When looking at the core IAM (Identity and Access Management) market with its main product categories of Identity Provisioning and Access Governance, some customers and vendors currently raise the question of whether there is still a need to keep these product categories separate or whether a single, combined view on these is the better choice.

Looking at the vendor landscape, some vendors such as CA Technologies or Beta Systems still have two distinct offerings. Others have merged their product lines, either moving from Access Governance towards integrated Identity Provisioning, as SailPoint did, or going the other way by adding more and more Access Governance features to Identity Provisioning products. Dell is a good example of the latter. Oracle, as another example, focuses on increasingly integrating its product portfolio into one suite. Aside from that, there are various vendors that, for instance, have strong Access Governance capabilities with some Identity Provisioning, but can still integrate well with the existing Identity Provisioning solutions of other vendors. Examples of that strategy include RSA/Aveksa and CrossIdeas.

But that is only the vendor view on what is happening in the market. The more important question is: What serves the customer’s needs best? There is not a single right answer to that question.

It depends, perhaps, on where these customers are today. Customers that have already successfully deployed an Identity Provisioning solution might opt for a separate Access Governance tool for various reasons, such as reducing vendor lock-in or just because the Access Governance capabilities of their Identity Provisioning solution are not good enough. However, replacing an established Identity Provisioning tool might be too large an effort to be considered economically feasible.

I also see many organizations, including large organizations, that want to proceed step by step and feel that they should first do the Identity Provisioning basics right. On the other hand, there are many organizations that need a rapid solution for Access Governance, without all the overhead that the technical elements of Identity Provisioning might cost.

There are various other scenarios I have described in detail in a report on Access Governance architectures. My perspective and experience is that customer requirements vary. Some need only Identity Provisioning (for instance to replace existing products, having Access Governance already deployed), while others need integrated solutions or only Access Governance (for rapid deployment or to integrate with existing provisioning tools).

Aside from the different customer requirements, there are pros and cons of integrated solutions. On the positive side, customers need only one tool, and the potentially complex integration of Identity Provisioning and Access Governance is already done. On the other hand, there are scenarios where the task is to integrate with existing Identity Provisioning tools. Aside from that, solutions that try to cover everything have a tendency to become more complex, while sometimes lacking the depth of features that specialized solutions provide. Some vendors manage that well, while others are not as perfect.

Beyond that, there is another argument that speaks for keeping Access Governance and Identity Provisioning separate. While Access Governance focuses on business users and bridging the gap between business and IT, Identity Provisioning is far more a technical solution for interfacing with target systems. There might be different owners; there are definitely different user requirements.

These are just some of the reasons why we still keep these segments separate. We are currently updating our Leadership Compass on Identity Provisioning and will do so for the one on Access Governance. We are also working on a Leadership Compass on IAM Suites, looking at the overall IAM market well beyond Provisioning and Access Governance.

Importantly, in both our Identity Provisioning and our Access Governance Leadership Compass, we already evaluate the strength of Identity Provisioning products to support Access Governance requirements and vice versa. However, that is just one view that is kept separate, allowing customers to make their own decisions, depending on their requirements. Putting everything into one basket appears, from our perspective, to be inadequate for that complex market.