Leadership Compass

Access Management

This Leadership Compass provides insights to the leaders in innovation, product features, and market reach for Access Management on-premises, cloud, and hybrid platforms. Your compass for finding the right path in the market.

Richard Hill


1 Introduction

Access Management refers to the group of capabilities targeted at supporting an organizations' access management requirements traditionally found within Web Access Management & Identity Federation solutions, such as:

  • Authentication
  • Authorization
  • Single Sign-On
  • Identity Federation

These access management capabilities are well-established areas in IAM's broader scope (Identity and Access Management). They are continuing to gain attraction due to emerging requirements for integrating business partners and customers.

Web Access Management (WAM) & Identity Federation started as distinct offerings. (Web) Access Management is a rather traditional approach that puts a layer in front of web applications that takes over authentication and – usually coarse-grained – authorization management. That type of application can also provide HTTP header injection services to add authorization information to the HTTP header used by the back-end application. Also, tools are increasingly supporting APIs for authorization calls to the system. Identity Federation, on the other hand, allows splitting authentication and authorization between an IdP (Identity Provider) and a Service Provider (SP) or Relying Party (RP). The communication is based on standard protocols. Back-end systems need to be enabled for Identity Federation in one way or another, sometimes using the Web Access Management tool as the interface. Identity Federation can be used in various configurations, including federating from internal directories and authentication services to Cloud Service Providers or different organizations. However, most vendors today provide integrated solutions that support both a centralized access management based on federation protocols such as:

  • SAML v2
  • OAuth
  • OIDC

Access Management focused IDaaS vendors vary from the traditional SSO vendors. Overtime, WAM vendors progressed to address most internal web-centric use-cases with greater customization flexibility according to business-specific requirements. Further progressions included vendor solutions born in the cloud that address standardized access management requirements for SaaS and IaaS applications. However, this came with some architectural limitations in how their solutions could be more easily extended to address access management for on-prem applications. Over the last few years, these vendors have made significant changes to their product architecture to make them cloud-ready or support extended to on-premises applications.

However, support for web applications without federation support through traditional approaches such as Http header injection or credential injection must still be considered. Both methods deliver a single sign-on (SSO) experience to the users across multiple web sites and allow for centralized user management, authentication, and access control.

These technologies are enabling technologies for business requirements such as agility, compliance, innovation (for instance, by allowing new forms of collaboration in industry networks or by adding more flexibility in the R & D supply chain), and the underlying partnership & communication.

The enterprise requires access to systems, either on-premise or in the cloud, for all types of user populations
Figure 10: The enterprise requires access to systems, either on-premise or in the cloud, for all types of user populations

Although traditional on-premises Access Management solutions have focused on WAM & Identity Federation solutions in the past, KuppingerCole sees a convergence of this market with Access Management focused IDaaS solutions. Therefore, this Leadership Compass considers Access Management solutions deployed on-premises, in the cloud, or as a hybrid model. Solutions offered as a managed service are also be considered when the technology is owned by the MSP (Managed Service Provider).

1.1 Market Segment

Access Management and Identity Federation are still frequently seen as separate segments in the IT market. However, when looking at the business problems to be solved, these technologies are inseparable. The business challenge to solve is how to support the growing “Connected and Intelligent Enterprise.” Businesses require support for business processes incorporating external partners and customers. They need access to external systems and rapid onboarding of externals for controlled and compliant access to internal systems. They request access to external services such as Cloud services, as well as capabilities to use their acquired access data to drive intelligence within their systems. The required use of mobile devices is also leveraged onto organizations as the changing workforce desires to work anywhere from any device. IT has to provide an infrastructure for this increasingly connected and intelligent enterprise, both for incoming and outgoing access, both for customers and other externals such as business partners, including existing and new on-premise applications, cloud services, and mobile devices.

The increasingly connected enterprise ecosystem
Figure 11: The increasingly connected enterprise ecosystem

IDaaS Access Management (AM) offers a springboard for most organizations to start using foundational IAM elements delivered from the cloud and move the rest of the IAM functions, as they find it appropriate and at a pace that matches the organizational security maturity and cloud strategy. The IDaaS market, with its ease of adoption and cloud-native integrations, is slowly overtaking the on-premises IAM market.

The IDaaS AM market is continuing on a growth spree allowing these technology trends to speed up the adoption by aligning them to match the organization’s IAM priorities that security in which IAM leaders must take note. The IDaaS market continues to evolve with a significant push from organizations looking to adopt cloud-based delivery of security services, including IAM. With IDaaS vendors slowly bridging the gap with traditional on-premises IAM software in terms of depth of functionalities, they present a strong alternative for organizations to replace existing on-premises IAM deployments.

IDaaS is only delivered as SaaS, hosted, and managed by the IDaaS vendor itself. Vendors that use the on-premises software provided by other vendors to offer hosted and managed IAM services are not considered IDaaS vendors. Mostly combined in separate service bundles based on adoption and usage trends, most services are priced per managed identity or active users per month. Some functions such as user authentication or fraud detection can be charged on a per-transaction basis depending on the function’s delivery and consumption.

As an alternative to organizations managing the Access Management solutions themselves, some vendors provide offerings described as Managed Services, whether on-premises or Software as a Service (SaaS) offerings. Pure-play SaaS solutions are multi-tenant by design. Customers can easily onboard, usually as simple as booking online and paying with a credit card. On the other side, Managed Service offerings are run independently per tenant. The two aspects of the high relevance are the elasticity of the service and a pay-per-use license model.

Providers of CIAM solutions increasingly understand the business use-cases requirements of managing privacy policies, terms of service, and data sharing arrangements that change frequently and adapt their services accordingly. For organizations doing business across borders, it is important to offer functions that allow them to comply with data sharing and privacy regulations, such as consumer notification and consent management. There’s a varying level of support available from Access Management vendors to manage these CIAM functions.

The support for open identity standards shapes the direction and defines AM implementations' success increasingly. This also drills down to the sense that an organization's ability to support business requirements through IAM depends on the AM vendor's flexibility to support both open industry standards and protocols. Support for Open Banking presents a great validation of that observation. Most popular authentication and identity federation standards include support for LDAP, Kerberos, OpenID, OAuth, SAML and sometimes RADIUS and TACAS. Organizations with a need for dynamic authorization management might require support for XACML or UMA. User provisioning services commonly require support for SCIM and SPML. Security and IAM leaders are encouraged to understand whether the service supports these standards OOTB or require customizations using available SDKs or other programmable interfaces. This will go a long way in keeping your IAM flexible and sustainable.

Increasingly we are seeing security platform APIs becoming more readily available, exposing the platform's functionality to the customer for its use. It's driven by the need to meet emerging IT requirements that include hybrid environments that span across on-premises, the cloud, and even multi-cloud environments. APIs are provided for the different functional requirements of IAM, Federation, IDaaS & CIAM, giving the ability to select these market segment capabilities a la carte as needed. Exposing key functionality via APIs allows for workflow and orchestration capabilities across environments and better DevOps support through automation. API-driven platforms diverge from the COTS solutions offered in the past and are defined by its use cases. Some use cases are targeted at organizations that, due to the complexity of internal processes and other operational reasons, are looking to build their own C/IAM platform, automate or enhance existing IAM capabilities. Also, where traditional turn-key COTS are primarily UI-driven, API-based platforms typically require a developer-ready solution, providing API toolkits such as widgets or SDKs that facilitate rapid development.

Fraud is a major cost to businesses worldwide. As one would expect, banking, finance, payment services, and retail organizations are some of the most frequent fraudsters' objectives. However, insurance, gaming, telecommunications, health care, cryptocurrency exchanges, travel and hospitality, and real estate are increasingly targeted as cybercriminals have realized that most online services trade in monetary equivalents. Moreover, after years in the sights of cybercriminals, banking, and finance, in general, are better secured than other industries, so fraudsters attack any potentially lucrative target of opportunity. Fraud perpetrators also continually diversify their Tactics, Techniques, and Procedures (TTPs). Although Fraud Detection solutions, also referred to as Fraud Reduction Intelligence Platforms (FIPS), is often considered a different market with its separate offerings, there has been a noticeable up-tick in Access Management solutions providing some level of Fraud Detection capabilities. These capabilities range from the detection of identity fraud through Identity Proofing to the detection of unauthorized account takeover, response mechanisms, or support for user and device profiling as some examples. This Leadership Compass evaluates and reports on the level of Fraud Detection support for each vendor, giving the reader an indication of the extent of this trend in the AM market.

Besides these technical capabilities, we evaluate participating Access Management vendors on the breadth of supported capabilities, operational requirements such as support for high availability and disaster recovery, strategic focus, partner ecosystem, quality of technical support, and the strength of market understanding and product roadmap. Another area of emphasis is providing Access Management capabilities out-of-the-box, rather than delivering functionality partially through 3rd party products or services. Finally, we also assess their ability to deliver a reliable and scalable Access Management service with desired security, UX, and TCO benefits.

1.2 Delivery models

Increasingly there is a clear trend in the market to move Access Management solutions from an on-premises delivery model to a cloud delivery model. And even though vendors are helping customers to make this transition easier, there will still be valid reasons that organizations will need to maintain an on-premise presence, such as the continued use of legacy and sometimes in-house developed custom systems, among other reasons. Because of this, it is safe to assume that a hybrid delivery model will be a viable option for the foreseeable future. Therefore, this Leadership Compass will consider all delivery models.

Although all delivery models are looked at in this Leadership Compass, it is worth considering each delivery model's pros and cons against the use cases for Access Management solutions. For instance, some customers still focus on on-premise products due to specific internal organizational reasons such as security policy requirements. It is also good to be aware that public cloud solutions are generally multi-tenant in most cases, while some cloud services are single-tenant. Other approaches use container-based microservice deployments to provide consistent delivery of a vendor's solution, whether cloud-hosted or on-premises. An alternative approach offered is a managed service by a Managed Service Provider that outsources the responsibility for maintaining an organization's Access Management. Ultimately selecting the right Access Management solution delivery model will depend on the customer requirements and their use cases.

1.3 Required Capabilities

When evaluating the products, we start by looking at standard criteria such as:

  • overall functionality
  • size of the company
  • number of customers
  • number of developers
  • partner ecosystem
  • licensing models
  • platform support

Each of the features and criteria listed above will be considered in the product evaluations below. We’ve also looked at specific USPs (Unique Selling Propositions) and innovative product features that distinguish them from other market offerings.

When looking at this market segment, we evaluate solutions that support a broad range of features that span the Access Management capabilities within the portfolios of a wide range of vendors in the market. Aside from the baseline Access Management characteristics such as federation, authentication, authorization, reporting, etc., we expect to see at least some of the capabilities listed in the required qualifications below as necessary features. Furthermore, Access Management solutions must support centralized management of user access to various types of applications and services and the overall configuration of the solution itself.

Features such as mobile support, governance, integration with ITSM solutions, or analytics, and intelligent capabilities are also considered but are not mandatory for this category of products. However, delivering a very comprehensive set of capabilities will influence our ratings. In the case of fraud detection, the level of ability will be measured and reported but weighted to a lesser extent.

Expected features include, amongst others:

  • Authentication, including:
    • Flexible support for different types authenticators
    • Strong authentication (e.g. 2FA, MFA)
    • Some level of support for contextual, adaptive, or continuous authentication
    • Device Authentication (e.g. IoT)
  • Authorization Management
  • Policy Management and Security Orchestration
  • Password Management
  • Session Management (e.g. Single Sign-On, Secure Token Translation, etc.)
  • Identity Federation
    • Including broad support for federation standards and related standards
  • Support for non-federation-enabled applications
  • Some level of support for on-premises deployments
  • Integration to existing directory services
  • Support for access protocols (OAuth, OIDC etc.) and open identity standards such as FIDO, etc.
  • Support for user self service
  • Centralized management of users, authorization policies, dashboards, reporting, etc.
  • Some level of access to the solutions capabilities via APIs
  • API Security
  • Support for audit, forensics, compliance, and reporting
  • Support for Administrators and DevOps

Inclusion criteria:

  • Support for the capabilities listed above
    • Although all expected features listed will be evaluated, some features will be weighted differently than others, for example:
    • Higher weighted features include, but not limited to, authentication, authorization, session, and password management, as well as identity federation
    • Lower weighting would include features such as API security and fraud detection
  • On-premises, cloud, or hybrid solutions
  • Support for both Access Management & Identity Federation capabilities
  • IAM suites providing a comprehensive feature set for Access Management and Identity Federation

Exclusion criteria:

  • Point solutions that support only isolated capabilities such as:
    • MFA or SSO centric solutions, but little support the other expected features
  • Solutions that only support Identity Federation via federation standards such as SAML and OAuth, but no non-federation-enabled web applications, or don’t support federation standards
  • MSP solutions that are based on technology of other vendors, with the MSP not owning the IP on the technology

We’ve reached out to a large number of vendors for providing a comprehensive overview of the current state of the market. In the end, picking the right vendor will always depend on your specific requirements and your current and future IT landscape that will be managed.

Continue reading...
Read the full report and get access to KuppingerCole Research for 4 weeks.
Start Your Free Trial
Already a subscriber? Click here to login.