to three internal on-premises Web applications, and two SaaS applications.
- Identity data for the on-premises applications to use will be held in an on-premises LDAP-exposed directory.
- Self-service user administration and password reset.
- Delegated user administration for business partner administrators to administer their own users.
- Administrators can grant or deny access for their users to any of the five applications.
- Automated user provisioning to any approved application, with the assumption that all targets have a provisioning API available and the vendor has not yet created a connector for any of these applications.
- User authentication and SSO for all users to all applications.
- Acceptance of Facebook and LinkedIn identities for initial consumer registration, account linking, and subsequent login to the service and subsequent SSO to a customer's applications.
- Five of the largest business partners must have support for federated authentication to your applications using SAML, based on user authentication at the business partner's own internal identity provider.
- Reporting for all administration and access events.

There was wide variance in the pricing for this scenario. The average among all vendors was $1,111,043 over three years. However, there was wide disparity between two groups of vendors. There was a group of eight vendors that could deliver the functionality for an average price of $389,863. The higher-priced group of five vendors averaged a price of $2,409,167. Pricing for consumer-facing implementations is in its early days, and vendors are at various stages of maturity in responding realistically to these requests from customers. In all cases, clients are strongly encouraged to understand their own total costs of ownership for managing the same IAM functions in-house so that these costs can be compared with IDaaS pricing.

Gartner also collected pricing data for other scenarios, including those requiring more in-depth IGA functionality and legacy on-premises application support. Pricing was highly variable for these implementations. Clients interested in these scenarios should contact Gartner for more information.

Trends

What key trends are shaping the IDaaS market and how will the market evolve?
Shallow Gets Deeper, Slow Gets Faster

Web-centric IDaaS vendors have made solid gains at the lower ends of the market, and for supporting the employee-to-cloud use case. As these vendors have moved upmarket, they find that larger organizations tend to have existing IAM software solutions in place. These prospects, which may wish to extend their current implementation with IDaaS, or which are hoping to replace their on-premises solution, tend to have needs for deeper IGA functionality than the Web-centric vendors typically provide. These prospects also tend to require integration with legacy-architected systems and a variety of directories and databases. This is forcing shallow-function, Web-centric IDaaS vendors to add deeper functionality and integration capabilities to their road maps.

Conversely, the IDaaS vendors with deeper IAM functionality and integration capabilities tend toward implementations that are larger and more complex, and do not have their offerings price-tuned for rapid handling of the downmarket Web-centric use cases. These vendors will need to provide a streamlined, rapidly deployable offering for these use cases if they wish to gain a piece of the SMB markets.

Mobile Support Gets Better

IDaaS vendors' native mobile application support is a frontier capability, particularly for authentication and SSO. Several IDaaS vendors support a portal-like interface on mobile devices for Web applications that are under IDaaS management. IDaaS vendors' support for customers' and third-party native apps is nascent. IDaaS vendors began supporting customers' mobile apps by offering software development kits (SDKs). With these SDKs, customers can develop their apps using the IDaaS vendor's SDK, which will provide authentication to the IDaaS vendor's service. Centrify provides this approach, but it also supports a containerization approach and provides MDM features as part of its offering.
Okta has invested in technology that will provide mobile native application support and other mobile security features. Ping Identity acquired Accells to provide push out-of-band authentication as part of its service. Ping Identity is also one of the vendors leading the efforts of the OpenID Connect Native Applications (NAPPS) Working Group to develop a standards-based approach to supporting authentication and SSO for multiple native apps. OneLogin and Symplified are also participating in this working group, and other vendors have shown interest. If this working group is successful, customers should have a standardized approach for getting authentication and SSO functions for native mobile apps, and easier portability for these apps when switching IDaaS vendors or even moving to on-premises access managers that support the standards. Containerization approaches will remain proprietary, but will offer customers security protections beyond authentication and SSO, such as data security, jailbreak detection and security policy enforcement.

IDaaS Becomes Part of Other Services

Salesforce.com and Microsoft have entered the IDaaS market and are positioning their IDaaS offerings as components of their broader PaaS portfolios. Intermedia, a relatively smaller provider of hosted Microsoft products and unified communications services, acquired IDaaS vendor SaaSID in 2013 and has incorporated the acquired functionality into a service that can be purchased stand-alone or with other Intermedia services. IDaaS vendors are in various stages of maturity in providing API-based access to their services. We are also noting that several IDaaS vendors are beginning to tout their services' directory integration with other sources of identity, such as salesforce.com, Google, Microsoft and Workday.
Thus, IDaaS has a future of supporting traditional enterprise needs as well as service-to-service needs; for example, use cases where enterprise CRM systems call an IDaaS to create an identity and then provision that identity to several systems within the enterprise and on SaaS applications (see "Provisioning User Accounts to Cloud Applications").

Several IAM functions will commoditize. SSO is well on its way to commoditization, while IGA and intelligence functions will take a bumpy and winding road to it. User self-service access request and profile management, password reset, access approvals, account provisioning to Web-centric targets, and canned and customized reporting will commoditize first. More advanced IGA and analytics features will take longer. Clients should expect overall downward pricing pressure in the market for the next three years.

On-Premises Replacement

Wholesale replacement of traditional on-premises IAM software stacks that serve multiple use cases for large enterprises has been relatively rare. These on-premises implementations are long-standing, tend to be well-staffed, and have been deployed to support legacy-architected systems, not just Web-architected and SaaS apps. Nevertheless, there are vendors that can support multiple use cases and have software with deep functionality that can be cloud-delivered and is capable of replacing legacy on-premises IAM tools. These vendors have been conservatively building businesses to do just that, and more customers are starting to use them. However, these kinds of deals are an order of magnitude fewer in number than the more popular and easy-to-deliver Web-centric IDaaS deals.
Full-featured IDaaS implementations that support legacy applications can be deployed more rapidly than traditional software and can remove some of its deployment complexity. Integration with legacy systems, multistep approval workflows, access certification and other IGA functions prevalent in mature IAM implementations still take time to plan, design and implement, and they add cost. Decisions to outsource complex IAM implementations aren't made easily. Therefore, enterprises considering a build-or-extend versus outsource decision should focus on two key areas.

1. Inhibitors to successful on-premises IAM adoption, or issues with the current implementation, that would potentially be alleviated or circumvented by the move to IDaaS, such as:
- Inappropriate staffing levels or skills
- Organizational battles over duplicative IAM implementations obtained through mergers, acquisitions or independent organizational buying decisions
- Insufficient planning prior to tool selection and implementation
- Project scope creep
- Poor operational efficiency by IAM, resulting in too much time taken for IAM functions
- Poor operational effectiveness by IAM, resulting in audit findings for access violations

With the exception of inappropriate staffing levels or skills, these inhibitors will not be automatically resolved by switching to IDaaS. There are often root causes for these inhibitors that have nothing to do with the delivery model for IAM, and these issues must be addressed with solid IAM program governance. IDaaS may simply help go around the problems or alleviate some of them.

2. Total cost of ownership. There is no free lunch. Clients who judge IDaaS as too expensive may not have done their homework in terms of understanding the full costs of managing on-premises IAM.
These costs include:
- Fully burdened staff costs for implementers, operations staff and a portion of the help desk personnel
- Software investment costs and ongoing maintenance
- Estimated patch and upgrade costs
- Infrastructure and operations for resilient implementations and business continuity

Both of these areas will be explored more fully in future Gartner research.

Market Overview

Gartner's inaugural Magic Quadrant for Identity and Access Management as a Service underscores a market in its early days that is largely driven by Web application use cases. The IDaaS market was originally fueled by SMBs that made SaaS the predominant application delivery model. Most of their applications were already in the cloud, and they preferred to buy rather than build infrastructure. In turn, SaaS applications became new identity silos, each with its own administration, authentication and event-logging capabilities. IDaaS vendors can create connections to SaaS vendors one time for purposes of authentication, SSO and account management (when SaaS vendors provide APIs to allow this). These connections can then be reused for new clients, relieving IDaaS customers of having to create them themselves. IDaaS vendors can also bridge to customers' on-premises identity and authentication services, and use data held there, or removed from there (such as directory group or organizational unit membership), to provision and deprovision accounts on SaaS targets. This automation saves the effort of manually provisioning and deprovisioning accounts, and also helps avoid orphaned but still active accounts on SaaS, which can leave enterprises vulnerable and paying for unused accounts. In the last few years, vendors that can broker all the functions between enterprise users and SaaS have become appealing to organizations of all sizes. Cloud security and data residency concerns, however, are often key factors in evaluating IDaaS vendors.
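The bridging mechanism described above, reduced to its core, is a reconciliation between what the customer's directory says a user is entitled to (derived from group or OU membership) and the accounts each SaaS target actually reports. The following is an added example written for this page, not Gartner's or any IDaaS vendor's code: it takes a constructed directory export, a constructed group-to-application entitlement policy and a constructed snapshot of SaaS accounts, and produces the create and deprovision actions a bridge would apply, tagging each removal with its reason so that the dangerous case, an account with no matching directory identity at all, is not lost among ordinary leavers and movers. All users, groups, application names and reason strings are invented for illustration; a real bridge would obtain the account snapshot from each SaaS vendor's provisioning API.

```python
"""Group-membership-driven provisioning reconciliation.

Added example (not from the original page): compares an on-premises directory
export against the accounts each SaaS target reports, and produces the
create/deprovision actions an IDaaS bridge would apply. Every user, group,
application and reason string below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DirectoryUser:
    username: str
    enabled: bool        # False for leavers whose directory account is disabled
    groups: frozenset    # directory group / OU membership


# Constructed directory export (hypothetical users).
DIRECTORY = {
    "alice": DirectoryUser("alice", True, frozenset({"Sales", "All-Staff"})),
    "bob": DirectoryUser("bob", True, frozenset({"Engineering", "All-Staff"})),
    "carol": DirectoryUser("carol", False, frozenset({"Sales", "All-Staff"})),  # leaver, disabled
    "dave": DirectoryUser("dave", True, frozenset({"All-Staff"})),              # moved out of Sales
}

# Constructed entitlement policy: directory groups that grant an account on each SaaS target.
POLICY = {
    "crm": frozenset({"Sales"}),
    "wiki": frozenset({"All-Staff"}),
    "sourcecontrol": frozenset({"Engineering"}),
}

# Constructed snapshot of the accounts each SaaS target reports through its API.
SAAS_ACCOUNTS = {
    "crm": {"alice", "carol", "dave", "mallory"},   # mallory: no directory identity at all
    "wiki": {"alice", "bob", "carol"},
    "sourcecontrol": set(),
}


@dataclass
class Plan:
    create: dict = field(default_factory=dict)       # app -> sorted usernames to provision
    deprovision: dict = field(default_factory=dict)  # app -> {username: reason}


def entitled_users(directory, granting_groups):
    """Enabled directory users who belong to at least one granting group."""
    return {u.username for u in directory.values()
            if u.enabled and u.groups & granting_groups}


def deprovision_reason(directory, username):
    """Why an existing SaaS account should go; orphans are distinguished from leavers and movers."""
    user = directory.get(username)
    if user is None:
        return "orphaned: no matching directory identity"
    if not user.enabled:
        return "disabled in directory"
    return "no longer a member of a granting group"


def reconcile(directory, policy, saas_accounts):
    """Compute the delta between who should have an account on each target and who does."""
    plan = Plan()
    for app, granting_groups in policy.items():
        should_have = entitled_users(directory, granting_groups)
        has = saas_accounts.get(app, set())
        plan.create[app] = sorted(should_have - has)
        plan.deprovision[app] = {
            name: deprovision_reason(directory, name) for name in sorted(has - should_have)
        }
    return plan


def orphaned_accounts(plan):
    """Accounts with no directory identity at all: the ones most likely to linger unnoticed."""
    return {app: sorted(n for n, why in actions.items() if why.startswith("orphaned"))
            for app, actions in plan.deprovision.items()}


if __name__ == "__main__":
    plan = reconcile(DIRECTORY, POLICY, SAAS_ACCOUNTS)
    for app in POLICY:
        print(f"{app}: create={plan.create[app]} deprovision={plan.deprovision[app]}")
    print("orphans:", orphaned_accounts(plan))
```

Run stand-alone, the script shows dave gaining a wiki account and losing CRM, carol losing everything because her directory account is disabled, and mallory flagged as an orphan on CRM. The separate orphan report matters in practice: leavers and movers are explained by directory state, but an account the directory has never heard of is either a local admin's side door or a leftover from before the bridge existed, and it is exactly the kind of account that keeps an enterprise exposed and paying.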
The growth of the IDaaS market has been driven by the following factors:
- The need to instill IAM disciplines for SaaS applications
- The need to gain faster time to value over traditional on-premises software
- The desire to avoid IAM implementation failures
- The desire to reduce IAM talent costs in design, implementation and support

Gartner estimates the market size at year-end 2013 to be $215 million. This is slightly lower than our mid-2013 forecast of $230 million. Gartner believes the data collected in 2013 indicated higher revenue for some vendors that inappropriately allocated revenue from other parts of their businesses to IDaaS. The 2013 estimate does not include revenue from vendors that provide single-function IDaaS offerings, for example, authentication-as-a-service vendors. However, revenue from authentication-as-a-service vendors was believed to be approximately $220 million in 2013, that is, 10% of a $2.2 billion user authentication market. Authentication as a service is a simple function to deliver compared with multifunction IDaaS. The latter will take longer to grow as a percentage of the overall IAM market. Gartner predicts that multifunction IDaaS will be the preferred delivery model for 20% of IAM purchases by the end of 2017, up from less than 10% in 2014.

Over the past few years, Web-centric IDaaS vendors have made solid gains at the lower ends of the market, supporting the employee-to-cloud use case. As these vendors have moved upmarket, they find larger organizations tend to have IAM solutions in place and have deeper IGA functionality needs than Web-centric vendors can provide. These prospects also require integration with legacy-architected systems. This is forcing shallow-function, Web-centric IDaaS vendors to add deeper functionality and integration capabilities to their road maps.
Conversely, IDaaS vendors with deeper IAM functionality and integration capabilities tend toward larger, complex implementations, and do not have price-tuned offerings for rapid handling of Web-centric use cases. These vendors will need to provide a streamlined, rapidly deployable offering for these use cases if they wish to gain a piece of the SMB market.

The employee-to-cloud use case drove growth in the early IDaaS market, and this use case still predominates. Some larger organizations are also "peeling off" the part of their IAM needs that is served by IDaaS, even when those organizations may own IGA and access tools that could be extended to the cloud. For this use case, IDaaS is viewed as a quick win, and sometimes as a way to standardize a solution for one part of the enterprise IAM problem space. However, use case needs are changing, and vendors are being asked to take on more than the employee-to-cloud scenario. More customers are driving IDaaS vendors to support consumer inbound access to enterprise and consumer-facing systems, a use case that has traditionally been supported by on-premises user self-service registration and WAM tools. Consequently, some IDaaS vendors are finding it necessary to implement consumer- and B2B-friendly pricing and to prove they can scale to high volumes of users. Other key trends include better mobile support and IDaaS as part of other services such as PaaS offerings (see the Context section of this research for a deeper analysis of mobile and PaaS trends, a closer look at security and data residency concerns, and information on pricing).

© 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission.
If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."