7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325
The Forrester Wave™: Identity Management And Governance, Q2 2016
The Nine Providers That Matter Most And How They Stack Up
by Merritt Maxim
May 17, 2016
FOR SECURITY & RISK PROFESSIONALS
FORRESTER.COM
Key Takeaways
SailPoint, RSA, And Dell Lead The Pack
Forrester’s research uncovered a market in which SailPoint, RSA, and Dell lead the pack. CA Technologies, Courion, Micro Focus (NetIQ), and Oracle offer competitive options. IBM and SAP lag behind.
S&R Pros Are Looking For Usability And Automation
This market is growing because security professionals use these solutions to address key identity-related risks and streamline operational efficiencies by migrating away from existing inaccurate, manual, and inefficient identity processes.
Identity Analytics And Ease Of Administration Are Key Differentiators
As this market continues to mature, improved end user interfaces, simplified and flexible administration, and broader identity analytics will dictate which providers lead the pack.
Why Read This Report
In our 17-criteria evaluation of identity management and governance providers, we identified the nine most significant ones — CA Technologies, Courion, Dell, IBM, Micro Focus (NetIQ), Oracle, RSA, SailPoint, and SAP — and researched, analyzed, and scored them. This report shows how each provider measures up and helps security and risk professionals make the right choice for managing and governing user access.
IMG Is Indispensable For Security, Productivity, And Efficient Operations
Identity management and governance (IMG) solutions give security and risk (S&R) pros the ability to
provision all users with the appropriate level of access to critical applications and systems, thereby minimizing the risk of users with excessive privileges or orphan accounts which hackers frequently
target to exfiltrate sensitive data. Comprehensive IMG platforms provide functionality such as user
account provisioning, delegated administration, role management, access request management, user
self-service, and access certification. They also provide reporting for on-premises, custom, and SaaS
applications. With an IMG platform, S&R pros can:
› Minimize the risk of data breaches. Public disclosures of large-scale data breaches have
become a daily occurrence. Since the majority of data breaches continue to occur as a result of
compromised credentials, over-privileged users, stale or orphan accounts, and segregation of duty
(SoD) violations, more than ever, security teams need strong, auditable processes for ensuring that
users have not accumulated unnecessary access rights during their job tenure.1 Security teams
that fail to invest in robust processes for managing user access to systems and data are increasing
their firm’s risk of a data breach.
› Improve end user productivity. In today’s highly distributed and complex organizations, it’s not
uncommon for new hires to wait days or weeks for technology management to grant them access
to systems and applications for their jobs. These delays only frustrate end users and decrease
productivity. The ability to automate and centralize the process by which users can request and
gain access to applications can yield significant employee benefits in both user satisfaction and
productivity. This in turn can help keep employee attrition low and enable your workforce to
function at an optimal level.2
However, this also means that vendors optimize IMG solutions for business, not just technical users.
› Deliver operational efficiencies. Today’s digital workforce requires access to an increasingly
diverse set of data and applications. Managing and monitoring this access can be an
administrative nightmare as S&R pros struggle to both maintain consistency across environments
and mollify frustrated users who can’t access quickly and efficiently the systems needed for their
job. IMG solutions alleviate administrative headaches for managing and granting user access to
applications by providing a centralized platform with workflow, delegated administration, analytics,
and reporting to ensure that technology management grants access efficiently and within defined
business rules and policies.
Technical Complexity Can Delay Deployment And Increase Administrative Difficulty
Many IMG vendors have built up their IMG portfolios through acquisition during the past 10-plus years
(see Figure 1 and see Figure 2). While vendors made these acquisitions to accelerate time-to-market,
integrating these components takes time and can lead to multiple interfaces and complexity, resulting
in longer deployment periods and increased administration. These so-called acquisition architectures
may also lack flexibility to adjust to new requirements such as SaaS or mobile.
In addition, IMG requirements have expanded beyond provisioning and creating an account in a
target system like Active Directory. While user provisioning is increasingly a capability of most IDaaS
offerings, these cloud offerings are not as mature in other core identity areas such as role management
or access certification for on-premises apps, making it challenging for security teams that are facing a
cloud-first mandate to migrate their IMG infrastructure to SaaS.3 S&R pros considering investment or
reinvestment in this space should consider how these solutions currently support new requirements
such as:
› Prioritizing flexible and responsive user interfaces optimized for business users. Traditionally,
IMG resided primarily within the purview of technology management. Even for technical staff,
IMG solutions were hard to work with, and security pros often had to spend nine to 12 months
to customize these solutions to achieve the most basic access request approval workflows. New
requirements in access request management and access governance mean that business users
will increasingly interact with IMG solutions. These business users place a premium on easy-to-use interfaces as well as support for performing functions on mobile devices. Security teams should
prioritize business user experience when evaluating solutions; friendlier interfaces will result in
faster deployment times and quicker adoption.
› Managing the identity life cycle for SaaS environments. IMG solutions initially focused on
supporting the identity life cycle for on-premises client/server applications and have built up
broad support for most commonly used commercial applications. However, as digital businesses
increasingly adopt SaaS apps such as Concur, Office 365, Salesforce, and ServiceNow, security
teams must maintain the same centralized, policy-based approach for managing and governing
the identity life cycle. While the IMG vendor ecosystem has added support for a range of common
SaaS apps, functionality beyond core provisioning can be inconsistent. S&R pros should place a premium on a given vendor’s support for SaaS apps to ensure broadest possible coverage and
strongest business value.
› Delivering robust identity analytics to identify anomalous user behavior. Although IMG
solutions serve as an important resource of valuable identity information, many security teams have
not leveraged this identity data to its fullest effect, as identity data was often exported to a SIM
or another analytics tool. Going forward, IMG solutions will provide the foundation for capturing
and detecting potentially suspicious user activity and using that data to feed into dashboards and
remediation. S&R pros should evaluate the ability to collect and perform such analysis natively in
the IMG platform even if behavior analytics is not on your short-term priority list.
› Providing a risk-centric view of users, apps, and entitlements to mitigate identity risk. IMG
solutions collect and manage a wide range of data around usage, approvals, and workflow, but
security teams don’t always fully leverage this data, if at all. S&R pros can use this data to identify
segregation of duty (SoD) violations and to prevent the fulfillment of certain requests. Today,
S&R pros want risk-scoring models out of the box that they can customize to their firm’s specific
FIGURE 2 Identity Management And Governance Acquisition Timeline Continued
[Figure: acquisition timeline from 2002 to present for Micro Focus (NetIQ), Oracle, RSA, SailPoint, and SAP. Entries shown: Attachmate, Sept. 2014; Aveksa, July 2013; (NetIQ, 2006); (Novell, 2010); Oblix, Mar. 2005; Sun, Jan. 2010; Thor, Nov. 2005; (Waveset, 2003); (Vaau, 2007); Whitebox Security, July 2015; Beacon PS, Feb. 2011; Cloudmasons, May 2012; BMC Control SA, Mar. 2011.]
Note: This figure is meant to be representative of the identity management and governance acquisitions over the past five years only for vendors included in this Forrester Wave. Acquisitions made outside core identity management solutions are not shown. Timeline is not to scale.
Identity Management And Governance Evaluation Overview
To assess the state of the identity management and governance market and see how the vendors
stack up against each other, Forrester evaluated the strengths and weaknesses of top IMG vendors.
After examining past research, user need assessments, and vendor and expert interviews, we
developed a comprehensive set of evaluation criteria. We evaluated vendors against 17 criteria, which
we organized into three high-level buckets:
› Current offering. We evaluated the ability of IMG solutions to deliver the following capabilities out
of the box: 1) user account provisioning; 2) role management; 3) access request management; 4)
access certification; 5) integration and APIs; 6) reporting and scalability; 7) administration; and 8)
overall solution complexity.
› Strategy. We evaluated: 1) the vendor’s IMG strategy and vision; 2) total complexity to implement
the solution; 3) pricing terms and flexibility; 4) customer satisfaction; and 5) breadth of the vendor’s
partner ecosystem.
› Market presence. We evaluated: 1) development, sales, and technical support staffing; 2) the size of
the IMG installed base; 3) product line and revenue; and 4) global presence (verticals and geographies).
Evaluated Vendors And Inclusion Criteria
Forrester included nine technology providers in the assessment: CA Technologies, Courion, Dell, IBM,
Micro Focus (NetIQ), Oracle, RSA, SailPoint, and SAP. Forrester also invited Hitachi-ID, IBM, Omada,
Oracle, and Microsoft, but these vendors declined to participate. Due to the volume of client inquiries
and their market presence, Forrester included IBM and Oracle as nonparticipating vendors in this
assessment. Each included vendor has (see Figure 3):
› A productized and publicly announced identity management and identity governance
offering. Participating vendor needed to have its own internally developed (not an OEM or resell)
IMG solution that supports the installation of the IMG policy administration console on-premises.
› At least $20 million in annual IMG license revenue over the past four fiscal quarters. The
vendor should have at least $20 million in true annual IMG license revenues. Hosted IMG solutions
do not count against this number.
› At least 50 paying customer organizations in production. The vendor’s IMG offering should
have at least 50 paying customer organizations in production at the cutoff date.
› A mindshare with Forrester’s clients during inquiries. Clients should mention the vendor’s name in an unaided context (“We looked at the following vendors for IMG”) during Forrester’s inquiries
and other interactions.
› A mindshare with other IMG competitive vendors. When Forrester asks other vendors about
their competition on briefings, inquiries, and other interactions, other vendors should mention the
vendor as a real competitor in the IMG market space.
A productized and publicly announced identity management, role management, and identity governance offering. The vendor should have its own internally developed (not an OEM or resell) IMG solution that supports the installation of the IMG policy administration console on-premises.
At least $20 million in annual IMG license revenue over the past four1 fiscal quarters. The vendor should have at least $20 million in true annual IMG license revenues. Hosted IMG solutions do not count against this number.
At least 50 paying customer organizations in production. The vendor’s IMG offering should have at least 50 paying customer organizations in production at the cutoff date.
A mindshare with Forrester’s customers on inquiries. Customers should mention the vendor’s name in an unaided context (“We looked at the following vendors for IMG”) on Forrester’s inquiries and other interactions.
A mindshare with other IMG competitive vendors. When Forrester asks other vendors about their competition on briefings, inquiries, and other interactions, other vendors should mention the vendor as a real competitor in the IMG market space.
Vendor Profiles
This evaluation of the identity management and governance market is intended to be a starting point only. We encourage clients to view detailed product evaluations and adapt criteria weightings to fit their
individual needs through the Forrester Wave Excel-based vendor comparison tool (see Figure 4).
All scores are based on a scale of 0 (weak) to 5 (strong).
Leaders
› SailPoint offers a solid and proven IMG solution. SailPoint is the one remaining IMG pure play
from the 2000s and has built an impressive and large customer install base and broad partner ecosystem to support IMG deployments across all verticals. The solution is less complex than other
solutions evaluated in this Forrester Wave. Customers reported some issues with documentation
and scalability in larger environments. The vendor’s future plans include: 1) management of access
to unstructured data resources; 2) continued user experience enhancements for mobile devices;
and 3) a stateless API integration model based on the SCIM standard.
› RSA differentiates its IMG strategy with intriguing GRC integration. RSA is integrating its RSA
Via Lifecycle and Governance capabilities (acquired via Aveksa in 2013) with the RSA Archer GRC,
RSA Security Analytics, and RSA’s Advanced Authentication solutions. The solution is much less
complex than other solutions evaluated in this Forrester Wave with simple, flexible, and intuitive
user interfaces. Customers indicated concerns around the pending Dell/EMC merger’s influence
on future IMG support and strategy. The vendor’s future research and development include: 1)
continuous assurance; 2) integrated IAM portfolio with RSA’s strong and risk-based authentication;
and 3) synergy between IAM, security, and GRC.
› Dell has strong global IMG coverage. The EMEA heritage of Dell’s IMG solution (based on
the acquisition of Voelcker Informatik) has given Dell a strong and diverse global customer base
and partner ecosystem. The Dell administrative portal was intuitive and less complex than other
solutions evaluated in this Forrester Wave. Reference customers universally singled out Dell’s
support and service responsiveness. The vendor’s future plans include: 1) extending data access governance to include support for cloud storage applications; 2) the addition of behavioral
analytics capabilities; and 3) the creation of native mobile apps for request and approval supporting
the major platforms (e.g., iOS, Android, Windows).
Strong Performers
› CA Technologies delivers IMG functionality as part of a broad IAM offering. CA has a very
broad IMG platform and connector coverage across on-premises and SaaS environments. The
solution is more complex than other solutions evaluated in this Forrester Wave, with multiple
nonintegrated product interfaces. In customers’ view, CA Technologies needs to do a better job
with customer support and services. CA Technologies has invested over the past 12 months, both through acquisition and in-house development, to improve and streamline the business
user experience. Forrester expects that the vendor’s future plans will include behavioral analytics,
continued user interface improvements, and specific certification campaigns and analytics for
privileged and shared accounts.
› Micro Focus (NetIQ) delivers directory-centric IMG capabilities. Micro Focus (NetIQ) has a
large IMG customer base and strong directory integration capabilities but has not added net new
customers as quickly as other vendors have. Micro Focus (NetIQ) OEMs its role management
capabilities from fellow IMG competitor SailPoint. Customer references expressed concerns
around the vendor’s slow-to-develop cloud strategy. The vendor’s future plans include: 1) business-
user-friendly user interface as a part of a larger focus on ease of use and lowering total cost of
ownership; 2) expanding the vendor ecosystem of system integrators and consultants; and 3)
expanding embedded decision support analytics focused on identity relationships and behavior.
› Courion is re-emerging in IMG with a new team, investors, and strategy. Courion has
changed dramatically in the past 12 months: In addition to its management and investor changes, the
company completed three acquisitions. Courion has a strong legacy in password management
The Forrester Wave Methodology
We conduct primary research to develop a list of vendors that meet our criteria to be evaluated in this
market. From that initial pool of vendors, we then narrow our final list. We choose these vendors based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have
limited customer references and products that don’t fit the scope of our evaluation.
After examining past research, user need assessments, and vendor and expert interviews, we develop
the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria,
we gather details of product qualifications through a combination of lab evaluations, questionnaires,
demos, and/or discussions with client references. We send evaluations to the vendors for their review,
and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies.
We set default weightings to reflect our analysis of the needs of large user companies — and/or
other scenarios as outlined in the Forrester Wave evaluation — and then score the vendors based on a clearly defined scale. We intend these default weightings to serve only as a starting point and
encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool.
The final scores generate the graphical depiction of the market based on current offering, strategy, and
market presence. Forrester intends to update vendor evaluations regularly as product capabilities and
vendor strategies evolve. For more information on the methodology that every Forrester Wave follows,
go to https://www.forrester.com/marketing/policies/forrester-wave-methodology.html.
Integrity Policy
We conduct all our research, including Forrester Wave evaluations, in accordance with our Integrity
Policy. For more information, go to https://www.forrester.com/marketing/policies/integrity-policy.html.
Endnotes
1 The responsibility and the budget for identity and access management (IAM) often reside with a number of different
business and technology management teams. Historically, the easy business justification for IAM investment came from
its impact on administrative operational efficiency — for example, help desk agents spend less time resetting passwords,
and automated access recertification campaigns save managers and application owners time. To learn more, see the
“Brief: Reframe The Business Case For Identity And Access Management In Security Terms” Forrester report.
According to the Verizon 2016 Data Breach Investigations Report, 63% of confirmed data breaches in 2015 involved
weak, default, or stolen passwords. There were 10,489 total incidents classified as insider and privilege misuse,
which Verizon defines as any unapproved or malicious use of organizational resources. Source: “2016 Data Breach Investigations Report,” Verizon (http://www.verizonenterprise.com/verizon-insights-lab/dbir/).
2 Psychological and neurological research offer critical insights into where high performance and creativity come from,
how they make an impact on customer experience and profit, and how organizations are destroying performance
without knowing it. For more information, see the “Workforce Enablement Defined: Elevate Productivity And
Employees that drive your digital business require access to an increasingly wide range of apps to maximize their
productivity. When employees have to wait days to gain access to selected apps, productivity and employee satisfaction
suffers. To learn more, see the “Use Identity Management To Streamline Employee Onboarding” Forrester report.
3 In Forrester’s 17-criteria evaluation of B2E cloud identity and access management (IAM) vendors, we identified the nine most significant SaaS providers in the category — Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity,
SailPoint, and Salesforce — and researched, analyzed, and scored them. For more information, see the “The Forrester