Magic Quadrant for User Provisioning
Gartner RAS Core Research Note G00206614, Perry Carpenter, Earl Perkins, 30 September 2010, RA1 03302011
User provisioning manages identities across systems,
applications and resources. Compliance remains the main driver
of uptake, and identity and access intelligence and role life cycle
management are increasingly top-of-mind issues.
WHAT YOU NEED TO KNOW
This document was revised on 4 October 2010. For more information, see the Corrections page on gartner.com.
User-provisioning solutions are maturing in function and capability, and the user-provisioning market continues to consolidate. As some identity and access management (IAM) technologies approach a commoditylike state, the boundaries between core IAM products, such as user provisioning and companion product sets, are blurring.
Core provisioning functionalities are similar across most vendors (such as workflow engines, approval processes, password management and “standard” connector sets). Therefore, provisioning vendors seek to differentiate their product sets from those of competitors through expanded IAM functionalities, such as:
• Role life cycle management
• Identity and access intelligence (IAI — that is, audit, log correlation and management, analytics, monitoring, and reporting)
• Improved workflow options to improve business process management (BPM) and general governance, risk and compliance (GRC) integration
• Better integration with “adjacent” and relevant security technologies, such as security information and event management (SIEM), data loss prevention (DLP), network access control (NAC), and IT GRC management (GRCM) tools
Large-scale user-provisioning projects remain complex, requiring experienced integrators and skilled project management for the enterprise. Most provisioning implementations succeed or fail based on these integrators and on the relationship between customers and vendors. Most IAM vendors realize that penetrating midmarket accounts — for instance, small or midsize businesses (SMBs) — requires simple deployments at the product level. While success rates for complex and/or major user-provisioning initiatives are improving, “horror stories” related to “failed” implementations or poorly integrated replacements still abound. Key differentiators when selecting user-provisioning solutions include, but are not limited to:
• Price, including flexibility of pricing for deployment, maintenance and support programs.
• Global scope, depth, availability and extent of partnerships with consultants and system integrators (SIs) to deliver the solution.
• Consultant and SI performance, which remains vital to success. Also vital are the level and extent of experience of industry segment vendors and integrators to deliver successful projects.
• Time to value.
• The ability to deliver subsidiary services that are not available in the core product through:
• Integration with component IAM features (for example, common user experience and reporting).
• Custom development.
• Augmentation via partnerships or adjacent products or capabilities (for example, role life cycle management, entitlement management, federated provisioning or IAI).
• Other customer experiences, including satisfaction with installed provisioning systems (that is, reference accounts).
• Strategy, road map and alignment with other product offerings, including strategies for addressing future cloud-computing and software as a service (SaaS) architectures.
• Relevance in addressing identity-and-access-specific requirements in BPM and business intelligence.
There is no “one size fits all” provisioning solution; as such, these differentiators will vary in importance, given the specific organization, use cases, budget and business drivers.
Gartner recommends enterprises embarking on user-provisioning initiatives to:
• Prioritize the key issues to be resolved, and provide clarity to the project being implemented.
© 2010 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner’s research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
Figure 1. Magic Quadrant for User Provisioning (quadrants: Challengers, Leaders, Niche Players, Visionaries; horizontal axis: completeness of vision; vertical axis: ability to execute). Vendors plotted, as of September 2010: IBM Tivoli, CA Technologies, Novell, Courion, Sentillion (Microsoft), Voelcker Informatik, Fischer International, Hitachi ID Systems, Microsoft, Siemens, Beta Systems, Omada, Avatier, BMC Software, Quest Software, Evidian, SAP, Oracle.
Source: Gartner (September 2010)
• Document the project scope thoroughly, and seek outside review where possible.
• Choose the specific technologies required for the specific requirements; do not allow a project to expand scope without a documented rationale.
• Implement rigorous project oversight to ensure project scope integrity is maintained.
• Establish a formal change process to bound project scope where possible.
Addressing these questions early can help companies avoid failure. Role life cycle management is increasingly viewed as a prerequisite (or, in more complex initiatives, a parallel effort) for many new user-provisioning initiatives. Many enterprises that have deployed user-provisioning systems have discovered that the access request process, such as that provided by role life cycle management, is a missing element. Customers will find that user provisioning and access request management are intricately connected, and planning for provisioning will reflect that.
Gartner also recommends that enterprises planning for a virtualization architecture include user-provisioning planning, because it plays an important role for virtual machines (VMs). User provisioning provides the management of accounts and auditing for partitions, hypervisors and VM monitors, as well as enforcing segregation of duties (SOD) for that environment.
Gartner believes that organizations facing compliance burdens are realizing that full provisioning implementations (while still ultimately important and necessary for long-term compliance) can actually be postponed or de-emphasized in the short term in favor of IAI solutions. For more detail, see User Provisioning Is (in the Short Term) Giving Way to Other, Easier Projects.
STRATEGIC PLANNING ASSUMPTION
Through 2013, notable identity and access management project failures will cause 50% of all companies to shift their IAM efforts to intelligence rather than administration.
MAGIC QUADRANT
Market Overview
Market Growth
Most user-provisioning vendors reported revenue increases in 2009 to 2010, thereby indicating continued growth in the market (see the Market Maturity section below). However, growth for user provisioning is slowing. In “Forecast: Security Software Markets, Worldwide, 2009-2014, 2Q10 Update,” Gartner Dataquest reported a compound annual growth rate (CAGR) of 4.4% for the user-provisioning market. User provisioning is now an approximately $940 million market, and should become a $1 billion market in 2010.
The global 2009 CAGR of 4.4% for user provisioning is down from 17.4% in 2008. The notable decline in growth is for two reasons: (1) there are ripples from the recent economic downturn; and (2) clients are realizing that they can pursue compliance initiatives via technologies that promise shorter-term “wins” (such as IAI, privileged-account activity management [PAAM], and Active Directory to Unix bridging). For now, enterprises are shifting spending to those areas.
North America exhibited revenue growth of 4.2%; Western Europe, 4.0%; Asia/Pacific, 9.4%; and Latin America, 5.0% — down significantly from 2008 across most regions. North America accounted for 47.5% of 2009 market share; Western Europe, 28.1%; Asia/Pacific, 8.7%; and Latin America, 3.1%.
Gartner expects user-provisioning revenue opportunities to continue growing through the end of 2010 as the market matures and consolidates, rebounding with a 9% CAGR in 2011. However, Gartner believes that this will be the peak. Growth for the provisioning market will drop over the next several years as enterprises deploy new-generation solutions and upgrade existing deployments.
User-provisioning technologies and processes continue to mature, with well-established vendors, well-defined IAM suites and a broad-based integrator market for them. Third-generation releases are now available, with most basic capabilities structured and well-configured. Gartner estimates that, as of mid-2010, approximately 30% to 35% of midsize to large enterprises worldwide, across all industries and sectors, had implemented some form of user provisioning. An additional 20% to 25% of them are evaluating potential solutions.
Significant Changes From Last Year’s Magic Quadrant
The most notable year-over-year changes include the following:
• Oracle clearly stands out in both vision and execution within the Leaders quadrant. This is due to its rapid acquisition of new customers, internal innovation and improvements of its IAM offerings, the acquisition of Sun Microsystems (which helps augment some of its IAM capabilities), and a compelling road map.
• Sun Microsystems is absent from the Magic Quadrant due to its acquisition by Oracle.
• Since publication of the 2009 user-provisioning Magic Quadrant, Quest Software acquired Voelcker Informatik. Both companies receive individual ratings in the 2010 Magic Quadrant, due to the recency of the acquisition, and because Quest intends to keep Quest’s ActiveRoles product and Voelcker’s ActiveEntry product as separate entities, selling one or the other based on specific customer use-case requirements.
• Sentillion was acquired by Microsoft and is now part of Microsoft. Sentillion and Microsoft Forefront Identity Manager are being rated as separate products, because they are developed, marketed and sold as distinct products.
• All Leaders continued to improve (horizontally, vertically or both), based on:
• Past velocity and trajectory
• A continued commitment to meet road map commitments
• A continued commitment to meeting customer needs proactively — via innovative road maps — and/or reactively — via partnerships, internal development or acquisitions
• Many vendors in the Challengers, Niche Players and Visionaries quadrants are beginning to “cluster” around the midpoint of the chart — a sign of overall market maturity and commoditization of the core technologies being rated.
• Microsoft made the most progress within the Challengers quadrant due to the release of the long-awaited Forefront Identity Manager product, which improves the usability of its provisioning solution, adds deep integration into many important Microsoft components, and much improves the experience for both administrators and end users.
• BMC Software moved from the Challengers quadrant to the Niche Players quadrant, primarily based on shifting internal priorities, which impact its go-to-market strategy. This is reflected in an overall slowing of its growth.
• Ilex was dropped from the study this year due to minimal market presence.
User Provisioning Is (in the Short Term) Giving Way to Other, Easier Projects
As discussed in the What You Need to Know section of this research, Gartner sees a subtle shift in the IAM market. That leads us to offer the following Strategic Planning Assumption for both end users and vendors:
Through 2013, notable identity and access management project failures will cause 50% of all companies to shift their IAM efforts to intelligence rather than administration.
Without a more formal and effective approach to delivering IAM solutions, enterprises will continue to experience challenges in delivery. More importantly, the shift away from IT needs for efficiency of operations, to enterprise needs for accountability, transparency and reliability, is taking place. The business is taking a much more active role in the use of identity management for critical business processes. As such, demands are decidedly different — IAI will be increasingly required by the business for auditing and general compliance needs, analytics, forensics investigations, and risk assessments and evaluations. Administration concerns that require elements of monitoring and control do not go away, but attention will now be shared with new analytics results for the business.
The inherent length and complexity of user-provisioning programs, combined with implementation “horror stories,” is at the heart of a notable trend. Specifically, Gartner believes that organizations facing compliance burdens are realizing that full provisioning implementations (while still ultimately important and necessary for long-term compliance) can be postponed or de-emphasized in the short term in favor of IAI solutions. The reasoning is as follows:
• Intelligence projects focus on auditing, log management and correlation, monitoring, manual remediation, and analytics.
• Implementing IAI tools is simpler compared with provisioning.
• IAI tools deliver business value faster than provisioning does.
• IAI tools more easily span all users and systems.
While real benefits can be realized with IAI, user provisioning cannot be delayed for a long time. Consider the following:
• User provisioning performs update and control functions, not just analysis.
• Administration projects are becoming mainstream, and vendors are supporting more “out of the box” solutions.
• Implementing IAI tools provides insight — but does not remove the long-term need for more efficient and effective identity administration.
Other Key Trends for 2010
Compliance continues to be a significant driver among global corporations for user provisioning, although this depends on the relative size of the enterprise, the market segment and geography. Security efficiency for cost containment and service-level targeting remains a strong driver worldwide, and is being used to justify the expense for projects that may, in fact, be compliance-driven. The most notable growth regions for provisioning are Western Europe, Asia/Pacific and Latin America. Growth has slowed significantly in North America.
Significant contributors to the user-provisioning decision process in 2010 include:
• Identity audit and reporting (that is, the ability to report fully and accurately on the effects of user provisioning across the enterprise).
• Role life cycle management, which defines, engineers, maintains and reports on enterprise roles and rules as inputs to the provisioning process.
• Total cost of ownership (TCO) and the time to value, which are of growing concern as potential customers seek savings during times of economic uncertainty.
• Specific industry segment size strategies (for example, SMB targeting).
• Specific industry vertical strategies (for example, healthcare user-provisioning differentiation).
• GRCM support, driven primarily by enterprise application providers (such as SAP and Oracle) through ERP implementations, and by the need to support fine-grained authorization as part of the user-provisioning process. There is also a desire to deliver an overall IAM governance program that identifies and supports the role of user provisioning, and links it to the information security policy and the establishment of controls.
• SI and/or consultant selection for project or program implementation.
• Privacy controls to ensure that what is provisioned is adequately protected from technical and regulatory perspectives.
• Provisioning for card management tools as part of a security management environment.
Many customers, especially large enterprises, continue to evaluate user-provisioning solutions as part of a broader IAM suite or portfolio, depending on their specific requirements. This creates additional challenges for user-provisioning vendors that do not offer a portfolio solution. Nonsuite user-provisioning vendors still offer sufficient innovation and differentiation to compete effectively with portfolio vendors, and still address customer needs that are not aggressively pursued by portfolio vendors (for example, SMBs, specifically in industries such as healthcare). Continued differentiation, agility and partnerships are critical for any nonsuite vendor to remain viable in the long term. Differentiation, especially with regard to price (for example, fixed-cost engagements), rapid deployment, “prepackaged” (that is, quick and proven) solutions, and ease of use, will be key.
At present, four vendors are recognized as single providers of suites or portfolios — defined as having at least directory services, user provisioning and Web access management. They are Oracle, IBM Tivoli, Novell and CA Technologies, and all are in the Leaders quadrant. Many other vendors, such as Courion, Siemens, Evidian and Quest, offer partial suites; they and many point vendors are expanding their offerings to full suites through partnerships. Nonsuite provisioning vendors typically partner with other vendors that offer other IAM component products, and they offer comprehensive licensing with customers and partners as competitive leverage to create relationships and opportunities, particularly in displacement strategies. This has as great an impact on the future of the user-provisioning market as product features or SI partnerships do.
Some of the user-provisioning vendors sell solutions to managed or hosted service providers, illustrating a design and configuration that would allow a managed or Internet-based service offering for user provisioning. Early indicators show that evaluations, particularly for SMBs, of user provisioning as part of a broader SaaS offering, are occurring in major service provider firms.
Although technical improvements in user provisioning continue, project complexity for large implementations remains a challenge for customers, and could result in long planning and deployment periods. Structured and formal methods of planning and implementing user-provisioning solutions in enterprises have improved, but are still evolving. Most IAM project failures are related to issues in vision, governance and the project scoping/definition phase. Customers embarking on an IAM initiative must spend time properly defining and prioritizing specific business challenges and use cases that user provisioning must address. Success practices include, but are not limited to:
• Developing a clear and compelling vision of the IAM program, “selling” that vision to key stakeholders, and communicating project status and successes/issues throughout the program. This will embrace far more than user-provisioning implementation projects, of course.
• Using a decision framework for planning IAM that includes identifying, prioritizing and organizing key resources in the implementation process for user provisioning.
• Selecting a proven program partner (that is, consultant or system integrator) to lead the effort in a reasonable time frame — one that understands the business issues of user provisioning and the technical implementation concerns required to be successful.
• Addressing issues related to role life cycle management for effective user provisioning.
• Addressing critical issues in post-implementation customer environments related to fixes, integration or expansion.
Before you select an IAM vendor or system integrator, we recommend that you review “Q&A for IAM: Frequently Asked Questions,” “Developing IAM Best Practices,” “How to Use ‘Visioneering’ Principles to Drive a Successful Identity and Access Management Program,” “IAM Foundations, Part 1: So You’ve Been Handed an IAM Program ... Now What?” and related research.
Further Trends
The role of IAI, SIEM and DLP continue to grow in user-provisioning solutions as security and network events are correlated with identity and access events to provide a full picture of the network.
Commoditization of some aspects of IAM is evident, with smaller vendors offering appliance-based solutions for low-volume, simple provisioning needs. In addition, traditional networking and platform vendors (large and small) that provide such solutions will begin entering the provisioning market, offering simple, basic provisioning for interested audiences and use cases.
While in its early stages, IAM as a service will expand to include provisioning for some clients, although a significant market adoption is unlikely before 2012. Early predictions of IAM as a service have been impacted by economic conditions — interest is high, but deployment is not.
Market Maturity
User provisioning can be considered a “horizontal” function in the enterprise. Enterprises consist of vertical functions, such as accounting, finance, human resources and functions specific to that enterprise. Provisioning has an impact on all of them if they are part of the integrated IAM solution. Failure to address this functional concept well inhibits success, and successful vendors and integrators have learned this painful lesson.
A comprehensive process for assigning and tracking entitlements within an enterprise can be a key criterion in user provisioning. Role life cycle management actually provides two primary functions. One builds the necessary infrastructure of an access request system by discovering existing entitlements and candidate roles and creating repositories for them. The other provides an administration and reporting system for the access request process. Special tools can also provide an experienced analyst with modeling and analytics tools for reporting on the process to those who need such reports — for example, compliance and audit teams.
The market for role life cycle management consists of component solutions that are part of the major vendor IAM suites (for example, Oracle and CA) and component stand-alone solutions (for example, Aveksa and SailPoint). The use of such tools can reduce the manual workload related to role discovery and mapping by 40% to 55%. However, the complexity of role life cycle management efforts can rival those of user provisioning, particularly in enterprises with complex IT systems. As with user-provisioning initiatives, rigorous planning and process work are vital to success.
A third area of growing maturity is IAI. As compliance and regulatory needs become more specific and are better defined, identity analytics, data correlation and audit reporting are evolving as products and product functions to address specific enterprise needs. Although this remains an ongoing process, many vendors offer compliance dashboards, identity and access log management, or “canned” reports to address these needs as part of such IAI solutions, or as input into GRCM vendor solutions.
Characteristics of Leading Vendors
Although the user-provisioning market has matured and vendors from any of the quadrants could potentially address customer needs, particular characteristics of a good candidate vendor still exist:
• Price and service: As the market continues to move to maturity, price differentiation and pricing options become more important to the vendor as well as to the customer. This pricing extends to preimplementation and postimplementation experience.
• Good partners: Good user-provisioning vendors have good implementation partners — those with proven histories of performance, and the ability to understand and address customer industry requirements that are affected by differences in business segment, region and size. Some vendors have direct integration experience, and industry expertise is a requirement.
• The ability to define deliverables, phases of the project, metrics and an “end state”: When embarking on an initiative as potentially complex as user provisioning, customers must ensure that the program is defined with metrics that can be measured, and with projects that have an end. Many earlier user-provisioning experiences lasted for years because of the inability to know when the end has been reached (or even what the goal of Phase 1 is). There must be an end to a business-critical implementation project (such as user provisioning), or at least those phases of technology and process implementation, to enable the ongoing program to continue.
• Coupling and uncoupling the suite: A world-class user-provisioning vendor should be able to sell user provisioning and the associated user-provisioning services (for example, identity audit and reporting, or workflow) without requiring customers to buy the entire IAM suite that it sells. Integration is a good thing, but not when the system is so tightly integrated that uncoupling it later on to implement a complementary third-party tool is impossible. This represents an aggressive competition strategy for pure-play, user-provisioning providers.
• Solution selling vs. making it fit: A leading vendor will provide user provisioning as part of a packaged solution that’s tailored to the customer’s stated requirements, rather than forcing the customer’s requirements to fit the product. The corollary of this is that the customer must have a clear and comprehensive definition of requirements before conducting any formal evaluation of specific tools. Although there must always be some practical compromise, mature, best-in-class solutions are able to look more like the customer’s business requirements rather than a vendor’s technical specifications.
• Modularity: Mature user-provisioning products show an awareness of enterprise architectures and the role of the products within them. These products also have a quicker turnaround in feature and version release, because the product design allows for smoother updates and follows a secure system development methodology. Mature product vendors in user provisioning show an awareness of the requirements for service-oriented and service-centric infrastructures, and move to accommodate them with service-centric solutions, where possible.
• Migration and upgrade: User-provisioning vendors should exhibit a formal plan for migrating from a competitor’s offering to their own, and be able to do so quickly and effectively. This also applies to a vendor’s ability to provide quick and effective upgrades to their existing solutions.
• The postimplementation experience: User provisioning is a well-established market. As such, user-provisioning products (and integrators) should demonstrate signs of maturity. If customers are unhappy and seek replacement solutions and services, then there are serious issues with planning and requirements. The postimplementation experience for a new customer and an upgrade customer will say a lot about world-class user-provisioning vendors in this market.
While a single list cannot hope to capture all of the nuances of what makes a “leading vendor,” it does help develop the mind-set of what to look for. This is relatively independent of vendor size or industry range in the user-provisioning market, and can provide an opportunity for even the smallest vendor to excel in a comparative view of customer experience.
User Provisioning as Part of a Suite or Portfolio vs. Pure-Play Product
Situations in which customers might choose a pure-play user-provisioning vendor over a suite or portfolio vendor include:
• Policy-driven or IT concerns regarding vendor lock-in (that is, a “monoculture” for IAM solutions)
• Customers that already have solutions for access management or “point” identity management solutions from a vendor whose user-provisioning solution does not meet requirements
• Price, time of implementation or industry-specific options
• The product being just a better fit for customer needs
Situations in which customers might choose an IAM suite vendor over a point vendor include:
• Customers constrained by the number of vendors that they can choose, particularly for a multitool IAM solution — of which user provisioning is one
• An application or infrastructure requirement that specifies the product suite as optimal for integration with that application or infrastructure
• A licensing or cost advantage achieved by owning products or using services from the suite or portfolio vendor
• An agreement between a provider of outsourced services and a client in which a consolidated contract with a preferred vendor is more acceptable
• The product being just a better fit for customer needs
Increasingly, IAM suite vendors are using the “relationship” to the customer as a strategic advantage over a pure-play provider. Relationship includes any existing contracts or provider agreements a customer may already have with that vendor, a desire to pursue a unified maintenance agreement, or a wholesale adoption of that vendor’s architecture and road map that includes IAM. This constrains pure-play providers from participating in such an environment.
It is important to note that selling component IAM products does not constitute integration. Instead, true user experience, workflow, and reporting and brokering functions, such as common architecture and implementation, constitute customer views of integration. For an in-depth discussion of the actual levels of integration within the major suite vendors, see “Comparing IAM Suites, Part 1: Suite or Best of Breed?” and “Comparing IAM Suites, Part 2: Heterogeneous Deployments” and “IAM Foundations, Part 2: Tools and Technologies.”
Addressing the Vendor Viability Question
There is a perception that, if a vendor is small, then its long-term viability is questionable; conversely, there is the perception that large vendors are a better bet because they should be around for a long time.
This line of thinking, while somewhat reasonable, is fatally flawed. Reality intrudes on these innocent perceptions. For example, in 2008, HP exited the IAM market; and in early 2010, Oracle acquired Sun Microsystems. Further, BMC’s focus has shifted its IAM strategy significantly from being a mainstream IAM competitor to mostly being interested in selling to existing BMC customers under its Business Service Management strategy. Other, less notable, examples exist as well. As a result, choosing a large IAM vendor is not as “safe” as one might believe.
However, even with the above-mentioned facts, customers may begin to think something along the following lines, “Well, I should just choose the largest company possible, and I’ll be safe.” As such, many potential IAM purchasers begin to narrow their scope to vendors such as IBM and Oracle. There is still another fatal flaw in that rationale — namely, these large companies cannot promise product-level viability. Product-level viability is ultimately what customers are interested in. Consider the following brief sampling of the history related to the lack of product-level viability from large vendors:
• IBM’s discontinuance of Tivoli User Manager in favor of Access360 enRole, which became Tivoli Identity Manager.
• IBM’s OEM (February 2006) and subsequent removal of Passlogix for enterprise single sign-on (ESSO). It was replaced by acquiring ESSO vendor Encentuate in March 2008.
• IBM’s marketing of and subsequent sunset of Tivoli Privacy
• IBM’s marketing of and subsequent sunset of Tivoli Risk Manager. It was replaced via the acquisition of Micromuse and Consul Risk Management.
• Oracle’s acquisition of Bridgestream for role management. Subsequently, it was sunset and replaced by the functionality offered by Sun Role Manager (previously Vaau).
• Quest’s purchase of PassGo and sunset of its own SSO tool.
• CA, Novell and Siemens have all changed focus or strategies in the past.
What does this have to do with viability? It shows how invested the vendor is in the IAM strategy. Customers really need to understand how IAM fits into the overall corporate strategy, whether investments are self-serving or customer-driven, and how important it is to the vendor’s success. This history shows there is no guarantee of viability at a vendor level or a product level. Gartner believes some diversification may be a prudent course of action. In addition, customers should:
• Aggressively negotiate contracts related to long-term support.
• Require proactive measures, such as source code escrow.
• Review the vendor’s history related to acquisitions.
• Review the vendor’s financial situation.
• Acquire products that are based on well-understood standards and protocols.
• Create detailed documentation of the processes that a product automates — that way, if forced to change products, a customer will have a pre-established list of functional requirements stating what the product must do. Deployment Costs
In 2009, the average ratio of product licensing to consulting/ integration costs was approximately 1-to-3 (for every $1 in software costs, the customer would spend $3 on consulting/integration). For some vendors and implementations, it was as high as 1-to-5, but for others — particularly pure-play vendors (where the scope of effort may be smaller if user provisioning alone is addressed) — the ratio approached 1-to-2 or even 1-to-1. The goal for most vendors (and integrators) is to have as low a ratio as possible. As the market continues to mature and more preconfigured packages become available, this is possible even for larger portfolio vendors.
Market Definition/Description
Defining IAM
IAM is a set of processes and technologies to manage across multiple systems:
• Users’ identities — Each comprising an identifier and a set of attributes
• Users’ access — Interactions with information and other assets
User provisioning is a fundamental part of an overall IAM technology offering. The four major categories of IAM are:
• Intelligence: IAI is essentially business intelligence for IAM. IAM intelligence technologies provide the means of collecting, analyzing, auditing, reporting and supporting rule-based decision making based on identity and identity-related data. This data helps organizations measure, manage and optimize performance to achieve security efficiency and effectiveness and to deliver business value.
• Administration: IAM administration technologies offer a means of performing identity-related tasks (for instance, adding a user account to a specific system). In general, administration tools provide an automated means of performing identity-related work that would otherwise be performed by a human; examples include tasks such as creating, updating or deleting identities (including credentials and attributes), and administering access policies (rules and entitlements). User provisioning is an IAM administration technology.
• Authentication: IAM authentication technologies are deployed to provide real-time assurance that a person is who he or she claims to be, to broker authentication over multiple systems and to propagate authenticated identities. Authentication methods embrace many different kinds of credentials and mechanisms, often in combination with various form factors (for instance, hardware tokens or smart cards). At the time of this writing, passwords are still the most often used method of authentication.
• Authorization: IAM authorization technologies are a form of access control used to determine the specific scope of access to grant to an identity; they provide real-time access policy decision and enforcement (based on identities, attributes, roles, rules, entitlements and so on). Users should be able to access only what their job functions allow them to access. For instance, if a person is a “manager,” he or she is granted the access necessary to create or edit a performance review; if a person is not a manager, then he or she should be able to review only his or her own performance review and only at a specific stage of the review cycle. Web access management, entitlement management, identity-aware networks and digital rights management tools are examples of authorization management technologies.
These categories are based on a foundation of identity repository technologies that include enterprise Lightweight Directory Access Protocol (LDAP) directories, virtual directories, metadirectories, and (increasingly) relational databases. While standard LDAP directories remain the identity repository of choice, limitations inherent in these directories relative to “fine-grained” authorization and policy implementation may require database participation. LDAP directories are optimized for fast reads and are optimal for large environments. However, there are limits, because in these large-scale environments (that is, more than 500,000 users), there are significant changes requiring replication or “writes.” Traditional LDAP directories can experience performance problems during synchronization events, resulting in “stale” or unreliable data.
Defining User Provisioning
User-provisioning solutions are the main engine of identity administration activities. User-provisioning tools have some or most of the following functions:
• Workflow and approval processes
• Password management (with the ability to support self-service)
• Other credential management
• Role life cycle management
• User access administration (with the ability to support self-service)
• Resource access administration (with the ability to support self-service)
• Basic IAI (analytics, auditing and reporting), including SOD support
User-provisioning solutions address an enterprise’s need to create, modify, disable and delete identity objects across heterogeneous IT system infrastructures, including operating systems, databases, directories, business applications and security systems. Those objects include:
• User accounts associated with each user
• Authentication credentials — Typically for information system access, and then most often just passwords, but sometimes for physical access control
• Roles — Business level, provisioning level and line-of-business level
• Entitlements (for example, assigned via roles or groups or explicitly assigned to the user ID at the target system level)
• Managing group membership or role assignments, from which entitlements may flow
• Managing explicit entitlements
• User profile attributes (for example, name, address, phone number, title and department)
• Access policies or rule sets (for example, time-of-day restrictions, password management policies, how business relationships define users’ access resources and SOD)
User-provisioning products are a subset of identity administration products, which are a subset of the broader IAM landscape (intelligence, administration, authentication and authorization). All user-provisioning products offer the following capabilities for heterogeneous IT infrastructures:
• Automated adds, changes or deletes of user IDs at the target system
• Password management functionality — For example, simplified help desk password reset, self-service password reset and password synchronization, including bidirectional synchronization (sold as a separate product by some user-provisioning vendors because they had their start there)
• Delegated administration of the user-provisioning system
• Self-service request initiation
• Role-based provisioning through capabilities provided by role life cycle management features or partners
• Workflow — Provisioning and approval
• HR application support for workforce change triggers to the user-provisioning product
• Reporting the roles assigned to each user and the entitlements that each user has
• Event logging for administrative activities
A comprehensive user-provisioning solution has the following additional capabilities:
• SOD administration and reporting: Enterprises need to automate and manage application-level business policies and rules to identify SOD violations. They also need to quickly remove those violations from the application environment, and ensure that new SOD violations are not introduced in the course of the ongoing management and identity administration of the application. Today, SOD tools exist primarily for ERP applications — ERP-specific, transaction-level knowledge is required to successfully enforce SOD in these environments. However, a generic SOD framework is required to address all SOD application needs in the enterprise. Typically, a role is used as the container to segregate conflicting business policies in the application environment. Many user-provisioning vendors deliver capabilities for this heterogeneous framework. It does not alleviate an ERP product’s need for SOD, because these tools have extensive integration with ERP applications. User-provisioning vendors should continue to partner with ERP vendors to deliver complete SOD solutions.
• Role life cycle management: Regulatory compliance initiatives are directing IAM efforts back to the drawing board for role development. The role becomes a very important control point that enterprises need to manage in a life cycle manner — just as they do an identity. Enterprises need the ability to automate processes to:
• Define existing roles through role-mining automation.
• Manage formal and informal business-level roles for any view of the enterprise (for example, location, department, country and functional responsibility), and to feed user-provisioning products to ensure that the link is made between the business role and associated IT roles.
• Establish a process by which the development process for new roles in the enterprise follows the same management process used for existing roles, and ties those new roles to the automated role life cycle management solution.
• Deliver a generic framework to address all role life cycle management needs. Most user-provisioning vendors are partnering with role life cycle management vendors, acquiring them or building that expertise with the user-provisioning solution.
• Manage the role throughout its life cycle — role owner, role changes, role review, role assignment, role retirement and role-based reporting options.
• IAI audit reporting: Meeting the regulatory compliance requirements of reporting on SOD, roles, “who has access to what,” “who did what,” and “who approved and reviewed what” (referred to as “the attestation process” in auditing terms) for all IT resources is complex and expensive in the heterogeneous IT infrastructure. Reporting tools need to be in place to leverage the user-provisioning authoritative repository, and all other repositories that are used for the authentication and authorization process to produce reports on SOD, role, “who has access to what,” and “who approved and reviewed what,” which include the entire enterprise’s IT assets. In addition, centralized event logs for all identity management activities — those from the user-provisioning and access management products, as well as all systems where authentication and authorization decisions are being made in real time — are needed to do a proper job of reporting “who did what.” No user-provisioning vendor (or suite vendor) provides all identity management capabilities noted above without some partnering. For most enterprises, additional products are required to round out the functionality set. Security information and event management (SIEM) tools can be used for “who did what” reporting at the event level, with granularity by time of day, geography, network port and other details; and we are seeing increased vendor interest in creating integration paths between “core” IAM products and SIEM (and other) intelligence or analytics tools. DLP tools provide “content awareness” for accessing files and databases, and will play a significant role in delivering more-precise entitlement assignments.
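The SOD administration and role life cycle capabilities described above, shown as an added Python example that is not from the report or from any vendor’s product: roles act as the container for entitlements, entitlements may also be granted directly at the target system, and an SOD rule fires when one identity’s effective entitlements include both halves of a conflicting pair. It shows a detective check (report existing violations), a preventive check (block a role grant that would introduce a new violation) and a remediation step. All role names, entitlement names, rule IDs and identities are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Constructed sample data (not from the report). Roles are the container for
# entitlements; an SOD rule names two entitlements no single identity may hold.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "AP_CLERK": frozenset({"erp:vendor.create", "erp:invoice.enter"}),
    "AP_APPROVER": frozenset({"erp:invoice.approve", "erp:payment.release"}),
    "HR_ANALYST": frozenset({"hr:employee.read"}),
}

SOD_RULES: Dict[str, FrozenSet[str]] = {
    # Entering invoices and approving invoices.
    "SOD-01": frozenset({"erp:invoice.enter", "erp:invoice.approve"}),
    # Creating vendor records and releasing payments to vendors.
    "SOD-02": frozenset({"erp:vendor.create", "erp:payment.release"}),
}


@dataclass(frozen=True)
class Identity:
    """A provisioned identity: role assignments plus entitlements granted
    directly on the target system (bypassing role-based assignment)."""
    user_id: str
    roles: FrozenSet[str] = frozenset()
    explicit: FrozenSet[str] = frozenset()


def effective_entitlements(identity: Identity) -> Set[str]:
    """Union of entitlements reached through roles and those granted explicitly."""
    ents: Set[str] = set(identity.explicit)
    for role in identity.roles:
        ents |= ROLE_ENTITLEMENTS.get(role, frozenset())
    return ents


def violations_for(identity: Identity) -> List[str]:
    """Detective control: IDs of every SOD rule the identity currently breaks."""
    ents = effective_entitlements(identity)
    return sorted(rule for rule, pair in SOD_RULES.items() if pair <= ents)


def sod_report(identities: List[Identity]) -> Dict[str, List[str]]:
    """Enterprise-wide SOD report listing only the users in conflict."""
    report: Dict[str, List[str]] = {}
    for identity in identities:
        found = violations_for(identity)
        if found:
            report[identity.user_id] = found
    return report


def would_violate(identity: Identity, new_role: str) -> List[str]:
    """Preventive control for the provisioning workflow: rules that granting
    new_role would newly break (pre-existing violations are not re-reported)."""
    candidate = Identity(identity.user_id, identity.roles | {new_role}, identity.explicit)
    already = set(violations_for(identity))
    return [rule for rule in violations_for(candidate) if rule not in already]


def remove_role(identity: Identity, role: str) -> Identity:
    """Remediation step: revoke a role and return the updated identity.
    Explicit target-level grants are untouched, so re-check afterwards."""
    return Identity(identity.user_id, identity.roles - {role}, identity.explicit)


# Constructed sample identities. Bob's conflict comes from a direct grant at the
# target, which a check that only looks at role assignments would miss.
ALICE = Identity("alice", roles=frozenset({"AP_CLERK", "AP_APPROVER"}))
BOB = Identity("bob", roles=frozenset({"AP_CLERK"}),
               explicit=frozenset({"erp:invoice.approve"}))
CAROL = Identity("carol", roles=frozenset({"HR_ANALYST"}))

if __name__ == "__main__":
    print(sod_report([ALICE, BOB, CAROL]))
    print(would_violate(BOB, "AP_APPROVER"))
    print(violations_for(remove_role(ALICE, "AP_APPROVER")))
```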
The 2010 Magic Quadrant focuses on vendor delivery of ease of deployment, ongoing operations, and maintenance and vendor management as a sign of maturity. The research also emphasizes marketing vision and execution, and evaluates sales and advertising execution as part of the overall experience:
• How do the provisioning vendors deliver core user-provisioning capabilities as an enterprise management system in support of an ongoing, changing business environment? Similar to the 2009 Magic Quadrant, in 2010, we evaluated how easy it is to change and maintain workflow and connectors, but we also evaluated software services (scripts) and other functionality, such as integrating the user-provisioning product with the HR application and building the authoritative repository.
• Because user provisioning is a maturing market, we also evaluated vendors’ marketing and sales effectiveness in terms of market understanding, strategy, communications and execution. We evaluated each vendor’s organization for such services, its ability to change to reflect customer demands and its overall success as measured by customers.
• Increased attention was given to the vendor’s role life cycle management vision, strategy and road map — particularly in terms of IAI, compliance reporting and remediation.
• We also increased attention on the IAI capabilities, their ease of use and their “attractiveness” to end users (via relevant out-of-the-box reports, applicable dashboards and so on).
• Increased attention was given to “adjacent” technologies in GRCM, SIEM, network access control (NAC) and DLP, and their ultimate impact on IAI functionality for provisioning.
• We focused on the early stages of “service-architected” user provisioning to prepare for large-scale, large-volume provisioning requirements. Early uses of large-scale provisioning are already evident.
Gartner ranks vendors in the Magic Quadrant based partly on product capability, market performance, customer experience and overall vision to determine which vendors are likely to:
• Dominate sales and influence technology directions during the next one to two years.
• Be visible among clients through several marketing and sales channels.
• Generate the greatest number of information requests and contract reviews.
• Have the newest and most-updated installations.
• Be the visionaries and standard bearers for the market.
Inclusion and Exclusion Criteria
The following criteria must be met for vendors to be included in the user-provisioning Magic Quadrant:
• Support for minimum, core user-provisioning capabilities across a heterogeneous IT infrastructure
• Automated adds, changes and deletes of user IDs at the target system
• Password management functionality
• Delegated administration
• Self-service request initiation
• Role-based provisioning supported by role life cycle management
• IAI
• Workflow provisioning and approval
• HR application support for workforce change triggering to the user-provisioning product
• Reporting the roles assigned to each user and the entitlements that each user has
• An event log for administrative activities
• Products deployed in customer production environments, and customer references
Vendors not included in the 2010 Magic Quadrant may have been excluded for one or more of the following reasons:
• They did not meet the inclusion criteria.
• They support user-provisioning capabilities for only one specific target system (for example, Microsoft Windows or IBM iSeries).
• They had minimal or negligible apparent market share among Gartner clients, or currently available products.
• They were not the original manufacturers of a user-provisioning product — This includes value-added resellers (VARs) that repackage user-provisioning products (which would qualify for their original manufacturers); other software vendors that sell IAM-related products, but don’t have user-provisioning products of their own; and external service providers that provide managed services (for example, data center operations outsourcing).
Added
• No new vendors were added to this year’s study.
Dropped
• Ilex — Dropped due to minimal market share and minimal client mentions.
• Sun Microsystems — Dropped due to its acquisition by Oracle.
Other Vendors of Note
econet (www.econet.de/english/default.htm)
Based in Munich, Germany, and founded in 1994, econet entered the user-provisioning market in early 2006 with cMatrix — a service management, service-oriented offering targeted at service providers primarily in EMEA. In many respects, econet’s marketing and sales model is very similar to Fischer International’s. Early clients include Siemens and KPMG. econet continues to market to the IAM-as-a-service candidate — either the provider of such services or the client interested in developing a private IAM-as-a-service experience.
Fox Technologies (www.foxt.com)
A Mountain View, California, company, FoxT has products that focus primarily on access control and service account management. However, FoxT ApplicationControl addresses basic elements of password management, account administration (including basic provisioning), and audit reporting as part of an IAM package — including SOD enforcement, monitoring and reporting.
Ilex (www.ilex.fr/en)
Based in Asnières-sur-Seine, France, near Paris, Ilex provides three major products: Sign&go (Web and ESSO), Meibo (workflow, basic provisioning and some role management), and Meibo People Pack (extended reporting and audit for provisioning). Founded in 1989, Ilex has accumulated a small, yet solid customer base, predominantly in France. With features such as Service Provisioning Markup Language (SPML) support, a simple design and user-friendly interface, and good connector kits for provisioning and SSO, Ilex is able to effectively compete in a number of banking and finance, telecommunications, and transportation industry segments against larger competitors.
Imanami (www.imanami.com)
Based in Livermore, California, Imanami is a lesser-known company, but it has some notable clients. Imanami’s GroupID Synchronize serves as a data synchronization engine for an Active Directory environment through custom scripting, enabling Microsoft-centric enterprises to leverage their infrastructures to some extent. AT&T (formerly, Cingular Wireless) is a client.
Institute for System-Management (www.secu-sys.com)
Based in Rostock, Germany, near Berlin, iSM is a small company focused on German-speaking-country markets with its bi-Cube product for provisioning, SSO, and process and role life cycle management. Privately funded, this 10-year-old enterprise takes a process-centric, business intelligence focus to deliver a series of preconfigured process and configuration modules (“cubes”) that can be linked together to provide user-provisioning and role life cycle management functionality. It has a small customer base in Germany, Austria and Spain, in large industries, such as telecommunications and insurance. iSM continues to refine the modules to form a more standardized user-provisioning and process management product offering.
Lighthouse Security Group (www.discoverlighthousegateway.com)
Headquartered in Lincoln, Rhode Island, Lighthouse Security Group established its SaaS-based offering after building up experience developing a managed offering in the U.S. defense market. Lighthouse’s offering is unique, in that it has overlaid a common, easy-to-use graphical administration capability onto IBM Tivoli’s core IAM products to deliver a relatively complete set of IAM functions as a multitenant, SaaS-based service.
Lighthouse’s approach allows customers to take advantage of the multifaceted feature set of IBM Tivoli’s provisioning, Web access management and federation products, while being shielded from many of those products’ complexities. This provides integration hooks into many enterprise identity repositories for automated provisioning and leverages these repositories as authentication and entitlement sources. While extensive administrative and access control event data is logged, reporting is the customer’s responsibility. Several SaaS target applications have been integrated with the service.
NetIQ (www.netiq.com)
NetIQ, a global enterprise software vendor headquartered in Houston, Texas, is perhaps best known for its operations management, monitoring and security monitoring technologies. However, many organizations are unaware that NetIQ has also been quietly growing a respectable IAM portfolio and a solid customer base for those tools. NetIQ is best suited for organizations that have selected Active Directory as their core or one of their core directories. The IAM solution components available from NetIQ include user provisioning (via NetIQ Directory and Resource Administrator, Advanced Edition), compliance and audit management, privileged-account activity management, Active Directory-Unix bridge (OEM of Centrify), and user self-service (including password reset) capabilities.
OpenIAM (www.openiam.com [commercial] and www.openiam.org [open source])
Headquartered in Cortlandt Manor, New York, OpenIAM has created an integrated suite of provisioning, access management and federation components, offered in professional open-source and enterprise licensing models. Components use a common enterprise service bus for integration. OpenIAM’s Identity Manager product provides core capabilities found in other commercial products, such as self-service, password management and audit, and it includes SPML-based connectors to many commonly used targets.
The company’s Access Manager product provides support for password- and certificate-based authentication, coarse- and fine-grained authorization, XACML 2.0 support, and SAML identity provider and service provider federation support, and it includes a security token service. OpenIAM has been fortunate to receive support from early government and SI customers, who have been pushing and funding OpenIAM to expand its capabilities. OpenIAM offers a very attractive support and pricing model.
SailPoint (www.sailpoint.com)
SailPoint is based in Austin, Texas, and serves the Global 1000, with customers that include seven top-tier global banks, four of the world’s largest property and casualty insurers, the largest global telecommunications provider, two of the largest biotechnology manufacturers in the world, and three of the top healthcare insurers. SailPoint originally entered the market as a technology innovator, augmenting customers’ existing provisioning systems in order to meet needs in role and compliance management and identity governance. SailPoint now also sells an access request-based user-provisioning solution that is a fully integrated component of the IdentityIQ solution.
Evaluation Criteria
Ability to Execute
Gartner evaluates technology providers on the quality and efficacy of the processes, systems, methods or procedures that enable IT provider performance to be competitive, efficient and effective, and to positively impact revenue, retention and reputation. Ultimately, technology providers are judged on their ability to capitalize on their vision and succeed in doing so. For user provisioning, the ability to execute hinges on key evaluation criteria:
Product/Service: These are core goods and services offered by the technology provider that compete in or serve the defined market. This includes current product or service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements or partnerships, as defined in the market definition and detailed in the subcriteria. Specific subcriteria are:
• Password management, including shared account or service account password management support
• User account management or role-based provisioning
• Management of identities
• Workflow — persistent state, nested workflows, subworkflows, templates of common user-provisioning activities and change management
• Identity auditing reports
• Connector management
• Integration with other IAM components
• User interfaces
• Ability to configure, deploy and operate
• Role life cycle management
• Resource access administration
• Impact analysis modeling for change
• SPML 2.0 support
Overall Viability (Business Unit, Financial, Strategy, Organization): This includes an assessment of the overall organization’s financial health; the financial and practical success of the business unit; and the likelihood of the individual business unit to continue investing in the product, offering the product and advancing the state of the art in the organization’s portfolio of products. Specific subcriteria are:
• History of investment in the division
• Contribution of user provisioning to revenue growth
Sales Execution/Pricing: This is the technology provider’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. Specific subcriteria are:
• Pricing
• Market share
• Additional purchases (for example, relational database management system, application server and Web server)
Market Responsiveness and Track Record: This is the ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the provider’s history of responsiveness. Specific subcriteria are:
• Product release cycle
• Timing
• Competitive replacements
Marketing Execution: This is the clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product or brand and organization in buyers’ minds. This “mind share” can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities. Specific subcriteria are:
• Integrated communications execution
• Customer perception measurement
Customer Experience: This is the relationships, products, and services or programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways that customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), the availability of user groups, SLAs, and so on. Specific subcriteria are:
• Customer support programs
• SLAs
Operations: This is the organization’s ability to meet its goals and commitments. Factors include the quality of the organizational structure, such as skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. Specific subcriteria are:
• Training and recruitment
• Number of major reorganizations during the past 12 months
Ability to Execute Evaluation Criteria and Weighting
Evaluation Criteria                                                      Weighting
Product/Service                                                          High
Overall Viability (Business Unit, Financial, Strategy, Organization)     Standard
Sales Execution/Pricing                                                  Standard
Market Responsiveness and Track Record                                   High
Marketing Execution                                                      High
Customer Experience                                                      High
Operations                                                               Standard
Source: Gartner (September 2010)
Completeness of Vision
Gartner evaluates technology providers on the ability to convincingly articulate logical statements about current and future market directions, innovations, customer needs, and competitive forces, and how well these map to the Gartner position. Ultimately, technology providers are rated on their understanding of how market forces can be exploited to create opportunities for the provider. For user provisioning, completeness of vision hinges on key evaluation criteria:
Market Understanding: This is the ability of the technology provider to understand buyers’ needs and translate them into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those desires with their added vision. Specific subcriteria are:
• Market research delivery
• Product development
• Agility in responding to market changes
Marketing Strategy: This is a clear, differentiated set of messages that is consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. Specific subcriteria are:
• Integrated communications planning
• Advertising planning
Sales Strategy: This is the strategy for selling products using the appropriate network of direct and indirect sales, marketing, service, and communications affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Specific subcriteria are:
• Business development
• Partnerships with system integrators
• Channel execution
Offering (Product) Strategy: This is a technology provider’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements. Specific subcriteria are:
• Product themes
• Foundational or platform differentiation
Business Model: This is the soundness and logic of a technology provider’s underlying business proposition. Specific subcriteria are:
• Track record of growth
• Frequency of restructuring
• Consistency with other product lines
Vertical/Industry Strategy: This is the technology provider’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. Subcriteria are:
• SMB support
• Industry-specific support
Innovation: This is the direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. Specific subcriteria are:
• Distinct differentiation in features or services
• Synergy from multiple acquisitions or focused investments
• Role life cycle management (discovery, modeling, mining, maintenance, certification and reporting)
• Service-oriented provisioning
Geographic Strategy: This is the technology provider’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, directly or through partners, channels and subsidiaries, as appropriate for that geography and market. Specific subcriteria are:
• Home market
• International distribution
Completeness of Vision Evaluation Criteria and Weighting
Evaluation Criteria                                                      Weighting
Market Understanding                                                     Standard
Marketing Strategy                                                       High
Sales Strategy                                                           High
Offering (Product) Strategy                                              Standard
Business Model                                                           Standard
Vertical/Industry Strategy                                               High
Innovation                                                               High
Geographic Strategy                                                      Standard
Source: Gartner (September 2010)
Leaders
Leaders are high-momentum vendors (based on sales, world presence and mind share growth), and they have evident track records in user provisioning across most, if not all, market segments. Business investments position them well for the future. Leaders demonstrate balanced progress and effort in the Execution and Vision categories. Their actions raise the competitive bar for all products in the market. They can and often do change the course of the industry.
Leaders should not be the default choice for every buyer; rather, clients are warned not to assume that they should buy only from the Leaders quadrant. Leaders may not necessarily offer the best products for every customer project, and may even prove to have a higher TCO than some nonleading vendors. Leaders provide solutions that offer relatively lower risk, and provide effective integration with their own solutions as well as with competitors’ solutions. Every vendor included in the Leaders quadrant is there because it meets legitimate business or company needs.
Challengers
Challengers have solid, reliable products that address the needs of the user-provisioning market, with strong sales, visibility and clout that add up to execution higher than that of Niche Players. Challengers are good at winning contracts, but they do so by competing on basic functions or geographic presence, rather than specifically on advanced features. Challengers are efficient and expedient choices for more-focused access problems, or for logical partnerships. Many clients consider Challengers to be good alternatives to Niche Players or, occasionally, even Leaders, depending on the specific geography or industry. Challengers are not second-place vendors to Leaders and should not be considered as such in evaluations.
Challengers in this Magic Quadrant all have strong product capabilities, but often have fewer production deployments than Leaders do. Business models vary, as do overall product strength and breadth, marketing strategy, and business partnerships. This has kept some Challengers from moving into the Leaders quadrant.
Visionaries
Visionaries are distinguished by technical and/or product innovation, but have not yet achieved a record of execution in the user-provisioning market to give them the high visibility of Leaders, or they lack the corporate resources of Challengers. Buyers should be wary of a strategic reliance on these vendors, and should closely monitor these vendors’ viability. Given the maturity of this market, Visionaries represent good acquisition candidates. Challengers that may have neglected technology innovation and/or vendors in related markets are likely buyers of Visionary vendors. As such, these vendors represent a higher risk of business disruption. Visionaries invest in the leading-edge features that will be significant in the next generation of products, and that will give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they lack the execution influence to outmaneuver Challengers and Leaders. Clients pick Visionaries for best-of-breed features, and in the case of small vendors, they may enjoy more personal attention.
Niche Players
Niche Players offer viable, dependable solutions that meet the needs of buyers, especially in a particular industry, platform focus or geographic region. However, they sometimes lack the comprehensive features of Leaders, or the market presence and/or resources of Challengers. Niche Players are less likely to appear on shortlists, but they fare well when given a chance. Although they generally lack the clout to change the course of the market, they should not be regarded as merely following the Leaders.
Niche Players may address subsets of the overall market, and often do so more efficiently than Leaders. Clients tend to pick Niche Players when stability and focus on a few important functions and features are more important than a “wide and long” road map. Customers that are aligned with the focus of Niche Players often find their offerings to be “best of need” solutions.
Vendor Strengths and Cautions
Avatier
Avatier Identity Management Suite (AIMS) v.8 (July 2009) — Avatier Account Creator, Avatier Account Terminator, Avatier Identity Enforcer, Avatier Identity Analyzer, Avatier Password Station, Avatier Compliance Auditor
Avatier is a pure-play identity management vendor focusing on user provisioning, password management, audit and compliance reporting, and SOD/rule enforcement. It features an innovative Web services connector architecture for heterogeneous integration across different platform environments.
In the U.S., most Avatier sales are direct. Internationally, Avatier is sold through an expanding number of midtier services and consulting partners.
Avatier’s focus is on creating identity management products that are simple and easy to understand for end users and administrators. The result is a very intuitive, graphical-user-interface-driven environment that is understandable even by people with modest technical skills; a resulting positive benefit is that implementations generally are extremely quick compared with most competitors.
Strengths
• Avatier demonstrates consistent execution on its innovative vision and significant customer wins and satisfaction.
• Avatier’s roots are in password management, where it has traditionally picked up many small and midsize enterprise customers; however, it also has a number of successful large enterprise implementations and notable brand-name customers.
• Avatier is directory-agnostic for its identity repository and supports multiple databases for logging and other identity object storage.
• Avatier’s technology and subfunctions (such as its password policies) are developed with service-oriented architecture (SOA) in mind, and can be accessed through Web services. The client front end and target connectors also support SOA.
• Avatier’s license-to-deployment cost ratio is very good, estimated at 1-to-0.33: for every $1 spent on licensing, only about $0.33 is spent on deployment.
Cautions
• Avatier competes against large IAM suite vendors, such as Oracle and IBM Tivoli, and has difficulty gaining the attention of decision makers at larger enterprises, where larger competitors enjoy more access and exposure. As a pure-play provider, Avatier must partner with a shrinking number of partners to provide suite-style solutions to clients who want them.
• Avatier’s innovative approach of hiding IAM complexity (for example, its “shopping cart” models for entitlements) doesn’t always appeal to traditional “old school” technologists.
Beta Systems
SAM Enterprise Identity Manager v.1.1 (October 2009)
SAM Enterprise Identity Manager is Beta Systems’ new “next generation” identity-provisioning system. It replaces the older SAM Jupiter product, while retaining rich feature support for both the mainframe and other systems. The user interface is also greatly improved from previous versions. SAM Enterprise is one of the longest-lived role-based IAM solutions on the market.
Although most of its sales remain direct, partnerships and reseller agreements exist. Integrator partnerships with providers such as T-Systems, IBM Global Services and Accenture also ensure implementation options for customers. Beta Systems also has Europe-based VARs, and offers a managed/hosted service for SAM Enterprise.
Beta Systems is, at present, undergoing a significant organizational and road map realignment for IAM to position itself for better competitiveness in the market.
Strengths
• SAM Enterprise’s new interface for workflow creation focuses on simplifying IAM concepts and process development for business users.
• Beta Systems offers an entry package with fixed project prices for a defined function set.
• SAM Enterprise is now platform-independent and supports multiple databases for its identity repository and for the storage of other IAM-related data and objects.
• Beta Systems showed early strength in the banking and financial services sector and is attempting to expand in other industries.
• The new SAM Enterprise leverages mature role-based design via its built-in role life cycle management support for unlimited role hierarchies, dynamic roles, SOD and role mining.
• Beta Systems offers customers more-flexible pricing options such as fixed-cost implementations.
Cautions
• Customer growth due to organizational and road map changes from 2007 to 2009 was marginal, with a temporary drop in 2008 revenue.
• Audit and reporting analytics and presentation capabilities lag those of competitor offerings.
• Beta Systems’ customer base remains concentrated in Europe (approximately 78%), and its North American market presence remains small (approximately 22%). Beta Systems is attempting to expand its U.S. market share and to expand into Latin America.
• Current customers have complained about the quality and thoroughness of Beta Systems’ documentation; this is being addressed via documentation updates.
BMC Software
BMC Identity Management Suite — BMC User Administration and Provisioning v.5.5 (December 2009)
BMC Software is a long-standing IAM provider whose presence in this market dates back more than a decade to the original Control-SA product, and it still holds significant market share. BMC was one of the first companies to recognize and leverage the value of process-centric IAM (user provisioning).
BMC has relationships with technology partners to deliver IAM suite options, such as reduced sign-on (Hitachi ID Systems), role engineering (SailPoint) and Web access management (Symphony Services).
BMC’s key system integration and consulting partners include Eclipse, Ilantus Technologies, Logic Trends and Wipro Technologies. BMC’s VAR channel partners include Accenture and Capgemini, particularly in Europe.
Strengths
• BMC’s Service Request Management module can be used as provisioning workflow by customers, as an option to BMC Identity Management Suite’s User Administration and Provisioning workflow.
• Integration with BMC’s Business Service Management (BSM) offering gives BMC’s provisioning product some unique capabilities in the areas of self-service, help desk, change management and asset management.