The Forrester Wave : B2E Cloud IAM, Q2 2015

(1)

Q2 2015

by Andras Cser and Merritt Maxim, June 29, 2015

Key TaKeaways

OneLogin and Okta Lead The Pack

Forrester’s research uncovered a market in which OneLogin and Okta lead the pack. Centrify, Microsoft, SailPoint, Salesforce, Ping Identity, and IBM offer competitive options. Bitium lags behind.

The B2e Cloud IaM Market Is Growing as s&R Pros Look For simplicity, ssO, and Directory Integration

The B2E cloud IAM market is growing because more S&R professionals see IDaaS as a way to address their top IAM challenges without the long deployment times of legacy IAM products. It’s also growing because S&R pros increasingly trust B2E cloud IAM providers to act as a backbone for employee IAM to SaaS and on-premises apps.

aPI security, Mobile support, and Installed Base are Key Differentiators In The B2e Cloud IaM Market

Vendors that can provide API security and API-based integration for the Internet of Things and mobile single sign-on and who can grow their installed base faster position themselves to successfully deliver faster IAM to value to their customers.

access The Forrester wave Model For Deeper Insight

Use the detailed Forrester Wave model to view every piece of data used to score

participating vendors and create a custom vendor shortlist. Access the report online and download the Excel tool using the link in the right-hand column under “Tools & Templates.” Alter Forrester’s weightings to tailor the Forrester Wave model to your specifications.

(2)

why ReaD ThIs RePORT

In Forrester’s 17-criteria evaluation of B2E cloud identity and access management (IAM) vendors, we identified the nine most significant SaaS providers in the category — Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity, SailPoint, and Salesforce — and researched, analyzed, and scored them. This report details our findings about how well each vendor fulfills our criteria and where they stand in relation to each other to help security and risk (S&R) professionals select the right partner for their B2E cloud IAM, also known as identity-as-a-service (IDaaS), needs.

notes & resources

Forrester conducted product evaluations in March 2015 and interviewed 36 vendor and user companies, including Bitium, centrify, iBM, Microsoft, okta, onelogin, Ping identity, SailPoint, and Salesforce.

the nine Providers that Matter Most and How they Stack up

by andras cser and Merritt Maxim

with Stephanie Balaouras, Josh Blackborow, and Peggy Dostie

2 3 7 5 10 12

(3)

CLOuD IaM ReDuCes COMPLexITy anD COsT, ReMOVes BaRRIeRs TO aDOPTIOn In our Forrester Wave evaluation and conversations with S&R pros and vendors, Forrester found that B2E cloud IAM has completely transformed the IAM market landscape. Why? It’s because cloud IAM:

■

Allows S&R pros to manage employee identities across cloud environments. As both

business and technology leaders have eagerly adopted software-as-a-service (SaaS) such as Salesforce, ServiceNow, and Workday, the task of managing identities and controlling access to some of the firm’s most sensitive data fell to the security team.1 Luckily, cloud IAM came to

the rescue: Not only did it provide a unified view of user access to SaaS applications but it also provided a single portal for employees to access these SaaS applications.

■

Limits complexity of IAM solutions. Historically, when S&R pros sought to deploy an

on-premises IAM solution, they insisted on solutions that could support 100% of their brick-and-mortar legacy requirements.2 This resulted in implementations with a high

degree of customization and, of course, cost; stories of IAM projects turning into mini ERP projects deterred firms from building out IAM solutions in earnest. Cloud IAM challenged this mentality and ultimately succeeded in changing the deployment approach. From the beginning, cloud IAM vendors started out with a simple set of capabilities: those focused on offering employee single sign-on (SSO) into SaaS applications. As the only real viable option for managing access across these cloud apps, S&R pros had to accept a simpler approach that focused on essential requirements.

■

Reduces license and ongoing maintenance costs. Many vendors offer pay-as-you-go and

metered pricing models, which means that S&R pros are not hit by large, upfront per-user perpetual license costs. It also offers flexibility; S&R pros can scale the number of users and applications up or down as needed during their contract with the vendor. In addition, because security teams need only manage IAM policies and are no longer encumbered with the

operational responsibilities of maintaining the solution itself, they need far fewer employees for maintenance.3 For many small and medium businesses that can’t afford four to five employees

to support an on-premises IAM solution, cloud IAM is the answer. Even large enterprises are evaluating cloud IAM solutions in the hopes of converting spend from capex to opex.

■

Offers support for legacy apps on-premises as well as for SaaS applications. Provisioning

and controlling access to cloud applications is but one challenge. S&R pros must still manage IAM for a plethora of legacy premises apps. Vendors have listened: Now they offer an on-premises component as part of their cloud IAM solution so that S&R pros can enable employees to authenticate against Active Directory (AD) on-premises and access on-premises applications without having to use the VPN. However, in customer interviews, Forrester found that today 20% of organizations use IDaaS for IAM to on-premises applications, while 80% organizations use IDaaS to manage access to SaaS applications.

(4)

■

Supports SSO from and on mobile devices cost-effectively. S&R pros have to provide a

repeatable security framework for their developers so that they can focus on achieving the business goals of their custom mobile applications and not have to worry about details of mobile application SSO and even management. Cloud IAM vendors recognized this need and now provide basic enterprise mobility management solutions (similar to mobile device management and mobile application management), as well as simple SSO for mobile applications, built on the emerging OpenID-based Native Applications Working Group (NAPPS) standard.4

TwO TyPes OF VenDOR OFFeRInGs COMPeTe FOR yOuR aTTenTIOn

This Forrester Wave focuses on business-to-enterprise (B2E) cloud IAM solutions. These solutions provide access to SaaS applications and on-premises legacy web applications for the enterprise workforce (e.g., employees and contractors). When evaluating the B2E cloud IAM vendor landscape, Forrester found that solutions bifurcate into two types of offerings:

■

Vendors with an on-premises IAM pedigree offer capable B2E cloud IAM solutions. IBM,

Microsoft, and Ping Identity built cloud front ends to their existing, robust, and capable on-premises IAM solutions. Although these solutions provide very extensive policy authoring features, especially for access management, they require a somewhat larger effort to initially implement and maintain.

■

Born-in-the-cloud B2E cloud IAM vendors offer simple and faster-to-implement solutions.

Bitium, Centrify, Okta, OneLogin, and Salesforce solutions were born in the cloud and don’t have any background in on-premises solutions. As a result, solutions of this type may not offer the same depth of policy management capabilities that the on-premises pedigree vendors do. There are, of course, exceptions in every category: SailPoint developed its solution for the cloud,

but it also contains intellectual property from the company’s on-premises IdentityIQ access governance product.

Forrester evaluated both of these types of vendors in this Forrester Wave because our clients frequently ask us about and evaluate both types of vendors.

an sso Portal, saml support, and Mobile access support are Table stakes Features During the Forrester Wave evaluation, Forrester identified several nondifferentiating solution features. All evaluated vendors:

■

Provide a cloud-based portal for employees to access SaaS applications. With VPN use

decreasing, all B2E cloud IAM solutions offer a portal that employees can access with their AD credentials. In the portal, they see icons for every SaaS application they are authorized to access as part of their job. Group information from the user store can drive which applications users have access to.

(5)

■

Allow S&R pros to install an optional on-premises agent for the user store. All solutions we

evaluated have either: 1) a Windows service component that S&R pros need to install AD in domain controllers or 2) an identity router that they need to put into the demilitarized zone (DMZ). These components allow for: 1) reading user passwords from AD and 2) the cloud IAM solution writing changed passwords to AD when users reset or change their passwords.

■

Offer bidirectional SAML SSO and single logout support. All evaluated vendors offer

inbound and outbound SAML (consumer and producer) with support for custom attribute value injection into the SAML assertion from the identity provider (IdP). All solutions support the concept of a URL for single logout to terminate the user’s session.

■

Provide native iOS and Android mobile applications for login and 2FA. B2E cloud IAM

solutions offer optional mobile applications for: 1) storing AD credentials that enable the user to establish a PIN code and allow users to log into their SaaS applications from the mobile device and 2) two-factor authentication (2FA) for step-up or greater strength authentication into sensitive, high-risk applications. Many of the vendors’ mobile applications provide support for forgotten password recovery and limited device management as well.

Vendors’ Future Plans Include Provisioning and access Governance

While examining the solutions and vendor road maps for this Forrester Wave, Forrester found that vendors have plans for the following common enhancements:

■

Extended provisioning for both cloud and on-premises apps. Today’s cloud IAM solution

support for SaaS and on-premises business application provisioning is simplistic. It usually involves the System for Cross-domain Identity Management (SCIM, also known as “Simple Cloud Identity Management”) or Security Assertion Markup Language (SAML) Just-in-Time (JIT) standards-based provisioning of users. However, the IDaaS solutions today do not offer fine-grained entitlement support provisioning in a separate user authorization store and usually do not automatically deprovision users. Similarly, these processes are not as robust when it comes to removing or deprovisioning access as it often has to be done manually.

■

Built-in support for attestation campaigns. With the exception of SailPoint, today’s cloud IAM

solutions have only zero-to-minimal attestation campaign management and true enterprise business role-mining for access governance. Forrester expects that future solutions will increasingly incorporate these requirements.

■

Access request management workflow. Today’s fine-grained application access request

management workflow capabilities in cloud IAM solutions are limited and are not on par with on-premises identity management platforms.5 Forrester expects that vendors will greatly expand

graphical workflow design (similar to what is already available in IBM Cloud Identity Service) and selection of approvers and approval types (quorum, sequential optional, etc.).

(6)

■

User store support for IaaS workloads. Today’s user stores in cloud IAM solutions are only for

managing access to the cloud IAM portal itself; they provide no capabilities to manage access to workloads in IaaS applications. In this case, cloud IAM vendors need to provide robust AD-like directory services. While Amazon Web Services (AWS) and JumpCloud offer this capability today, Forrester expects that leading cloud IAM vendors will support this requirement in the future.

■

Extensive mobile app access management with risk-based authentication. While Centrify,

IBM, and Microsoft offer bundled enterprise mobility management solutions with their cloud IAM, Forrester expects that vendors will implement risk-based authentication capabilities complete with risk scoring that support desktops and mobile devices. Vendors are also working on creating a cross-mobile application SSO using the OpenID Connect NAPPS standard, and increasingly looking at the FIDO UAF specification to separate the business process from the registration and authentication logic in an application.6

B2e CLOuD IaM eVaLuaTIOn OVeRVIew

To assess the state of the B2E cloud IAM market and see how the vendors stack up against each other, Forrester evaluated the strengths and weaknesses of B2E cloud IAM vendors.

evaluation Criteria: Current Offering, strategy, and Market Presence

After examining past research, user need assessments, and vendor and expert interviews, Forrester developed a comprehensive set of evaluation criteria which we grouped into three high-level buckets:

■

Current offering. We evaluated how well solutions provide: 1) user directory support; 2) access

management policy administration; 3) user account provisioning policy administration; 4) end user self-services from the solution’s web portal; 5) end user self-services from the solution’s mobile application; 6) API security and solution APIs; and 7) reporting and scalability. We also evaluated the overall complexity of solutions.

■

Strategy. We reviewed each vendor’s strategy to determine vendor differentiation in: 1) future

product development and market plans; 2) customer satisfaction with the solution; 3) security implementation services and OEM partnerships; 4) development, sales, and technical support staffing; 5) pricing flexibility and transparency; and 6) customer reference scale and coverage.

■

Market presence. To determine market presence, we considered the vendors’: 1) revenue; 2)

(7)

Included Vendors Offer Cloud Iam as a True saas service and ad authentication In a very crowded market of IDaaS vendors, Forrester included nine vendors in the assessment: Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity, SailPoint, and Salesforce. Each of these vendors had on or before December 16, 2014 (see Figure 1):

■

A productized and publicly announced, true multitenant SaaS B2E cloud IAM offering.

The vendor should have an announced, true multitenant SaaS (not hosted service) B2E cloud IAM offering. In Forrester’s and its clients’ assessment, the cloud IAM solution should have a primary focus on IAM for enterprise (internal employee) types of users. The vendor should have a strategy focus on the B2E cloud IAM solution, which should not be a “me too” checkbox solution in the vendor’s solution portfolio.

■

A B2E cloud IAM offering capable of authenticating users against on-premises AD. The

solution should be able to manage and authenticate users against an on-premises AD user store.

■

At least $1 million in B2E cloud IAM subscription revenues in 2014. The vendor should have

at least $1 million in true, B2E cloud IAM subscription revenues. Hosted IAM solutions do not count against this number.

■

At least 40 paying customer organizations in production. The B2E cloud IAM offering should

have at least 40 paying customer organizations in production at the cutoff date.

■

A mindshare with Forrester’s customers on inquiries. Customers should mention the vendor’s

name in an unaided context (“We looked at the following vendors for B2E cloud IAM”) on Forrester’s inquiries and other interactions.

■

A mindshare with other B2E cloud IAM competitive vendors. When Forrester asks other

vendors about their competition on briefings, inquiries, and other interactions, other vendors should mention the vendor as a real competitor in the B2E cloud IAM market space.

Forrester invited CA Technologies, Dell, ForgeRock, Gemalto, JumpCloud, Microfocus/NetIQ, Oracle, RadiantLogic, RSA, SecureAuth, and SwivelSecure to this Forrester Wave, but these vendors opted out.

(8)

Figure 1 Evaluated Vendors: Product Information And Selection Criteria

Source: Forrester Research, Inc. Unauthorized reproduction, citation, or distribution prohibited.

Vendor Bitium Centrify IBM Microsoft Okta OneLogin Ping Identity SailPoint Salesforce Product evaluated Bitium Enterprise Centrify User Suite IBM Cloud Identity Service Microsoft Enterprise Mobility Suite

Okta Identity Management and Mobility Management Service OneLogin

PingOne

SailPoint IdentityNow Salesforce Identity

Vendor selection criteria

Has a productized and publicly announced, true multitenant SaaS B2E cloud IAM offering. Has a B2E cloud IAM offering capable of authenticating users against on-premises AD. Had at least $1 million in B2E cloud IAM subscription revenues in 2014.

Has at least 40 paying customer organizations in production. Has mindshare with Forrester’s customers on inquiries. Has mindshare with other B2E cloud IAM competitive vendors.

OneLOGIn anD OKTa LeaD The PaCK

The evaluation uncovered a market in which (see Figure 2):

■

OneLogin and Okta lead the pack. These vendors demonstrated broad capabilities for

user directory support, access policy administration, and a large catalog for supported SaaS applications. They have also shown relative simplicity among the evaluated offerings and have a large installed base.

■

Centrify, Microsoft, SailPoint, Salesforce, Ping Identity, and IBM offer competitive options.

(9)

solution. Their solution complexity, customer satisfaction, customer reference scale, and coverage of implementation (in different combinations for different vendors) may be behind those of the Leaders.

■

Bitium lacks broad installed base but has potential. While showing a lot of promise for the

future for a small company with only a handful of developers and sales people, offering a very simple and easy-to-use solution, Bitium today lacks a notable installed base, broad coverage of verticals, support for APIs, and end user self-service from the portal.

This evaluation of the B2E cloud IAM market is intended to be a starting point only. We encourage clients to view detailed product evaluations and adapt criteria weightings to fit their individual needs through the Forrester Wave Excel-based vendor comparison tool.

Figure 2 Forrester Wave™: B2E Cloud IAM, Q2 ‘15

Risky

Bets Contenders PerformersStrong Leaders

Strategy Weak Strong Current offering Weak Strong Go to Forrester.com to download the Forrester Wave tool for more detailed product evaluations, feature comparisons, and customizable rankings. Market presence Bitium Centrify IBM Microsoft Okta OneLogin Ping Identity SailPoint Salesforce

(10)

Figure 2 Forrester Wave™: B2E Cloud IAM, Q2 ‘15 (Cont.)

CURRENT OFFERING User directory support Access management policy administration User account provisioning policy administration End user self-service from the solution’s web portal End user self-service from the solution’s purpose-built, vendor-supplied mobile application API security and solution APIs Reporting and scalability Overall solution complexity

STRATEGY

Future development and market plans for cloud IAM and technology Customer satisfaction

Security services and OEM partners Development, sales, and technical support staffing

Pricing flexibility and transparency Customer reference scale and coverage

MARKET PRESENCE Revenue

Installed base

Verticals and geographies

Fo rr es te r’s We ightin g 50% 14% 14% 12% 12% 12% 12% 12% 12% 50% 35% 25% 10% 10% 10% 10% 0% 33% 33% 33% 1.88 3.00 1.00 1.00 3.00 1.00 0.00 1.00 5.00 1.75 1.00 4.00 0.00 1.00 2.00 1.00 1.33 1.00 1.00 2.00 2.86 2.00 3.00 0.00 4.00 5.00 1.00 4.00 4.00 4.10 4.00 4.00 5.00 5.00 3.00 4.00 2.67 1.00 4.00 3.00 2.18 3.00 4.00 2.00 3.00 1.00 0.00 2.00 2.00 3.60 5.00 3.00 3.00 2.00 3.00 3.00 3.33 4.00 3.00 3.00 3.02 3.00 4.00 1.00 2.00 4.00 3.00 3.00 4.00 3.40 2.00 4.00 4.00 5.00 3.00 5.00 4.00 4.00 5.00 3.00 3.52 5.00 3.00 2.00 3.00 5.00 3.00 2.00 5.00 3.85 3.00 4.00 5.00 4.00 4.00 5.00 3.33 3.00 5.00 2.00 3.80 5.00 5.00 2.00 4.00 3.00 3.00 3.00 5.00 3.50 4.00 4.00 3.00 2.00 3.00 3.00 4.00 4.00 5.00 3.00 2.62 3.00 2.00 1.00 4.00 3.00 3.00 3.00 2.00 3.20 3.00 3.00 4.00 4.00 3.00 3.00 2.67 2.00 3.00 3.00 2.76 3.00 3.00 3.00 4.00 3.00 0.00 2.00 4.00 3.35 4.00 3.00 1.00 4.00 3.00 4.00 2.33 3.00 1.00 3.00 3.26 3.00 4.00 3.00 1.00 4.00 5.00 4.00 2.00 2.70 3.00 3.00 2.00 3.00 3.00 1.00 2.67 2.00 2.00 4.00 All scores are based on a scale of 0 (weak) to 5 (strong).

Bitium Centri fy IB M Microsof t Ok ta OneLo gin Pi ng Identi ty Sail Po int Salesf orce

(11)

VenDOR PROFILes Leaders

Leaders provide an overall a great solution with broad installed bases and credible solution features:

■

OneLogin is a thought leader in authentication with plans to extend mobility support. The

solution is much less complex than other solutions evaluated in this Forrester Wave. It has outstanding support for user directory configuration and integration, access management policy administration, and end user self-service from the portal. The solution today lacks in user provisioning policy administration, and the vendor does not have its own MDM solution. Future plans of the vendor include: 1) developing mobile native SSO (NAPPS) and NAPPS toolkits; 2) desktop and device authentication support; 3) enterprise mobile management support; 4) third-party biometrics support; and 5) risk-based application access controls.

■

Okta has a large installed base, extensive mobility support, with plans for identity

intelligence. The solution is much less complex than other solutions evaluated in this Forrester

Wave. It has great capabilities for managing and integrating user directories, and end user self-service from the solution mobile interface (Okta offers its own MDM capabilities). The vendor has a large and powerful partner ecosystem for implementation and a large installed base of 1,250 direct customers. The solution lacks in the areas of reporting and scalability and user

account provisioning policy management. Forrester expects that the future plans of the vendor include adaptive authentication, identity intelligence, ability to deploy in isolated instances, enhanced mobility management, and passwordless authentication.

strong Performers

These vendors offer robust and credible solutions but are behind Leaders in the areas of mobility support, installed base, and partner ecosystems:

■

Centrify is strong in MDM, dashboards, and reporting. Centrify’s solution excels in the areas

of end user self-service from the mobile application (Centrify provides its own MDM solution, bundled) and reporting: The solution has nice dashboards and 49 built-in reports. It lacks features in user directory support: Centrify does provide a standalone cloud directory, but does not support synchronization of attributes with the user’s on-premises user store to the cloud directory. (Instead it maintains access to user attributes only in the on-premises user store. This is by design.) While it does provide provisioning for cloud applications, it lacks user account provisioning for on-premises applications as well as attestation and workflow. Centrify’s plans include privileged IAM as a SaaS offering, managed security provider features, automated password management, private (single tenant) pods and podscapes, and FedRAMP certification.

(12)

■

Microsoft has finally ventured into IAM in earnest with Azure AD Premium. The solution

has great capabilities in access policy administration, provides bundled MDM capabilities (Intune), and a nice end user interface in the mobile application. The solution has a large SI ecosystem and a large population estimated at 300 employees working on the development of the solution. It requires the bundled Forefront Identity Manager to provision identities to on-premises applications. It has no access recertification, and its end user self-service portal is somewhat behind others: End users cannot add their own applications and cannot manage the look and feel of the interface. Administrators cannot define new ad hoc reports. The vendor’s future plans call for device identity-based, risk-based authentication, and expansion into the B2B and partner collaboration IAM ecosystem.

■

SailPoint makes access governance available in its B2E cloud IAM solution. The solution

provides nice end user customization capabilities for its SSO web portal, allows a system administrator to manage provisioning policies and periodic attestation campaigns (beyond dashboards) to SaaS and on-premises applications. System administrators currently cannot create ad hoc reports (this is planned), and there is no way to limit who can see which report.

Customers said that the solution meets their expectations. The SI partner ecosystem is fairly weak for the solution, and the solution has a small installed base of 47 customer organizations today. SailPoint plans to enhance its encryption and incorporate threat feeds and real-time code

analysis and introspection for zero-day threats and a full SSAE16 Type II and SOC 1 certification.

■

Salesforce provides well-rounded capabilities with a powerful admin user interface.

Salesforce offers its Salesforce Identity solution for free or at a discount for its CRM and non-CRM clients. It has good capabilities for access policy and detailed provisioning policy management (has a built-in graphical workflow) and end user interface in the mobile

application. The solution’s user interface — while capable — is somewhat more complex than other solutions evaluated. Forrester estimates that a surprisingly small team of 15 developers work on the solution, and customer references interviewed by Forrester have not deployed it in production to more than 1,000 users and five applications. Salesforce plans to enhance encryption, expand AppExchange with IAM vendors, and improve risk-based authentication, security analytics, and malware detection.7

■

Ping Identity offers PingOne bundled with Ping Federate and Ping Access. The solution has

a strong partner SI ecosystem and a large developer base of 108. The vendor’s penetration is great in the communications and media, high-tech, and financial services verticals. Clients have deployed the solution into environments with more than 1,000 users and 20 applications, while the largest deployment is 850,000 users and 30 applications. While the PingOne B2E cloud IAM solution’s price includes the bundled Ping Federate and Ping Access products, customers have to install, configure, and maintain these environments to be able to satisfy most of the use

(13)

cases’ requirements in this evaluation. Ping Identity plans to introduce adaptive authentication, access control, a meta-registry for high scale connection management of federation, identity orchestration, and identity analytics.

■

IBM’s acquisition of Lighthouse Gateway offers a powerful policy management front end.

IBM’s Cloud Identity Service solution has versatile access policy management capabilities (it is based on the IBM Security Access Manager ISAM) for not only SaaS but also on-premises web applications — a great benefit to those customers already familiar with IBM’s ISAM and IBM Security Identity Manager products. The solution lacks a graphical workflow, and the mobile application falls behind other vendors. IBM plans to support wizards for setting up federation profiles and setting up a federation marketplace, introduce QuickLaunch (canned modules of repeatable use cases to reduce professional services), integrate with CrossIdeas access governance platform, and offer enhanced mobile support.

Contenders

Forrester found the following vendor’s solution to lack many of the capabilities of other evaluated solutions, a convincing installed base, and some key functionality other vendors offer:

■

Bitium’s simple solution is tightly architected and exceeds customer expectations. In

Forrester’s assessment, this solution has a lot of potential: The vendor is agile, and with only 14 developers created a viable solution. Users can customize the portal with their own application URLs. However, it lacks access management and user account provisioning policy administration capabilities, has no MDM solution of its own, and has no 2FA application of its own or exposed API for integration and policy management. Reporting lags behind other vendors with no custom, ad hoc reports, and only three different types of canned reports. The largest publicly referenceable deployment has only 632 users. The vendor’s plans include: password analysis, credential verification against external systems, support for Docker environments, logging and API enhancements, and hardware security module (HSM) support. suPPLeMenTaL MaTeRIaL

Online Resource

The online version of Figure 2 is an Excel-based vendor comparison tool that provides detailed product evaluations and customizable rankings.

Data sources used In This Forrester wave

Forrester used a combination of four data sources to assess the strengths and weaknesses of each solution:

(14)

■

Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation

criteria. Once we analyzed the completed vendor surveys, we conducted vendor calls where necessary to gather details of vendor qualifications.

■

Product demos. We asked vendors to conduct demonstrations of their product’s functionality. We

used findings from these product demos to validate details of each vendor’s product capabilities.

■

Demonstration environment. Every vendor provided us with independent and unfettered

access to the solution in the vendor’s online demonstration environment. We conducted independent tests and reviews of solutions in this environment.

■

Customer reference calls. To validate product and vendor qualifications, Forrester also

conducted reference calls with 3 of each vendor’s current customers. The Forrester wave Methodology

We conduct primary research to develop a list of vendors that meet our criteria to be evaluated in this market. From that initial pool of vendors, we then narrow our final list. We choose these vendors based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have limited customer references and products that don’t fit the scope of our evaluation. After examining past research, user need assessments, and vendor and expert interviews, we develop

the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria, we gather details of product qualifications through a combination of lab evaluations, questionnaires, demos, and/or discussions with client references. We send evaluations to the vendors for their review, and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies. We set default weightings to reflect our analysis of the needs of large user companies — and/or other scenarios as outlined in the Forrester Wave document — and then score the vendors based on a clearly defined scale. These default weightings are intended only as a starting point, and we encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool. The final scores generate the graphical depiction of the market based on current offering, strategy, and market presence. Forrester intends to update vendor evaluations regularly as product capabilities and vendor strategies evolve. For more information on the methodology that every Forrester Wave follows, go to http://www.forrester.com/marketing/policies/forrester-wave-methodology.html.

Integrity Policy

All of Forrester’s research, including Waves, is conducted according to our Integrity Policy. For more information, go to http://www.forrester.com/marketing/policies/integrity-policy.html.

(15)

enDnOTes

1_{For more details on cloud security taxonomy, please see the “}_{An S&R Pro’s Guide To Security To, In, And} From The Cloud” Forrester report.

2_{For more information, see the “}_{The Forrester Wave™: Identity And Access Management Suites, Q3 2013}_”

Forrester report and see the “The Forrester Wave™: Role Management And Access Recertification, Q3 2011” Forrester report.

For problems with on-premises IAM solutions, see the “Wake-Up Call: Poorly Managed Access Rights Are A Breach Waiting To Happen” Forrester report and see the “User Account Provisioning For The Midmarket” Forrester report.

3_{For more information, see the “}_{Use Commercial IAM Solutions To Achieve More Than 100% ROI Over} Manual Processes” Forrester report.

4_{Source: “Native Applications Working Group,” OpenID (http://openid.net/wg/napps/).} 5_{Also known as work item approval and rejection.}

6_{For more information, see the “}_{The Forrester Wave™: Risk-Based Authentication, Q1 2012}_{” Forrester report}

and see the “What You Need To Know About The FIDO Alliance And Its Impact On User Authentication” Forrester report.

(16)

Forrester Research (Nasdaq: FORR) is a global research and advisory firm serving professionals in 13 key roles across three distinct client segments. Our clients face progressively complex business and technology decisions every day. To help them understand, strategize, and act

Forrester Focuses On

Security & Risk Professionals

to help your firm capitalize on new business opportunities safely, you must ensure proper governance oversight to manage risk while optimizing security processes and technologies for future flexibility. Forrester’s subject-matter expertise and deep understanding of your role will help you create forward-thinking strategies; weigh opportunity against risk; justify decisions; and optimize your individual, team, and corporate performance.

the complexity of change into business advantage. our research-based insight and objective advice enable it professionals to lead more successfully within it and extend their impact beyond the traditional it organization. tailored to your individual role, our resources allow you to focus on important business issues — margin, speed, growth — first, technology second.

for more information

To find out how Forrester Research can help you be successful every day, please

contact the office nearest you, or visit us at www.forrester.com. For a complete list

of worldwide locations, visit www.forrester.com/about.

Client support

For information on hard-copy or electronic reprints, please contact Client Support

at +1 866.367.7378, +1 617.613.5730, or [email protected]. We offer