Magic Quadrant for User Provisioning, 1H06
Gartner RAS Core Research Note G00138621, Roberta J. Witty, Ant Allan, Ray Wagner, 25 April 2006 R1816 05012007
User-provisioning implementations are increasing due to regulatory compliance needs. Enhancements in role management, reporting, industry support and products for small and midsize businesses are required. Expansion to other identity and access management markets is crucial for pure-play survival.
WHAT YOU NEED TO KNOW
User-provisioning (UP) implementations are growing in number and complexity, largely because of regulatory pressures. Gartner estimates that there are approximately 1,200 production deployments that are significant: These implementations are enterprisewide, and they use multiple connectors, workflow and approval processing. Most implementations are in enterprises with workforce head counts of 5,000 and larger. Implementations in enterprises with smaller workforces are new, most within the past 12 months, as they too feel regulatory compliance pressures. As one customer reference stated, "When you screw it up, everyone knows because nothing works; but when you do it right, no one notices because access is seamless." The following messages were consistently heard about successful and unsuccessful UP projects and act as advice directly from deployed production customers:
Two fundamentally different approaches to solving the security administration problem are the UP (middleware) approach and the enterprise access management approach. All vendors, except Microsoft, are taking the middleware approach, which addresses the management of the complex authentication environment (for example, a user ID on every unique target system used by the enterprise) that has evolved during the past 20 years with the growth of computing platforms other than the mainframe. On the other hand, Microsoft and its partners are solving the enterprise access management problems - authentication and authorization as well as user account management. As long as enterprises are willing to make Active Directory their central authentication service (a result that will take many years for most enterprises) and rely on the access control infrastructure of the Windows server, fewer user IDs will be needed, and those that remain can be managed as an Active Directory account. This approach does not preclude the use of non-Microsoft development platforms because Microsoft partners, such as Centrify and Quest Software, are building tools to provide the translation of Unix, Linux, Mac OS, VMware, WebSphere, WebLogic, JBoss and Apache accounts so that they can be managed as Active Directory accounts. Microsoft Identity Integration Server (MIIS) is required to provision user accounts and synchronize user profile information between target systems (until such time that only one Active Directory user account is needed), and additional components, such as BizTalk for workflow and partner products, are required. Gemini, the next release of MIIS in the second half of 2007, will integrate the ability to perform complex workflows. To fully support the heterogeneous IT infrastructure and see this approach grow, Microsoft's partners need to expand into the legacy environment with mainframe, iSeries and relational database management system (RDBMS) support.
Microsoft is also keen to solve the authorization problem. It has had the "plumbing" (Authorization Manager, commonly known as AzMan) for some time, and we expect it to focus more on this in the future. Active Directory wasn't designed for real-time application authorization access, so Microsoft has kept application authorization access out of Active Directory for the most part. AzMan is a way to externalize an application's authorization requirements using XML. One of AzMan's deployment alternatives is to keep this in Active Directory, but Active Directory isn't required - Active Directory in this case is just a potential repository. This means that Microsoft would:
Clearly, this is a lot to accomplish - especially No. 3 - but no other vendor is in a position to pull this off; perhaps Oracle or Sun could, but they would need a very aggressive road map to do so and could not force Oracle Internet Directory (OID) or Sun ONE Directory Server as the central authentication service. The enterprise access management approach is not for everyone, especially if enterprises have a need right now for managing and reporting on the messy, complex user accounts environment that currently exists. This approach is also not for those enterprises that want to maintain an "open" authentication and authorization infrastructure. However, even though there are many components to assemble with the Microsoft enterprise access management approach, all customers spoken to that have taken this approach report a much less expensive implementation. Lower cost and the growth of Active Directory as the central enterprise authentication service will make this approach a compelling choice within the next 24 months.
No enterprise should choose any vendor and product based solely on one criterion. Therefore, choosing a UP vendor should not be based solely on the quadrant in which the vendor is placed. A number of evaluation criteria might not make the leader as attractive as a challenger or niche player. These criteria could include:
Document and prioritize your overall evaluation criteria (not just product requirements) before choosing a vendor.
STRATEGIC PLANNING ASSUMPTIONS
By 2008, investments in user-provisioning solutions will increase 60 percent to address regulatory compliance requirements (0.8 probability).
User-provisioning products will continue to be used to manage and report on internal user access through 2010 (0.8 probability).
By 2008, only 10 percent of enterprises will require support for incoming (from a target system to the user provisioning product) SPML requests (0.7 probability).
MAGIC QUADRANT
Market Overview
UP is one product market in Gartner's definition of the IAM product area. IAM solutions solve two main functions: administration of user attributes, credentials and privileges; and real-time enforcement of assigned privileges. UP solutions are the main engine in support of administration activities, and Web access management (WAM) solutions - Gartner recently renamed this market from extranet access management (EAM) - are the main engine in support of real-time enforcement activities. Both tools are used to address the broader identity management (IdM) goals of the enterprise. In this Magic Quadrant, Gartner ranks vendors based on product capability and market performance through March 2006. This Magic Quadrant considers which vendors will likely dominate sales and influence technology directions through 2006, as well as which vendors are most visible among clients, generate the greatest number of requests for information and contract review, and account for the most new and ongoing installations in Gartner's client base.
Market Definition/Description
UP solutions address the enterprise's need to administer (create, modify, disable and delete) the following identity objects across the heterogeneous IT system infrastructure environment (operating systems, databases, directories, business applications and security systems):
Ensuring a complete audit trail of administration activities associated with each of these objects, and reporting on these activities for compliance purposes - regulatory, internal and business relationship - are also key activities that are required for a successful IdM project and process. Gartner distinguishes an IAM suite vendor from a pure-play UP vendor. An IAM suite vendor is one that has, at a minimum, both UP and WAM products. Common additional IAM components to a suite can include federated identity management (FIM), enterprise single sign-on (ESSO), and audit and compliance reporting. Rarely does an IAM suite vendor have a strong authentication product, preferring to partner with those vendors rather than owning them. This Magic Quadrant does not focus only on core UP capabilities (for example, connector breadth, delegated administration, self-service, HR application support), because some of these capabilities are largely commoditized with little differentiation between the products. Rather, the additional focus of this Magic Quadrant is in two areas:
Inclusion and Exclusion Criteria
Inclusion Criteria
UP vendors were considered for the document under the following conditions:
Exclusion Criteria
UP vendors that were not included in this Magic Quadrant might have been excluded for one or more of the following conditions:
Vendors not included in the Magic Quadrant but worthy of mention are:
Added
This is the first UP Magic Quadrant. Therefore, all vendors are considered new.
Dropped
Not applicable.
Evaluation Criteria
Ability to Execute
Gartner considers the UP market to be a maturing market. Therefore, many Ability to Execute subcriteria were ranked, but the following most influenced our ratings.
Product/Service
Sales Execution/Pricing
Completeness of Vision
Completeness of vision for this Magic Quadrant has two main focuses: UP vendors are looking outside of the core IT account marketplace and integrating with the broader provisioning capabilities of the enterprise (for example, asset management, software distribution, facilities management, vertical markets), and they are broadening their sales channel by working with SIs and other partners. Again, because the UP market is considered a maturing market by Gartner, many Completeness of Vision subcriteria were ranked, but the following most influenced our ratings.
Market Understanding
Sales Strategy
Vertical/Industry Strategy
Geographic Strategy
Leaders
Leaders demonstrate balanced progress and effort in all execution and vision categories. Their actions raise the competitive bar for all products in the market, and they can change the course of the industry. A leading vendor is not a default choice for every buyer, and clients are warned not to assume that they should buy only from the Leaders quadrant. Some clients may actually feel that leaders are spreading efforts too thinly and not pursuing their special needs. Sun Microsystems and IBM Tivoli have dominated the UP market for the past two years. Of all the UP vendors, they have the largest installed bases, and they have leading product capabilities. Also, they both have strong sales and marketing teams that have made them the winners they are. Oracle now has an extremely strong UP product through the Thor Technologies acquisition and the organizational force behind it, so that it will be the IAM force to be reckoned with. Thor on its own could not have achieved the same success.
Challengers
Challengers have solid products that address the typical needs of the UP market, with strong sales, visibility and clout that add up to higher execution than niche players. Challengers are good at winning contracts, but they do so by competing on basic functions rather than on advanced features. Challengers are efficient and expedient choices for narrowly defined access problems. Many clients consider challengers to be the conservative safe alternative to niche players. Challengers in this Magic Quadrant all have strong product capabilities, but they have fewer production deployments than the leaders. Their business model, overall product strength, marketing strategy and business partnerships vary and, hence, have kept them from breaking into the Leaders quadrant. Courion has demonstrated consistent vision and execution in meeting the needs of the UP market, especially in the area of role management. Beta Systems, BMC Software, CA and Novell have been in the UP market for some time and have been making steady progress, albeit with a bump or two along the way. M-Tech has been succeeding in the UP market in a more tactical manner. M-Tech has been building special features based on specific customer demand (for example, organization chart generation, rather than broad usage, such as role management). HP is new to the UP market, but it has the organizational strength to make much progress during 2006. It is this set of vendors from which Gartner expects the greatest amount of progress during the next 18 months.
Visionaries
Visionaries invest in the leading/"bleeding"-edge features that will be significant in the next generation of products and that will give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they lack the execution influence to outmaneuver challengers and leaders.
Clients pick visionaries for best-of-breed features, and in the case of small vendors, they may enjoy more personal attention. In this Magic Quadrant, there are no visionaries, because no vendor has introduced such leading-edge capabilities for how UP or IdM activities are performed without having the market execution to show for it; hence, they would be a challenger or a leader. Providing a product whose architecture is a SOA is innovative, but it is one of a number of criteria that make a vendor visionary.
Niche Players
Niche players offer viable, dependable solutions that meet the typical needs of buyers, especially in a particular industry or geographic region. Niche players are less likely to appear on shortlists but fare well when given a chance. While they generally lack the clout to change the course of the market, they should not be regarded as merely following the leaders. Niche players may address subsets of the overall market, and often they can do so more efficiently than the leaders. Clients tend to pick niche players when stability and focus on a few important functions and features are more important than a "wide and long" road map. Niche players in this Magic Quadrant comprise the following vendors:
Vendor Comments
Avatier
Avatier Identity Management Suite (AIMS) - Account Creator, Account Terminator and Identity Enforcer - v.6.0 - 15 August 2005
Avatier (pure play) started in the password management market and developed its Microsoft .NET and Sun Java SOA architecture UP offering through tactical customer requests, as is reflected in its current multiple module configuration: Account Creator, Account Terminator and Identity Enforcer. Avatier's road map for the products includes merging the three modules under a common graphical interface during the second half of 2006 and adding support for the following functions currently missing in its product: a multilevel approval processing workflow engine, SOD, attestation reporting and SPML support. A unique feature of the Avatier UP offering is real-time multilingual support. The current (and future) offering only runs on the Microsoft .NET platform with an MS-SQL repository for its audit repository (it uses an existing Active Directory deployment for the authoritative repository); however, its use of Web services for connector development will ease support for the heterogeneous IT infrastructure. Avatier's pricing is well-suited for the SMB market. Its ease of implementation as a result of the SOA product architecture should be of interest to all enterprises. With only one SI partnership (started in January 2006), Avatier needs to expand its business partners - SIs and non-UP IAM component vendors - to ensure growth in large enterprises and internationally.
Beta Systems
SAM Jupiter - v.3.4 - August 2005
The Beta Systems' (pure play) Java-based SAM Jupiter product, developed by Schumann Security Software, was one of the earliest shipping security administration products released in 1994. Schumann was sold to Systor, a Swiss consulting firm, in January 2000.
Because of the insolvency of Systor's German consulting division, the UP division was sold in February 2003 to Beta Systems, best-known as an IT operations software vendor. Beta Systems' marketing efforts and resulting UP sales have been stronger in Europe than in North America. To add to its UP offering, Beta acquired Focal Point from Okiok in December 2005 for ESSO. SAM Jupiter has the best role-based provisioning support in the market, including a role-mining module. It is one of the few vendors that can perform RAM on a number of target systems, and it also has SPML support. Beta has expanded from its original mainframe-only runtime environment to a Unix-based offering. It also offers a Windows version of SAM Jupiter and a special pricing program for the SMB market. SAM Jupiter does not take advantage of Web services within the architecture, and it has no out-of-the-box attestation reporting support. Beta must enhance its sales and marketing efforts, especially in North America, to be back on the shortlist of large enterprises.
BMC Software
BMC Identity Management Suite - BMC User
BMC Software's (suite) acquisitions of Calendra (January 2005) and OpenNetwork Technologies (March 2005) demonstrate its commitment to the IAM market. The acquisitions were much-needed because BMC had lost significant "mind share" during the past three years or so because of its lack of useful workflow and other IAM components, primarily WAM. With Calendra, BMC acquired good workflow, white and yellow pages capability as well as a directory-centric application development environment. With OpenNetwork, BMC acquired WAM and UP products for both the Microsoft and heterogeneous IT infrastructure. The Microsoft-focused OpenNetwork UP offering was very beneficial; BMC used this technology and introduced a .NET offering in January 2006, making it the first suite vendor to have both Java and .NET UP products.
This .NET offering makes BMC a good choice for a UP enhancement module, compared with Microsoft's MIIS UP offering, for functions such as workflow, role management, SPML support and connectors, which MIIS doesn't currently support. BMC also has partnered with Consul Risk Management to deliver broader audit and compliance reporting capability than most other UP vendors. And, BMC markets its UP offering with integration to some of its business services management product line for ITSM support. Even though BMC has its own dedicated IAM international sales force, it must establish a partnership with a Tier 1 SI to ensure entry to large IAM enterprise deals.
CA
CA Identity Manager r8 (Integrated CA eTrust
CA's (suite) acquisition (November 2004) of Netegrity mainly for WAM and federation left CA with two UP offerings: eTrust Admin (frequently reported as one of the hardest UP products to implement) and Netegrity's eProvision (Netegrity acquired Business Layers, a pure-play UP vendor, in December 2003). With the Netegrity acquisition, the CA IAM product management team has stabilized with a combined CA, Netegrity and Business Layers team, and Netegrity personnel are leading the team - a good result. However, in addition to regulatory limitations that restricted, and therefore delayed, communications between the two companies, CA was slow to articulate to the market its integration road map for the two UP products. This resulted in a bit of confusion and mind share gap for the direction of the CA UP offering. But, in January 2006, CA released a combined Java-based UP offering, newly named "Identity Manager r8," with better end-user interfaces and SPML support. This new offering has both a software perpetual license and subscription-based pricing model. All core connectors are bundled into the base offering, with CA charging extra only for Resource Access Control Facility (RACF), SAP, Oracle applications, and so on.
CA is also an ITSM vendor, and it is the only vendor that currently has a common workflow module across its IAM and ITSM products. A connector development wizard capability is in development for General Availability (GA) in the third quarter of 2006. eTrust Directory is required for the "identity map" - a mapping of users to all of their IT accounts. CA needs to continue its product modernization efforts and focus on developing stronger SI partnerships. With a new CEO in John Swainson from IBM, CA is successfully changing its corporate culture and improving its market reputation as a software vendor. Therefore, CA is well-placed to become a UP market leader within the next 24 months.
Courion
Courion Enterprise Provisioning Suite - AccountCourier - v.7.30 - December 2005
Courion (pure play) entered the IAM market with PasswordCourier, a password management product. As with M-Tech, it logically expanded into the broader IAM market with UP. Courion has come a long way from its early days when its marketing was better than the product. Although it doesn't have a large number of production deployments, Courion has demonstrated consistent execution of its product vision, especially in the area of role management, with both role mining and role development. Courion is also the vendor that has best articulated the business benefits of automated UP. Its industry-focused marketing strategy is a demonstration of this point. Courion is one of only a few vendors (Sentillion and Siemens being the others) with strong support for the healthcare industry, where deep application provisioning is required. As a UP pure-play vendor, Courion integrates with a number of ITSM products, including Remedy, Peregrine and MRO. AccountCourier has SPML support, but it does not take advantage of Web services, and it has no version control over workflow (a growing need for audit/compliance).
Although Courion runs in a Windows environment (it plans a Unix release in the second half of 2007), it is not a common add-on to Microsoft's MIIS UP product. For Courion to remain independent, it needs to deliver a Unix-based UP offering and develop its international distribution through VARs and SI partnerships. It also needs to have a strong WAM go-to-market partner for broader sales opportunities.
Fischer International
Fischer Identity Suite - Fischer Provisioning - v.2.2 - December 2005
The newest vendor in the UP market, Fischer International (pure play), owned by Addison Fischer - an early expert in the information security field - introduced its UP product in May 2005. The UP management team is very strong, with members having a variety of industry IT experience. The product has been designed and developed from "the bottom up" using Java and an SOA framework. The company has been very aggressive in pricing - a tactic often seen in early vendors trying to obtain market share and, therefore, very attractive to the SMB market. The UP product has the ability to discover resources on the network (IT resource discovery), and it has PDA support for approval processing. Limitations in the current UP offering include: no out-of-the-box attestation reporting, no enterprise-level role management and no SPML support. Because of its SOA architecture and the financial strength of the company, Fischer has the potential of becoming a UP challenger during the next 24 months. But it must move quickly on the business partnership front, including a Tier 1 SI partner (an activity that it has just started to do), international sales channels (Fischer currently sells into the North American market only), and other IAM component vendors.
HP
HP OpenView Identity and Access Management - HP OpenView Select Identity - v.4.0 - 31 January 2006
HP (suite) is one of the newest vendors that has been buying its way into the IAM market with the acquisitions of: the Select Access software from Baltimore for WAM (July 2003), TruLogica for UP (March 2004), and TrustGenix for federation (December 2005 - following a prior OEM agreement going back to November 2004). So far, it has executed successfully with no missteps along the way. Fortunately, it has changed the original TruLogica marketing message that the product was a "context identity management" tool, a distinction that the market did not understand. HP now refers to the unique approach to packaging its policies, workflows, forms, roles and rules as business service identity management. HP's IAM sales are split 50-50 between North America and Europe, demonstrating its strong organization sales, marketing and consulting support. Because of the integration with OpenView, Select Identity can play a role in ITSM, such as service life cycle management, resource discovery, help desk and configuration management database operations. HP will include its new Select Audit module (June 2006 GA) for attestation reporting and extended SOD support in the core suite pricing. SPML support is available today. HP - with a strong IAM suite - has strong SI partnerships that now need to be further mined for international distribution and entry into large-enterprise deals. HP will add more focus to the SMB market later in 2006 when it adds JBoss as a platform for its solution - consistent with HP's strong commitment to the Java application development environment, although an offering based on a Microsoft platform seems to be the current direction for this market.
IBM Tivoli
IBM Tivoli Identity Manager (ITIM) - v.4.6 - 28 June 2005
IBM Tivoli (suite) was a very early buyer of IAM technologies: Dascom in September 1999, Metamerge in June 2002 and Access360 in October 2002.
IBM's acquisition of Metamerge for virtual directory technology, now renamed Tivoli Directory Integrator (TDI), was a good move, and many of the Access360 connectors have been replaced with TDI connectors. IBM had one significant misstep after the acquisition of Access360 - trying too quickly to convert to the WebSphere application server environment, resulting in customers suffering through those implementations, although IBM was "at their side" throughout. Even so, it has become a leader in the UP market because of strong workflow, connector management and production deployment change management features, the number of "blue" shops (ITIM has been developed using a J2EE/WebSphere platform) and enterprise software deals. Attestation reporting, called "recertification," is built into the core UP product, as is SPML support. ITIM has no core product SOD support; partners such as Vaau and Eurekify provide it. To further enhance its role management capabilities, it is partnering with Bridgestream. In March 2006, it announced ITIM Express - a UP product for enterprises with fewer than 5,000 users. Thirty connectors are available with the core Express offering, and applications such as SAP are available for an additional fee. SMBs can trade up to the full ITIM product if they so desire. IBM Global Services is IBM's premier SI, but IBM has other strong Tier 1 SI partnerships.
M-Tech
M-Tech Identity Management Suite - ID-Synch - v.4.0 - 29 September 2005
M-Tech (pure play) is a privately owned business that had its start in the IAM market with a password management offering - P-Synch. As with Courion, it needed to expand into other areas of IAM, so UP was a logical area into which to expand. M-Tech has been a very consistent vendor in both product development and deployment.
Innovation has come through add-on modules, such as ID-Org (an organization chart generation tool good for smaller firms that don't have an organization chart reporting capability), ID-Certify for audit/compliance attestation reporting, and ID-Access for Windows RAM. M-Tech also has SPML support. With the acquisition of Thor by Oracle, M-Tech has been working with RSA Security for RSA deals that require UP (Thor was RSA's UP partner until the acquisition). ID-Synch, a Windows-based runtime environment, is the most proprietary application infrastructure of all the UP vendor products. However, customers report that it is easily configurable, lowering implementation costs and making it a good choice for outsourcing and MSP companies that need fast and multiple deployments. This Windows-based platform has contributed to M-Tech's partnership with Microsoft. Although strong in business development, M-Tech must develop SI partnerships to get more market share. It should consider re-architecting its UP product on newer technologies (for example, .NET), and expand its IAM business partners to win larger IAM deals.
MaXware
MaXware Identity Center - v.8.0.687 - 26 August 2005
MaXware (suite) is a vendor that started in the metadirectory market and evolved its offering into a UP product. It has other IAM components as well (such as federation and a virtual directory). The product is developed in a Java architecture with some Web services support. It is the only vendor that reports using LAMP - an open-source application development platform that includes Linux, Apache, MySQL and PHP (also known as Hypertext Preprocessor). It has SPML support, but there is no out-of-the-box attestation reporting; however, its attestation template has been available since March 2006. To make MaXware a well-known IAM vendor, it must enhance its SI partnerships with Tier 1 players and follow through on its recent reinvestment in its worldwide marketing program.
Microsoft
Microsoft Identity Integration Server
Microsoft's (suite) UP offering, developed on the .NET platform, was originally built as a metadirectory product that now supports much of the heterogeneous IT infrastructure (connectors for SAP, PeopleSoft, CA-ACF2 and CA-Top Secret are in the works) and provides RAM for all Microsoft systems, LDAP v.3 and RDBMS. However, it is a set of modules that must be integrated to make up a basic UP product. For example, workflow capability comes through BizTalk, with Visual Studio required for complex workflow and rule support, and Unix support comes through Services for Unix. There is no support for SPML, role management or out-of-the-box reporting of any kind, although customers can use their existing reporting products to get access to the data in the MS-SQL database. Gartner's assessment of MIIS as a UP offering is that it is very much a consulting engagement. However, customers report that the software license fees and integration costs are so much lower than other UP product deployments, that it is worth the effort. Microsoft has not productized capability (for example, workflow templates) developed by Microsoft Consulting Services from its deployments. Microsoft's next planned release in the second half of 2007 will be comparable with today's UP product offerings, with workflow provided at the Windows server level. Add-on products from M-Tech and BMC can be currently used to round out the UP offering for workflow, role management and connectors that are not currently available through MIIS. However, for enterprises (such as K-12 education market) in which there is little need for workflow and more-sophisticated UP capabilities, MIIS is adequate. But because the two different strategies to solving the security administration problem - middleware vs.
enterprise access management - are not well-articulated or understood in the market, comparing MIIS with a middleware UP product will result in MIIS not measuring up 100 percent. However, through business partners, lower software and professional services costs, and the growth of Active Directory as the central enterprise authentication service, the Microsoft approach will likely be a compelling choice within the next 24 months.
nCipher
nCipher Provisor - User, Group and Compliance Manager - v.5.3.1 - 3 February 2006
nCipher (pure play) bought its way into the UP market with the acquisition of Abridean in October 2005. nCipher brought to the table a larger channel to sell in to and sell from. The Abridean product management team currently is still intact, and the Abridean sales team has been integrated into an overlay team with the existing nCipher sales force. The February 2006 announcement that SafeNet planned to acquire nCipher is no longer in play, eliminating the potential risk to existing Abridean customers of such an acquisition. The nCipher strategy of expanding UP with credential management, database security and digital rights management is irrelevant for most enterprises in the short term (less than three years); the limited current market need is mainly for the Payment Card Industry (PCI) and California Bill 1386 (CA-1386) support. The product is a good Java-based UP product, with SPML support, and success has come mainly in the SMB market. One feature that Abridean had before most of the other UP vendors was Windows RAM - shares, folders, printers, e-mail distribution lists. The product's ability to split Active Directory into multiple management domains is a valuable tool when needing to have different people, perhaps from different companies, manage just their slice of Active Directory. Pricing is done on a per-user basis as well as a subscription basis.
For enterprises with a workforce of fewer than 5,000 employees, there is a flat-fee pricing of $50,000, making this product a good choice for the SMB market. The Compliance Manager product is an add-on module. nCipher must beef up its project management methodologies and partner with a Tier 1 SI to succeed at larger UP deals.

Novell
Identity Manager 3 - December 2005

Novell (suite) was one of the vendors that took its metadirectory product and evolved it into a Java-based UP product. Because earlier versions of its UP product were based on the metadirectory product, it has strong data synchronization and RAM capabilities, but it lacked certain core UP functions, such as self-service password reset and workflow, and it required a fair amount of consulting work for implementation. Novell has continually enhanced its UP offering (for example, graphical interface for connector management and SPML support), and with the introduction of Identity Manager 3, it has a product that provides very good UP capabilities, albeit with a few oddities (such as template workflow by the number of approval steps rather than UP function, for example, add a new user). The workflow module is priced separately from the core UP module. Identity Manager 3 has attestation reporting, but it does not use workflow, so that attestation reporting is its own integrated process for management review and follow-up actions. Novell has done a good job in focusing on the federal and state government sectors with its IAM offerings, and overall customer satisfaction is high. To be the success it wants to be, Novell must be more strategic by adding capabilities around RME, ensure it has a Tier 1 SI (many of its implementations are done by Novell Consulting) and provide a solution for the SMB market. Novell has done a good job selling its UP solutions to its target customers; however, Novell's target audience is too narrow.
Gartner wants Novell to expand its marketing and sales efforts to a broader range of customers.

Oracle
Xellerate Identity Manager - 31 January 2006

Oracle (suite) bought into the IAM market with acquisitions of Phaos (May 2004), Oblix (March 2005), Thor Technologies (a small, pure-play J2EE UP vendor in the UP market for eight years that catered to large financial services organizations, December 2005) and OctetString (December 2005). In a short time, it has amassed a very strong management team and IAM technology portfolio. Adding its January 2005 PeopleSoft acquisition for HR management, Oracle is positioning itself to be the "mover and shaker" in the IAM market. To date, Oracle is fulfilling its strategy of delivering an integrated product suite. Its IAM road map looks the best of all vendors, including an offering for fine-grained authorization (only BEA Systems and Securent currently have such an offering). Pricing for the IAM suite includes the following modules: federation, access manager, virtual directory and OID, UP, and the Audit/Compliance Manager module for attestation reporting. Oracle's acquisition of Thor was a good move because it had no UP product outside of its own Oracle product suite. It also left RSA Security with a gap in its IAM suite because it had a strong partnership with Thor before the Oracle acquisition. Administrative SOD enforcement is native to the UP product (through the "explicit deny" access policies function), with violations reporting through the Web application. Reporting of SOD violations will be available in the second half of 2006. Real-time enforcement of SOD policies is available through Oracle's Internal Control Manager (ICM) product, which currently supports the Oracle eBusiness Suite. The product has good production deployment change management features and has SPML support. Oracle partners with Bridgestream for RME capability.
With PeopleSoft being a leading HR application, we will continue to look for progress on Oracle selling its IdM suite through this channel.

Sentillion
Vergence - v.1.8 - January 2006

Sentillion (suite) has been dedicated to the healthcare industry from its inception - no surprise given the background of its founder - a good thing for healthcare because the industry's needs are unique. What makes healthcare so different from other industries from the IAM perspective is the need to provision deeply into the application, and the healthcare industry has very complex role relationships and delegated administration needs (for example, a doctor is a contractor from an employment perspective, a patient for personal medical services, a faculty member if the facility is a teaching hospital, a grant worker if the hospital is an R&D facility, and so forth). Sentillion can provision to every one of the major healthcare applications and suites. Sentillion's open-source community, IdMPOWER, provides members with the ability to share IdM software adapters for all types of clinical and nonclinical applications. Combined with its other IAM offerings (which provide in essence a "physician's portal"), including single sign-on and HL7 Clinical Context Object Workgroup (CCOW) support, Sentillion is a lead choice for healthcare enterprises. However, the UP product does not offer attestation reporting or SPML support. Reporting of historical views of access must be done by copying the information to an SQL database and reporting from there. There is no version control on workflow. For Sentillion to grow (80 percent of its business is in the United States and 20 percent in Canada), it must have business partnerships with leading healthcare SIs and software vendors - it can no longer rely on its direct sales channel.
Sentillion also needs to watch other UP vendors, such as CA, Courion and Siemens, which sell successfully into the healthcare market by having relationships with their own medical software businesses, their own medical consulting practices or healthcare software vendors.

Siemens
HiPath SIcurity DirX - v.7.0 - August 2005

Siemens (suite) is another vendor that started in the metadirectory market and evolved its offering into a J2EE UP product. Currently, it is better known in Germany and Europe than in other regions, and it recently enhanced its U.S.-based sales and marketing program. The agreement with SAP for UP, announced in September 2005, should make it much better-known. And in March 2006, it announced the acquisition of Okiok's "Global Trust" WAM product, thereby enhancing its HiPath SIcurity DirX Access product. Siemens is unique in that it offers a UP product specific to facilities management (partnering with its Siemens Building Technologies [SBT] division) - a development that Gartner will be watching closely, given all the discussion on the overlap between information and physical security. It also has partnered with its Siemens Medical Solutions division to offer a UP product that is integrated with its healthcare software. As with the other German-based UP vendors, Siemens has strong support for role-based provisioning; it also has SPML support. Current product feature limitations include: no out-of-the-box attestation reporting support, no Web services support, little UP product event logging and no version control on workflow. Its success will depend on continuing management focus and investment in geographic regions other than Germany. To do this, it must have at least one Tier 1 SI. Siemens has no SI partnerships today.

Sun Microsystems
Sun Java System Identity Manager - Identity Manager - v.6.0 - 20 January 2006

When Sun (suite) acquired Waveset in December 2003, it stated that it would retain its heterogeneous runtime environment. It did.
Sun also executed on its IAM road map, putting it in the lead with a Java Platform, Enterprise Edition (Java EE) product with strong workflow, connector management and end-user interfaces. The UP product also has SPML support. The Sun IAM management team is very strong. As with Oracle, it is partnering with Bridgestream for RME. Sun offers a perpetual pricing license and a subscription model ($50 per user per year, with no discounting for the Identity Management Suite). However, Sun deeply discounts its perpetual license deals, especially if enterprises run the product on Sun hardware. Its Identity Auditor module is priced separately. For enterprises with fewer than 5,000 users, Gartner advises that enterprises go with the subscription pricing model, or look to a vendor with a more SMB-friendly price point. Sun is introducing a telecommunications industry focus, a potentially huge market for data and services provisioning to millions of cellular phones. Other vendors' customer references report that Sun can be heavy-handed when pitted against Microsoft, and this behavior has lost Sun a deal or two. Sun has a strong global business partner and SI presence that can continue to be successful.

Voelcker Informatik
ActiveEntry - ActiveEntry 3.1 - 1 April 2005

Voelcker (pure play) is a .NET and Mono UP vendor that currently markets its offerings in only Germany, Austria and Switzerland. Its UP product is part of a broader ITSM suite covering asset management provisioning and software management provisioning. It has a UP offering specific to the education market, can perform IT resource discovery and has the lowest maintenance of all vendors at 10 percent. The European regulated labor market creates a complex role and rule approval relationship (for example, union influence over workforce changes).
As such, Voelcker has strong role management support in that it can bridge the gap between the business role and the IT role, especially as it relates to the mapping between IT and ERP systems. SPML support will be in the product by midyear 2006. It has sold mainly to the SMB market in Germany, Austria and Switzerland and has good SI partnerships there as well. To grow its business outside of this region, it must partner with other IAM vendors and SIs, and expand its sales channel through VARs.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

The Magic Quadrant is copyrighted April 2006 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

©2006 Gartner, Inc. and/or its Affiliates. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable.
Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.