

The Forrester Wave User Account Provisioning, Q1 2006

Sun Microsystems Leads In Our Product Evaluation
by Jonathan Penn with Laura Koetzle, Paul Stamp, Simon Yates, and Adele Sage
January 27, 2006

EXECUTIVE SUMMARY

Forrester evaluated leading user account provisioning vendors across 125 criteria and found that Sun Microsystems is a market leader for a reason - its product delivers superior provisioning functionality with the highest ease of use. BMC Software offers the most attractive vision of provisioning that aligns closely with its overall corporate strategy. IBM and CA, followed by Novell, also appear in the Leaders category. Thor Technologies' Xellerate Identity Manager is one to watch: It is highly functional, and its recent acquisition by Oracle will allow Thor to scale to match its competition. Included in this report is an interactive vendor comparison tool that provides detailed product evaluations and customizable rankings.

TABLE OF CONTENTS

  1. Executives Scrutinize Management Of Users' Privileges More Than Ever
    Vendor Activity Is Stabilizing, But Products Continue To Evolve
    Select The Product Whose Architecture Matches Yours And Will Be Easiest To Deploy
  2. User Account Provisioning Evaluation Overview
    Evaluation Criteria
    Evaluation Methodology
    Evaluated Vendors
  3. Leaders Offer Ease Of Implementation And Breadth Of Solutions
  4. Vendor Profiles
    Leaders
    Strong Performers
    Contenders
  5. Supplemental Material

NOTES & RESOURCES

Forrester conducted evaluations that concluded in December 2005 of nine vendors: BMC Software, CA, Courion, Hewlett-Packard, IBM, Microsoft, Novell, Sun Microsystems, and Thor Technologies. We also interviewed leading system integrators and scores of Forrester clients who engaged us with inquiries or consulting on the topic.

Related Research Documents

"The Standalone Web SSO Market Vanishes"
March 30, 2005, Quick Take

"Building A Role-Based Access Control Model"
June 23, 2004, Best Practices

"User Account Provisioning"
March 8, 2004, Trends

EXECUTIVES SCRUTINIZE MANAGEMENT OF USERS' PRIVILEGES MORE THAN EVER

User account provisioning - the administration and audit of users' accounts and privileges - is a core element of security hygiene and compliance efforts. Provisioning solutions help organizations efficiently and effectively manage users' various accounts and their associated system privileges.

Provisioning functionality includes:

  1. A framework for managing access control policies, one which usually incorporates the concept of roles.
  2. Connectors to various target systems to manage.
  3. A workflow to guide and monitor processes requiring sign-off or dependent on external events like physical equipment acquisition.
  4. Delegated administration and self-service.
  5. Password management, including self-service reset and synchronization.
  6. An auditing component that unifies reporting of people's privileges across systems and also monitors the administrative process and policies themselves.

User account provisioning improves efficiency in two ways: it increases user productivity by giving new employees and contractors access to applications more quickly, and it lets IT departments handle more users with fewer people - and at less cost - by automating IT processes like resetting passwords. However, chief information security officers (CISOs) and other executives are primarily funding user account provisioning projects to comply with regulations like Sarbanes-Oxley (SOX), HIPAA, and the Payment Card Industry (PCI) Data Security Standard. And compliance can be neither effectively achieved nor maintained without a mechanism to manage which users have access to certain systems and what their privileges are. Moreover, firms' increased focus on information risk management elevates the priority of data privacy and intellectual property protection, and you can't do either of these things without proper user account administration.

Vendor Activity Is Stabilizing, But Products Continue To Evolve

In the midst of all this, the market landscape has been tumultuous:

  • Pioneering vendors, such as BMC and Systor, needed to modernize. User account provisioning solutions were developed before the Web, before Java, and before the rise of corporate directory services. Startups like Access360 (acquired by IBM in 2002), Business Layers (acquired by Netegrity in 2003), Thor Technologies (acquired by Oracle in 2005), and Waveset (acquired by Sun in 2003) took advantage of these new technologies to make their solutions more agile. Vendors of these older products have been responding by re-architecting through organic development and/or acquisition. 1
  • Functional overlap of identity management product areas created friction. Identity management product categories eventually began to clash and compete with each other. Provisioning solutions and metadirectories were the first to be directly competitive, and vendors like Microsoft, Novell, and Siemens layered provisioning functionality on top of their metadirectory offerings. These solutions are typically strong in their data management capabilities. Provisioning solutions and password management products also began to compete, so vendors like Courion and M-Tech responded by adding provisioning on top of their password management products. These solutions are typically strong in their self-service capabilities.
  • The big vendors came in and consolidated. Major software vendors entered the market and started amassing identity management suites. Identity management consists of a set of discrete products that also have elements of overlapping and common functionality: workflow, a roles framework, interfaces for self-service and delegated administration, and a directory. Large vendors sought to build portfolios that would integrate by sharing these services, which simplifies their coordinated use by customers and establishes footholds with one product on which to sell others. Hence, the market has undergone a three-year period of aggressive acquisition activity.

The result is that user account provisioning products have been changing fairly rapidly, which creates disruption of its own. New provisioning products have never been able to prove themselves right out of the gate, and this also holds true for major version changes. So whenever there has been a major architecture upgrade or integration of acquired technology, users had to resign themselves to a certain number of glitches and patches to make the new components work together as advertised.

Select The Product Whose Architecture Matches Yours And Will Be Easiest To Deploy

Provisioning is not an easy solution to implement. Customers struggle with integration to the managed systems, codification of business rules and policies, and configuration of role frameworks and of workflow. Some rules of the road:

  • Simple needs beg lightweight products. Smaller organizations or those under less regulatory oversight will likely have less rigorous requirements around roles, policies, and auditing. They should look into products from vendors like Courion, Sun, and Thor that don't require a lot of organizational groundwork, product customization, or add-on products to prop up the solution.
  • Big shops must choose: Is identity management part of app security or systems management? For organizations with complex needs, provisioning is becoming a platform decision more often than not. But not all identity management suites are the same. In the course of the identity management acquisition activity, the market split into two fairly discernible segments. Vendors like BMC, CA, HP, and IBM have a systems management perspective on identity management that is more administration-focused. Vendors like Novell, Microsoft, Oracle, and Sun have an application platform perspective on identity management that is more access-focused.

So it isn't just a question of which vendors' products you have more of in your infrastructure; besides, many large enterprises have enough of a mix of products that this criterion doesn't sufficiently narrow the field. Rather, it's also a question of whether the underlying requirements for provisioning and its integration into a broader IT strategy pertain more to IT management or application delivery.

USER ACCOUNT PROVISIONING EVALUATION OVERVIEW

To assess the state of the user account provisioning market and to see how the vendors stack up against each other, Forrester evaluated the strengths and weaknesses of top user account provisioning vendors.

Evaluation Criteria

After examining past research, user need assessments, and vendor and expert interviews, we developed a comprehensive set of evaluation criteria (see Figure 1). We evaluated vendors against approximately 125 criteria, which we grouped into three high-level buckets:

  • Current offering. Forrester evaluated each provisioning product's current capabilities using nine groups of criteria: 1) connectors and managed system support; 2) data tools; 3) self-service and delegated administration; 4) password management; 5) policy management; 6) workflow; 7) auditing and reporting; 8) architecture; and 9) enterprise deployability.
  • Strategy. To assess the vendors' strategy, Forrester considered: 1) the vendor's product vision; 2) the degree of corporate contribution from provisioning and identity management and corporate investment in it; 3) the vendors' breadth of identity management solutions; 4) the pricing model for the product; and 5) the strength of the vendor's channel, integrator, and technology partnerships.
  • Market presence. Forrester analyzed data about each vendor's installed base and revenues. We looked at absolute numbers, growth, and profitability at both a corporate and product level. We also looked at how many of their customers were large enterprises and how globally distributed they were.

Figure 1 Evaluation Criteria

CURRENT OFFERING

Connectors and managed system support: What are the built-in and customizable capabilities of the product in terms of the managed systems it supports?
Data tools: What tools does the product have to manage and check on the consistency and accuracy of the data across managed systems?
Self-service and delegated administration: What are the product's capabilities for self-service and delegated administration?
Password management: How does the product support self-service password reset, password synchronization, and password policy enforcement?
Policy management: What are the constructs for abstracting common sets of entitlements, and how flexible are these constructs to use?
Workflow: Does the system support advanced workflow capabilities and management?
Auditing and reporting: Can the product audit and report on all types of system activity?
Architecture: How is the product architected?
Enterprise deployability: What makes the product easy or difficult to deploy and configure in a complex enterprise environment, relative to its competitors' products?

STRATEGY

Product vision: What is the vendor's vision for the future of its provisioning product? How strong is the vendor's overall product direction and ability to execute from a functional, technical, and vendor risk perspective?
Corporate contribution and investment: How much do provisioning and identity management solutions contribute to the company?
Breadth of identity management solutions: How strong is the vendor's strategy and product direction for building a platform to provide all of a customer's identity management technology needs?
Pricing: How much does the product cost?
Sales and partner strategy: How strong are the vendor's sales and partner strategies?

MARKET PRESENCE

Installed baseHow large is the vendor's customer base for the product overall and in specific regard to enterprise customers?
RevenueWhat is the vendor's revenue status overall and specific to provisioning?

Evaluation Methodology

Forrester used a combination of three data sources to assess the strengths and weaknesses of each solution:

  • Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation criteria. Once we analyzed the completed vendor surveys, we conducted vendor calls as necessary to gather details of vendor qualifications.
  • Discussions with prospective and established customers. In the course of our research, we regularly engage with clients evaluating and running provisioning solutions. These discussions were not formal customer reference calls arranged and vetted by the vendor. We used our own conversations as opportunities to delve into scores of enterprises' user account provisioning projects. We sought to understand: 1) the users' requirements; 2) how products fared in their own evaluations; 3) the rationale behind the customers' product selection decisions; and 4) their experiences in configuring and deploying the solutions. These sessions helped us validate product claims and understand important subtleties of functionality that a questionnaire cannot elicit.
  • Input and validation from leading system integrators and consultants. We asked leading systems integrators (SI) and consultants about their experiences deploying the solutions for customers. These firms have intimate knowledge of all the products and provided a unique perspective on their relative merits and drawbacks. We specifically used the findings from these interviews to assess the products' abilities to succeed in complex customer environments.

Evaluated Vendors

Forrester included nine vendors in the assessment: BMC Software, CA, Courion, HP, IBM, Microsoft, Novell, Sun Microsystems, and Thor Technologies. We chose these vendors because: 1) They have a large market share; 2) they exert significant influence over the whole identity management market; or 3) they possess unique product features or architecture that made them appealing for evaluation. These are also the vendors that our clients specifically ask about. Each of these vendors took part in our evaluation by providing information on their current offering, road map, and business.

LEADERS OFFER EASE OF IMPLEMENTATION AND BREADTH OF SOLUTIONS

The evaluation uncovered a market in which (see Figure 2):


  • Sun stands out as functionally superior. Sun sets the gold standard for user account provisioning. Sun has managed to develop a highly functional and flexible solution that is also relatively easy to implement, while other vendors still struggle to balance these competing objectives.
  • BMC, IBM, CA, and Novell also lead the pack. BMC's recently revamped User Administration and Provisioning is a highly functional product, and the company's product road map aligns closely with its overall corporate business service management strategy. IBM Tivoli Identity Manager has a track record of successful, scalable deployments. CA eTrust Admin has a robust architecture and powerful auditing, powered with new capabilities in policy management and user administration by IdentityMinder (from the Netegrity acquisition). 2 Novell Identity Manager boasts recent advancements in workflow, policy management, and auditing. Each of these vendors also brings along a broad portfolio of identity management solutions.
  • Courion, HP, and Thor offer competitive options. Courion's Enterprise Provisioning Suite is functionally strongest in the areas of password management and self-service - not surprising, given the vendor's pedigree. What is surprising is that this small identity management vendor has established an impressive range of technology partnerships that rivals that of its large, suite-vendor competitors. Within HP OpenView Select Identity is the foundation for a market-leading product, but the absence of a few key features underscores the product's relative immaturity. 3 Thor's Xellerate Identity Manager (XellerateIM) stands with the best on functionality but suffered because of the company's small size and limited partnerships - all problems that acquirer Oracle can remedy quickly.
  • Microsoft trails in overall functionality. Microsoft has delivered a product with few connectors, little built-in workflow, and no self-service. Today, Microsoft Identity Integration Server (MIIS) is a metadirectory foundation with the ability for organizations to customize some basic provisioning functionality through scripting.

This evaluation of the user account provisioning market is only intended to be a starting point. Readers are encouraged to view detailed product evaluations and adapt the criteria weightings to fit their individual needs through the Forrester Wave Excel-based vendor comparison tool.

VENDOR PROFILES

Leaders

  • Sun. By a large margin, Sun Java System Identity Manager came in as the most function-rich solution in Forrester's evaluations. The product led all of its competitors in several categories: connector functionality, policy management, auditing, and architecture. Identity Manager is also the market share leader with no signs yet of a slowdown. Moreover, the vendor has an excellent sales channel by virtue of its strong ties to the leading systems integrators. 4
  • BMC. BMC is far along in its efforts to modernize its provisioning solution. Its new package, BMC User Administration and Provisioning, boasts improvement in the areas of workflow, user administration, and password management. The solution retains its powerful security and compliance features, but it is also encumbered by deployment complexity, requiring significant customization effort to use these advanced features. More than any other major software vendor we evaluated, BMC has tightly aligned its provisioning solution to its overall corporate strategy, one that places a strong focus on business service management. 5
  • IBM. IBM Tivoli Identity Manager has improved significantly during the past few years. IBM has opened up the product to ease integration and customization; it has also improved the manageability and flexibility of roles, policies, and delegation. This enables the product to support very complex provisioning environments. IBM's rich suite of identity management solutions also ties into other successful IBM products, such as WebSphere, boosting the product's market footprint. 6
  • CA. eTrust Admin is a solid, all-around product - strong on architecture and auditing. The integration of Netegrity's IdentityMinder addresses prior shortcomings in user administration and password management. CA has a rich and unique portfolio of integrated identity management solutions and a strong commitment to the market that aligns well with its overall corporate strategy. The only thing holding CA back is its historic weakness in forming meaningful technology and integration partnerships, something that Netegrity excelled at and will hopefully bring to CA. 7
  • Novell. Novell Identity Manager has solid overall functionality, with notable strengths in data management - thanks to its metadirectory underpinnings. Some of Novell's more advanced workflow and self-service features require a bit more configuration and customization effort than for competing solutions. Novell has also upgraded the product's auditing features. Organizations that feel comfortable with XML scripting and have an existing Novell eDirectory investment will find this product attractive. 8

Strong Performers

  • Courion. Courion's Enterprise Provisioning Suite has far more functionality than just the excellent set of self-service features one would expect from a company founded upon password management. But implementing some of these more sophisticated provisioning features in ways that large enterprises require is complex, hindering scalability. So Courion does well with midmarket organizations and environments that use roles lightly - where solutions from larger identity management platform vendors seem too cumbersome. 9
  • Thor. Thor has one of the most functionally rich solutions of all the provisioning products that Forrester evaluated. Its only weaknesses were XellerateIM's lack of a track record in deployments supporting several hundred thousand users and its narrow identity management portfolio; in other words, Thor lacks related products like a directory and Web SSO. With Oracle's recent acquisition of Thor, XellerateIM will pose a strong challenge to the established market leaders. 10
  • HP. HP OpenView Select Identity has the foundation to be a market-leading product. It has a near-religious commitment to Java and XML standards, and the architecture has been well proven in several large deployments. The absence of a few key features underscores the product's immaturity, although HP plans to remedy these in the near term. However, HP has to show more corporate commitment to the identity management market in several facets - notably sales structure and partnerships - to build the momentum that would move it into a leadership slot. 11

Contenders

  • Microsoft. MIIS is a good tool for coarse-level user administration across a fairly narrow set of systems. It represents a simple, low-cost alternative to heavyweight provisioning products for Microsoft-centric environments with rudimentary account automation needs. But it lacks common features found in other provisioning products, such as self-service and complex workflow, and it has an architectural dependence on Microsoft products like Windows, Active Directory, and SQL Server. 12

SUPPLEMENTAL MATERIAL

Online Resource

The online version of Figure 2 is an Excel-based vendor comparison tool that provides detailed product evaluations and customizable rankings.

The Forrester Wave Methodology

We conduct primary research to develop a list of vendors that meet our criteria to be evaluated in this market. From that initial pool of vendors, we then narrow our final list. We choose these vendors based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have limited customer references and products that don't fit the scope of our evaluation.

After examining past research, user need assessments, and vendor and expert interviews, we develop the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria, we gather details of product qualifications through a combination of lab evaluations, questionnaires, demos, and/or discussions with client references. We send evaluations to the vendors for their review, and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies.

We set default weightings to reflect our analysis of the needs of large user companies - and/or other scenarios as outlined in the Forrester Wave document - and then score the vendors based on a clearly defined scale. These default weightings are intended only as a starting point, and readers are encouraged to adapt the weightings to fit their individual needs through the Excel-based tool. The final scores generate the graphical depiction of the market based on current offering, strategy, and market presence. Forrester intends to update vendor evaluations regularly as product capabilities and vendor strategies evolve.

ENDNOTES

1 Forrester has covered these acquisitions and the context in which they were made. See the September 16, 2002, IdeaByte "IBM Acquires Access360: Accelerates Construction Of Identity Management Platform," see the January 21, 2004, IdeaByte "Netegrity Strengthens Its Growth Prospects With Business Layers Acquisition," see the November 17, 2005, Quick Take "Oracle Doubles Down On Identity Management," and see the November 26, 2003, IdeaByte "Sun Acquires Waveset And Instant Cachet."

2 With Netegrity, CA became a top contender in the identity management market. However, because CA already sells Web single sign-on (SSO) and user account provisioning products, post-acquisition development will focus on integration instead of innovation. Current Netegrity customers will hang tough, but new buyers will steer clear until the dust settles, gravitating instead to competitors like IBM, Oblix, RSA Security, and Sun. Consolidation isn't over, though. Oracle and SAP still lack identity management, and small fries like OpenNetwork and Thor Technologies are tempting targets. See the October 8, 2004, Quick Take "Computer Associates Buys Netegrity, Raises Identity Management Stakes."

3 HP's acquisition of user provisioning vendor TruLogica was a logical next step after its acquisition of a Web single sign-on product, and it fits nicely into its adaptive management strategy. See the March 29, 2004, Quick Take "HP Acquires TruLogica."

4 View the vendor summary for more detailed analysis on how Sun fared in this evaluation. See the January 27, 2006, Tech Choices "Sun Leads In Provisioning, Offering Both High Functionality And Ease Of Use."

5 View the vendor summary for more detailed analysis on how BMC fared in this evaluation. See the January 27, 2006, Tech Choices "BMC Software Brings Powerful Security And Compliance Features To Provisioning."

6 View the vendor summary for more detailed analysis on how IBM fared in this evaluation. See the January 27, 2006, Tech Choices "IBM Addresses Complex Provisioning Needs With Open And Flexible Solution."

7 View the vendor summary for more detailed analysis on how CA fared in this evaluation. See the January 27, 2006, Tech Choices "CA Provisioning Delivers Strong Auditing And Administration Atop A Robust Architecture."

8 View the vendor summary for more detailed analysis on how Novell fared in this evaluation. See the January 27, 2006, Tech Choices "Novell Provisioning Excels At Managing Data And Policies."

9 View the vendor summary for more detailed analysis on how Courion fared in this evaluation. See the January 27, 2006, Tech Choices "Courion Offers An Independent And Highly Interoperable Provisioning Solution."

10 View the vendor summary for more detailed analysis on how Thor fared in this evaluation. See the January 27, 2006, Tech Choices "Thor Technologies Offers A Standalone, Enterprise-Class Provisioning Solution."

11 View the vendor summary for more detailed analysis on how HP fared in this evaluation. See the January 27, 2006, Tech Choices "Hewlett-Packard Offers Standards-Based, Scalable Provisioning."

12 View the vendor summary for more detailed analysis on how Microsoft fared in this evaluation. See the January 27, 2006, Tech Choices "Microsoft Focuses On Provisioning To Core Infrastructure."


Forrester: Helping Business Thrive On Technology Change
Headquarters
Forrester Research, Inc.
400 Technology Square
Cambridge, MA 02139 USA
Tel: +1 617/613-6000
Fax: +1 617/613-5000
Email: forrester@forrester.com
Nasdaq symbol: FORR
www.forrester.com


Forrester Research (Nasdaq: FORR) is an independent technology and market research company that provides pragmatic and forward-thinking advice about technology's impact on business and consumers. For 22 years, Forrester has been a thought leader and trusted advisor, helping global clients lead in their markets through its research, consulting, events, and peer-to-peer executive programs. For more information, visit www.forrester.com.

