Leadership Compass

Identity Fabrics

This report provides an overview of the market for Identity Fabrics, comprehensive IAM solutions built on a modern, modular architecture, and provides you with a compass to help you to find the solution that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing solutions that serve customers best in building their Identity Fabrics.

Martin Kuppinger

mk@kuppingercole.com

1 Introduction

The term “Identity Fabrics” stands for a paradigm of a comprehensive set of Identity Services, delivering the capabilities required for providing seamless and controlled access for everyone to every service. They support various types of identities such as employees, partners, consumers, or things. They deliver the full range of identity services required by an organization.

Identity Fabrics are not a single technology, tool, or cloud service, but a paradigm for architecting IAM within enterprises. Commonly, the services are provided by a set of tools and services. However, most organizations that use this paradigm as the foundation for the evolution of their overall IAM tend to build on a strong core platform for delivering the major features and complement it with other solutions.

In this Leadership Compass, we evaluate solutions that can serve as a foundation for customers creating their own Identity Fabrics by delivering a wide range of capabilities in a modern architecture.

Thus, this Leadership Compass analyzes which of the IAM offerings in the market are best suited to form the foundation for an Identity Fabric, in delivering

  • a broad range of IAM capabilities, at minimum including a good level in both IGA (Identity Governance and Administration) and Access Management (Identity Federation, Multi Factor Authentication, etc.)
  • a comprehensive set of APIs for consuming these services, beyond the admin and end-user UI/UX
  • delivery in a modern architecture, following paradigms such as microservices architectures and container-based deployments
  • support for different deployment models, serving the needs of customers for options in their operating models
  • support for all types of identities, including employees, business partners, customers and consumers, connected things, devices, and services

In sum, solutions must not only deliver functionality and support for all types of identities, but also meet our requirements regarding the architecture, deployment model, and their interoperability with traditional applications, cloud services, and new digital services.

1.1 Market Segment

Digital business has evolved well beyond the simple e-commerce websites of the 1990s. Modern digital business models are complex, distributed, multidimensional and involve many parties in a variety of roles. This has a direct impact on how communication takes place, how people work together and how services and goods are created and delivered to customers.

Employees, partners, service providers, customers, devices, and processes both use and provide services. Access is made from and to any conceivable location, to services that may reside anywhere among on-premises data centers, the cloud, and mobile systems.

Figure 10: Identity Fabrics are a set of services that support all users in gaining seamless yet controlled access to all services they require.

The formerly classic corporate network with clearly defined "inside" and "outside" has given way to a massively hybrid, new IT reality. IAM (Identity and Access Management) is the essential security infrastructure for this and at the same time a facilitator of these new services, models and forms of cooperation.

To make this possible, IAM must be transformed. It needs to be converted into a consolidated portfolio of isolated but corresponding services that make it possible to connect anything and anyone via a comprehensive architecture, and to make services available to all users everywhere: secure, scalable and without losing control.

“Identity Fabric” refers to a logical infrastructure for enterprise Identity and Access Management. It is conceived to enable access for all, from anywhere to any service while integrating advanced features such as support for adaptive authentication, auditing capabilities, comprehensive federation of services, and dynamic authorization capabilities.

Digital technologies influence and change all areas of an organization, and this fundamentally shapes the way communication takes place, how people work together and how value is delivered.

IT architectures, in turn, are undergoing profound structural changes to enable and accelerate this gradual paradigm shift. This evolution reflects the changing challenges that virtually every organization worldwide has faced for some time, in different contexts. They affect processes and systems alike, and the underlying architectures.

In order to remain competitive in this charged environment, companies strive to be as flexible as possible by adapting and modifying business models and, last but not least, opening up new channels of communication with their partners and customers. With the rapid growth of cloud and mobile computing, businesses are becoming increasingly networked. The very idea of a company's outer boundary, the concept of a security perimeter, has practically ceased to exist.

The assumption that previously independent identities (employees, customers, partners, mobile devices, etc.) in an enterprise can be regarded as isolated is no longer valid. The management of identities and permissions in digital transformation is the key to security, governance and audit, but also to system usability and user satisfaction. The demands on a future-proof IAM are complex, diverse and sometimes even conflicting. These include:

  • Different types of identities (first and foremost, consumers) must be integrated quickly and securely in user-friendly processes.
  • At the same time, users should be able to retain control over their identities by bringing their own identities with them (BYOID).
  • Employees (internal and external) should be able to use the devices they prefer.
  • Secure access to working environments must be possible no matter where users and systems are located.
  • Zero Trust principles, such as continuous verification of access, must be part of the capabilities.
  • Identities must be linked to reflect relationships within teams, companies, families, or partner organizations.
  • Identities maintained in trusted organizations should be directly and reliably integrated and authorized in each organization’s IAM.
  • Identities should be able to do business and execute payments.
  • All relevant laws and regulations must be observed.
  • At the same time, KYC processes are to be optimized, enabling rather than deterring visitors from using the service.
  • Existing data should be usable by analytics and artificial intelligence applications.
  • All this must apply to all possible identities, beyond people, so that devices, services and networks are integrated into our next generation IAM infrastructure.
  • New digital services must be able to consume the identity services, building on a consistent set of services e.g., for onboarding and authenticating users.

Today's IAM systems meet, if at all, only a fraction of current requirements. In many cases these IAM infrastructures stem from traditional enterprise IAM systems, sometimes extended with an additional customer identity system, most probably siloed. At the same time, they are often monolithic in design and implementation, making it difficult to break them down into individual components.

Unfortunately, this is exactly one of the central challenges. In many situations, the path to an identity fabric will pass along the challenge of unambiguously isolating individual functional components and exposing their interfaces through secure and accessible APIs. This applies to source systems that provide identities and enforce permissions, but also to all target systems. And in individual cases it can also apply to one or more legacy IAM systems if a replacement is difficult or not possible in a timely manner.

If organizations need to seamlessly give access to all users, wherever they are accessing from, and provide any digital service to these users, the Identity Fabric must be able to securely mediate that very connection between user and service.
To achieve this, we are shifting away from isolated, singular systems to a logical platform that provides and orchestrates a set of required IAM services and related functions. The way these services are delivered can vary: they may involve existing as-a-service offerings or might be based on existing on-premises services.

These services can be located in a public cloud, they can be web applications with or without support for federation standards, they can be exclusively back-end services only accessible via REST APIs, or even legacy applications encapsulated by some kind of middleware. At the same time, it may even be valid to integrate redundant services for different usage scenarios.

What they all have in common is that they are always part of a consistent framework of services, capabilities and building blocks as part of a well-defined, loosely coupled overall architecture that is ideally delivered and used homogeneously via secure APIs.

However, the agility of the digital journey requires IT to provide seamless access to all these services while maintaining control and security. In parallel, all requirements for scalability, performance and resilience must be met.

Figure 11: A sample high-level, conceptual architecture for an Identity Fabric. The set of capabilities and services provided depends on the specific requirements of the organization.

Identity Fabrics are not an entirely new concept. They respond to the challenges of the modern workplace and of digitalization, which now touches almost every area of business. The resulting tasks, which cannot be solved with traditional IAM paradigms, must be mastered.

They combine current and proven IAM concepts, supplemented by security by design and APIs, a service-oriented IT concept (which can certainly be implemented in microservices) and modern delivery concepts for cloud, hybrid infrastructures, containers and their orchestration or serverless infrastructures.

The way towards the implementation of an Identity Fabric as a strategic, hybrid IAM platform is a company-specific challenge, because the actual requirements and the individual starting points are company-specific.

KuppingerCole recommends the following strategic approach, which should be mapped to meaningful technical, conceptual and project planning measures.

  • Define a comprehensive and efficient target architecture, based on microservices architecture and container-based deployment, and work towards its implementation in well-organized individual projects.
  • Proceed consistently, step by step and in an integrated manner.
  • Provide your company with all the necessary services it needs for its current and strategic identity needs.
  • Offer consistent backend services and develop an identity API platform as the foundation.
  • Define a clear architecture layer model. Reuse and encapsulate whatever and whenever you can.
  • Organically add missing functionality to your target architecture when needed.
  • Replace inappropriate components along the way, but if possible, later.

This transformation of your IAM infrastructure into an Identity Fabric does not need to be and is not meant to be disruptive by any means. It can be executed in a way that allows for stable and reliable continuous operations without any kind of “big bang” while augmenting new functions and enabling new categories of access paths, ideally driven by changing corporate demands.

Required technological and architectural building blocks are already available and proven reliable. However, choosing the right components to enable support for individually required new authentication and authorization use cases with stepwise extended platform capabilities demands strict strategic oversight and management.

To clarify it once again: There is no “standard Identity Fabric”. An Identity Fabric is based on the required capabilities and services for digital identities an organization has. These commonly involve certain key capabilities but will always differ slightly. Also, the implementation of an Identity Fabric commonly builds on very few (one or two) main technical components for IGA and Access Management, but is complemented by additional components that provide further services and capabilities. There might be even some level of redundancy, either in migration or for technical or organizational reasons. However, the concept of Identity Fabrics serves well for designing and implementing a modern IAM that is modular, flexible, and provides the capabilities required, including a consistent Identity API layer that allows digital services to consume the identity services.

1.2 Delivery models

Identity Fabrics are, generally speaking, agnostic to the deployment model. Ideally, the various components can be deployed in different ways, including instances of components running in different locations such as a public cloud and the edge of the on-premises infrastructure.

This also includes support for some level of IDaaS capabilities. IDaaS describes IAM solutions that are delivered in an as-a-service model. In our definition, IDaaS includes

  • Multi-tenant public cloud services
  • Single-tenant public cloud services, if updates, patches, etc. are deployed by the service provider across all tenants with full automation, which requires an adequate software architecture (segregation of customizations and data from application code)
  • Single-tenant services that can operate in various deployment models, i.e., in private or public clouds or even on-premises, as long as they can be operated in a full as-a-service model under the same conditions: updates, patches, etc. deployed by the service provider across all tenants with full automation, and an architecture that segregates customizations and data from application code

Furthermore, delivery must meet the expectations regarding licensing models (pay-per-use), elasticity and scalability, i.e. flexible scaling of the service. Beyond that, as mentioned above, we expect modern software architectures, which in any case are the foundation for flexibility in deployment.

We thus prefer solutions that can be deployed and orchestrated flexibly, supporting a variety of deployment models. This gives customers the choice for a gradual migration to the cloud, but also enables support for more complex scenarios such as geographically dispersed deployments and hybrid scenarios.

This Leadership Compass looks at solutions that are traditionally deployed on-premises but can be deployed and operated as a service by Managed Service Providers (MSPs) as well as pure-cloud solutions.

1.3 Required capabilities

Identity Fabrics must support a good baseline level in both IGA and Access Management but could add further capabilities such as integrated directory services, PAM (Privileged Access Management), and other IAM capabilities that are commonly required by customers.

IGA covers two broad functional areas:

  • Identity Lifecycle Management/Identity Provisioning
  • Access Governance, including Access Reviews and Access Intelligence

The focus of this report is on solutions that cover both aspects of IGA and are not solely limited to either Identity Provisioning or Access Governance.

Main capabilities of IGA solutions are:

  • Automated User Provisioning
  • Connectors to both cloud services and on-premises applications
  • Toolkits for customizing connectors
  • Integration and/or synchronization to directory services
  • Self-services for credentials and user profiles
  • Access Request & Approval
  • Entitlement Management, including Role Management
  • SoD Controls Management & Enforcement
  • Access Certification
  • Identity and Access Analytics
  • Auditing, Reporting & Dashboarding
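The IGA capabilities listed above interlock: an access request is only as safe as the SoD check that runs before approval, and violations that already exist in the entitlement data are what an access certification campaign has to surface. The following Python is an added illustration written for this page, not code from the report or from any vendor evaluated in it; the entitlement names, the rule set and the sample users are constructed and hypothetical.

```python
"""Added example (not code from the report): Segregation-of-Duties (SoD)
control enforcement at access-request time, plus the scan that feeds
pre-existing violations into an access certification campaign.

All entitlement names, rules and users are constructed for illustration;
they are not from any product or customer."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class SoDRule:
    rule_id: str
    conflicting: FrozenSet[str]  # entitlements that must not be held together
    severity: str                # "high": block the request; "medium": exception approval


# Constructed sample rule set (hypothetical entitlement identifiers).
SOD_RULES: Tuple[SoDRule, ...] = (
    SoDRule("SOD-001", frozenset({"ap:create_vendor", "ap:approve_payment"}), "high"),
    SoDRule("SOD-002", frozenset({"hr:change_salary", "hr:approve_payroll"}), "high"),
    SoDRule("SOD-003", frozenset({"it:request_access", "it:approve_access"}), "medium"),
)


@dataclass
class Decision:
    outcome: str  # "approve", "exception_approval_required" or "reject"
    introduced: List[str] = field(default_factory=list)   # rules this request would newly violate
    preexisting: List[str] = field(default_factory=list)  # rules already violated before the request


def evaluate_request(current: Iterable[str], requested: Iterable[str],
                     rules: Iterable[SoDRule] = SOD_RULES) -> Decision:
    """Check the entitlements a user would hold after the request against the SoD rules.

    Violations the user already has are reported but do not block the request:
    they are not caused by it and belong in the next access review instead."""
    current = set(current)
    resulting = current | set(requested)
    decision = Decision("approve")
    introduced_rules = []
    for rule in rules:
        if not rule.conflicting <= resulting:
            continue  # this toxic combination would not be present
        if rule.conflicting <= current:
            decision.preexisting.append(rule.rule_id)
        else:
            introduced_rules.append(rule)
    decision.introduced = [r.rule_id for r in introduced_rules]
    if any(r.severity == "high" for r in introduced_rules):
        decision.outcome = "reject"
    elif introduced_rules:
        decision.outcome = "exception_approval_required"
    return decision


def certification_findings(assignments: Dict[str, Iterable[str]],
                           rules: Iterable[SoDRule] = SOD_RULES) -> Dict[str, List[str]]:
    """Scan current assignments for users who already violate a rule; the result is
    the input for a targeted access certification (reviewers see only the findings)."""
    findings: Dict[str, List[str]] = {}
    for user, entitlements in assignments.items():
        held = set(entitlements)
        hits = [r.rule_id for r in rules if r.conflicting <= held]
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    # Constructed sample: alice already creates vendors and asks to approve payments.
    print(evaluate_request({"ap:create_vendor"}, {"ap:approve_payment"}))
    # Constructed sample: bob already holds a toxic combination from an old role.
    print(certification_findings({"bob": ["hr:change_salary", "hr:approve_payroll"],
                                  "carol": ["ap:create_vendor"]}))
```

Keeping "introduced" and "pre-existing" violations apart matters in practice: a request engine that rejects requests because of conflicts the user already had would block unrelated work without fixing the underlying problem, whereas routing those findings into a certification campaign gives the right owner the decision to revoke or to document an exception.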

We expect solutions to cover a majority of these capabilities at least at a good baseline level.

Access Management also consists of various capability areas such as:

  • Identity Federation and Web Access Management
  • Multi-Factor Authentication and Adaptive Authentication (risk-/context-based)

Again, we expect support for both areas.

Main capabilities in Access Management include, but are not limited to:

  • Support for inbound and outbound federation
  • Support for all major Identity Federation standards, including SAML and OAuth
  • Web Access Management capabilities for integrating applications without built-in federation support
  • User onboarding and registration
  • Self-services for credentials and user profiles
  • Integration and/or synchronization to directory services
  • Support for federated provisioning
  • Auditing, Reporting & Dashboarding
  • Support for a broad range of authenticators
  • Toolkits for adding additional authenticators
  • Support for 2FA/MFA
  • Step-up authentication
  • Risk- and context-based authentication
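Three of the capabilities above (step-up authentication, risk- and context-based authentication, and the continuous verification that Zero Trust demands) are easiest to understand as one policy evaluated on every request rather than only at login. The following Python is an added example written for this page, not code from the report or from any vendor it covers; the context signals, their weights, the thresholds and the 15-minute MFA freshness window are constructed policy values, not any product's defaults.

```python
"""Added example (not code from the report): a risk- and context-based
authentication policy that decides, per request, whether an existing
session is strong enough, must step up (complete MFA), or must be refused.

Everything here is constructed for illustration: the signals, weights,
thresholds and the MFA freshness window are hypothetical policy values."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

MFA_FRESHNESS = timedelta(minutes=15)  # how long a completed MFA counts as "recent"
STEP_UP_THRESHOLD = 2                  # score at or above this requires a recent MFA
DENY_THRESHOLD = 6                     # score at or above this is refused outright


@dataclass
class Session:
    user: str
    device_known: bool          # device previously registered or seen for this user
    country: str                # country the session was established from
    assurance_level: int        # 1 = single factor, 2 = MFA completed
    last_mfa_at: Optional[datetime]


@dataclass
class Request:
    resource: str
    sensitivity: int            # 1 (low) .. 3 (high), from the application catalogue
    country: str                # country derived from the request's source address
    at: datetime


@dataclass
class Decision:
    outcome: str                # "allow", "step_up" or "deny"
    score: int
    reasons: List[str]


def risk_score(session: Session, request: Request) -> Tuple[int, List[str]]:
    """Sum the weighted context signals that are present; each one is named so the
    decision can be explained in the audit log."""
    signals = [
        (not session.device_known, 2, "unknown device"),
        (request.country != session.country, 3, "country differs from session origin"),
        (request.sensitivity >= 3, 2, "high-sensitivity resource"),
    ]
    score, reasons = 0, []
    for present, weight, label in signals:
        if present:
            score += weight
            reasons.append(label)
    return score, reasons


def mfa_is_fresh(session: Session, now: datetime) -> bool:
    """MFA only satisfies a step-up requirement while it is recent."""
    return (session.assurance_level >= 2
            and session.last_mfa_at is not None
            and now - session.last_mfa_at <= MFA_FRESHNESS)


def decide(session: Session, request: Request) -> Decision:
    """Evaluated on every request, not only at login: that per-request
    re-evaluation is what makes the check continuous."""
    score, reasons = risk_score(session, request)
    if score >= DENY_THRESHOLD:
        return Decision("deny", score, reasons)
    if score < STEP_UP_THRESHOLD:
        return Decision("allow", score, reasons)
    if mfa_is_fresh(session, request.at):
        return Decision("allow", score, reasons + ["recent MFA satisfies requirement"])
    return Decision("step_up", score, reasons + ["MFA missing or stale"])


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    session = Session("alice", True, "DE", 2, now - timedelta(minutes=30))
    print(decide(session, Request("payroll", 3, "DE", now)))  # step_up: MFA is 30 min old
```

The same session that was allowed into a low-sensitivity application a moment ago is sent to step-up when it touches a high-sensitivity one, and is sent there again once its last MFA ages past the freshness window. Returning the contributing reasons alongside the outcome is what lets the decision be audited and reported, which is the auditing and reporting capability the list above also calls for.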

As mentioned above, we also expect a comprehensive set of APIs, exposing capabilities via APIs and not just UI/UX, a modern architecture, and support for a broad range of deployment models.

Included in this Leadership Compass are solutions that serve both IGA and Access Management, provide a comprehensive set of APIs (plus traditional UI/UX), follow modern architectural paradigms, and support flexible deployment models and thus can form the foundation for customers building their own Identity Fabric.

Excluded from this Leadership Compass are:

  • Vendors that only cover IGA or Access Management will not be considered. We expect at least good baseline capabilities in both areas and appreciate seeing additional IAM capabilities. By exception, we considered vendors covering only one of these areas but delivering strong capabilities in another field of IAM, such as PAM.
  • Vendors that have multiple products with heterogeneous architectures and no or little integration regarding deployment, operations, architecture, UI/UX, APIs etc., will not be considered.
  • Vendors that don’t meet the definition of IDaaS will not be considered for this Leadership Compass. This includes pure MSP (Managed Service) deployments as well as solutions without a pay-per-use licensing model.
  • Vendors without active deployments at customers (e.g., start-ups in stealth mode) will not be considered.
  • Solutions with a traditional architecture, not supporting modern deployment models such as container-based deployments, but only traditional installs, will not be considered.
  • Solutions that lack a comprehensive set of APIs will not be considered.
  • Solutions that are targeted at either only employees/business partners or at customers/consumers will not be considered.

However, there are no further exclusion criteria such as revenue or number of customers. We cover vendors from all regions, from start-ups to large companies.

Based on that, we have a list of evaluation criteria for the products and services covered in this Leadership Compass:

| Functionality | Weightage |
|---|---|
| Key Capabilities | |
| Automated User Provisioning | High |
| Connectors to both cloud services and on-premises applications | High |
| Toolkits for customizing connectors | High |
| Integration and/or synchronization to directory services | High |
| Self-services for credentials and user profiles | High |
| Access Request & Approval | High |
| Entitlement Management, including Role Management | High |
| SoD Controls Management & Enforcement | High |
| Access Certification | High |
| Identity and Access Analytics | High |
| Auditing, Reporting & Dashboarding | High |
| Support for inbound and outbound federation | High |
| Support for all major Identity Federation standards, including SAML and OAuth | High |
| Web Access Management capabilities for integrating applications without built-in federation support | High |
| Support for federated provisioning | High |
| Support for a broad range of authenticators | High |
| Support for 2FA/MFA | High |
| Risk- and context-based authentication | High |
| Step-up authentication | High |
| Comprehensive set of APIs | High |
| Flexible, modern software architecture & deployment | High |
| Additional Capabilities (Selection) | |
| Standards support | High |
| Automated reconciliation | High |
| Out-of-the-box processes, e.g., JML and beyond | High |
| Mobile support | Medium |
| Extended Service Catalogues | Medium |
| Delegated Administration | High |
| SoD Controls Management (in-depth) for Business Applications, e.g., SAP | Medium |
| Password Synchronization | Medium |
| Workflow capabilities | High |
| Policy management | High |
| Flexible approaches for access reviews | High |
| Toolkits for adding additional authenticators | Medium |
| Privileged Access Management capabilities | Medium |
| Enterprise Single Sign-On capabilities | Low |
| Innovative Capabilities (Selection) | |
| ITSM Integration (e.g., ServiceNow) | High |
| Applied AI/ML for Identity and Access Analytics | Medium |
| Applied AI/ML for Adaptive Authentication | High |
| Data Access Governance | Medium |
| API Management and Security | Medium |
| Privacy & Consent Management | Medium |
| BYOD support | High |
| Developer support/capabilities | Medium |

The list of functionalities is not complete but intended to give an overview of our expectations regarding functionality in the Identity Fabrics market segment. Certain capabilities of high weightage will be rated higher than others.
