Event Recording

John Tolbert - The CIAM Solutions Market

CIAM is still the fastest growing overall market segment within IAM; we're estimating somewhere around 21, maybe 22 billion over the next three plus years. There's a lot of acquisition and consolidation going on in the market between last year and this year. We're aware of quite a few new small vendors in the market. So I'm gonna take some time to include some of the newer vendors in this evaluation as well. And I think the three real key things to point out about CIAM vendors in general is it's those specialized vendors that actually created this market, who saw that, you know, the needs of consumers and consumer-facing organizations weren't being adequately served by traditional IAM products. So that in effect created also not a backlash, but, you know, the IAM vendors decided, hey, there's money to be made here, we're gonna try to extend our products to be more consumer facing. And then a more recent twist in the market is around what we are calling identity API platform providers, which is kind of a different approach altogether. And I'll try to give you a little flavor of that in the next few minutes too.
So let's look at, you know, what we think of as the large solution providers in the CIAM space and what functional components are all packaged together. So especially if you go get a cloud-based service, a SaaS application for CIAM, many of the solution providers will be able to give you pretty much everything that you need to get your system up and running. They'll run it for you in the cloud, they'll manage the identities. They will, you know, provide the registration, the repositories. They can do things like, you know, the security aspects. They can do consent management and get all the privacy under wraps. And then also they provide built-in marketing analytics capabilities. So that's like one approach for CIAM that we see today. And a lot of those specialized CIAM vendors that I was just talking about take this everything-in-one approach.
Then there's the more modular approach, where you might have a CIAM solution that kind of provides core identity management functions for, you know, your consumer-facing sites. But you may also use REST APIs to do your marketing analytics in some sort of external application. You may pull in external fraud and threat intelligence feeds from different services and evaluate those. You'll output your own identity analytics information to SIEM and other kinds of security analytics providers, along with your, you know, the identity analytics. So there's different ways of sort of like carving this up. And a lot of the traditional or enterprise IAM vendors are kind of fitting into this space where, you know, they're comfortable with extending basic IAM functionality, but maybe they don't have everything that they need around marketing analytics built in to their platform. So they find it easier to either partner with third-party providers that can do that, or just leave it up to the customer to figure that part out on their own.
But what I'm calling this identity API platform is a little bit of a different animal altogether. It may not involve necessarily buying a solution, either a full CIAM solution or, you know, adding on functionality to your IAM system. This might be something as simple as freemium services that, you know, give you bits of code and little bits of online presence and SaaS applications that are very tailored down to the microservice level that you and your applications can use. So instead of building out, let's say, a full CIAM or extending your IAM, your developers (and this is a very developer-centric approach) will use the tools that are provided by some of these identity API platforms and do it yourself. And of course this means all the other functions are generally something that your developers have to build or add as well. But, you know, if you've got a case where maybe you have a single application or just a couple of applications that you need to provide some sort of identity solution for, this is a different kind of approach. If you've got your own in-house development team, it's definitely suited to specific types of customers and organizations.
But it is an emerging trend. In talking to all the vendors that I've spoken to in the last several weeks or months on the CIAM and IAM solution side, there's a big impetus to make all their services available through API. So for the Leadership Compass that I'm working on, I thought I'd talk about what, you know, the criteria are, how we do that, and give you a look at last year's results, and talk a bit about what we think are important criteria, the things that I'm gonna be doing the rating on for this year.
So we start out by, you know, putting the criteria together, finding the vendors. Like I said, there are several more vendors this year that are gonna be in the report than last year. Then we invite them to participate, send out big questionnaires full of technical questions, get their responses back, evaluate those, write the report. Then it goes out for fact check; they can contest, or they say, you know, we forgot to tell you this, or you got this wrong. You know, we happily try to make the reports as accurate as possible. And then we publish. So we have nine functional areas we like to cover in these reports. Security: by that, I mean internal product security. You know, do you require strong authentication for the administrative users? Do you have role or delegated access control for the administrators? Do you store all the data in an encrypted format?
Those are some of the key things that we try to look for there. Functionality is just like what you would think it would be: you know, what are the functions that the products have or the services have within them? How do they compare with what we think, you know, a baseline should be? And then also, how do they compare to peers and industry? Usability has two meanings: from the user perspective, what does it look like? And then also from the administrative user, what does that look like? Is it easy for the administrative user to get the information that they need, generate reports, take care of the system? Integration: this is particularly important with the bigger suites that may have lots and lots of different functions within them over and above consumer identity. If the product is part of a suite, then how well does it integrate? Can you manage everything from a central console, or are there lots of different tasks that administrators have to do that should be made easier? Interoperability: this is where we look for standards support. That should be pretty clear, the value of standards: being able to propagate identity information, let's say, you know, SAML or OpenID or OAuth or SCIM.
Then we also look at how innovative is a company and their product. Is it meeting the market demand? Are they doing new and exciting things? Are they responding to customer requests? That's really what drives the position in the innovation leader chart inside the Leadership Compass. Sometimes you'll find the companies, especially ones that are new, you know, they don't have all the latest and greatest features. So they may be lagging a little bit, but, you know, in time they may catch up. Market position is not only limited to, you know, how many users or how many customers are they covering, but it's also about geographic distribution. Do they work in all the different areas around the world? Because, you know, you could be very centralized in North America, but it's hard to really be a market leader if you're not covering all the other geographies around the world. Then there's the financial side: distinguish between, you know, startups that are not very well funded, they just got going, and then long-established startups that are on a path to being revenue positive, to, you know, large enterprise IT shops that are doing quite well. And by ecosystem, we mean all the various channel partners, resellers, system integrators, consultants. And again, how does that work around the world? Do you have people who can provide support in Australia, New Zealand, or not?
So this is a list of vendors that should be in this year's report. Again, I haven't gone through and I haven't talked to every single one of them yet, but we have gotten most of the responses. So hopefully the next couple of weeks after the conference, I'll be able to finish the paper and publish this. Then I thought I'd go quickly through the top 20 list of criteria that we look at, not only as analysts, but that we think are important for anybody who may like to conduct an RFP for a CIAM solution.
So basic things like user self-registration: most everyone in the field does that. It's not that difficult. I am occasionally surprised by those who don't provide some sort of LDAP or SCIM support, because if you wanna move between solution providers, you know, you gotta have a way to get users in and out, but not everybody does provide that. Consent mechanisms: that's probably one of the bigger areas that we focus on. Being headquartered in Europe, consent management's really important for GDPR. And then not only can you collect the consent, is it clear what the consumer is giving consent for? But then there's also the provisions for needing to be able to either export their data so they can take it to another service provider if they want to, or delete their data altogether. Now, a lot of the vendors are able to, you know, provide nice dashboards for collecting consent or showing you what you've consented to. But surprisingly, there have been a few that haven't gotten all the capabilities around deleting or exporting customer profile information. So we tend to call that out on our reports.
Automatic privacy policy notifications: when your terms of service change, there should be some sort of automated mechanism to let people know. Again, it's good, but not everyone provides that capability. Scalability is another big key. I mean, there are some vendors that we deal with and rate that are very regional in their focus. They may work in certain areas and they may have good relationships with governments and the big businesses in those areas, but they may not tend to scale to the global level of support, billions of users and billions of transactions per month. The white labeling is sort of related to the user self-registration. It's, you know, how do you set up the site? How easy is it to get on board with a CIAM solution? Whether it's, you know, cloud-based or you're gonna run it yourself, you still want the ability to give it the same look and feel across all your web properties, as well as your mobile channel.
Authentication: we talked a lot about authentication yesterday and a little bit today. Having the choices that people want to use, not forcing them to use passwords if you don't have to. There's been a lot of talk about biometrics, both pros and cons and usability and operational aspects. But I think again, you've gotta meet the users where they are and give them choices. And then you, as the customer of the solution provider, can decide; you can write your policies to say what's an equivalent form of authentication, or which ones will we accept, so that you can keep up with those who are both pushing the cutting edge with the smartphone adoption, and then those that aren't, because the lowest common denominator is always gonna have to be provided for as far as authentication options go. Social logins: again, this is becoming more ubiquitous.
Most of the solution providers will accept social logins. And if it's an OIDC construct, that's pretty easy for them to do. Risk engine: I think this is one of the more innovative differentiators that are out there today. A lot of what you see in terms of products in the market, the features that they have are defined by the kinds of customers they're going after. So risk engines, you know, doing adaptive risk authentication and authorization, is really important for things like the finance industry, but maybe a little less important for media. And I think I've got a slide about that in a minute too. So we'll try to hurry through this. So the risk-adaptive authentication: you need the risk engine for that. You need to be able to look at different factors. Yesterday we talked about some of those; that could be things like geolocation or geo-velocity. You know, is it reasonable that somebody could have logged in in Chile and then two hours later logged in in China?
Probably not. So, you know, you need the ability to look for things that are obvious signs of fraud, as well as importing fraud intelligence. There are lots of different services that are out there that consumer identity solution providers can subscribe to or offer subscriptions to, so that you get real-time updates about things like fraud patterns, compromised credential intelligence, whether or not, you know, your users are exhibiting signs of being part of a botnet, that sort of thing. Consumer profiles: there's actually kind of a wide variety in the solutions that are out there and how they handle consumer profiles. And again, that's largely based on whether they have an enterprise IAM origin, or if they're pure CIAM to start with. And they are kind of moving to the middle. So as I was mentioning this morning, you know, some will store much more complicated or unstructured data formats within the profile.
Not all the solution providers can handle that. So if that's an important thing for you and your company, keep that in mind. Single sign-on across multiple web properties: we've heard examples earlier about Nestle and 2000 web applications. I think single sign-on's really important, but even now, I mean, the technology there is pretty cut and dried, what you can use in terms of SAML or OAuth and OIDC and things like that. I also describe the identity analytics and marketing analytics, you know, identity being more focused on logs, registrations, things that can be passed as security for analysis; marketing analytics are, you know, the useful bits of information that your marketing and sales teams would like to get. And again, you know, the full CIAM packages, the all-in-one cloud that I had earlier, they tend to have much more inclusive marketing analytics capabilities.
So if that's something that you want in your consumer identity solution, make sure that's rated highly on your RFP. There's also the ability to directly tie into marketing automation. Again, with the SaaS providers, that tends to be something that you see as a common feature. CRM integration: many of both the CIAM and then the traditional IAM vendors offer either REST APIs or, in some cases, a few custom connectors. And then IoT integration: again, as we were talking about this morning, connected home, connected car, those kinds of things are becoming much more prevalent. Users want more sophisticated abilities, more than just, you know, associating themselves with a device, but being able to control the device or have set up family management plans. If we're talking about the home, you know, who's in charge of, you know, certain devices, and which members of the family can make requests for access to those devices. So it's kind of like a role-based access control that we've known and talked about for the last 30 or 40 years, but applied to in-home situations.
So in our reports, we call out four different categories of leadership. Product leadership, which is about, you know, do they meet the standards of what we think a good product in that space should be? Does it have all the functionality? Market leadership: you know, it's looking at all those different factors about economic position, markets that they're in around the world, and numbers of covered users and companies as customers. Innovation leadership: you know, how many of the latest and greatest features are involved in the latest release of the platform. And then we put it all together into overall leadership.
And last year's graph looked like that. And as I said, hopefully in about the next month or so, I'll have a new graphic, a new report out with more vendors, and I'm pretty sure there are gonna be many changes to the list. So I've got a minute for questions. Or at this point I would encourage you: everybody who's attending will be able to get a 30-day trial account to look at our research. So feel free to go take a look at this report, or, you know, wait until the new CIAM report comes out. If you're interested, it's a good way to introduce you into and look at more of our research in depth.
Hey John, can you go back to your list of the new group, and then just comment on what you've seen that's kind of changed, to bring forward some of the new names?
Well, Patrick was here earlier and he mentioned the acquisition of Gigya by SAP. Let's see, Cloudentity is a locally based company. They do Ida, they're here in Seattle. CoffeeBean Tech: they have offices here in the States, but they have pretty large deployment in Brazil. EmpowerID, a traditional IAM company out of Ohio. Let's see, who else is new?
NRI Secure from Japan: had numerous conversations with them; they're working with mostly customers in Japan at this time. Onegini's a Dutch company, sort of specialize on finance. Pirean, UK and Australia. And Vidas is a German company that's been around for a while, but they have a consumer identity solution that's sort of based on their experiences with other customers over the last 20 plus years. So again, I'll be able to go into more depth in the report, but those are some of the new ones. original as well as vertical. Yeah, exactly. Okay. Well, we have one more before lunch.
So maybe like a 30-second summary of Gigya. Why, you know, it's quite new, understand it, and significantly ahead of the curve, based on that chart. What are the, you know, top three differences, for example, comparing it to ForgeRock? Why they're so ahead in your report?
Well, I probably won't go into detail about that right now, but
What are the top differences there? Are they pretty much
So, well, no, they're different. That's one reason the report is evolving a bit this year too, because like I tried to say in the very beginning, you've got CIAM-specific vendors, then you've got your IAM moving into CIAM, and now you've got this identity API thing, you know, and there are different sets of features that are strongly associated with each one. So I'm still in the process of trying to figure out how to evaluate that because of the changes in the market.
