View
219
Download
0
Category
Preview:
Citation preview
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 1/16
The Forrester Wave™: Identity Management AndGovernance, Q2 2016
The Nine Providers That Matter Most And How They Stack Up
by Merritt Maxim
May 17, 2016
FOR SECURITY & RISK PROFESSIONALS
FORRESTER.COM
Key Takeaways
SailPoint, RSA, And Dell Lead The Pack
Forrester’s research uncovered a market inwhich SailPoint, RSA, and Dell lead the pack. CA
Technologies, Courion, Micro Focus (NetIQ), and
Oracle offer competitive options. IBM and SAP
lag behind.
S&R Pros Are Looking For Usability And
Automation
This market is growing because security
professionals use these solutions to address
key identity-related risks and streamline
operational efficiencies by migrating away from
existing inaccurate, manual, and inefficient
identity processes.
Identity Analytics And Ease Of Administration
Are Key Differentiators
As this market continues to mature, improved
end user interfaces, simplified and flexible
administration, and broader identity analytics will
dictate which providers lead the pack.
Why Read This Report
In our 17-criteria evaluation of identity
management and governance providers, weidentified the nine most significant ones — CA
Technologies, Courion, Dell, IBM, Micro Focus
(NetIQ), Oracle, RSA, SailPoint, and SAP — and
researched, analyzed, and scored them. This
report shows how each provider measures up and
helps security and risk professionals make the right
choice for managing and governing user access.
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 2/16
2
5
7
12
© 2016 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®,Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of ForresterResearch, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or
distributing is a violation of copyright law. Citations@forrester.com or +1 866-367-7378
Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA
+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com
Table Of Contents
IMG Is Indispensable For Security,
Productivity, And Efficient Operations
Technical Complexity Can Delay Deployment
And Increase Administrative Difficulty
Identity Management And Governance
Evaluation Overview
Evaluated Vendors And Inclusion Criteria
Vendor Profiles
Leaders
Strong Performers
Contenders
Supplemental Material
Notes & Resources
Forrester conducted lab-based product
evaluations in February 2016 and interviewedseven vendors: CA Technologies, Courion, Dell,
Micro Focus (NetIQ), RSA, SailPoint, and SAP.
Related Research Documents
Build Your Identity And Access Management
Strategy
Making The Business Case For Identity And
Access Management
TechRadar™: Identity And Access Management
(IAM), Q1 2016
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: Identity Management And Governance,Q2 2016
The Nine Providers That Matter Most And How They Stack Up
by Merritt Maximwith Stephanie Balaouras, Andras Cser, Salvatore Schiano, and Peggy Dostie
May 17, 2016
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 3/16
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: Identity Management And Governance, Q2 2016
May 17, 2016
© 2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378
2
The Nine Providers That Matter Most And How They Stack Up
IMG Is Indispensable For Security, Productivity, And Efficient Operations
Identity management and governance (IMG) solutions give security and risk (S&R) pros the ability to
provision all users with the appropriate level of access to critical applications and systems, therebyminimizing the risk of users with excessive privileges or orphan accounts which hackers frequently
target to exfiltrate sensitive data. Comprehensive IMG platforms provide functionality such as user
account provisioning, delegated administration, role management, access request management, user
self-service, and access certification. They also provide reporting for on-premises, custom, and SaaS
applications. With an IMG platform, S&R pros can:
› Minimize the risk of data breaches. Public disclosures of large-scale data breaches have
become a daily occurrence. Since the majority of data breaches continue to occur as a result of
compromised credentials, over-privileged users, stale or orphan accounts, and segregation of duty
(SoD) violations, more than ever, security teams need strong, auditable processes for ensuring that
users have not accumulated unnecessary access rights during their job tenure.1 Security teams
that fail to invest in robust processes for managing user access to systems and data are increasing
their firm’s risk of a data breach.
› Improve end user productivity. In today’s highly distributed and complex organizations, it’s not
uncommon for new hires to wait days or weeks for technology management to grant them access
to systems and applications for their jobs. These delays only frustrate end users and decrease
productivity. The ability to automate and centralize the process by which users can request and
gain access to applications can yield significant employee benefits in both user satisfaction and
productivity. This in turn can help keep employee attrition low and enable your workforce to
function at an optimal level.2
However, this also means that vendors optimize IMG solutions forbusiness, not just technical users.
› Deliver operational efficiencies. Today’s digital workforce requires access to an increasingly
diverse set of data and applications. Managing and monitoring this access can be an
administrative nightmare as S&R pros struggle to both maintain consistency across environments
and mollify frustrated users who can’t access quickly and efficiently the systems needed for their
job. IMG solutions alleviate administrative headaches for managing and granting user access to
applications by providing a centralized platform with workflow, delegated administration, analytics,
and reporting to ensure that technology management grants access efficiently and within defined
business rules and policies.
Technical Complexity Can Delay Deployment And Increase Administrative Difficulty
Many IMG vendors have built up their IMG portfolios through acquisition during the past 10-plus years
(see Figure 1 and see Figure 2). While vendors made these acquisitions to accelerate time-to-market,
integrating these components takes time and can lead to multiple interfaces and complexity, resulting
in longer deployment periods and increased administration. These so-called acquisition architectures
may also lack flexibility to adjust to new requirements such as SaaS or mobile.
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 4/16
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: Identity Management And Governance, Q2 2016
May 17, 2016
© 2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378
3
The Nine Providers That Matter Most And How They Stack Up
In addition, IMG requirements have expanded beyond provisioning and creating an account in a
target system like Active Directory. While user provisioning is increasingly a capability of most IDaaS
offerings, these cloud offerings are not as mature in other core identity areas such as role management
or access certification for on-premises apps, making it challenging for security teams that are facing a
cloud-first mandate to migrate their IMG infrastructure to SaaS.3 S&R pros considering investment or
reinvestment in this space should consider how these solutions currently support new requirements
such as:
› Prioritizing flexible and responsive user interfaces optimized for business users. Traditionally,
IMG resided primarily within the purview of technology management. Even for technical staff,
IMG solutions were hard to work with, and security pros often had to spend nine to 12 months
to customize these solutions to achieve the most basic access request approval workflows. New
requirements in access request management and access governance mean that business users
will increasingly interact with IMG solutions. These business users place a premium on easy-to-useinterfaces as well as support for performing functions on mobile devices. Security teams should
prioritize business user experience when evaluating solutions; friendlier interfaces will result in
faster deployment times and quicker adoption.
› Managing the identity life cycle for SaaS environments. IMG solutions initially focused on
supporting the identity life cycle for on-premises client/server applications and have built up
broad support for most commonly used commercial applications. However, as digital businesses
increasingly adopt SaaS apps such as Concur, Office 365, Salesforce, and ServiceNow, security
teams must maintain the same centralized, policy-based approach for managing and governing
the identity life cycle. While the IMG vendor ecosystem has added support for a range of common
SaaS apps, functionality beyond core provisioning can be inconsistent. S&R pros should place apremium on a given vendor’s support for SaaS apps to ensure broadest possible coverage and
strongest business value.
› Delivering robust identity analytics to identify anomalous user behavior. Although IMG
solutions serve as an important resource of valuable identity information, many security teams have
not leveraged this identity data to its fullest effect, as identity data was often exported to a SIM
or another analytics tool. Going forward, IMG solutions will provide the foundation for capturing
and detecting potentially suspicious user activity and using that data to feed into dashboards and
remediation. S&R pros should evaluate the ability to collect and perform such analysis natively in
the IMG platform even if behavior analytics is not on your short-term priority list.
› Providing a risk-centric view of users, apps, and entitlements to mitigate identity risk. IMG
solutions collect and manage a wide range of data around usage, approvals, and workflow, but
security teams don’t always fully leverage this data, if at all. S&R pros can use this data to identify
segregation of duty (SoD) violations and to prevent the fulfillment of certain requests. Today,
S&R pros want risk-scoring models out of the box that they can customize to their firm’s specific
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 5/16
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: Identity Management And Governance, Q2 2016
May 17, 2016
© 2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378
4
The Nine Providers That Matter Most And How They Stack Up
identity, application, and data risk. Such configurable models can deliver great value, especially
when onboarding new apps or users, which is why S&R pros should evaluate individual risk-scoring
type capabilities.
FIGURE 1 Identity Management And Governance Acquisition Timeline
IdM1logic
June 2015
IDFocus
Oct. 2008
Netegrity, Oct. 2004
SecureReset
Nov. 2015
EMC, Oct. 2015
Dell
Courion
CA
Technologies
Eurekify
Nov. 2008
Xceedium
July 2015
Bay31
May 2015
Core Security
Dec. 2015
Quest, July 2012
(BiTKOO, 2011)
(Voelcker Informatik, 2010)
(RSA, 2006)
(Aveksa,
2013)
(Business Layers, 2004)
2002 Present
Note: This figure is meant to be representative of the identity management and governance
acquisitions over the past five years only for vendors included in this Forrester Wave. Acquisitions
made outside core identity management solutions are not shown. Timeline is not to scale.
Lighthouse Security
Aug. 2014
Access360
Sept. 2002
IBM
CrossIdeas
July 2014
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 6/16
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: Identity Management And Governance, Q2 2016
May 17, 2016
© 2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378
5
The Nine Providers That Matter Most And How They Stack Up
FIGURE 2 Identity Management And Governance Acquisition Timeline Continued
Attachmate, Sept. 2014
Aveksa
July 2013
Note: This figure is meant to be representative of the identity management and governance
acquisitions over the past five years only for vendors included in this Forrester Wave. Acquisitionsmade outside core identity management solutions are not shown. Timeline is not to scale.
SAP
RSA
Micro Focus
(Net IQ)
2002 Present
(NetIQ, 2006)(Novell, 2010)
Oblix
Mar. 2005Sun, Jan. 2010
Oracle
Thor
Nov. 2005
(Waveset, 2003)
(Vaau, 2007)
Whitebox Security
July 2015
Beacon PS
Feb. 2011
Cloudmasons
May 2012
SailPoint
BMC Control SA
Mar. 2011
Identity Management And Governance Evaluation Overview
To assess the state of the identity management and governance market and see how the vendors
stack up against each other, Forrester evaluated the strengths and weaknesses of top IMG vendors.
After examining past research, user need assessments, and vendor and expert interviews, we
developed a comprehensive set of evaluation criteria. We evaluated vendors against 17 criteria, which
we organized into three high-level buckets:
› Current offering. We evaluated the ability of IMG solutions to deliver the following capabilities out
of the box: 1) user account provisioning; 2) role management; 3) access request management; 4)
access certification; 5) integration and APIs; 6) reporting and scalability; 7) administration; and 8)
overall solution complexity.
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 7/16
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: Identity Management And Governance, Q2 2016
May 17, 2016
© 2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378
6
The Nine Providers That Matter Most And How They Stack Up
› Strategy. We evaluated: 1) the vendor’s IMG strategy and vision; 2) total complexity to implement
the solution; 3) pricing terms and flexibility; 4) customer satisfaction; and 5) breadth of the vendor’s
partner ecosystem.
› Market presence. We evaluated: 1) development, sales, and technical support staffing; 2) the size of
the IMG installed base; 3) product line and revenue; and 4) global presence (verticals and geographies.
Evaluated Vendors And Inclusion Criteria
Forrester included nine technology providers in the assessment: CA Technologies, Courion, Dell, IBM,
Micro Focus (NetIQ), Oracle, RSA, SailPoint, and SAP. Forrester also invited Hitachi-ID, IBM, Omada,
Oracle, and Microsoft, but these vendors declined to participate. Due to the volume of client inquiries
and their market presence, Forrester included IBM and Oracle as nonparticipating vendors in this
assessment. Each included vendor has (see Figure 3):
› A productized and publicly announced identity management and identity governance
offering. Participating vendor needed to have its own internally developed (not an OEM or resell)
IMG solution that supports the installation of the IMG policy administration console on-premises.
› At least $20 million in annual IMG license revenue over the past four fiscal quarters. The
vendor should have at least $20 million in true annual IMG license revenues. Hosted IMG solutions
do not count against this number.
› At least 50 paying customer organizations in production. The vendor’s IMG offering should
have at least 50 paying customer organizations in production at the cutoff date.
› A mindshare with Forrester’s clients during inquiries. Clients should mention the vendor’s namein an unaided context (“We looked at the following vendors for IMG”) during Forrester’s inquiries
and other interactions.
› A mindshare with other IMG competitive vendors. When Forrester asks other vendors about
their competition on briefings, inquiries, and other interactions, other vendors should mention the
vendor as a real competitor in the IMG market space.
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 8/16
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: Identity Management And Governance, Q2 2016
May 17, 2016
© 2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378
7
The Nine Providers That Matter Most And How They Stack Up
FIGURE 3 Evaluated Vendors: Identity Management And Governance Information And Selection Criteria
Vendor
CA Technologies
Courion
Dell
Micro Focus (NetIQ)
RSA
SailPoint
SAP
Product evaluated
CA Identity Suite 12.6.07
Courion Access Assurance Suite
Dell One Identity Manager 7
Identity Manager 4.5, Access Review 1.5,SecureLogin 8.1, Identity Tracking 1.1, DRA 9.0
RSA Via Lifecycle and Governance 7.0
IdentityIQ 7.0
SAP Identity Management 8.0, SAP Access
Control 10.1
Inclusion criteria
A productized and publicly announced identity management, role management ,and identitygovernance offering. The vendor should have its own internally developed (not an OEM or resell) IMGsolution that supports the installation of the IMG policy administration console on-premises.
At least $20 million in annual IMG license revenue over the past four1 fiscal quarters. The vendorshould have at least $20 million in true annual IMG license revenues. Hosted IMG solutions do not countagainst this number.
At least 50 paying customer organizations in production. The vendor’s IMG offering should have atleast 50 paying customer organizations in production at the cutoff date.
A mindshare with Forrester’s customers on inquiries. Customers should mention the vendor’s namein an unaided context (“We looked at the following vendors for IMG”) on Forrester’s inquiries and otherinteractions.
A mindshare with other IMG competitive vendors. When Forrester asks other vendors about theircompetition on briefings, inquiries, and other interactions, other vendors should mention the vendor as areal competitor in the IMG market space.
Vendor Profiles
This evaluation of the identity management and governance market is intended to be a starting pointonly. We encourage clients to view detailed product evaluations and adapt criteria weightings to fit their
individual needs through the Forrester Wave Excel-based vendor comparison tool (see Figure 4).
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 9/16
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: Identity Management And Governance, Q2 2016
May 17, 2016
© 2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378
8
The Nine Providers That Matter Most And How They Stack Up
FIGURE 4 Forrester Wave™: Identity Management And Governance, Q2 ’16
Challengers Contenders Leaders
Strong
Performers
StrategyWeak Strong
Current
offering
Weak
Strong
Go to Forrester.com to
download the Forrester
Wave tool for more
detailed product
evaluations, feature
comparisons, and
customizable rankings.
CA Technologies
Oracle
IBMCourion
Dell
Micro Focus (NetIQ)
RSA
SailPoint
SAP
Market presence
Full vendor participation
Incomplete vendor participation
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 10/16
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: Identity Management And Governance, Q2 2016
May 17, 2016
© 2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378
9
The Nine Providers That Matter Most And How They Stack Up
FIGURE 4 Forrester Wave™: Identity Management And Governance, Q2 ’16 (Cont.)
C A T e c h n o l o g i e s
C o u r i o n
D e l l
M i c r o F o c u s ( N e t I Q )
R S A
CURRENT OFFERING
User account provisioning
Role management
Access request management
Access certification
Integration and APIs
Reporting and scalability Administration
Overall solution complexity
STRATEGY
IMG strategy and vision
IMG implementation complexity
IMG pricing terms and flexibility
Customer satisfaction
IMG partner ecosystem
MARKET PRESENCE
Development, sales, and technical
support staffing
IMG customer installed base
Product line revenue
Global presence (verticals
and geographies)
F o r r e s t e r ’ s
W e i g h t i n g
50%
13%
13%
13%
13%
10%
10%15%
15%
50%
30%
20%
15%
25%
10%
0%
20%
35%
30%
15%
3.35
4.00
3.00
3.00
4.00
3.00
4.004.00
2.00
2.70
3.00
2.00
4.00
2.00
3.00
3.80
4.00
3.00
4.00
5.00
2.73
3.00
2.00
3.00
3.00
3.00
3.002.00
3.00
3.00
3.00
3.00
3.00
3.00
3.00
2.30
1.00
3.00
2.00
3.00
3.58
3.00
4.00
3.00
3.00
3.00
3.005.00
4.00
4.25
4.00
4.00
5.00
4.00
5.00
3.40
5.00
3.00
2.00
5.00
3.00
3.00
4.00
3.00
2.00
2.00
4.004.00
2.00
3.05
3.00
2.00
4.00
3.00
4.00
3.85
4.00
4.00
3.00
5.00
3.93
3.00
4.00
4.00
4.00
4.00
3.005.00
4.00
4.10
5.00
3.00
4.00
4.00
4.00
3.30
3.00
3.00
4.00
3.00
S a i l P o i n t
S A P
4.68
5.00
5.00
5.00
4.00
4.00
4.005.00
5.00
4.45
5.00
3.00
4.00
5.00
5.00
4.00
3.00
5.00
4.00
3.00
2.58
2.00
4.00
3.00
2.00
2.00
4.003.00
1.00
1.85
2.00
1.00
1.00
2.00
4.00
2.95
1.00
4.00
2.00
5.00
All scores are based on a scale of 0 (weak) to 5 (strong).
Leaders
› SailPoint offers a solid and proven IMG solution. SailPoint is the one remaining IMG pure play
from the 2000s and has built an impressive and large customer install base and broad partnerecosystem to support IMG deployments across all verticals. The solution is less complex than other
solutions evaluated in this Forrester Wave. Customers reported some issues with documentation
and scalability in larger environments. The vendor’s future plans include: 1) management of access
to unstructured data resources; 2) continued user experience enhancements for mobile devices;
and 3) a stateless API integration model based on the SCIM standard.
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 11/16
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: Identity Management And Governance, Q2 2016
May 17, 2016
© 2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378
10
The Nine Providers That Matter Most And How They Stack Up
› RSA differentiates its IMG strategy with intriguing GRC integration. RSA is integrating its RSA
Via Lifecycle and Governance capabilities (acquired via Aveksa in 2013) with the RSA Archer GRC,
RSA Security Analytics, and RSA’s Advanced Authentication solutions. The solution is much less
complex than other solutions evaluated in this Forrester Wave with simple, flexible, and intuitive
user interfaces. Customers indicated concerns around the pending Dell/EMC merger’s influence
on future IMG support and strategy. The vendor’s future research and development include: 1)
continuous assurance; 2) integrated IAM portfolio with RSA’s strong and risk-based authentication;
and 3) synergy between IAM, security, and GRC.
› Dell has strong global IMG coverage. The EMEA heritage of Dell’s IMG solution (based on
the acquisition of Voelcker Informatik) has given Dell a strong and diverse global customer base
and partner ecosystem. The Dell administrative portal was intuitive and less complex than other
solutions evaluated in this Forrester Wave. Reference customers universally singled out Dell’s
support and service responsiveness. The vendor’s future plans include: 1) extending data accessgovernance to include support for cloud storage applications; 2) the addition of behavioral
analytics capabilities; and 3) the creation of native mobile apps for request and approval supporting
the major platforms (e.g., iOS, Android, Windows).
Strong Performers
› CA Technologies delivers IMG functionality as part of a broad IAM offering. CA has a very
broad IMG platform and connector coverage across on-premises and SaaS environments. The
solution is more complex than other solutions evaluated in this Forrester Wave, with multiple
nonintegrated product interfaces. In customers’ view, CA Technologies needs to do a better job
with customer support and services. CA Technologies has invested over the past 12 months,both through acquisition and in-house development, to improve and streamline the business
user experience. Forrester expects that the vendor’s future plans will include behavioral analytics,
continued user interface improvements, and specific certification campaigns and analytics for
privileged and shared accounts.
› Micro Focus (NetIQ) delivers directory-centric IMG capabilities. Micro Focus (NetIQ) has a
large IMG customer base and strong directory integration capabilities but has not added net new
customers as quickly as other vendors have. Micro Focus (NetIQ) OEMs its role management
capabilities from fellow IMG competitor SailPoint. Customer references expressed concerns
around the vendor’s slow-to-develop cloud strategy. The vendor’s future plans include: 1) business-
user-friendly user interface as a part of a larger focus on ease of use and lowering total cost of
ownership; 2) expanding the vendor ecosystem of system integrators and consultants; and 3)
expanding embedded decision support analytics focused on identity relationships and behavior.
› Courion is re-emerging in IMG with a new team, investors, and strategy. Courion has
changed dramatically in past 12 months: In addition to its management and investor changes, the
company completed three acquisitions. Courion has a strong legacy in password management
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 12/16
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: Identity Management And Governance, Q2 2016
May 17, 2016
© 2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378
11
The Nine Providers That Matter Most And How They Stack Up
and strong penetration in North American healthcare. Customers have experienced support and
service disruptions recently, but they were optimistic about the company’s strategy and road map.
The vendor’s future plans include: 1) continued enhancements in workflow and business user
experience; 2) enhanced identity analytics; and 3) mobile-based two-factor authentication.
› Oracle has a large IMG installed base and broad application support. Like other IAM suite
vendors, Oracle built its IMG stack through acquisition but has strong platform support and
directory integration. Oracle has a broad global partner ecosystem for IMG. Customers report
issues with scalability and longer-than-estimated deployment times. The vendor’s future plans
include: 1) enhanced business user interface; 2) hybrid identity cloud service; and 3) continued
deployment and life cycle automation.
Contenders
› IBM’s IMG solution is a component of a broader security strategy. IBM has a large installed
base and vendor and partner ecosystem. IBM acquired Italian company CrossIdeas in 2014 to add
to its fledgling role management capabilities. IBM Security Identity Governance and Intelligence
(IGI) combines CrossIdeas and ISIM technology and provides business identity governance
capabilities, in addition to its role management and role mining. Customers report issues with
administrative complexity and product upgrades. The vendor’s future plans include: 1) persona-
based dashboards and reporting enhancements; 2) increased analytics capabilities; and 3) insider
threat analytics with integration to Guardium and QRadar.
› SAP provides powerful capabilities for managing identities within SAP. SAP provides
comprehensive role management capabilities for managing SAP segregation of duty (SoD)
violations and a strong non-North-American customer and revenue base. Customers reported
mixed results with customer support and lengthy implementation times. The solution is much more
complex than other solutions evaluated in this Forrester Wave. The vendor’s future plans include: 1)
enhanced analytics and reporting; 2) creation of deployment packages to speed deployment; and
3) integration with mobile device management solutions.
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 13/16
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: Identity Management And Governance, Q2 2016
May 17, 2016
© 2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378
12
The Nine Providers That Matter Most And How They Stack Up
Supplemental Material
Online Resource
The online version of Figure 4 is an Excel-based vendor comparison tool that provides detailed product
evaluations and customizable rankings.
Data Sources Used In This Forrester Wave
Forrester used a combination of three data sources to assess the strengths and weaknesses of each
solution. We evaluated the vendors participating in this Forrester Wave, in part, using materials that
they provided to us by January 26, 2016:
› Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation
criteria. Once we analyzed the completed vendor surveys, we conducted vendor calls wherenecessary to gather details of vendor qualifications.
› Product demos. We asked vendors to conduct demonstrations of their products’ functionality. We
used findings from these product demos to validate details of each vendor’s product capabilities.
› Customer reference calls. To validate product and vendor qualifications, Forrester also conducted
reference calls with three of each vendor’s current customers.
Engage With An AnalystGain greater confidence in your decisions by working with Forrester thought leaders to apply our
research to your specific business and technology initiatives.
Analyst Inquiry
Ask a question related to our research; a
Forrester analyst will help you put it into
practice and take the next step. Schedule
a 30-minute phone session with the analyst
or opt for a response via email.
Learn more about inquiry, including tips for
getting the most out of your discussion.
Analyst Advisory
Put research into practice with in-depth
analysis of your specific business and
technology challenges. Engagements
include custom advisory calls, strategy
days, workshops, speeches, and webinars.
Learn about interactive advisory sessions
and how we can support your initiatives.
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 14/16
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: Identity Management And Governance, Q2 2016
May 17, 2016
© 2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378
13
The Nine Providers That Matter Most And How They Stack Up
The Forrester Wave Methodology
We conduct primary research to develop a list of vendors that meet our criteria to be evaluated in this
market. From that initial pool of vendors, we then narrow our final list. We choose these vendors basedon: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have
limited customer references and products that don’t fit the scope of our evaluation.
After examining past research, user need assessments, and vendor and expert interviews, we develop
the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria,
we gather details of product qualifications through a combination of lab evaluations, questionnaires,
demos, and/or discussions with client references. We send evaluations to the vendors for their review,
and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies.
We set default weightings to reflect our analysis of the needs of large user companies — and/or
other scenarios as outlined in the Forrester Wave evaluation — and then score the vendors basedon a clearly defined scale. We intend these default weightings to serve only as a starting point and
encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool.
The final scores generate the graphical depiction of the market based on current offering, strategy, and
market presence. Forrester intends to update vendor evaluations regularly as product capabilities and
vendor strategies evolve. For more information on the methodology that every Forrester Wave follows,
go to https://www.forrester.com/marketing/policies/forrester-wave-methodology.html.
Integrity Policy
We conduct all our research, including Forrester Wave evaluations, in accordance with our Integrity
Policy. For more information, go to https://www.forrester.com/marketing/policies/integrity-policy.html.
Endnotes1 The responsibility and the budget for identity and access management (IAM) often reside with a number of different
business and technology management teams. Historically, the easy business justification for IAM investment came from
its impact on administrative operational efficiency — for example, help desk agents spend less time resetting passwords,
and automated access recertification campaigns save managers and application owners time. To learn more, see the
“Brief: Reframe The Business Case For Identity And Access Management In Security Terms” Forrester report.
According to the Verizon 2016 Data Breach Investigations Report, 63% of confirmed data breaches in 2015 involved
weak, default, or stolen passwords. There were 10,489 total incidents classified as insider and privilege misuse,
which Verizon defines as any unapproved or malicious use of organizational resources. Source: “2016 Data BreachInvestigations Report,” Verizon (http://www.verizonenterprise.com/verizon-insights-lab/dbir/).
2 Psychological and neurological research offer critical insights into where high performance and creativity come from,
how they make an impact on customer experience and profit, and how organizations are destroying performance
without knowing it. For more information, see the “Workforce Enablement Defined: Elevate Productivity And
Engagement” Forrester report.
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 15/16
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: Identity Management And Governance, Q2 2016
May 17, 2016
© 2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378
14
The Nine Providers That Matter Most And How They Stack Up
Employees that drive your digital business require access to an increasingly wide range of apps to maximize their
productivity. When employees have to wait days to gain access to selected apps, productivity and employee satisfaction
suffers. To learn more, see the “Use Identity Management To Streamline Employee Onboarding” Forrester report.
3 In Forrester’s 17-criteria evaluation of B2E cloud identity and access management (IAM) vendors, we identified thenine most significant SaaS providers in the category — Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity,
SailPoint, and Salesforce — and researched, analyzed, and scored them. For more information, see the “The Forrester
Wave™: B2E Cloud IAM, Q2 2015” Forrester report.
7/25/2019 The Forrester WaveTM - Identity Management and Governance - Q2-2016 - RES116325
http://slidepdf.com/reader/full/the-forrester-wavetm-identity-management-and-governance-q2-2016-res116325 16/16
We work with business and technology leaders to develop
customer-obsessed strategies that drive growth.
PRODUCTS AND SERVICES
› Core research and tools
› Data and analytics
› Peer collaboration
› Analyst engagement
› Consulting
› Events
Forrester Research (Nasdaq: FORR) is one of the most influential research and advisory firms in the world. We work with
business and technology leaders to develop customer-obsessed strategies that drive growth. Through proprietary
research, data, custom consulting, exclusive executive peer groups, and events, the Forrester experience is about a
singular and powerful purpose: to challenge the thinking of our clients to help them lead change in their organizations.
For more information, visit forrester.com.
CLIENT SUPPORT
For information on hard-copy or electronic reprints, please contact Client Support at
+1 866-367-7378, +1 617-613-5730, or clientsupport@forrester.com. We offer quantity
discounts and special pricing for academic and nonprofit institutions.
Forrester’s research and insights are tailored to your role andcritical business initiatives.
ROLES WE SERVE
Marketing & StrategyProfessionals
CMO
B2B Marketing
B2C Marketing
Customer Experience
Customer Insights
eBusiness & ChannelStrategy
Technology ManagementProfessionals
CIO
Application Development& Delivery
Enterprise Architecture
Infrastructure & Operations
› Security & Risk
Sourcing & VendorManagement
Technology IndustryProfessionals
Analyst Relations
116325
Recommended