Leadership Compass

IDaaS Access Management

A fast-growing market, IDaaS AM is largely characterized by cloud-based delivery of access management capabilities for businesses, irrespective of the application and service delivery models. An improved time-to-value proposition drives the adoption of IDaaS for B2B, B2E and B2C access management use-cases, helping IDaaS AM to dominate new IAM purchases globally. This Leadership Compass discusses the market direction and provides a detailed evaluation of market players, offering the guidance IAM and security leaders need to make informed decisions.

Martin Kuppinger

mk@kuppingercole.com

Anmol Singh

asi@kuppingercole.com

1 Introduction

The KuppingerCole Leadership Compass provides an overview of vendors and their product or service offerings in a certain market segment. This Leadership Compass focuses on the market segment of Identity-as-a-Service (IDaaS), with an emphasis on access management technologies. IDaaS AM, as the market is termed, has seen significant growth in terms of new IAM (Identity and Access Management) purchases and has emerged as one of the fastest-growing markets of IAM, characterized by cloud-based delivery of traditional IAM services. The market, driven largely by web-centric use-cases in its early days, now offers full-fledged delivery of IAM capabilities irrespective of application delivery models. The significant growth of the IDaaS AM market can be attributed to the ever-increasing demand from organizations to achieve a better time-to-value proposition than on-premises IAM deployments and to extend IAM capabilities to meet the security requirements of a growing SaaS portfolio.

1.1 Market Segment

IDaaS is a growing market segment of IAM characterized by cloud-based delivery of traditional IAM services. The IDaaS market has registered significant growth over the last few years, primarily driven by the need for organizations to:

  • Achieve a better time-to-value proposition than on-premises IAM deployments
  • Extend IAM capabilities to meet the security requirements of a growing SaaS portfolio
  • Adopt global IAM standards and practices with access to industry expertise
  • Reduce internal IAM costs and efforts to keep up with the market trends
  • Limit internal IAM failures in project delivery and ongoing operations

KuppingerCole estimates the global IDaaS market to continue growing at a CAGR of 24% in 2019. The IDaaS market size estimated at the end of the year 2018 was approximately $1.06 billion.

IDaaS vendors have originated from distinct backgrounds, and therefore their abilities to support the primary IDaaS use-cases vary significantly. These backgrounds include:

  1. Access Management vendors that offered the broader IAM capabilities required for large IAM implementations but could not easily extend these functions to support rapidly emerging cloud and consumer access use-cases.
  2. IGA (Identity Governance and Administration) vendors that traditionally offered support for identity administration and access governance on-premises but could neither extend these capabilities to applications in the cloud nor support access management beyond basic authentication and authorization.
  3. Traditional SSO vendors that have evolved over time to support web and cloud access use-cases but are deficient in the common Identity Governance and Administration (IGA) functions required by most organizations for a basic IAM implementation.

The IDaaS market consolidates access management functions with a few IGA and Access Governance capabilities thrown in, all delivered and managed as a service. Today, all IDaaS vendors predominantly deliver a cloud-based service, either multitenant or hosted on dedicated instances, to serve the common IAM requirements of an organization’s hybrid IT environment. The common IAM capabilities served by most IDaaS vendors can be grouped largely into three categories:

Figure 9: IDaaS Capability Matrix

Identity Administration: This represents the group of capabilities required by organizations to administer identity lifecycle events, including provisioning/de-provisioning of user accounts, maintaining the identity repository, managing access entitlements and synchronizing user attributes across the heterogeneous IT environment. A self-service user interface allows for requesting access, profile management, password reset, and synchronization. Configurable cloud-native connectors offer automated user provisioning to both on-premises and SaaS applications. Other common identity administration capabilities include an administrative web interface, a batch import interface, delegated administration, and SPML and SCIM support.

Access Management: This refers to the group of capabilities targeted at supporting the access management requirements of organizations, ranging from authentication, authorization and single sign-on to identity federation for both on-premises and SaaS applications, delivered as a cloud service. The underlying support for industry standards such as SAML, OAuth and OpenID Connect can vary but is largely present in most IDaaS offerings. API security and web access management gateways are fast becoming a differentiator for IDaaS vendors looking to offer competitive access management capabilities, and so is social identity integration, which now represents a basic qualifier for consumer access use-cases.

Access Governance: Access governance represents the group of capabilities that are least mature and largely absent from the portfolios of most IDaaS vendors, partly due to architectural limitations and partly due to ownership issues. While many organizations still prefer to keep access governance on-premises for better control and auditing, several others are moving it to the cloud for ease of integration and better time to value as their SaaS portfolio continues to grow. IDaaS vendors may have serious limitations in how they support integration with legacy on-prem systems for common access governance capabilities such as auditing and reporting. It is therefore important for IAM leaders to assess their access governance requirements, aligned with their IAM vision, before starting to evaluate IDaaS vendors for their access governance capabilities.

Generally speaking, supporting hybrid IT environments is amongst the main challenges for IDaaS, across all areas. Connecting back to legacy web applications, and identity provisioning for them, is more challenging than with most on-premise solutions. This needs to be kept in mind and carefully considered when choosing an IAM solution. The strengths and weaknesses of IDaaS solutions in connecting back to on-premise environments are an important factor throughout our evaluation in this Leadership Compass.

As the IDaaS market continues to evolve, its adoption is inhibited by several factors, including concerns about data residency, dependency on the provider’s internal security controls, and the ability to address scenarios that require extensive customization to handle an organization’s internal process complexity, which could be better solved with on-premises IGA or access governance product deployments.

In the later parts of this document, we also discuss the evaluation criteria that help IAM leaders decide whether they should move to an IDaaS platform for their IAM requirements, or whether a conventional on-prem IAM deployment suffices for their IAM requirements in the short to mid term.

Depending on the key focus, architectural type and product origin, which affect their overall ability to support IDaaS functions, most IDaaS vendors can be classified in two major categories - either as Access Management or IGA focussed IDaaS vendors:

1. IDaaS Access Management (IDaaS AM)

There are primarily two types of AM-focussed IDaaS vendors:

The first type is the traditional SSO vendors that progressed over time into WAM vendors, mostly addressing web-centric use-cases along with identity federation, but originally lacking the ability to address IAM requirements for cloud-based infrastructure and applications. Over the last few years, these vendors have made significant changes to their product architecture to make it cloud-ready; however, certain limitations remain in addressing cloud AM requirements.

The second category of IDaaS AM vendors are vendors born in the cloud, primarily to manage the access management requirements of SaaS and IaaS applications, but with architectural limitations in how easily they can be extended to address access management for on-prem applications.

2. IDaaS Identity Governance and Administration (IDaaS IGA)

The IGA-focussed IDaaS vendors are the ones that have traditionally been offering identity administration capabilities, including identity provisioning, lifecycle management and access governance across on-premises IT applications and systems. The key focus of these vendors on managing user identities in an increasingly complex IT environment, combined with the demand and adoption trends for identity-centric solutions in the market, has led them to focus less and less on building access management capabilities. The move to the cloud, however, required them to support basic access management functions, in addition to being able to deliver all IGA capabilities, to compete with the new IDaaS entrants. The depth of IGA functions delivered by these vendors in a cloud-based delivery model to support a hybrid IT environment remains questionable, due not only to technological limitations but also to the consumption archetypes of on-premises IT applications and systems.

The IDaaS market continues to evolve with a significant push from organizations looking to adopt cloud-based delivery of security services, including IAM. With IDaaS vendors slowly bridging the gap with traditional on-premises IAM software in terms of depth of functionality, particularly IGA, they present a strong alternative for organizations looking to replace existing on-premises IAM deployments.

Besides replacing traditional on-premises deployments for workforce IAM, IDaaS has evolved into a strong enabler of CIAM, offering the required availability and scalability. With IDaaS now dominating new IAM purchases for most use-cases across industry verticals, traditional IAM vendors are gearing up to deliver more cohesive IDaaS capabilities as part of their security services, including tighter integrations with Cloud Access Security Broker (CASB), Enterprise Mobility Management (EMM) and User Behavior Analytics (UBA) solutions.

IDaaS is only delivered as SaaS, hosted and managed by the IDaaS vendor itself. Vendors that use on-premises software provided by other vendors to offer hosted and managed IAM services are not considered IDaaS vendors. Most services, typically combined into separate service bundles based on adoption and usage trends, are priced per managed identity or per active user per month. Some functions, such as user authentication or fraud detection, can be charged on a per-transaction basis depending on how the function is delivered and consumed.

The use cases for IDaaS technology adoption and their primary characteristics as observed by the industry are listed below:

  • Web Access Management - Many organizations need to deliver basic authentication and authorization for the variety of internal web applications they have across their IT environment. IDaaS offers the basic authentication and session management capabilities, including single sign-on, coarse-grained authorization and identity federation, required by these organizations to meet the most common web access management demands.
  • Hybrid Access Management - Many organizations today have an urgent need to extend internal access management policies to the range of SaaS and IaaS platforms being integrated into their IT application portfolio. IDaaS can provide a seamless extension of on-premises IAM capabilities to applications and infrastructure in the cloud in an effective and secure manner. There are, however, limitations in how well they can support internal legacy IT systems compared with SaaS applications.
  • Workforce IAM - With most traditional IAM deployments suffering from internal inefficiencies, staffing, and budgeting concerns, IDaaS promises a flexible approach for organizations looking to on-board a workforce IAM program to deliver better time to value and agility. While IDaaS commonly offers capabilities across identity administration, access management and access governance, more advanced features such as access certification, role lifecycle management, SOD controls management etc. may be inadequately supported or entirely absent.
  • Consumer IAM - The IDaaS delivery model, with its significant business value in terms of better flexibility and time to value, has become a strong enabler of CIAM, offering the required scalability and availability. Most IDaaS vendors are aggressively building or acquiring capabilities to better support CIAM use-cases; for example, Okta acquired Stormpath and Ping Identity acquired UnboundID to strengthen their CIAM features. Most IDaaS vendors today support the capabilities organizations require for CIAM programs, including social identity integration, progressive customer profiling, fraud and risk intelligence as well as identity analytics.

There may be more use cases driven by organization- and business-specific access management requirements; however, most will fit well into one of these categories.

1.2 Market Direction

IDaaS AM offers a springboard for most organizations to start using foundational IAM elements delivered from the cloud and to move the rest of the IAM functions as they find appropriate, at a pace that matches the organization’s security maturity and cloud strategy. The IDaaS market, with its ease of adoption and cloud-native integrations, is slowly overtaking the on-premises IAM market.

With the IDaaS AM market continuing its rapid growth, the following technology trends are speeding up adoption by aligning IDaaS more closely with organizations’ IAM priorities; security and IAM leaders should take note of them.

The IDaaS market has evolved over the past few years and is still growing, both in size and in the number of vendors. However, under the umbrella term of IDaaS, we find a variety of offerings. IDaaS, in general, provides Identity & Access Management and Access Governance capabilities as a service, ranging from Single Sign-On to full Identity Provisioning and Access Governance for both on-premise and cloud solutions. These solutions also vary in their support for different groups of users - such as employees, business partners, and customers - their support for mobile users, and their integration capabilities back to on-premise environments.

Several vendors provide offerings that can be better described as Managed Services than as Software as a Service (SaaS) offerings. Pure-play SaaS solutions are multi-tenant by design. Customers can easily onboard, usually as simply as booking online and paying with a credit card. On the other hand, Managed Service offerings are run independently per tenant. The criteria for considering solutions for this Leadership Compass are based on the customer perspective: from that perspective, two aspects are of the highest relevance: elasticity of the service and a pay-per-use license model. If these criteria are met, we include offerings in our evaluation.

We have observed some traction in extending IDaaS AM solutions to cater to light-weight API security requirements that overlap with API gateways but are faster and easier to implement, and that provide central management of API-based IAM functions such as API authentication. Many IDaaS AM vendors embed the basic access management features required for API management, such as API authentication and authorization. Additional API security features such as API traffic analysis, throttling, schema validation and secure token services are also becoming part of IDaaS offerings, to support and promote the adoption of microservices-based IAM architectures.

We also see that IDaaS AM requirements are increasingly coupled with requirements for providing better enterprise mobility, such as digital workplace and BYOD initiatives, as well as growing requirements to manage user and administrative access across SaaS applications. Most IDaaS AM solutions have a considerable overlap with Enterprise Mobility Management and Cloud Access Security Broker solutions, especially for basic EMM and CASB functionality such as authentication and authorization for enterprise mobile apps and access brokering for the organization’s portfolio of SaaS and IaaS applications. It is therefore important that security and IAM leaders understand the organization’s mobility and cloud access brokering requirements and whether they can be met by the generic features offered by IDaaS vendors. Alternatively, they should evaluate whether the IDaaS AM vendor supports integration with third-party EMM and CASB products to cover the necessary enterprise mobility and cloud access brokering requirements, and the depth of the integration offered.

As IDaaS adoption increases for CIAM use-cases, the business requirement to support social identity integration for user registration and login processes has now become common functionality. Understand which social identity providers are most relevant for your business use-cases and what level of social identity integration is required: vendors offer OOB integration with multiple social identity providers (Facebook, Google, LinkedIn, Twitter etc.), but the underlying capabilities to extend social identity integration to other access management features, such as higher-risk access decisions, profile and preference management, and single sign-on across consumer applications, may vary.

IDaaS providers serving CIAM use-cases increasingly understand the business requirements of managing privacy policies, terms of service and data sharing arrangements that change frequently, and adapt their services accordingly. For organizations doing business across borders, it is important to offer functions that allow them to comply with data sharing and privacy regulation, such as consumer notification and consent management. The level of support available from IDaaS AM vendors to manage these CIAM functions varies.

Lastly, support for open identity standards is increasingly seen to shape the direction and define the success of IDaaS implementations. This comes down to the fact that an organization’s ability to support business requirements through IAM depends on the flexibility of the IDaaS AM vendor in supporting open industry standards and protocols. Support for Open Banking is a strong validation of that observation. The most popular authentication and identity federation standards include LDAP, Kerberos, OpenID, OAuth, SAML and sometimes RADIUS and TACACS. Organizations with a need for dynamic authorization management might require support for XACML or UMA. User provisioning services commonly require support for SCIM and SPML. Security and IAM leaders are encouraged to understand whether the service supports these standards OOTB or requires customization using available SDKs or other programmable interfaces. This will go a long way in keeping your IAM flexible and sustainable.

For the market segment of IDaaS AM, on a high level, we expect the vendors to support the following set of features and capabilities:

  • A cloud-based directory that provides a mechanism to manage the identities, identity attributes, access entitlements and other identity-related information scattered across the IT environment. Some niche IDaaS vendors offer virtualized directory services to manage information and attributes scattered across disparate identity repositories both on-premises and in the cloud. These built-in directory services for managing users must be scalable, enabling organizations to deal efficiently not only with their employees but also with massive numbers of consumers. They should support a highly flexible schema (data structure) that allows managing different types of users and their respective attributes, as well as the relationships between various objects within the directory. Relying only on existing on-premise directory services limits the flexibility and scalability of supported IAM functions, including authentication and authorization for on-prem as well as cloud applications.
  • Directory sync that provides the mechanism to synchronize changes made to identity information and other attributes across applications, systems and other directories in near real-time, to maintain a consistent operational environment. Serving as an identity bridge, many traditional IAM providers rely on a directory sync mechanism to push identity information, including changes to access entitlements and password changes, to SaaS applications. For example, if a user is deleted from the on-premises enterprise directory, it will be deleted from all SaaS applications as well.
  • Availability of the required options/form-factors to authenticate users accessing IT resources in a hybrid setting. Most organizations have a requirement to implement MFA or contextual support for authentication. IDaaS AM vendors have varied capabilities in supporting the range of authentication form-factors, such as traditional passwords, PKI tokens (smartcards and others), OTP (soft and hard), out-of-band (OOB) and biometric methods. Support for contextual attributes also varies significantly amongst IDaaS vendors. We also expect to see significant support for industry standards such as FIDO 2.0.
  • Basic authorization capabilities, including coarse-grained authorization based on user groups, associated roles and other access entitlements to control access to resources mostly referenced through URLs. Fine-grained authorization offers better access control over a wider range of target resources, such as files and databases, through a more complex combination of rules, access policies and contextual data.
  • Identity federation, which refers to the access management features offered by vendors for session management in a federated environment, such as single sign-on, timeout and log-out across federated applications and domains. Assess IDaaS vendors for ease of federation support (SAML, WS-Fed etc.) and for the ability to act as multiple federation actors, such as service provider, identity provider or broker.
  • Session management, which refers to the capabilities vendors support to offer control over the user’s application session, providing access management capabilities such as single sign-on and global or application-specific session timeouts and logouts. Session management capabilities from IDaaS vendors differ significantly across domains and in federated environments.
  • Portal/self-service UI that serves as the intranet portal or landing page listing the applications and services users are entitled to. A self-service user interface lets users access their profile, manage preferences and request access to IT assets and applications from the available catalogue. The interface also allows for password resets and user account recovery in case of forgotten passwords. Security leaders are advised to evaluate the intuitiveness of these self-service functions to ensure the desired UX.
  • Administrative web interface or console and other services available to manage user accounts and associated data. The interface is used to set up operational accounts, define access and workflow policies, and configure IAM services. It is important for security leaders to assess the usability of the administration UI across the IDaaS data centres and instances.
  • Access governance to provide the necessary (mostly self-service) tools for the business to manage workflows and access entitlements, run reports, and perform access certification campaigns and SOD checks. An additional layer of intelligence over access governance offers business-related insights to support effective decision making and potentially enhance access governance. Additionally, data analytics and machine learning techniques enable pattern recognition that delivers valuable intelligence for process optimization, role design, automated reviews and anomaly detection. Access governance still remains largely unaddressed by most IDaaS vendors today.
  • Support for hybrid infrastructures. In contrast to traditional web access management (WAM) solutions, and to solutions targeted only at cloud services, IDaaS AM must serve the hybrid environments that are the norm for organizations. Features supporting the management of on-premise applications, from SSO to provisioning, or tight integration with on-premise tools, are thus expected.
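The directory-sync item above describes the identity-bridge pattern in one sentence: the on-premises directory is the source of truth, and a deletion there must propagate to every SaaS application. The following Python program is an added example written for this page (not code from KuppingerCole or any vendor evaluated in the report) that makes the reconciliation logic concrete. It models two SaaS tenants as in-memory user stores with group-based entitlement; a real bridge would issue SCIM requests where this code mutates a dict. One deliberate design choice of the example, not a statement of the report: leavers are deactivated rather than hard-deleted, so account ownership and audit history survive. The names SaaSTenant, reconcile and run_scenario, and the users and groups in the walkthrough, are constructed for illustration.

```python
"""
Constructed example of an identity bridge performing directory-sync passes.

The on-premises directory is the source of truth; each SaaSTenant is an
in-memory stand-in for a SCIM-provisioned application (a real bridge would
send SCIM POST/PATCH requests instead of editing a dict). All names and
sample data are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class DirectoryUser:
    """One record in the on-premises enterprise directory (constructed)."""
    user_id: str
    email: str
    groups: FrozenSet[str]
    active: bool = True


class SaaSTenant:
    """In-memory SaaS application user store. Entitlement is group-based:
    a user holds an account only while a member of one of `entitled_groups`."""

    def __init__(self, name: str, entitled_groups: Iterable[str]) -> None:
        self.name = name
        self.entitled_groups = set(entitled_groups)
        self.accounts: Dict[str, dict] = {}   # user_id -> {"email", "active"}
        self.audit: List[str] = []            # what the bridge pushed, in order

    def create(self, user: DirectoryUser) -> None:
        self.accounts[user.user_id] = {"email": user.email, "active": True}
        self.audit.append(f"{self.name}: CREATE {user.user_id}")

    def update(self, user: DirectoryUser) -> None:
        # Also covers re-activation of a previously deactivated account.
        self.accounts[user.user_id] = {"email": user.email, "active": True}
        self.audit.append(f"{self.name}: UPDATE {user.user_id}")

    def deactivate(self, user_id: str) -> None:
        # Deactivate instead of delete: ownership and audit history stay intact.
        self.accounts[user_id]["active"] = False
        self.audit.append(f"{self.name}: DEACTIVATE {user_id}")


def reconcile(directory: Dict[str, DirectoryUser], tenants: Iterable[SaaSTenant]) -> None:
    """One sync pass: make every tenant reflect the directory.

    Desired state per tenant = active directory users holding an entitled group.
    Anything present in the tenant but not desired (user deleted, disabled, or
    dropped from the group) is deactivated, so a deletion in the directory
    reaches every application in the same pass.
    """
    for tenant in tenants:
        desired = {
            u.user_id: u
            for u in directory.values()
            if u.active and (u.groups & tenant.entitled_groups)
        }
        for uid, user in desired.items():
            want = {"email": user.email, "active": True}
            if uid not in tenant.accounts:
                tenant.create(user)
            elif tenant.accounts[uid] != want:
                tenant.update(user)
        for uid, account in tenant.accounts.items():
            if uid not in desired and account["active"]:
                tenant.deactivate(uid)


def run_scenario() -> Dict[str, dict]:
    """Constructed joiner / mover / leaver walkthrough across two tenants."""
    crm = SaaSTenant("crm", {"sales"})
    hr = SaaSTenant("hr-suite", {"all-staff"})
    tenants = [crm, hr]

    directory = {
        "u100": DirectoryUser("u100", "alice@example.test", frozenset({"all-staff", "sales"})),
        "u200": DirectoryUser("u200", "bob@example.test", frozenset({"all-staff"})),
    }
    reconcile(directory, tenants)                       # joiners

    directory["u200"] = DirectoryUser("u200", "bob@example.test",
                                      frozenset({"all-staff", "sales"}))
    reconcile(directory, tenants)                       # mover: Bob gains CRM access

    del directory["u100"]                               # leaver: Alice removed on-prem
    reconcile(directory, tenants)                       # ... and loses every SaaS account

    return {t.name: {"accounts": dict(t.accounts), "audit": list(t.audit)} for t in tenants}


if __name__ == "__main__":
    for name, state in run_scenario().items():
        print(name, state)
```

Running the scenario shows the property the bullet asks for: after Alice is removed from the directory, a single reconcile pass deactivates her in both tenants, while Bob's group change in the same directory creates his CRM account without touching his HR account. The same comparison of desired versus actual state also re-activates a returning user through an UPDATE rather than a fresh CREATE, which is what keeps the per-tenant audit trail continuous.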

Besides these technical capabilities, we evaluate participating IDaaS AM vendors on the breadth of supported IDaaS capabilities, operational requirements such as support for high availability and disaster recovery, strategic focus, partner ecosystem, quality of technical support and the strength of market understanding and product roadmap. Finally, we also assess their ability to deliver a reliable and scalable IDaaS AM service with desired security, UX and TCO benefits.
