Identity as a Service (IDaaS) - IGA
An emerging market, IDaaS IGA, is characterized mainly by cloud-based delivery of Identity Provisioning and Access Governance capabilities for business, irrespective of the application and service delivery models. An improved time-to-value proposition prioritizes the adoption of IDaaS for traditional IGA use cases, helping IDaaS IGA become the preferred choice of customers for IAM purchases globally. This Leadership Compass discusses the market direction and provides a detailed evaluation of market players to offer the guidance IAM and security leaders need to make informed decisions.
1 Introduction / Executive Summary
The KuppingerCole Leadership Compass provides an overview of vendors and their product or service offerings in a certain market segment. This Leadership Compass covers the market segment of Identity-as-a-Service (IDaaS) with a focus on IGA (Identity Governance and Administration, i.e., Identity Provisioning and Access Governance) technologies. IDaaS IGA, as the market is termed, has seen significant growth in terms of new IAM (Identity and Access Management) purchases and is emerging as one of the fastest-growing markets of IAM, characterized by cloud-based delivery of traditional IAM services.
The overall IDaaS market, driven largely by web-centric use-cases in its early days, now offers full-fledged delivery of IAM capabilities irrespective of application delivery models. The significant growth of the IDaaS market can be attributed to the ever-increasing demand of organizations to achieve a better time-to-value proposition over on-premises IAM deployments and to extend IAM capabilities to meet the security requirements of a growing SaaS portfolio.
- This Leadership Compass evaluates over 40% more IDaaS IGA product vendors than in previous years.
- The IDaaS IGA market is growing, and although maturing it continues to evolve.
- IGA is essential to business as a strategic approach to ensure overall IT security and regulatory compliance.
- The level of identity and access intelligence has become a key differentiator between IGA product solutions.
- Automation is a key trend in IGA to reduce management workload by automating tasks and providing process workflows.
- Leading IGA vendors are increasingly focusing on supporting interoperability with other products and services through the provision of secure APIs.
- The Overall Leaders are (in alphabetical order) EmpowerID, IBM, Microsoft, One Identity, SailPoint, Saviynt, Simeio.
- The Product Leaders (in alphabetical order) are EmpowerID, IBM, Ilantus, Microsoft, One Identity, SailPoint, Saviynt, Simeio.
- The Innovation Leaders (in alphabetical order) are Accenture, Avatier, EmpowerID, IBM, Microsoft, SailPoint, Saviynt, Simeio.
- Leading vendors in innovation and market (a.k.a. the "Big Ones") in the IGA market are (in alphabetical order) IBM, Microsoft, SailPoint, Saviynt, Simeio.
1.2 Market Segment
IDaaS is a growing market segment of IAM characterized by delivery of traditional IAM services in an as-a-service model, with immediate or at least very rapid deployment and standardized capabilities, in contrast to individual implementations per customer. The market, driven largely by cloud-centric use-cases in its early days, now offers full-fledged delivery of IAM capabilities irrespective of application delivery models. The IDaaS market's significant growth is primarily driven by the need of organizations to:
- Achieve better time-to-value proposition over on-premises IAM deployments
- Extend IAM capabilities to meet the security requirements of a growing SaaS portfolio
- Adopt global IAM standards and practices with access to industry expertise
- Reduce internal IAM costs and efforts to keep up with the market trends
- Limit internal IAM failures in project delivery and ongoing operations
IDaaS vendors have originated from different markets, and therefore their abilities to support IDaaS use-cases vary. IDaaS vendor backgrounds include:
- Access Management vendors that offered the broader IAM capabilities required for large IAM implementations and extended these functions to support emerging cloud and consumer access use-cases.
- IGA (Identity Governance and Administration) vendors that traditionally offered support for identity lifecycle management and access governance on-premises but could not extend these capabilities to applications in the cloud, or support access management beyond basic authentication and authorization.
- Traditional SSO (Single Sign-On) vendors that evolved to support web and cloud access use-cases but were deficient on common Identity Governance and Administration (IGA) functions required by most organizations for basic IAM implementation.
The IDaaS market combines Access Management functions with IGA and Access Governance capabilities, all delivered and managed as a service. Today, all IDaaS vendors predominantly deliver a cloud-based service, either multi-tenant or dedicated-hosted, to serve the common IAM requirements of an organization's hybrid IT environment. The common IAM capabilities served by most IDaaS vendors can be grouped largely into three categories:
Identity Administration: This represents the group of capabilities required by organizations to administer identity lifecycle events, including provisioning/de-provisioning of user accounts, maintaining the identity repository, managing access entitlements and synchronizing user attributes across a heterogeneous IT environment. A self-service user interface allows for requesting access, profile management, password reset, and synchronization. Configurable connectors, either cloud-native or based on gateways back to on-premises environments, offer automated user provisioning to both on-premises and SaaS applications. Other common identity administration capabilities include an administrative web interface, a batch import interface, delegated administration, and SPML and SCIM support.
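The provisioning and attribute-synchronization capabilities described above can be made concrete with a small worked example. The following Python is an added illustration, not code from the report or from any vendor evaluated in it: it maps a constructed HR feed (assumed field names such as `emp_id`, `end_date`) to SCIM 2.0 User resources using the standard core and enterprise-extension schema URNs, treats leavers as `active: false` rather than deleting the account, and computes the attribute-level delta that a synchronization run would push to a target system.

```python
import json
from datetime import date

# Standard SCIM 2.0 schema identifiers (RFC 7643).
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed sample HR records (not real data): one active employee, one leaver.
# Field names are assumptions about an HR export, not any product's format.
HR_FEED = [
    {"emp_id": "10042", "first": "Ada", "last": "Example", "mail": "Ada.Example@example.invalid",
     "dept": "Finance", "manager_id": "10001", "status": "active", "end_date": None},
    {"emp_id": "10077", "first": "Bob", "last": "Sample", "mail": "bob.sample@example.invalid",
     "dept": "Finance", "manager_id": "10001", "status": "terminated", "end_date": "2024-01-31"},
]
AS_OF = date(2024, 3, 1)  # constructed "today" for the run


def hr_to_scim_user(rec: dict, today: date) -> dict:
    """Map one HR record to a SCIM 2.0 User resource.

    Leavers are mapped to active=False instead of being deleted, so the target keeps the
    account for audit until the de-provisioning policy removes it.
    """
    if not rec.get("mail"):
        raise ValueError(f"HR record {rec.get('emp_id')} has no e-mail; cannot derive userName")
    ended = rec["end_date"] is not None and date.fromisoformat(rec["end_date"]) <= today
    active = rec["status"] == "active" and not ended
    mail = rec["mail"].lower()  # normalise so renames in letter case do not churn the target
    return {
        "schemas": [SCIM_USER, SCIM_ENTERPRISE],
        "externalId": rec["emp_id"],
        "userName": mail,
        "name": {"givenName": rec["first"], "familyName": rec["last"]},
        "emails": [{"value": mail, "primary": True}],
        "active": active,
        SCIM_ENTERPRISE: {
            "employeeNumber": rec["emp_id"],
            "department": rec["dept"],
            "manager": {"value": rec["manager_id"]},
        },
    }


def flatten(obj, prefix=""):
    """Flatten nested dicts to dotted keys; lists are compared as canonical JSON."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        out[prefix[:-1]] = json.dumps(obj, sort_keys=True)
    else:
        out[prefix[:-1]] = obj
    return out


def sync_delta(current: dict, desired: dict) -> dict:
    """Attributes whose value on the target differs from the HR-derived state.

    This is what an attribute-synchronization run would carry in a PATCH; an empty
    result means the target account is already in sync with the source of truth.
    """
    cur, des = flatten(current), flatten(desired)
    return {k: v for k, v in des.items() if cur.get(k) != v}


def provision_feed(feed, today):
    """Build the desired SCIM state for every record in the HR feed, keyed by employee id."""
    return {rec["emp_id"]: hr_to_scim_user(rec, today) for rec in feed}


if __name__ == "__main__":
    for emp_id, user in provision_feed(HR_FEED, AS_OF).items():
        print(emp_id, user["userName"], "active" if user["active"] else "DISABLED")
```

The delta function is the part worth copying: a connector that pushes the full resource on every run hides drift, whereas pushing only the differing attributes makes unexpected changes on the target visible in the synchronization log.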
Access Management: This refers to the group of capabilities targeted at supporting the access management requirements of organizations, ranging from authentication, authorization, single sign-on and identity federation for both on-premises and SaaS applications, delivered as a cloud service. The underlying support for industry standards such as SAML, OAuth and OpenID Connect varies but is largely present in most IDaaS offerings. API security and web access management gateways are fast becoming a differentiator for IDaaS vendors looking to offer competitive access management capabilities, and so is social identity integration, which now represents a basic qualifier for consumer access use-cases.
Access Governance: Access governance represents the group of capabilities that is least mature and still frequently absent from the portfolio of IDaaS vendors, partly due to architectural limitations and partly due to ownership issues. While many organizations still prefer to keep access governance on-premises for better control and auditing purposes, several others are moving it to the cloud for ease of integration and better time to value as their SaaS portfolio continues to grow. IDaaS vendors may have serious limitations in how they can support integration with legacy on-premises systems for common access governance capabilities such as auditing and reporting, so it is important for IAM leaders to assess their access governance requirements against their IAM vision before they start evaluating IDaaS vendors for their access governance capabilities.
Generally speaking, supporting hybrid IT environments is among the main challenges for IDaaS across all areas. Connecting back to legacy web applications is more challenging than with most on-premises solutions, and the same holds for Identity Provisioning. This needs to be kept in mind and carefully considered when choosing an IAM solution. The strengths and weaknesses of IDaaS solutions in connecting back to on-premises environments are an important factor throughout our evaluation in this Leadership Compass.
As the IDaaS market continues to evolve, its adoption is inhibited by several factors, including concerns about data residency, dependency on the provider's internal security controls, and the ability to address scenarios that require extensive customization to accommodate an organization's internal process complexity, where organizations believe these could be better solved with on-premises IGA or access governance product deployments. However, we observe a clear trend toward shifting more complex use cases, such as access governance, to IDaaS as well.
In the later parts of this document, we also discuss the evaluation criteria that help IAM leaders decide whether they should move to an IDaaS platform for their IAM requirements or whether a conventional on-premises IAM deployment will suffice in the short to mid term.
Depending on their key focus, architectural type and product origin, which affect their overall ability to support IDaaS functions, most IDaaS vendors can be classified in two major categories, either as Access Management focused or as IGA focused IDaaS vendors:
- IDaaS Access Management (IDaaS AM)
There are primarily two types of AM-focused IDaaS vendors:
The first type is the traditional SSO vendors that progressed over time into WAM vendors, mostly addressing web-centric use-cases along with identity federation, but originally lacked the ability to address IAM requirements for cloud-based infrastructure and applications. Over the last few years, these vendors have made significant changes to their product architecture to make it cloud-ready; however, certain limitations remain in addressing cloud AM requirements.
The second category of IDaaS AM vendors are those born in the cloud to primarily manage the access management requirements of SaaS and IaaS applications, but which have architectural limitations in how easily these could be extended to address access management for on-premises applications.
- IDaaS Identity Governance and Administration (IDaaS IGA)
The IGA-focused IDaaS vendors are the ones that have traditionally offered identity administration capabilities, including identity provisioning, lifecycle management and access governance, across on-premises IT applications and systems. Their key focus on managing user identities in an increasingly complex IT environment, combined with the demand and adoption trends of identity-centric solutions in the market, has led these vendors to focus less and less on building access management capabilities. The move to the cloud, however, required them to support basic access management functions in addition to delivering all IGA capabilities, in order to compete with the new IDaaS entrants. The depth of IGA functions delivered by these vendors in a cloud-based delivery model to support a hybrid IT environment remains questionable, not only due to technological limitations but also due to the consumption archetypes of on-premises IT applications and systems.
The IDaaS market continues to evolve with a significant push from organizations looking to adopt cloud-based delivery of security services, including IAM. With IDaaS vendors slowly closing the gap with traditional on-premises IAM software in terms of depth of functionality, particularly IGA, they present a strong alternative for organizations to replace existing on-premises IAM deployments.
Besides replacing traditional on-premises deployments for workforce IAM, IDaaS has evolved as a strong enabler of CIAM offering the required availability and scalability. With IDaaS starting to dominate new IAM purchases for most use-cases across the industry verticals, traditional IAM vendors are gearing up to deliver more cohesive IDaaS capabilities as part of their security services, including tighter integrations with Cloud Access Security Broker (CASB), Enterprise Mobility Management (EMM) and User Behavior Analytics (UBA).
IDaaS is delivered only as SaaS, hosted and managed by the IDaaS vendor itself. Vendors that use on-premises software provided by other vendors to offer hosted and managed IAM services are not considered IDaaS vendors. Mostly combined into separate service bundles based on adoption and usage trends, most services are priced per managed identity or per active user per month. Some functions, such as user authentication or fraud detection, can be charged on a per-transaction basis, depending on how the function is delivered and consumed.
The use cases for IDaaS technology adoption and their primary characteristics as observed by the industry are listed below:
- Web Access Management - Many organizations have the need to deliver basic authentication and authorization for the variety of internal web applications they have across their IT environment. IDaaS offers basic authentication and session management capabilities including single sign-on, coarse-grained authorization and identity federation required by these organizations to meet the most common web access management demands.
- Hybrid Access Management - Many organizations today have an urgent need to extend internal access management policies to the range of SaaS and IaaS platforms being integrated into their IT application portfolio. IDaaS can provide a seamless extension of on-premises IAM capabilities to the applications and infrastructure in the cloud in an effective and secure manner. There are, however, limitations in how they can support internal legacy IT systems versus SaaS applications.
- Workforce IAM - With most traditional IAM deployments suffering from internal inefficiencies, staffing, and budgeting concerns, IDaaS promises a flexible approach for organizations looking to onboard a workforce IAM program to deliver better time to value and agility. While IDaaS commonly offers capabilities across identity administration, access management and access governance, more advanced features such as access certification, role lifecycle management, SoD controls management, etc., may be inadequately supported or entirely absent.
- Consumer IAM - The IDaaS delivery model, with its significant business value in terms of better flexibility and time to value, has become a strong enabler of CIAM, offering the required scalability and availability. Most IDaaS vendors are aggressively building or acquiring capabilities to better support CIAM use-cases; for example, Okta acquired Stormpath and Ping Identity acquired UnboundID to strengthen their CIAM features. Most IDaaS vendors today support the capabilities required by organizations to run CIAM programs, including social identity integration, progressive customer profiling, fraud and risk intelligence, as well as identity analytics.
There may be more use cases that are driven by the organization and business-specific access management requirements; however, most will fit well into one of these categories.
Market Direction
IDaaS IGA offers a springboard for organizations to start using foundational IAM elements delivered from the cloud and to move the rest of the IAM functions as they find appropriate, at a pace that matches the organization's security maturity and cloud strategy. The IDaaS market, with its ease of adoption and cloud-native integrations, is slowly overtaking the on-premises IAM market.
As the IDaaS IGA market continues on its growth spree, several technology trends are accelerating adoption by aligning offerings more closely with organizations' IAM priorities; security and IAM leaders should take note of these trends.
The IDaaS market has evolved over the past few years and is still growing, both in size and in the number of vendors. However, under the umbrella term of IDaaS, we find a variety of offerings. IDaaS, in general, provides Identity & Access Management and Access Governance capabilities as a service, ranging from Single Sign-On to full Identity Provisioning and Access Governance for both on-premise and cloud solutions. These solutions also vary in their support for different groups of users - such as employees, business partners, and customers - their support for mobile users, and their integration capabilities back to on-premise environments.
Several vendors provide offerings that can be better described as Managed Services than as Software as a Service (SaaS) offerings. Pure-play SaaS solutions are multi-tenant by design. Customers can easily onboard, usually as simply as booking online and paying with a credit card. On the other side, Managed Service offerings are run independently per tenant. In fact, the need for multi-tenancy appears to be disappearing with modern software architectures and deployment models. Container-based deployments allow for quickly bringing up new instances, and the underlying microservice architectures simplify updates across tenants, specifically by segregating customizations from the standard. Thus, the criteria for considering solutions for this Leadership Compass are based on the customer perspective. From that perspective, two aspects are of highest relevance: elasticity of the service and a pay-per-use license model. If these criteria are met, we include offerings in our evaluation.
Specifically for IDaaS IGA, we are observing more vendors providing such capabilities, either focused on specific use cases such as Access Governance and, in particular, Access Analytics and Access Review, or by delivering a more comprehensive set of IGA capabilities. However, the IDaaS IGA market is still in a relatively early stage of maturity. Currently, most of the leading solutions have been ported from traditional on-premises deployments by moving them to container-based deployments and gradually migrating them to more modern, microservices-based software architectures. There are few cloud-born offerings available for now, but we expect to see them evolving. Specifically, we observe that leading IDaaS AM vendors are starting to add more advanced IGA features to their offerings.
In some cases, vendors build on a mix of new IDaaS IGA offerings that have their strength in connecting to cloud services, while relying on existing on-premises IGA solutions to connect back to hybrid environments. We do not consider this a favourable solution unless the on-premises component is delivered in a "black box" approach as a single packaged deployment and fully managed from the IDaaS IGA service. Otherwise, customers have to deal with two separate solutions, adding massive complexity to their environments.
1.3 Required Capabilities
For the market segment of IDaaS IGA, on a high level, we expect the vendors to support the following set of features and capabilities:
| Capability | Description |
|---|---|
| Directory Services & Integration | Support existing Directory Services, both on premises and in the cloud, as both source and target of identity information. |
| Flexible User Onboarding | Integration to HR/HCM systems and other sources of identity information, and support for mapping identity data from different sources. |
| Breadth of Connectors | Connectors to a broad variety of target systems, both cloud services and on-premises applications and systems. Provisioning of users to cloud services, beyond just SSO, is considered a key capability. |
| Depth of Connectors | For certain target systems, connectors must support deep integration, beyond just creating accounts and simple group/role mapping. This specifically affects business applications with complex entitlement structures such as SAP. |
| Provisioning Flows | The flow of information from target to source system shall be flexibly configurable. |
| Workflow Capabilities | Flexible workflows, e.g. for access requests and approvals, that can be configured to the specific customer's demand without coding. Furthermore, we expect pre-configured workflows/Identity Management processes to be part of such solutions, to simplify deployments of IDaaS IGA solutions. |
| User Self Services | Pre-configured user self-services, e.g. for password management or access requests. Again, required customization should be feasible by configuration, not coding. |
| Mobile Interfaces | Support for access to key functionality such as access approval and reviews via modern, mobile UIs. |
| Access Request Management | Access requests are a key capability of every IDaaS IGA solution, requiring users to be able to identify the assets (applications, services, ...) they need access to and the specific entitlements. Access Request Management includes flexible approval workflows. |
| Access Reviews | For Access Reviews, we observe a need in the market to keep these lean and efficient. Beyond regular review campaigns, solutions should also support risk-based and other types of reviews that reduce the workload for reviewers and focus on high-risk items. |
| Access Analytics | Additionally, analytics that identifies such high-risk users and entitlements is a feature we like to see in IDaaS IGA solutions. |
| SoD Management | SoD (Segregation of Duties) management is another important capability. As of now, it is not a commonly found feature in IDaaS IGA, but we expect solutions to deliver at least a good baseline capability in this area. |
| Flexible Entitlement Management | Managing entitlement constructs such as groups and roles should be supported with a good level of flexibility, i.e. not requiring customers to mandatorily use, e.g., multi-tiered role models. Multiple models can ideally co-exist for separate use cases. |
| Baseline IDaaS AM Capabilities | While the focus of IDaaS IGA is on Identity Provisioning and Access Governance, solutions commonly deliver at least some baseline Access Management capabilities, which allow customers to deliver a core IDaaS based on a single offering. |
| Central Administrative UI | All administrative features should be integrated into a single UI. This specifically also includes management of components that can or must be installed on premises. |
| Strong set of APIs | All features should be exposed via APIs, allowing flexible integration and customization of capabilities wherever required. |
| Hybrid Support | Supporting the hybrid environments most businesses still have today is a key capability. IDaaS IGA must not be limited to SaaS-only target environments to deliver on its promise. |
| Modern Architecture | Finally, the architecture of IDaaS IGA should be based on a well-thought-out microservices architecture and delivered in container-based deployments or fully multi-tenant public cloud environments. However, the latter might impose (perceived, not necessarily real) challenges regarding regulatory compliance and confidentiality. From our perspective, analysing and validating the software architecture of solutions is an essential criterion in any tool choice today, because of the significant impact software architecture has on customization and integration, but also on the vendor's ability to develop its solution further and rapidly. |
Table 1: Capability matrix for IDaaS IGA, showing the most relevant high-level capabilities we expect to see in this group of products.
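The Access Reviews, Access Analytics and SoD Management rows of the table describe three capabilities that fit together: SoD rules flag toxic entitlement combinations, analytics ranks users and entitlements by risk, and a risk-based review campaign sends only the high-risk items to reviewers. The following Python is an added example written for this page, not code from the report or from any evaluated product; the user population, SoD rules, and risk weights are all constructed for illustration. It generalizes the table's description into a small scoring engine: each user's score combines entitlement weights, a large penalty per SoD violation, and a bonus for entitlements that are rare in the peer population, and the campaign includes only users at or above a threshold.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample population (not from any real tenant): user -> entitlements held.
ENTITLEMENTS = {
    "alice": {"ap.create_vendor", "ap.approve_payment", "crm.read"},
    "bob": {"ap.approve_payment", "crm.read"},
    "carol": {"hr.change_salary", "hr.run_payroll", "crm.read", "erp.admin"},
    "dave": {"crm.read"},
}

# SoD rules (assumed): two entitlements that must never be held together, with the business reason.
SOD_RULES = [
    ("ap.create_vendor", "ap.approve_payment", "create a vendor and approve payments to it"),
    ("hr.change_salary", "hr.run_payroll", "change a salary and run payroll"),
]

# Risk weight per entitlement (assumed values); anything unlisted counts as 1.
RISK_WEIGHTS = {"erp.admin": 10, "ap.approve_payment": 5, "hr.run_payroll": 5,
                "hr.change_salary": 4, "ap.create_vendor": 3, "crm.read": 1}
SOD_VIOLATION_WEIGHT = 20   # one toxic combination outweighs any single entitlement
RARE_BONUS = 2              # per entitlement held by only a minority of the population
RARITY_THRESHOLD = 0.5      # "rare" = held by fewer than half of all users


@dataclass
class ReviewItem:
    user: str
    score: int
    entitlements: list
    reasons: list = field(default_factory=list)


def sod_violations(ents, rules=SOD_RULES):
    """Return the reason text of every SoD rule that the entitlement set violates."""
    return [reason for a, b, reason in rules if a in ents and b in ents]


def rare_entitlements(population, threshold=RARITY_THRESHOLD):
    """Entitlements held by less than `threshold` of the population (peer-group outliers)."""
    counts = Counter(e for ents in population.values() for e in ents)
    return {e for e, c in counts.items() if c / len(population) < threshold}


def score_user(user, population, weights=RISK_WEIGHTS, rules=SOD_RULES):
    """Compute one user's risk score and the human-readable reasons a reviewer will see."""
    ents = population[user]
    rare = rare_entitlements(population)
    item = ReviewItem(user=user, score=0, entitlements=sorted(ents))
    item.score += sum(weights.get(e, 1) for e in ents)
    for reason in sod_violations(ents, rules):
        item.score += SOD_VIOLATION_WEIGHT
        item.reasons.append(f"SoD violation: can {reason}")
    for e in sorted(ents & rare):
        item.score += RARE_BONUS
        item.reasons.append(f"outlier entitlement: {e}")
    return item


def build_review_campaign(population, min_score):
    """Risk-based campaign: only users at or above min_score go to reviewers, highest risk first."""
    items = [score_user(u, population) for u in population]
    return sorted((i for i in items if i.score >= min_score), key=lambda i: (-i.score, i.user))


if __name__ == "__main__":
    for item in build_review_campaign(ENTITLEMENTS, min_score=10):
        print(f"{item.user:6} score={item.score:3} {'; '.join(item.reasons) or 'no findings'}")
```

With the constructed data, only carol and alice reach the campaign, each with the SoD finding stated in plain words; bob and dave are left out, which is the "lean and efficient" review the table asks for. The reason strings matter as much as the score: a reviewer who sees "can create a vendor and approve payments to it" can decide, whereas a bare number invites rubber-stamping.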
Besides these technical capabilities, we evaluate participating IDaaS IGA vendors on the breadth of supported IDaaS capabilities, operational requirements such as support for high availability and disaster recovery, strategic focus, partner ecosystem, quality of technical support and the strength of market understanding and product roadmap. Finally, we also assess their ability to deliver a reliable and scalable IDaaS IGA service with desired security, UX and TCO benefits.