Analyst Chat

Analyst Chat #125: Leadership Compass Access Management

Access Management refers to the group of capabilities targeted at supporting an organization's access management requirements traditionally found within Web Access Management & Identity Federation solutions, such as Authentication, Authorization, Single Sign-On, Identity Federation. Richard Hill joins Matthias for the first time to talk about this topic and the recent developments in that area as reflected in his Leadership Compass on Access Management.

Welcome to the KuppingerCole Analyst Chat. I'm your host, my name is Matthias Reinwarth, I'm Lead Advisor and Senior Analyst with KuppingerCole Analysts. My guest today is Richard Hill. He is a Lead Analyst with KuppingerCole Analysts as well. And he's acting out of Seattle, I assume. Hi, Richard. Good to see you.

Hi! Doing good. It's a little rainy here in Seattle, but that's normal.

Great. Great to have you. This is actually the first time we manage to have a conversation. But let's start with the overall topic. You just completed a Leadership Compass, our comparison document between different vendors and services around the topic of Access Management. And if you talk to three people around IAM, you get four definitions of access and Access Management. What is our official definition of Access Management? What is the market that you had to look at?

Well, really, in short, it's the ability to identify and manage users access to systems applications or other resources. I mean, that's really the short of it. So there's authentication, authorization through good policy management as well as single sign on and identity federation. So those are some of the core capabilities. It started out in what is called a Web Access Management and Identity Federation and then evolved into just Access Management. But really that was partly because of the expansion of the different IT environments. So traditionally things were on-premise. And then as we know, there's a migration to the cloud. So as things started to move to the cloud, as well as multi-cloud and these hybrid environments where part of the applications and services are still on-premise, partly in the cloud, there's been an expansion and a consolidation of the term Access Management.

Right, when you say hybrid and cloud and on-premise, did you look at the full scope of potential implementations between on-premise and in the cloud?

Yes. In the past, we, KuppingerCole had a Leadership Compass that focused on on-premise solutions for Access Management and Identity Federation. And then we had the IDaaS, and recently, over the last two years, we consolidated that to include both on-premise and in the cloud.

Right. As an advisor, I'm working with our end user customers and organizations, and we usually see quite a difference between the offerings for consumer based Identity and Access Management and employee focused Identity and Access Management. Is this also reflected within your market segment? Or is this all in one bag?

Well, that's actually an interesting question. So Consumer Identity and Access Management, or CIAM, that has a market of its own. So but Access Management, you know, between employees and customers, well, traditionally there was a distinct line between them. But organizations also need to interact with customers, too. And what I've noticed in the last two Leadership Compasses, and more particularly this one, the Access Management Leadership Compass is that half of the vendors that I evaluated were able or capable of Consumer Identity Access Management as well. So there seems to be, I would say, some crossover between the workforce and consumer side. So I'd be interested to see how this plays out over the years.

Right. And you already mentioned that this is an update of this Leadership Compass. We had different formats, different versions of that before. When somebody is interested in what is happening in 2022, what did you find out about the market? What has changed in the meantime, what are the striking events that you consider to be worthwhile looking at and talking about?

Well, I mean, that's interesting. So at the beginning I talked a little bit about the core capabilities of Access Management. In this Leadership Compass, it's a slightly higher number of vendors and about 20% of those vendors we hadn't seen in the last Leadership Compass. So there was 20% of new vendors that haven't been evaluated. So we have that to look forward to, as well as the more traditional Access Management capabilities as well as more focus on access intelligence. So that has been increasing year by year. Vendors have been putting a lot more focus. Matter of fact, a lot of acquisitions from the vendors have been in the space of access intelligence. So and also fraud detection. This is often considered a separate market and it still is and we have a Leadership Compasses around that as well. But I've also sort of seen more fraud detection type of capabilities being built into these Access Management solutions. So we're seeing an increase over last year in that regard. And I put a little bit more focus on that this year. Verifiable credentials, that was something that had some interest. Customers have been asking about it. There's some talk about, you know, when is the momentum of that going to take off? And so I look at that as well in the Leadership Compass. And then, of course, API security is a focus of the report because it's not just anything that a user would use at a UI anymore. So it's more about solutions interacting through APIs on premise in the cloud, interacting together, doing orchestration, automation. So there's a lot more focus in the Access Management Leadership Compass on API security as well.

OK. With the breadth of this market, as you just describe it, I assume there are lots of vendors in there and lots of different types of vendors, everything between start ups and and established vendors, I assume?

Yeah. So there's 20 vendors this year that have been evaluated and there's I think 14 vendors to watch that we include in there as well. So there's some new players that are coming to the market that we hadn't seen in the last Leadership Compass. That's in this one, 1Kosmos started back out in 2018 with a blockchain ID solution, Cloudentity, it's also a 2018 company and then PortSys. So those are some of the newer vendors that we're seeing in this Leadership Compass. And then as I mentioned there's been quite a few acquisitions that have taken place over the last year. Or I'd say like two. I mean Broadcom acquired Symantec back in 2019 CyberArk acquired Idaptive Identity Platform in 2020, Ilex was acquired by Inetum last year and OneLogin acquired by OneIdentity and Ping had several acquisitions, Symphonic Software for their policy driven authorization, more recently SecuredTouch to have that anti-fraud capability and then Singular Key for users experience to be able to orchestrate over their different platforms so, and then SecureAuth had a recent acquisition of Acceptto for that context behavior threat intelligence type of capability. So there have been changes in the market over the last year that readers should take note.

Right, understood. We provide this Leadership Compass not to have the reader decide, OK I take the product that is in the right upper corner and this should be the perfect one for me, but as a tool for understanding their own requirements and mapping your assessment to what they did. So it's really something that needs more work with it. But nevertheless, when we talk about this market, can you mention a few of those organizations and vendors that you consider to be leaders in different angles, not to endorse them, but just to mention how that market looks like? And what are the typical players that you could think of when reading that Leadership Compass.

Yeah, well, so not to name specific, but I would put emphasis on how I would look at the spectrum of vendors that we evaluate in this Leadership Compass is that there are large enterprises that have multiple systems that they need to consider. And so there are some of these more well-established vendors that have been in the market for quite a while. They may have existing products already and they may be upgrading and so there's a lot more consideration in larger enterprises where they have to integrate with systems and they have systems of systems. So that is, in my mind, one category. So when you're looking at the Leadership Compass, you need to also consider, what does your organization need as far as you know, what is your environment? Is it systems of systems, large legacy applications that you need to integrate with, et cetera. And then there's kind of like this mid-market area of vendors. And these are typically companies that maybe have some IT staff available in their organization, but not a lot. And they may also need to consider an MSP to help out if they don't have the skill set involved. And then there's the smaller or SMB type of organizations that are looking for more of an all in one type of Access Management solution that not doesn't just include authentication and authorization and SSL, but but also includes things like IGA, identity governance type of capabilities. And some of these products have that with the understanding that the smaller companies aren't going to buy discrete products and have a large system of system type of environment. And they need to have something that's a little easier to manage for them at that point in time. So there's actually a breadth in a range of solutions within this Access Management Leadership Compass. And and so you need to also consider that as you're looking at it, to evaluate where your organization is, what are your particular requirements and which one also fits maybe your regional requirements. So you may be an organization in the U.S. and you want to have someone, a vendor that is closer to home, as opposed to another organization in Europe where some of those organizations have a deep ecosystem of partners and system integrators that they could collaborate with in that region. So there's a lot of things to consider. So this is one of those type of Leadership Compasses that you may have a first glance at. But then as it is, you really try to determine which one is closer to what your organization needs, you dig into it a little bit deeper.

Absolutely. And I really would like to reinforce that because it's really not just a document to read, but to work with. And I would highly recommend that the audience that is interested in learning more about your results of the current market of Access Management Solutions, go to our website and have a look at the document and it's available all there and has been released already. So just go there and search for Leadership Compass Access Management or for your name, Richard Hill. That should help you in finding the document very quickly. Thank you very much, Richard, for joining me today. Any final thoughts that you would like to add, something striking that came across you when you did the research? Any new changes, new trends? You've mentioned a few already, but maybe there is something more that you would like to highlight?

Yeah. So I mean, one of the things that is kind of exciting that I've noticed is that finally passwordless is starting to gain some momentum. One of the open standards, FIDO2, it's like 93% of the vendors supported it. And those that didn't support it, currently it's in their roadmap. So I'm glad to see that that's taking off and is gaining some momentum in the market.

Yeah, that sounds great and it's really making authentication simpler for all of us. So that's really an important thing to look at. And even more secure and more convenient. So this combination is not that often achieved. So that is something where FIDO2 really is important. So thanks again, Richard, for joining me today. I'm looking forward to having a new episode with you very soon. Thank you very much.

Yeah, thank you.

Bye. Bye bye.