MF
Uploaded byMichael Fidler
352 views

Forrester Report

Embed presentation

Downloaded 13 times
Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com The Forrester Wave™: B2E Cloud IAM, Q2 2015 by Andras Cser and Merritt Maxim, June 29, 2015 For: Security & Risk Professionals Key Takeaways OneLogin And Okta Lead The Pack Forrester’s research uncovered a market in which OneLogin and Okta lead the pack. Centrify, Microsoft, SailPoint, Salesforce, Ping Identity, and IBM offer competitive options. Bitium lags behind. The B2E Cloud IAM Market Is Growing As S&R Pros Look For Simplicity, SSO, And Directory Integration The B2E cloud IAM market is growing because more S&R professionals see IDaaS as a way to address their top IAM challenges without the long deployment times of legacy IAM products. It’s also growing because S&R pros increasingly trust B2E cloud IAM providers to act as a backbone for employee IAM to SaaS and on-premises apps. API Security, Mobile Support, And Installed Base Are Key Differentiators In The B2E Cloud IAM Market Vendors that can provide API security and API-based integration for the Internet of Things and mobile single sign-on and who can grow their installed base faster position themselves to successfully deliver faster IAM to value to their customers. Access The Forrester Wave Model For Deeper Insight Use the detailed Forrester Wave model to view every piece of data used to score participating vendors and create a custom vendor shortlist. Access the report online and download the Excel tool using the link in the right-hand column under “Tools & Templates.” Alter Forrester’s weightings to tailor the Forrester Wave model to your specifications.
© 2015, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester® , Technographics® , Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email clientsupport@forrester.com. For additional information, go to www.forrester.com. For Security & Risk Professionals Why Read This Report In Forrester’s 17-criteria evaluation of B2E cloud identity and access management (IAM) vendors, we identified the nine most significant SaaS providers in the category — Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity, SailPoint, and Salesforce — and researched, analyzed, and scored them. This report details our findings about how well each vendor fulfills our criteria and where they stand in relation to each other to help security and risk (S&R) professionals select the right partner for their B2E cloud IAM, also known as identity-as-a-service (IDaaS), needs. Table Of Contents Cloud IAM Reduces Complexity And Cost, Removes Barriers To Adoption Two Types Of Vendor Offerings Compete For Your Attention An SSO Portal, SAML Support, And Mobile Access Support Are Table Stakes Features Vendors’ Future Plans Include Provisioning And Access Governance B2E Cloud IAM Evaluation Overview Evaluation Criteria: Current Offering, Strategy, And Market Presence Included Vendors Offer Cloud IAM As A True SaaS Service And AD Authentication OneLogin And Okta Lead The Pack Vendor Profiles Leaders Strong Performers Contenders Supplemental Material Notes & Resources Forrester conducted product evaluations in March 2015 and interviewed 36 vendor and user companies, including Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity, SailPoint, and Salesforce. Related Research Documents Brief: Top 10 IAM Trends From The RSA Conference 2015 The Forrester Wave™: Identity And Access Management Suites, Q3 2013 The Forrester Wave™: Risk-Based Authentication, Q1 2012 The Forrester Wave™: B2E Cloud IAM, Q2 2015 The Nine Providers That Matter Most And How They Stack Up by Andras Cser and Merritt Maxim with Stephanie Balaouras, Josh Blackborow, and Peggy Dostie 2 3 7 5 10 12 June 29, 2015
For Security & Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 2 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Cloud IAM Reduces Complexity And Cost, Removes Barriers To Adoption In our Forrester Wave evaluation and conversations with S&R pros and vendors, Forrester found that B2E cloud IAM has completely transformed the IAM market landscape. Why? It’s because cloud IAM: ■ Allows S&R pros to manage employee identities across cloud environments. As both business and technology leaders have eagerly adopted software-as-a-service (SaaS) such as Salesforce, ServiceNow, and Workday, the task of managing identities and controlling access to some of the firm’s most sensitive data fell to the security team.1 Luckily, cloud IAM came to the rescue: Not only did it provide a unified view of user access to SaaS applications but it also provided a single portal for employees to access these SaaS applications. ■ Limits complexity of IAM solutions. Historically, when S&R pros sought to deploy an on-premises IAM solution, they insisted on solutions that could support 100% of their brick-and-mortar legacy requirements.2 This resulted in implementations with a high degree of customization and, of course, cost; stories of IAM projects turning into mini ERP projects deterred firms from building out IAM solutions in earnest. Cloud IAM challenged this mentality and ultimately succeeded in changing the deployment approach. From the beginning, cloud IAM vendors started out with a simple set of capabilities: those focused on offering employee single sign-on (SSO) into SaaS applications. As the only real viable option for managing access across these cloud apps, S&R pros had to accept a simpler approach that focused on essential requirements. ■ Reduces license and ongoing maintenance costs. Many vendors offer pay-as-you-go and metered pricing models, which means that S&R pros are not hit by large, upfront per-user perpetual license costs. It also offers flexibility; S&R pros can scale the number of users and applications up or down as needed during their contract with the vendor. In addition, because security teams need only manage IAM policies and are no longer encumbered with the operational responsibilities of maintaining the solution itself, they need far fewer employees for maintenance.3 For many small and medium businesses that can’t afford four to five employees to support an on-premises IAM solution, cloud IAM is the answer. Even large enterprises are evaluating cloud IAM solutions in the hopes of converting spend from capex to opex. ■ Offers support for legacy apps on-premises as well as for SaaS applications. Provisioning and controlling access to cloud applications is but one challenge. S&R pros must still manage IAM for a plethora of legacy on-premises apps. Vendors have listened: Now they offer an on- premises component as part of their cloud IAM solution so that S&R pros can enable employees to authenticate against Active Directory (AD) on-premises and access on-premises applications without having to use the VPN. However, in customer interviews, Forrester found that today 20% of organizations use IDaaS for IAM to on-premises applications, while 80% organizations use IDaaS to manage access to SaaS applications.
For Security & Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 3 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 ■ Supports SSO from and on mobile devices cost-effectively. S&R pros have to provide a repeatable security framework for their developers so that they can focus on achieving the business goals of their custom mobile applications and not have to worry about details of mobile application SSO and even management. Cloud IAM vendors recognized this need and now provide basic enterprise mobility management solutions (similar to mobile device management and mobile application management), as well as simple SSO for mobile applications, built on the emerging OpenID-based Native Applications Working Group (NAPPS) standard.4 Two Types Of Vendor Offerings Compete For Your Attention This Forrester Wave focuses on business-to-enterprise (B2E) cloud IAM solutions. These solutions provide access to SaaS applications and on-premises legacy web applications for the enterprise workforce (e.g., employees and contractors). When evaluating the B2E cloud IAM vendor landscape, Forrester found that solutions bifurcate into two types of offerings: ■ Vendors with an on-premises IAM pedigree offer capable B2E cloud IAM solutions. IBM, Microsoft, and Ping Identity built cloud front ends to their existing, robust, and capable on- premises IAM solutions. Although these solutions provide very extensive policy authoring features, especially for access management, they require a somewhat larger effort to initially implement and maintain. ■ Born-in-the-cloud B2E cloud IAM vendors offer simple and faster-to-implement solutions. Bitium, Centrify, Okta, OneLogin, and Salesforce solutions were born in the cloud and don’t have any background in on-premises solutions. As a result, solutions of this type may not offer the same depth of policy management capabilities that the on-premises pedigree vendors do. There are, of course, exceptions in every category: SailPoint developed its solution for the cloud, but it also contains intellectual property from the company’s on-premises IdentityIQ access governance product. Forrester evaluated both of these types of vendors in this Forrester Wave because our clients frequently ask us about and evaluate both types of vendors. An Sso Portal, Saml Support, And Mobile Access Support Are Table Stakes Features During the Forrester Wave evaluation, Forrester identified several nondifferentiating solution features. All evaluated vendors: ■ Provide a cloud-based portal for employees to access SaaS applications. With VPN use decreasing, all B2E cloud IAM solutions offer a portal that employees can access with their AD credentials. In the portal, they see icons for every SaaS application they are authorized to access as part of their job. Group information from the user store can drive which applications users have access to.
For Security & Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 4 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 ■ Allow S&R pros to install an optional on-premises agent for the user store. All solutions we evaluated have either: 1) a Windows service component that S&R pros need to install AD in domain controllers or 2) an identity router that they need to put into the demilitarized zone (DMZ). These components allow for: 1) reading user passwords from AD and 2) the cloud IAM solution writing changed passwords to AD when users reset or change their passwords. ■ Offer bidirectional SAML SSO and single logout support. All evaluated vendors offer inbound and outbound SAML (consumer and producer) with support for custom attribute value injection into the SAML assertion from the identity provider (IdP). All solutions support the concept of a URL for single logout to terminate the user’s session. ■ Provide native iOS and Android mobile applications for login and 2FA. B2E cloud IAM solutions offer optional mobile applications for: 1) storing AD credentials that enable the user to establish a PIN code and allow users to log into their SaaS applications from the mobile device and 2) two-factor authentication (2FA) for step-up or greater strength authentication into sensitive, high-risk applications. Many of the vendors’ mobile applications provide support for forgotten password recovery and limited device management as well. Vendors’ Future Plans Include Provisioning And Access Governance While examining the solutions and vendor road maps for this Forrester Wave, Forrester found that vendors have plans for the following common enhancements: ■ Extended provisioning for both cloud and on-premises apps. Today’s cloud IAM solution support for SaaS and on-premises business application provisioning is simplistic. It usually involves the System for Cross-domain Identity Management (SCIM, also known as “Simple Cloud Identity Management”) or Security Assertion Markup Language (SAML) Just-in-Time (JIT) standards-based provisioning of users. However, the IDaaS solutions today do not offer fine-grained entitlement support provisioning in a separate user authorization store and usually do not automatically deprovision users. Similarly, these processes are not as robust when it comes to removing or deprovisioning access as it often has to be done manually. ■ Built-in support for attestation campaigns. With the exception of SailPoint, today’s cloud IAM solutions have only zero-to-minimal attestation campaign management and true enterprise business role-mining for access governance. Forrester expects that future solutions will increasingly incorporate these requirements. ■ Access request management workflow. Today’s fine-grained application access request management workflow capabilities in cloud IAM solutions are limited and are not on par with on-premises identity management platforms.5 Forrester expects that vendors will greatly expand graphical workflow design (similar to what is already available in IBM Cloud Identity Service) and selection of approvers and approval types (quorum, sequential optional, etc.).
For Security & Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 5 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 ■ User store support for IaaS workloads. Today’s user stores in cloud IAM solutions are only for managing access to the cloud IAM portal itself; they provide no capabilities to manage access to workloads in IaaS applications. In this case, cloud IAM vendors need to provide robust AD-like directory services. While Amazon Web Services (AWS) and JumpCloud offer this capability today, Forrester expects that leading cloud IAM vendors will support this requirement in the future. ■ Extensive mobile app access management with risk-based authentication. While Centrify, IBM, and Microsoft offer bundled enterprise mobility management solutions with their cloud IAM, Forrester expects that vendors will implement risk-based authentication capabilities complete with risk scoring that support desktops and mobile devices. Vendors are also working on creating a cross-mobile application SSO using the OpenID Connect NAPPS standard, and increasingly looking at the FIDO UAF specification to separate the business process from the registration and authentication logic in an application.6 B2E Cloud IAM Evaluation Overview To assess the state of the B2E cloud IAM market and see how the vendors stack up against each other, Forrester evaluated the strengths and weaknesses of B2E cloud IAM vendors. Evaluation Criteria: Current Offering, Strategy, And Market Presence After examining past research, user need assessments, and vendor and expert interviews, Forrester developed a comprehensive set of evaluation criteria which we grouped into three high-level buckets: ■ Current offering. We evaluated how well solutions provide: 1) user directory support; 2) access management policy administration; 3) user account provisioning policy administration; 4) end user self-services from the solution’s web portal; 5) end user self-services from the solution’s mobile application; 6) API security and solution APIs; and 7) reporting and scalability. We also evaluated the overall complexity of solutions. ■ Strategy. We reviewed each vendor’s strategy to determine vendor differentiation in: 1) future product development and market plans; 2) customer satisfaction with the solution; 3) security implementation services and OEM partnerships; 4) development, sales, and technical support staffing; 5) pricing flexibility and transparency; and 6) customer reference scale and coverage. ■ Market presence. To determine market presence, we considered the vendors’: 1) revenue; 2) installed base; and 3) vertical and geographic presence of the evaluated vendor’s cloud IAM solution.
For Security & Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 6 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Included Vendors Offer Cloud Iam As A True Saas Service And Ad Authentication In a very crowded market of IDaaS vendors, Forrester included nine vendors in the assessment: Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity, SailPoint, and Salesforce. Each of these vendors had on or before December 16, 2014 (see Figure 1): ■ A productized and publicly announced, true multitenant SaaS B2E cloud IAM offering. The vendor should have an announced, true multitenant SaaS (not hosted service) B2E cloud IAM offering. In Forrester’s and its clients’ assessment, the cloud IAM solution should have a primary focus on IAM for enterprise (internal employee) types of users. The vendor should have a strategy focus on the B2E cloud IAM solution, which should not be a “me too” checkbox solution in the vendor’s solution portfolio. ■ A B2E cloud IAM offering capable of authenticating users against on-premises AD. The solution should be able to manage and authenticate users against an on-premises AD user store. ■ At least $1 million in B2E cloud IAM subscription revenues in 2014. The vendor should have at least $1 million in true, B2E cloud IAM subscription revenues. Hosted IAM solutions do not count against this number. ■ At least 40 paying customer organizations in production. The B2E cloud IAM offering should have at least 40 paying customer organizations in production at the cutoff date. ■ A mindshare with Forrester’s customers on inquiries. Customers should mention the vendor’s name in an unaided context (“We looked at the following vendors for B2E cloud IAM”) on Forrester’s inquiries and other interactions. ■ A mindshare with other B2E cloud IAM competitive vendors. When Forrester asks other vendors about their competition on briefings, inquiries, and other interactions, other vendors should mention the vendor as a real competitor in the B2E cloud IAM market space. Forrester invited CA Technologies, Dell, ForgeRock, Gemalto, JumpCloud, Microfocus/NetIQ, Oracle, RadiantLogic, RSA, SecureAuth, and SwivelSecure to this Forrester Wave, but these vendors opted out.
For Security & Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 7 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Figure 1 Evaluated Vendors: Product Information And Selection Criteria Source: Forrester Research, Inc. Unauthorized reproduction, citation, or distribution prohibited. Vendor Bitium Centrify IBM Microsoft Okta OneLogin Ping Identity SailPoint Salesforce Product evaluated Bitium Enterprise Centrify User Suite IBM Cloud Identity Service Microsoft Enterprise Mobility Suite Okta Identity Management and Mobility Management Service OneLogin PingOne SailPoint IdentityNow Salesforce Identity Vendor selection criteria Has a productized and publicly announced, true multitenant SaaS B2E cloud IAM offering. Has a B2E cloud IAM offering capable of authenticating users against on-premises AD. Had at least $1 million in B2E cloud IAM subscription revenues in 2014. Has at least 40 paying customer organizations in production. Has mindshare with Forrester’s customers on inquiries. Has mindshare with other B2E cloud IAM competitive vendors. OneLogin And Okta Lead The Pack The evaluation uncovered a market in which (see Figure 2): ■ OneLogin and Okta lead the pack. These vendors demonstrated broad capabilities for user directory support, access policy administration, and a large catalog for supported SaaS applications. They have also shown relative simplicity among the evaluated offerings and have a large installed base. ■ Centrify, Microsoft, SailPoint, Salesforce, Ping Identity, and IBM offer competitive options. These vendors offer credible and robust offerings and outstanding future road maps for the
For Security & Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 8 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 solution. Their solution complexity, customer satisfaction, customer reference scale, and coverage of implementation (in different combinations for different vendors) may be behind those of the Leaders. ■ Bitium lacks broad installed base but has potential. While showing a lot of promise for the future for a small company with only a handful of developers and sales people, offering a very simple and easy-to-use solution, Bitium today lacks a notable installed base, broad coverage of verticals, support for APIs, and end user self-service from the portal. This evaluation of the B2E cloud IAM market is intended to be a starting point only. We encourage clients to view detailed product evaluations and adapt criteria weightings to fit their individual needs through the Forrester Wave Excel-based vendor comparison tool. Figure 2 Forrester Wave™: B2E Cloud IAM, Q2 ‘15 Source: Forrester Research, Inc. Unauthorized reproduction, citation, or distribution prohibited. Risky Bets Contenders Leaders Strong Performers StrategyWeak Strong Current offering Weak Strong Go to Forrester.com to download the Forrester Wave tool for more detailed product evaluations, feature comparisons, and customizable rankings. Market presence Bitium Centrify IBM Microsoft Okta OneLogin Ping Identity SailPoint Salesforce
For Security & Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 9 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Figure 2 Forrester Wave™: B2E Cloud IAM, Q2 ‘15 (Cont.) Source: Forrester Research, Inc. Unauthorized reproduction, citation, or distribution prohibited. CURRENT OFFERING User directory support Access management policy administration User account provisioning policy administration End user self-service from the solution’s web portal End user self-service from the solution’s purpose-built, vendor-supplied mobile application API security and solution APIs Reporting and scalability Overall solution complexity STRATEGY Future development and market plans for cloud IAM and technology Customer satisfaction Security services and OEM partners Development, sales, and technical support staffing Pricing flexibility and transparency Customer reference scale and coverage MARKET PRESENCE Revenue Installed base Verticals and geographies Forrester’s Weighting 50% 14% 14% 12% 12% 12% 12% 12% 12% 50% 35% 25% 10% 10% 10% 10% 0% 33% 33% 33% 1.88 3.00 1.00 1.00 3.00 1.00 0.00 1.00 5.00 1.75 1.00 4.00 0.00 1.00 2.00 1.00 1.33 1.00 1.00 2.00 2.86 2.00 3.00 0.00 4.00 5.00 1.00 4.00 4.00 4.10 4.00 4.00 5.00 5.00 3.00 4.00 2.67 1.00 4.00 3.00 2.18 3.00 4.00 2.00 3.00 1.00 0.00 2.00 2.00 3.60 5.00 3.00 3.00 2.00 3.00 3.00 3.33 4.00 3.00 3.00 3.02 3.00 4.00 1.00 2.00 4.00 3.00 3.00 4.00 3.40 2.00 4.00 4.00 5.00 3.00 5.00 4.00 4.00 5.00 3.00 3.52 5.00 3.00 2.00 3.00 5.00 3.00 2.00 5.00 3.85 3.00 4.00 5.00 4.00 4.00 5.00 3.33 3.00 5.00 2.00 3.80 5.00 5.00 2.00 4.00 3.00 3.00 3.00 5.00 3.50 4.00 4.00 3.00 2.00 3.00 3.00 4.00 4.00 5.00 3.00 2.62 3.00 2.00 1.00 4.00 3.00 3.00 3.00 2.00 3.20 3.00 3.00 4.00 4.00 3.00 3.00 2.67 2.00 3.00 3.00 2.76 3.00 3.00 3.00 4.00 3.00 0.00 2.00 4.00 3.35 4.00 3.00 1.00 4.00 3.00 4.00 2.33 3.00 1.00 3.00 3.26 3.00 4.00 3.00 1.00 4.00 5.00 4.00 2.00 2.70 3.00 3.00 2.00 3.00 3.00 1.00 2.67 2.00 2.00 4.00 All scores are based on a scale of 0 (weak) to 5 (strong). Bitium Centrify IBM Microsoft Okta OneLogin PingIdentity SailPoint Salesforce
For Security & Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 10 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Vendor Profiles Leaders Leaders provide an overall a great solution with broad installed bases and credible solution features: ■ OneLogin is a thought leader in authentication with plans to extend mobility support. The solution is much less complex than other solutions evaluated in this Forrester Wave. It has outstanding support for user directory configuration and integration, access management policy administration, and end user self-service from the portal. The solution today lacks in user provisioning policy administration, and the vendor does not have its own MDM solution. Future plans of the vendor include: 1) developing mobile native SSO (NAPPS) and NAPPS toolkits; 2) desktop and device authentication support; 3) enterprise mobile management support; 4) third-party biometrics support; and 5) risk-based application access controls. ■ Okta has a large installed base, extensive mobility support, with plans for identity intelligence. The solution is much less complex than other solutions evaluated in this Forrester Wave. It has great capabilities for managing and integrating user directories, and end user self- service from the solution mobile interface (Okta offers its own MDM capabilities). The vendor has a large and powerful partner ecosystem for implementation and a large installed base of 1,250 direct customers. The solution lacks in the areas of reporting and scalability and user account provisioning policy management. Forrester expects that the future plans of the vendor include adaptive authentication, identity intelligence, ability to deploy in isolated instances, enhanced mobility management, and passwordless authentication. Strong Performers These vendors offer robust and credible solutions but are behind Leaders in the areas of mobility support, installed base, and partner ecosystems: ■ Centrify is strong in MDM, dashboards, and reporting. Centrify’s solution excels in the areas of end user self-service from the mobile application (Centrify provides its own MDM solution, bundled) and reporting: The solution has nice dashboards and 49 built-in reports. It lacks features in user directory support: Centrify does provide a standalone cloud directory, but does not support synchronization of attributes with the user’s on-premises user store to the cloud directory. (Instead it maintains access to user attributes only in the on-premises user store. This is by design.) While it does provide provisioning for cloud applications, it lacks user account provisioning for on-premises applications as well as attestation and workflow. Centrify’s plans include privileged IAM as a SaaS offering, managed security provider features, automated password management, private (single tenant) pods and podscapes, and FedRAMP certification.
For Security & Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 11 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 ■ Microsoft has finally ventured into IAM in earnest with Azure AD Premium. The solution has great capabilities in access policy administration, provides bundled MDM capabilities (Intune), and a nice end user interface in the mobile application. The solution has a large SI ecosystem and a large population estimated at 300 employees working on the development of the solution. It requires the bundled Forefront Identity Manager to provision identities to on-premises applications. It has no access recertification, and its end user self-service portal is somewhat behind others: End users cannot add their own applications and cannot manage the look and feel of the interface. Administrators cannot define new ad hoc reports. The vendor’s future plans call for device identity-based, risk-based authentication, and expansion into the B2B and partner collaboration IAM ecosystem. ■ SailPoint makes access governance available in its B2E cloud IAM solution. The solution provides nice end user customization capabilities for its SSO web portal, allows a system administrator to manage provisioning policies and periodic attestation campaigns (beyond dashboards) to SaaS and on-premises applications. System administrators currently cannot create ad hoc reports (this is planned), and there is no way to limit who can see which report. Customers said that the solution meets their expectations. The SI partner ecosystem is fairly weak for the solution, and the solution has a small installed base of 47 customer organizations today. SailPoint plans to enhance its encryption and incorporate threat feeds and real-time code analysis and introspection for zero-day threats and a full SSAE16 Type II and SOC 1 certification. ■ Salesforce provides well-rounded capabilities with a powerful admin user interface. Salesforce offers its Salesforce Identity solution for free or at a discount for its CRM and non-CRM clients. It has good capabilities for access policy and detailed provisioning policy management (has a built-in graphical workflow) and end user interface in the mobile application. The solution’s user interface — while capable — is somewhat more complex than other solutions evaluated. Forrester estimates that a surprisingly small team of 15 developers work on the solution, and customer references interviewed by Forrester have not deployed it in production to more than 1,000 users and five applications. Salesforce plans to enhance encryption, expand AppExchange with IAM vendors, and improve risk-based authentication, security analytics, and malware detection.7 ■ Ping Identity offers PingOne bundled with Ping Federate and Ping Access. The solution has a strong partner SI ecosystem and a large developer base of 108. The vendor’s penetration is great in the communications and media, high-tech, and financial services verticals. Clients have deployed the solution into environments with more than 1,000 users and 20 applications, while the largest deployment is 850,000 users and 30 applications. While the PingOne B2E cloud IAM solution’s price includes the bundled Ping Federate and Ping Access products, customers have to install, configure, and maintain these environments to be able to satisfy most of the use
For Security & Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 12 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 cases’ requirements in this evaluation. Ping Identity plans to introduce adaptive authentication, access control, a meta-registry for high scale connection management of federation, identity orchestration, and identity analytics. ■ IBM’s acquisition of Lighthouse Gateway offers a powerful policy management front end. IBM’s Cloud Identity Service solution has versatile access policy management capabilities (it is based on the IBM Security Access Manager ISAM) for not only SaaS but also on-premises web applications — a great benefit to those customers already familiar with IBM’s ISAM and IBM Security Identity Manager products. The solution lacks a graphical workflow, and the mobile application falls behind other vendors. IBM plans to support wizards for setting up federation profiles and setting up a federation marketplace, introduce QuickLaunch (canned modules of repeatable use cases to reduce professional services), integrate with CrossIdeas access governance platform, and offer enhanced mobile support. Contenders Forrester found the following vendor’s solution to lack many of the capabilities of other evaluated solutions, a convincing installed base, and some key functionality other vendors offer: ■ Bitium’s simple solution is tightly architected and exceeds customer expectations. In Forrester’s assessment, this solution has a lot of potential: The vendor is agile, and with only 14 developers created a viable solution. Users can customize the portal with their own application URLs. However, it lacks access management and user account provisioning policy administration capabilities, has no MDM solution of its own, and has no 2FA application of its own or exposed API for integration and policy management. Reporting lags behind other vendors with no custom, ad hoc reports, and only three different types of canned reports. The largest publicly referenceable deployment has only 632 users. The vendor’s plans include: password analysis, credential verification against external systems, support for Docker environments, logging and API enhancements, and hardware security module (HSM) support. Supplemental Material Online Resource The online version of Figure 2 is an Excel-based vendor comparison tool that provides detailed product evaluations and customizable rankings. Data Sources Used In This Forrester Wave Forrester used a combination of four data sources to assess the strengths and weaknesses of each solution:
For Security & Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 13 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 ■ Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation criteria. Once we analyzed the completed vendor surveys, we conducted vendor calls where necessary to gather details of vendor qualifications. ■ Product demos. We asked vendors to conduct demonstrations of their product’s functionality. We used findings from these product demos to validate details of each vendor’s product capabilities. ■ Demonstration environment. Every vendor provided us with independent and unfettered access to the solution in the vendor’s online demonstration environment. We conducted independent tests and reviews of solutions in this environment. ■ Customer reference calls. To validate product and vendor qualifications, Forrester also conducted reference calls with 3 of each vendor’s current customers. The Forrester Wave Methodology We conduct primary research to develop a list of vendors that meet our criteria to be evaluated in this market. From that initial pool of vendors, we then narrow our final list. We choose these vendors based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have limited customer references and products that don’t fit the scope of our evaluation. After examining past research, user need assessments, and vendor and expert interviews, we develop the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria, we gather details of product qualifications through a combination of lab evaluations, questionnaires, demos, and/or discussions with client references. We send evaluations to the vendors for their review, and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies. We set default weightings to reflect our analysis of the needs of large user companies — and/or other scenarios as outlined in the Forrester Wave document — and then score the vendors based on a clearly defined scale. These default weightings are intended only as a starting point, and we encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool. The final scores generate the graphical depiction of the market based on current offering, strategy, and market presence. Forrester intends to update vendor evaluations regularly as product capabilities and vendor strategies evolve. For more information on the methodology that every Forrester Wave follows, go to http://www.forrester.com/marketing/policies/forrester-wave- methodology.html. Integrity Policy All of Forrester’s research, including Waves, is conducted according to our Integrity Policy. For more information, go to http://www.forrester.com/marketing/policies/integrity-policy.html.
For Security & Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 14 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Endnotes 1 For more details on cloud security taxonomy, please see the “An S&R Pro’s Guide To Security To, In, And From The Cloud” Forrester report. 2 For more information, see the “The Forrester Wave™: Identity And Access Management Suites, Q3 2013” Forrester report and see the “The Forrester Wave™: Role Management And Access Recertification, Q3 2011” Forrester report. For problems with on-premises IAM solutions, see the “Wake-Up Call: Poorly Managed Access Rights Are A Breach Waiting To Happen” Forrester report and see the “User Account Provisioning For The Midmarket” Forrester report. 3 For more information, see the “Use Commercial IAM Solutions To Achieve More Than 100% ROI Over Manual Processes” Forrester report. 4 Source: “Native Applications Working Group,” OpenID (http://openid.net/wg/napps/). 5 Also known as work item approval and rejection. 6 For more information, see the “The Forrester Wave™: Risk-Based Authentication, Q1 2012” Forrester report and see the “What You Need To Know About The FIDO Alliance And Its Impact On User Authentication” Forrester report. 7 Encryption is in general availability since the cutoff date.
Forrester Research (Nasdaq: FORR) is a global research and advisory firm serving professionals in 13 key roles across three distinct client segments. Our clients face progressively complex business and technology decisions every day. To help them understand, strategize, and act upon opportunities brought by change, Forrester provides proprietary research, consumer and business data, custom consulting, events and online communities, and peer-to-peer executive programs. We guide leaders in business technology, marketing and strategy, and the technology industry through independent fact-based insight, ensuring their business success today and tomorrow. 113063 Forrester Focuses On Security & Risk Professionals To help your firm capitalize on new business opportunities safely, you must ensure proper governance oversight to manage risk while optimizing security processes and technologies for future flexibility. Forrester’s subject-matter expertise and deep understanding of your role will help you create forward-thinking strategies; weigh opportunity against risk; justify decisions; and optimize your individual, team, and corporate performance. About Forrester A global research and advisory firm, Forrester inspires leaders, informs better decisions, and helps the world’s top companies turn the complexity of change into business advantage. Our research- based insight and objective advice enable IT professionals to lead more successfully within IT and extend their impact beyond the traditional IT organization. Tailored to your individual role, our resources allow you to focus on important business issues — margin, speed, growth — first, technology second. for more information To find out how Forrester Research can help you be successful every day, please contact the office nearest you, or visit us at www.forrester.com. For a complete list of worldwide locations, visit www.forrester.com/about. Client support For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or clientsupport@forrester.com. We offer quantity discounts and special pricing for academic and nonprofit institutions.

More Related Content

PPT
14 agenda setmana 51 6è B 2015-16
by6sise
 
PPTX
Alex Garmash - Промо-Акції
byjnk39
 
PPTX
Estequiometría de las reacciones
byMaxiel Sira
 
DOCX
100127512 crim-pro-cases
byhomeworkping7
 
PPTX
Persebaran flora dan fauna didunia
byYusron Nur Rosyid
 
DOC
Fichamento pedro
bypibidsociais
 
PDF
Pandangan Individu
bySYAZWANI IBRAHIM
 
DOCX
Alt
byWarnet Raha
 
14 agenda setmana 51 6è B 2015-16
by6sise
 
Alex Garmash - Промо-Акції
byjnk39
 
Estequiometría de las reacciones
byMaxiel Sira
 
100127512 crim-pro-cases
byhomeworkping7
 
Persebaran flora dan fauna didunia
byYusron Nur Rosyid
 
Fichamento pedro
bypibidsociais
 
Pandangan Individu
bySYAZWANI IBRAHIM
 
Alt
byWarnet Raha
 

Viewers also liked

PPT
10 agenda setmana 47 6è b 2015-16
by6sise
 
DOCX
Adan
byWarnet Raha
 
PDF
Kandidaatintutkielma_Jesper
byJesper Wallenius
 
PPTX
Rss diapositivas
byJuan Molina
 
PDF
AAD Brochure
byAditya Tekriwal
 
DOCX
101845787 insurance-cases
byhomeworkping7
 
PDF
Jimmy moliona curriculum.
byfranbrito94
 
PPTX
Proyecto Final Virus y Antivirus
byVielka Martinez
 
PPS
Mediastinum (Anatomy of the Thorax)
byDr. Sherif Fahmy
 
PPT
External features of heart
bymgmcri1234
 
DOCX
Survey report on Online Shopping
byShubham Saraf
 
PPT
Vegetable irritant poisoning(castor abrus croton)
byDr. Mohd Kaleem Khan
 
10 agenda setmana 47 6è b 2015-16
by6sise
 
Adan
byWarnet Raha
 
Kandidaatintutkielma_Jesper
byJesper Wallenius
 
Rss diapositivas
byJuan Molina
 
AAD Brochure
byAditya Tekriwal
 
101845787 insurance-cases
byhomeworkping7
 
Jimmy moliona curriculum.
byfranbrito94
 
Proyecto Final Virus y Antivirus
byVielka Martinez
 
Mediastinum (Anatomy of the Thorax)
byDr. Sherif Fahmy
 
External features of heart
bymgmcri1234
 
Survey report on Online Shopping
byShubham Saraf
 
Vegetable irritant poisoning(castor abrus croton)
byDr. Mohd Kaleem Khan
 

Forrester Report

  • 1.
    Forrester Research, Inc.,60 Acorn Park Drive, Cambridge, MA 02140 USA Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com The Forrester Wave™: B2E Cloud IAM, Q2 2015 by Andras Cser and Merritt Maxim, June 29, 2015 For: Security & Risk Professionals Key Takeaways OneLogin And Okta Lead The Pack Forrester’s research uncovered a market in which OneLogin and Okta lead the pack. Centrify, Microsoft, SailPoint, Salesforce, Ping Identity, and IBM offer competitive options. Bitium lags behind. The B2E Cloud IAM Market Is Growing As S&R Pros Look For Simplicity, SSO, And Directory Integration The B2E cloud IAM market is growing because more S&R professionals see IDaaS as a way to address their top IAM challenges without the long deployment times of legacy IAM products. It’s also growing because S&R pros increasingly trust B2E cloud IAM providers to act as a backbone for employee IAM to SaaS and on-premises apps. API Security, Mobile Support, And Installed Base Are Key Differentiators In The B2E Cloud IAM Market Vendors that can provide API security and API-based integration for the Internet of Things and mobile single sign-on and who can grow their installed base faster position themselves to successfully deliver faster IAM to value to their customers. Access The Forrester Wave Model For Deeper Insight Use the detailed Forrester Wave model to view every piece of data used to score participating vendors and create a custom vendor shortlist. Access the report online and download the Excel tool using the link in the right-hand column under “Tools & Templates.” Alter Forrester’s weightings to tailor the Forrester Wave model to your specifications.
  • 2.
    © 2015, ForresterResearch, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester® , Technographics® , Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email clientsupport@forrester.com. For additional information, go to www.forrester.com. For Security & Risk Professionals Why Read This Report In Forrester’s 17-criteria evaluation of B2E cloud identity and access management (IAM) vendors, we identified the nine most significant SaaS providers in the category — Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity, SailPoint, and Salesforce — and researched, analyzed, and scored them. This report details our findings about how well each vendor fulfills our criteria and where they stand in relation to each other to help security and risk (S&R) professionals select the right partner for their B2E cloud IAM, also known as identity-as-a-service (IDaaS), needs. Table Of Contents Cloud IAM Reduces Complexity And Cost, Removes Barriers To Adoption Two Types Of Vendor Offerings Compete For Your Attention An SSO Portal, SAML Support, And Mobile Access Support Are Table Stakes Features Vendors’ Future Plans Include Provisioning And Access Governance B2E Cloud IAM Evaluation Overview Evaluation Criteria: Current Offering, Strategy, And Market Presence Included Vendors Offer Cloud IAM As A True SaaS Service And AD Authentication OneLogin And Okta Lead The Pack Vendor Profiles Leaders Strong Performers Contenders Supplemental Material Notes & Resources Forrester conducted product evaluations in March 2015 and interviewed 36 vendor and user companies, including Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity, SailPoint, and Salesforce. Related Research Documents Brief: Top 10 IAM Trends From The RSA Conference 2015 The Forrester Wave™: Identity And Access Management Suites, Q3 2013 The Forrester Wave™: Risk-Based Authentication, Q1 2012 The Forrester Wave™: B2E Cloud IAM, Q2 2015 The Nine Providers That Matter Most And How They Stack Up by Andras Cser and Merritt Maxim with Stephanie Balaouras, Josh Blackborow, and Peggy Dostie 2 3 7 5 10 12 June 29, 2015
  • 3.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 2 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Cloud IAM Reduces Complexity And Cost, Removes Barriers To Adoption In our Forrester Wave evaluation and conversations with S&R pros and vendors, Forrester found that B2E cloud IAM has completely transformed the IAM market landscape. Why? It’s because cloud IAM: ■ Allows S&R pros to manage employee identities across cloud environments. As both business and technology leaders have eagerly adopted software-as-a-service (SaaS) such as Salesforce, ServiceNow, and Workday, the task of managing identities and controlling access to some of the firm’s most sensitive data fell to the security team.1 Luckily, cloud IAM came to the rescue: Not only did it provide a unified view of user access to SaaS applications but it also provided a single portal for employees to access these SaaS applications. ■ Limits complexity of IAM solutions. Historically, when S&R pros sought to deploy an on-premises IAM solution, they insisted on solutions that could support 100% of their brick-and-mortar legacy requirements.2 This resulted in implementations with a high degree of customization and, of course, cost; stories of IAM projects turning into mini ERP projects deterred firms from building out IAM solutions in earnest. Cloud IAM challenged this mentality and ultimately succeeded in changing the deployment approach. From the beginning, cloud IAM vendors started out with a simple set of capabilities: those focused on offering employee single sign-on (SSO) into SaaS applications. As the only real viable option for managing access across these cloud apps, S&R pros had to accept a simpler approach that focused on essential requirements. ■ Reduces license and ongoing maintenance costs. Many vendors offer pay-as-you-go and metered pricing models, which means that S&R pros are not hit by large, upfront per-user perpetual license costs. It also offers flexibility; S&R pros can scale the number of users and applications up or down as needed during their contract with the vendor. In addition, because security teams need only manage IAM policies and are no longer encumbered with the operational responsibilities of maintaining the solution itself, they need far fewer employees for maintenance.3 For many small and medium businesses that can’t afford four to five employees to support an on-premises IAM solution, cloud IAM is the answer. Even large enterprises are evaluating cloud IAM solutions in the hopes of converting spend from capex to opex. ■ Offers support for legacy apps on-premises as well as for SaaS applications. Provisioning and controlling access to cloud applications is but one challenge. S&R pros must still manage IAM for a plethora of legacy on-premises apps. Vendors have listened: Now they offer an on- premises component as part of their cloud IAM solution so that S&R pros can enable employees to authenticate against Active Directory (AD) on-premises and access on-premises applications without having to use the VPN. However, in customer interviews, Forrester found that today 20% of organizations use IDaaS for IAM to on-premises applications, while 80% organizations use IDaaS to manage access to SaaS applications.
  • 4.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 3 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 ■ Supports SSO from and on mobile devices cost-effectively. S&R pros have to provide a repeatable security framework for their developers so that they can focus on achieving the business goals of their custom mobile applications and not have to worry about details of mobile application SSO and even management. Cloud IAM vendors recognized this need and now provide basic enterprise mobility management solutions (similar to mobile device management and mobile application management), as well as simple SSO for mobile applications, built on the emerging OpenID-based Native Applications Working Group (NAPPS) standard.4 Two Types Of Vendor Offerings Compete For Your Attention This Forrester Wave focuses on business-to-enterprise (B2E) cloud IAM solutions. These solutions provide access to SaaS applications and on-premises legacy web applications for the enterprise workforce (e.g., employees and contractors). When evaluating the B2E cloud IAM vendor landscape, Forrester found that solutions bifurcate into two types of offerings: ■ Vendors with an on-premises IAM pedigree offer capable B2E cloud IAM solutions. IBM, Microsoft, and Ping Identity built cloud front ends to their existing, robust, and capable on- premises IAM solutions. Although these solutions provide very extensive policy authoring features, especially for access management, they require a somewhat larger effort to initially implement and maintain. ■ Born-in-the-cloud B2E cloud IAM vendors offer simple and faster-to-implement solutions. Bitium, Centrify, Okta, OneLogin, and Salesforce solutions were born in the cloud and don’t have any background in on-premises solutions. As a result, solutions of this type may not offer the same depth of policy management capabilities that the on-premises pedigree vendors do. There are, of course, exceptions in every category: SailPoint developed its solution for the cloud, but it also contains intellectual property from the company’s on-premises IdentityIQ access governance product. Forrester evaluated both of these types of vendors in this Forrester Wave because our clients frequently ask us about and evaluate both types of vendors. An Sso Portal, Saml Support, And Mobile Access Support Are Table Stakes Features During the Forrester Wave evaluation, Forrester identified several nondifferentiating solution features. All evaluated vendors: ■ Provide a cloud-based portal for employees to access SaaS applications. With VPN use decreasing, all B2E cloud IAM solutions offer a portal that employees can access with their AD credentials. In the portal, they see icons for every SaaS application they are authorized to access as part of their job. Group information from the user store can drive which applications users have access to.
  • 5.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 4 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 ■ Allow S&R pros to install an optional on-premises agent for the user store. All solutions we evaluated have either: 1) a Windows service component that S&R pros need to install AD in domain controllers or 2) an identity router that they need to put into the demilitarized zone (DMZ). These components allow for: 1) reading user passwords from AD and 2) the cloud IAM solution writing changed passwords to AD when users reset or change their passwords. ■ Offer bidirectional SAML SSO and single logout support. All evaluated vendors offer inbound and outbound SAML (consumer and producer) with support for custom attribute value injection into the SAML assertion from the identity provider (IdP). All solutions support the concept of a URL for single logout to terminate the user’s session. ■ Provide native iOS and Android mobile applications for login and 2FA. B2E cloud IAM solutions offer optional mobile applications for: 1) storing AD credentials that enable the user to establish a PIN code and allow users to log into their SaaS applications from the mobile device and 2) two-factor authentication (2FA) for step-up or greater strength authentication into sensitive, high-risk applications. Many of the vendors’ mobile applications provide support for forgotten password recovery and limited device management as well. Vendors’ Future Plans Include Provisioning And Access Governance While examining the solutions and vendor road maps for this Forrester Wave, Forrester found that vendors have plans for the following common enhancements: ■ Extended provisioning for both cloud and on-premises apps. Today’s cloud IAM solution support for SaaS and on-premises business application provisioning is simplistic. It usually involves the System for Cross-domain Identity Management (SCIM, also known as “Simple Cloud Identity Management”) or Security Assertion Markup Language (SAML) Just-in-Time (JIT) standards-based provisioning of users. However, the IDaaS solutions today do not offer fine-grained entitlement support provisioning in a separate user authorization store and usually do not automatically deprovision users. Similarly, these processes are not as robust when it comes to removing or deprovisioning access as it often has to be done manually. ■ Built-in support for attestation campaigns. With the exception of SailPoint, today’s cloud IAM solutions have only zero-to-minimal attestation campaign management and true enterprise business role-mining for access governance. Forrester expects that future solutions will increasingly incorporate these requirements. ■ Access request management workflow. Today’s fine-grained application access request management workflow capabilities in cloud IAM solutions are limited and are not on par with on-premises identity management platforms.5 Forrester expects that vendors will greatly expand graphical workflow design (similar to what is already available in IBM Cloud Identity Service) and selection of approvers and approval types (quorum, sequential optional, etc.).
  • 6.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 5 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 ■ User store support for IaaS workloads. Today’s user stores in cloud IAM solutions are only for managing access to the cloud IAM portal itself; they provide no capabilities to manage access to workloads in IaaS applications. In this case, cloud IAM vendors need to provide robust AD-like directory services. While Amazon Web Services (AWS) and JumpCloud offer this capability today, Forrester expects that leading cloud IAM vendors will support this requirement in the future. ■ Extensive mobile app access management with risk-based authentication. While Centrify, IBM, and Microsoft offer bundled enterprise mobility management solutions with their cloud IAM, Forrester expects that vendors will implement risk-based authentication capabilities complete with risk scoring that support desktops and mobile devices. Vendors are also working on creating a cross-mobile application SSO using the OpenID Connect NAPPS standard, and increasingly looking at the FIDO UAF specification to separate the business process from the registration and authentication logic in an application.6 B2E Cloud IAM Evaluation Overview To assess the state of the B2E cloud IAM market and see how the vendors stack up against each other, Forrester evaluated the strengths and weaknesses of B2E cloud IAM vendors. Evaluation Criteria: Current Offering, Strategy, And Market Presence After examining past research, user need assessments, and vendor and expert interviews, Forrester developed a comprehensive set of evaluation criteria which we grouped into three high-level buckets: ■ Current offering. We evaluated how well solutions provide: 1) user directory support; 2) access management policy administration; 3) user account provisioning policy administration; 4) end user self-services from the solution’s web portal; 5) end user self-services from the solution’s mobile application; 6) API security and solution APIs; and 7) reporting and scalability. We also evaluated the overall complexity of solutions. ■ Strategy. We reviewed each vendor’s strategy to determine vendor differentiation in: 1) future product development and market plans; 2) customer satisfaction with the solution; 3) security implementation services and OEM partnerships; 4) development, sales, and technical support staffing; 5) pricing flexibility and transparency; and 6) customer reference scale and coverage. ■ Market presence. To determine market presence, we considered the vendors’: 1) revenue; 2) installed base; and 3) vertical and geographic presence of the evaluated vendor’s cloud IAM solution.
  • 7.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 6 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Included Vendors Offer Cloud Iam As A True Saas Service And Ad Authentication In a very crowded market of IDaaS vendors, Forrester included nine vendors in the assessment: Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity, SailPoint, and Salesforce. Each of these vendors had on or before December 16, 2014 (see Figure 1): ■ A productized and publicly announced, true multitenant SaaS B2E cloud IAM offering. The vendor should have an announced, true multitenant SaaS (not hosted service) B2E cloud IAM offering. In Forrester’s and its clients’ assessment, the cloud IAM solution should have a primary focus on IAM for enterprise (internal employee) types of users. The vendor should have a strategy focus on the B2E cloud IAM solution, which should not be a “me too” checkbox solution in the vendor’s solution portfolio. ■ A B2E cloud IAM offering capable of authenticating users against on-premises AD. The solution should be able to manage and authenticate users against an on-premises AD user store. ■ At least $1 million in B2E cloud IAM subscription revenues in 2014. The vendor should have at least $1 million in true, B2E cloud IAM subscription revenues. Hosted IAM solutions do not count against this number. ■ At least 40 paying customer organizations in production. The B2E cloud IAM offering should have at least 40 paying customer organizations in production at the cutoff date. ■ A mindshare with Forrester’s customers on inquiries. Customers should mention the vendor’s name in an unaided context (“We looked at the following vendors for B2E cloud IAM”) on Forrester’s inquiries and other interactions. ■ A mindshare with other B2E cloud IAM competitive vendors. When Forrester asks other vendors about their competition on briefings, inquiries, and other interactions, other vendors should mention the vendor as a real competitor in the B2E cloud IAM market space. Forrester invited CA Technologies, Dell, ForgeRock, Gemalto, JumpCloud, Microfocus/NetIQ, Oracle, RadiantLogic, RSA, SecureAuth, and SwivelSecure to this Forrester Wave, but these vendors opted out.
  • 8.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 7 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Figure 1 Evaluated Vendors: Product Information And Selection Criteria Source: Forrester Research, Inc. Unauthorized reproduction, citation, or distribution prohibited. Vendor Bitium Centrify IBM Microsoft Okta OneLogin Ping Identity SailPoint Salesforce Product evaluated Bitium Enterprise Centrify User Suite IBM Cloud Identity Service Microsoft Enterprise Mobility Suite Okta Identity Management and Mobility Management Service OneLogin PingOne SailPoint IdentityNow Salesforce Identity Vendor selection criteria Has a productized and publicly announced, true multitenant SaaS B2E cloud IAM offering. Has a B2E cloud IAM offering capable of authenticating users against on-premises AD. Had at least $1 million in B2E cloud IAM subscription revenues in 2014. Has at least 40 paying customer organizations in production. Has mindshare with Forrester’s customers on inquiries. Has mindshare with other B2E cloud IAM competitive vendors. OneLogin And Okta Lead The Pack The evaluation uncovered a market in which (see Figure 2): ■ OneLogin and Okta lead the pack. These vendors demonstrated broad capabilities for user directory support, access policy administration, and a large catalog for supported SaaS applications. They have also shown relative simplicity among the evaluated offerings and have a large installed base. ■ Centrify, Microsoft, SailPoint, Salesforce, Ping Identity, and IBM offer competitive options. These vendors offer credible and robust offerings and outstanding future road maps for the
  • 9.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 8 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 solution. Their solution complexity, customer satisfaction, customer reference scale, and coverage of implementation (in different combinations for different vendors) may be behind those of the Leaders. ■ Bitium lacks broad installed base but has potential. While showing a lot of promise for the future for a small company with only a handful of developers and sales people, offering a very simple and easy-to-use solution, Bitium today lacks a notable installed base, broad coverage of verticals, support for APIs, and end user self-service from the portal. This evaluation of the B2E cloud IAM market is intended to be a starting point only. We encourage clients to view detailed product evaluations and adapt criteria weightings to fit their individual needs through the Forrester Wave Excel-based vendor comparison tool. Figure 2 Forrester Wave™: B2E Cloud IAM, Q2 ‘15 Source: Forrester Research, Inc. Unauthorized reproduction, citation, or distribution prohibited. Risky Bets Contenders Leaders Strong Performers StrategyWeak Strong Current offering Weak Strong Go to Forrester.com to download the Forrester Wave tool for more detailed product evaluations, feature comparisons, and customizable rankings. Market presence Bitium Centrify IBM Microsoft Okta OneLogin Ping Identity SailPoint Salesforce
  • 10.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 9 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Figure 2 Forrester Wave™: B2E Cloud IAM, Q2 ‘15 (Cont.) Source: Forrester Research, Inc. Unauthorized reproduction, citation, or distribution prohibited. CURRENT OFFERING User directory support Access management policy administration User account provisioning policy administration End user self-service from the solution’s web portal End user self-service from the solution’s purpose-built, vendor-supplied mobile application API security and solution APIs Reporting and scalability Overall solution complexity STRATEGY Future development and market plans for cloud IAM and technology Customer satisfaction Security services and OEM partners Development, sales, and technical support staffing Pricing flexibility and transparency Customer reference scale and coverage MARKET PRESENCE Revenue Installed base Verticals and geographies Forrester’s Weighting 50% 14% 14% 12% 12% 12% 12% 12% 12% 50% 35% 25% 10% 10% 10% 10% 0% 33% 33% 33% 1.88 3.00 1.00 1.00 3.00 1.00 0.00 1.00 5.00 1.75 1.00 4.00 0.00 1.00 2.00 1.00 1.33 1.00 1.00 2.00 2.86 2.00 3.00 0.00 4.00 5.00 1.00 4.00 4.00 4.10 4.00 4.00 5.00 5.00 3.00 4.00 2.67 1.00 4.00 3.00 2.18 3.00 4.00 2.00 3.00 1.00 0.00 2.00 2.00 3.60 5.00 3.00 3.00 2.00 3.00 3.00 3.33 4.00 3.00 3.00 3.02 3.00 4.00 1.00 2.00 4.00 3.00 3.00 4.00 3.40 2.00 4.00 4.00 5.00 3.00 5.00 4.00 4.00 5.00 3.00 3.52 5.00 3.00 2.00 3.00 5.00 3.00 2.00 5.00 3.85 3.00 4.00 5.00 4.00 4.00 5.00 3.33 3.00 5.00 2.00 3.80 5.00 5.00 2.00 4.00 3.00 3.00 3.00 5.00 3.50 4.00 4.00 3.00 2.00 3.00 3.00 4.00 4.00 5.00 3.00 2.62 3.00 2.00 1.00 4.00 3.00 3.00 3.00 2.00 3.20 3.00 3.00 4.00 4.00 3.00 3.00 2.67 2.00 3.00 3.00 2.76 3.00 3.00 3.00 4.00 3.00 0.00 2.00 4.00 3.35 4.00 3.00 1.00 4.00 3.00 4.00 2.33 3.00 1.00 3.00 3.26 3.00 4.00 3.00 1.00 4.00 5.00 4.00 2.00 2.70 3.00 3.00 2.00 3.00 3.00 1.00 2.67 2.00 2.00 4.00 All scores are based on a scale of 0 (weak) to 5 (strong). Bitium Centrify IBM Microsoft Okta OneLogin PingIdentity SailPoint Salesforce
  • 11.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 10 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Vendor Profiles Leaders Leaders provide an overall a great solution with broad installed bases and credible solution features: ■ OneLogin is a thought leader in authentication with plans to extend mobility support. The solution is much less complex than other solutions evaluated in this Forrester Wave. It has outstanding support for user directory configuration and integration, access management policy administration, and end user self-service from the portal. The solution today lacks in user provisioning policy administration, and the vendor does not have its own MDM solution. Future plans of the vendor include: 1) developing mobile native SSO (NAPPS) and NAPPS toolkits; 2) desktop and device authentication support; 3) enterprise mobile management support; 4) third-party biometrics support; and 5) risk-based application access controls. ■ Okta has a large installed base, extensive mobility support, with plans for identity intelligence. The solution is much less complex than other solutions evaluated in this Forrester Wave. It has great capabilities for managing and integrating user directories, and end user self- service from the solution mobile interface (Okta offers its own MDM capabilities). The vendor has a large and powerful partner ecosystem for implementation and a large installed base of 1,250 direct customers. The solution lacks in the areas of reporting and scalability and user account provisioning policy management. Forrester expects that the future plans of the vendor include adaptive authentication, identity intelligence, ability to deploy in isolated instances, enhanced mobility management, and passwordless authentication. Strong Performers These vendors offer robust and credible solutions but are behind Leaders in the areas of mobility support, installed base, and partner ecosystems: ■ Centrify is strong in MDM, dashboards, and reporting. Centrify’s solution excels in the areas of end user self-service from the mobile application (Centrify provides its own MDM solution, bundled) and reporting: The solution has nice dashboards and 49 built-in reports. It lacks features in user directory support: Centrify does provide a standalone cloud directory, but does not support synchronization of attributes with the user’s on-premises user store to the cloud directory. (Instead it maintains access to user attributes only in the on-premises user store. This is by design.) While it does provide provisioning for cloud applications, it lacks user account provisioning for on-premises applications as well as attestation and workflow. Centrify’s plans include privileged IAM as a SaaS offering, managed security provider features, automated password management, private (single tenant) pods and podscapes, and FedRAMP certification.
  • 12.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 11 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 ■ Microsoft has finally ventured into IAM in earnest with Azure AD Premium. The solution has great capabilities in access policy administration, provides bundled MDM capabilities (Intune), and a nice end user interface in the mobile application. The solution has a large SI ecosystem and a large population estimated at 300 employees working on the development of the solution. It requires the bundled Forefront Identity Manager to provision identities to on-premises applications. It has no access recertification, and its end user self-service portal is somewhat behind others: End users cannot add their own applications and cannot manage the look and feel of the interface. Administrators cannot define new ad hoc reports. The vendor’s future plans call for device identity-based, risk-based authentication, and expansion into the B2B and partner collaboration IAM ecosystem. ■ SailPoint makes access governance available in its B2E cloud IAM solution. The solution provides nice end user customization capabilities for its SSO web portal, allows a system administrator to manage provisioning policies and periodic attestation campaigns (beyond dashboards) to SaaS and on-premises applications. System administrators currently cannot create ad hoc reports (this is planned), and there is no way to limit who can see which report. Customers said that the solution meets their expectations. The SI partner ecosystem is fairly weak for the solution, and the solution has a small installed base of 47 customer organizations today. SailPoint plans to enhance its encryption and incorporate threat feeds and real-time code analysis and introspection for zero-day threats and a full SSAE16 Type II and SOC 1 certification. ■ Salesforce provides well-rounded capabilities with a powerful admin user interface. Salesforce offers its Salesforce Identity solution for free or at a discount for its CRM and non-CRM clients. It has good capabilities for access policy and detailed provisioning policy management (has a built-in graphical workflow) and end user interface in the mobile application. The solution’s user interface — while capable — is somewhat more complex than other solutions evaluated. Forrester estimates that a surprisingly small team of 15 developers work on the solution, and customer references interviewed by Forrester have not deployed it in production to more than 1,000 users and five applications. Salesforce plans to enhance encryption, expand AppExchange with IAM vendors, and improve risk-based authentication, security analytics, and malware detection.7 ■ Ping Identity offers PingOne bundled with Ping Federate and Ping Access. The solution has a strong partner SI ecosystem and a large developer base of 108. The vendor’s penetration is great in the communications and media, high-tech, and financial services verticals. Clients have deployed the solution into environments with more than 1,000 users and 20 applications, while the largest deployment is 850,000 users and 30 applications. While the PingOne B2E cloud IAM solution’s price includes the bundled Ping Federate and Ping Access products, customers have to install, configure, and maintain these environments to be able to satisfy most of the use
  • 13.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 12 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 cases’ requirements in this evaluation. Ping Identity plans to introduce adaptive authentication, access control, a meta-registry for high scale connection management of federation, identity orchestration, and identity analytics. ■ IBM’s acquisition of Lighthouse Gateway offers a powerful policy management front end. IBM’s Cloud Identity Service solution has versatile access policy management capabilities (it is based on the IBM Security Access Manager ISAM) for not only SaaS but also on-premises web applications — a great benefit to those customers already familiar with IBM’s ISAM and IBM Security Identity Manager products. The solution lacks a graphical workflow, and the mobile application falls behind other vendors. IBM plans to support wizards for setting up federation profiles and setting up a federation marketplace, introduce QuickLaunch (canned modules of repeatable use cases to reduce professional services), integrate with CrossIdeas access governance platform, and offer enhanced mobile support. Contenders Forrester found the following vendor’s solution to lack many of the capabilities of other evaluated solutions, a convincing installed base, and some key functionality other vendors offer: ■ Bitium’s simple solution is tightly architected and exceeds customer expectations. In Forrester’s assessment, this solution has a lot of potential: The vendor is agile, and with only 14 developers created a viable solution. Users can customize the portal with their own application URLs. However, it lacks access management and user account provisioning policy administration capabilities, has no MDM solution of its own, and has no 2FA application of its own or exposed API for integration and policy management. Reporting lags behind other vendors with no custom, ad hoc reports, and only three different types of canned reports. The largest publicly referenceable deployment has only 632 users. The vendor’s plans include: password analysis, credential verification against external systems, support for Docker environments, logging and API enhancements, and hardware security module (HSM) support. Supplemental Material Online Resource The online version of Figure 2 is an Excel-based vendor comparison tool that provides detailed product evaluations and customizable rankings. Data Sources Used In This Forrester Wave Forrester used a combination of four data sources to assess the strengths and weaknesses of each solution:
  • 14.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 13 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 ■ Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation criteria. Once we analyzed the completed vendor surveys, we conducted vendor calls where necessary to gather details of vendor qualifications. ■ Product demos. We asked vendors to conduct demonstrations of their product’s functionality. We used findings from these product demos to validate details of each vendor’s product capabilities. ■ Demonstration environment. Every vendor provided us with independent and unfettered access to the solution in the vendor’s online demonstration environment. We conducted independent tests and reviews of solutions in this environment. ■ Customer reference calls. To validate product and vendor qualifications, Forrester also conducted reference calls with 3 of each vendor’s current customers. The Forrester Wave Methodology We conduct primary research to develop a list of vendors that meet our criteria to be evaluated in this market. From that initial pool of vendors, we then narrow our final list. We choose these vendors based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have limited customer references and products that don’t fit the scope of our evaluation. After examining past research, user need assessments, and vendor and expert interviews, we develop the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria, we gather details of product qualifications through a combination of lab evaluations, questionnaires, demos, and/or discussions with client references. We send evaluations to the vendors for their review, and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies. We set default weightings to reflect our analysis of the needs of large user companies — and/or other scenarios as outlined in the Forrester Wave document — and then score the vendors based on a clearly defined scale. These default weightings are intended only as a starting point, and we encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool. The final scores generate the graphical depiction of the market based on current offering, strategy, and market presence. Forrester intends to update vendor evaluations regularly as product capabilities and vendor strategies evolve. For more information on the methodology that every Forrester Wave follows, go to http://www.forrester.com/marketing/policies/forrester-wave- methodology.html. Integrity Policy All of Forrester’s research, including Waves, is conducted according to our Integrity Policy. For more information, go to http://www.forrester.com/marketing/policies/integrity-policy.html.
  • 15.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 14 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Endnotes 1 For more details on cloud security taxonomy, please see the “An S&R Pro’s Guide To Security To, In, And From The Cloud” Forrester report. 2 For more information, see the “The Forrester Wave™: Identity And Access Management Suites, Q3 2013” Forrester report and see the “The Forrester Wave™: Role Management And Access Recertification, Q3 2011” Forrester report. For problems with on-premises IAM solutions, see the “Wake-Up Call: Poorly Managed Access Rights Are A Breach Waiting To Happen” Forrester report and see the “User Account Provisioning For The Midmarket” Forrester report. 3 For more information, see the “Use Commercial IAM Solutions To Achieve More Than 100% ROI Over Manual Processes” Forrester report. 4 Source: “Native Applications Working Group,” OpenID (http://openid.net/wg/napps/). 5 Also known as work item approval and rejection. 6 For more information, see the “The Forrester Wave™: Risk-Based Authentication, Q1 2012” Forrester report and see the “What You Need To Know About The FIDO Alliance And Its Impact On User Authentication” Forrester report. 7 Encryption is in general availability since the cutoff date.
  • 16.
    Forrester Research (Nasdaq:FORR) is a global research and advisory firm serving professionals in 13 key roles across three distinct client segments. Our clients face progressively complex business and technology decisions every day. To help them understand, strategize, and act upon opportunities brought by change, Forrester provides proprietary research, consumer and business data, custom consulting, events and online communities, and peer-to-peer executive programs. We guide leaders in business technology, marketing and strategy, and the technology industry through independent fact-based insight, ensuring their business success today and tomorrow. 113063 Forrester Focuses On Security & Risk Professionals To help your firm capitalize on new business opportunities safely, you must ensure proper governance oversight to manage risk while optimizing security processes and technologies for future flexibility. Forrester’s subject-matter expertise and deep understanding of your role will help you create forward-thinking strategies; weigh opportunity against risk; justify decisions; and optimize your individual, team, and corporate performance. About Forrester A global research and advisory firm, Forrester inspires leaders, informs better decisions, and helps the world’s top companies turn the complexity of change into business advantage. Our research- based insight and objective advice enable IT professionals to lead more successfully within IT and extend their impact beyond the traditional IT organization. Tailored to your individual role, our resources allow you to focus on important business issues — margin, speed, growth — first, technology second. for more information To find out how Forrester Research can help you be successful every day, please contact the office nearest you, or visit us at www.forrester.com. For a complete list of worldwide locations, visit www.forrester.com/about. Client support For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or clientsupport@forrester.com. We offer quantity discounts and special pricing for academic and nonprofit institutions.