Markets, R. Wagner
Research Note
31 October 2003

Magic Quadrant for Extranet Access Management, 2H03

Uncertain economic conditions continued to affect the extranet access management market in 2003. There were signs of recovery in large extranet deployments, federated identity projects and intranet/extranet unification.

Core Topic
Security and Privacy: Security Tools, Technologies and Tactics

Key Issues
Which vendors will emerge as leaders in the information security domain?
Which technology and business factors will enterprises use to structure network-based security strategies?

Strategic Planning Assumption
By 2005, EAM vendors that don't provide enterprise identity administration functions or products, or comprehensive IAM suites (or partner solutions), will disappear (0.8 probability).

Market Trends in 2003

Uncertain economic conditions dominate the extranet access management (EAM) market in 2003, although there are signs of recovery in several areas. As in 2002, most EAM activity in 2003 involves IS organizations attempting to reduce their operational costs of managing user access to externally exposed applications (primarily business-to-business) and intranet-based applications and portals. However, vendors and Gartner clients report renewed efforts on several large extranet projects that were shelved in 2001 and 2002 because of the down market and IT budget constraints.

Several combined EAM/user provisioning offerings emerged in 2003 to compete with the Oblix/BMC Software partnership, IBM/Tivoli (which acquired the user provisioning vendor Access360 in 2002 to strengthen Tivoli Identity Manager) and the Novell suite. These include Netegrity/Business Layers, Entrust/Waveset Technologies and RSA Security/Thor Technologies. This partnership activity belies the trend toward single-seller solutions for identity management, although few smaller players have resources for acquisition and larger players mostly have already completed their acquisitions.
Sun Microsystems, Computer Associates International (CA) and Hewlett-Packard (HP) also have increased efforts in this area, with CA being furthest along.

From a functional perspective, vendors have concentrated on making their products more intranet-friendly, with out-of-the-box integration for large, off-the-shelf enterprise applications from vendors such as Siebel Systems, PeopleSoft and SAP. Visionary vendors have begun to offer Web-services-based interfaces to their products as a step toward providing a true service-oriented architecture for identity management.

Another major area of interest (for vendors and users) and vendor effort in 2003 has been federated identity. Several large deployments of SAML-based or Liberty Alliance-based federated identity are under way. On the standards front, the presentation by Microsoft and IBM of the Web Services Federation Language (WS-Federation) in July 2003 makes the standardization of federated identity more complex. The Liberty Alliance offered its 1.0 specification to the Organization for the Advancement of Structured Information Standards' SAML working group; this specification is expected to be included in the SAML 2.0 specification. SAML has become established as a method for passing authentication information in federated environments.

EAM pricing has been affected by intense downward pressure because of the soft market, flat IT budgets and intense competition, especially from platform vendors such as IBM, CA and Sun. These vendors can deeply discount EAM offerings to customers in combination with the purchase of other products, such as directories, portals and application servers. List prices have dropped, and some vendors offer low-end package pricing that makes EAM and broader identity and access management (IAM) functionality cost-effective for smaller enterprises.

EAM Magic Quadrant and Ranking Criteria

In preparing this iteration of the EAM Magic Quadrant (see Figure 1), we used various criteria to rank vendors' ability to execute and completeness of vision.
Figure 1. Magic Quadrant for Extranet Access Management, 2H03
[Figure not reproduced. Axes: Ability to Execute and Completeness of Vision. Quadrants: Challengers, Leaders, Niche Players, Visionaries. Vendors plotted: IBM, Netegrity, Hewlett-Packard, Novell, Sun Microsystems, Computer Associates Int'l, Entegrity Solutions, Secure Computing, Wipro, Oblix, RSA Security, Entrust, OpenNetwork Technologies. As of October 2003.]
Source: Gartner Research (October 2003)

A vendor's ability to execute is ranked by four factors that pertain to near-term market performance:

"Mind share" and visibility to the public and Gartner clients: If a vendor can't or hasn't created awareness and desire for its product, as well as an understanding of its strategy, then the vendor won't be considered a strong player, no matter how good the product is.

Strength of sales channel and partnerships: The strengths and effectiveness of a vendor's sales channels have a direct bearing on its ability to create mind share and to match the timing of a sale to when a user is ready to buy.

Scalability and performance: Products in the EAM space are designed to be used in large extranets, and should scale easily to millions and even tens of millions of identities.

Installed base and growth in the past year: The degree to which the product has established a track record and to which the vendor has been able to stimulate and fulfill sales provide a measure of the product's viability.

A vendor's completeness of vision is ranked by four factors pertaining to long-term product strategies:
Mind share and ability to influence industry directions: The vendor is ranked according to its ability to lead or follow the development of new technologies and standards.

Identity administration capabilities: Moving from extranet to complete IAM functionality requires strong administrative functionality, including workflow and approvals processing, automated credential management, delegated administration, user self-service and other capabilities.

Integration with user provisioning and other IAM functionality or products: The breadth and integration of the vendor's offerings in IAM are measured, including the strength of its partnerships to fill out the offering (especially in user provisioning).

Federated identity and Web services capabilities: This criterion measures support for standards-based cross-domain trust, using SAML-based or Liberty-based approaches, as well as the provision of Web-services-based (XML, SOAP and WS-Security) interfaces to the EAM product.

Leaders

IBM WebSphere's strong position in the application server and portal market gives Tivoli Access Manager a strong advantage in large enterprises. IBM's large customer base and channel strength make it the execution leader. Gartner client interactions suggest that, in 2003, Tivoli Access Manager has suffered from difficulties in deployment and integration. Oblix, Netegrity and others have made inroads even in IBM-centric environments. In Gartner's view, IBM is much less a factor in EAM product decisions outside of its traditional customer base.

Netegrity's large installed base, wide channel support and strong customer service capabilities provide advantages in 2003 because IT spending continues to be soft. Netegrity has the highest mind share (in addition to IBM) among vendors as a leader. In early 2003, Netegrity introduced IdentityMinder Provisioning Edition, which integrates SiteMinder EAM and user provisioning technology from Business Layers.
IdentityMinder Provisioning Edition recognizes the move toward "suite" IAM products, and complements the core SiteMinder and IdentityMinder products, as well as TransactionMinder, a Web services security product.

Oblix competes closely with Netegrity in pure-play identity management/EAM solutions. Although several other vendors brought combined EAM/user provisioning solutions to market (with partners) in 2003, Oblix, being first to market, has succeeded with IDLink and its BMC relationship. Oblix continues to perform as a visionary by providing the technology for several large federated identity projects (see "Southwest Airlines Shows SAML's Promise").

Challengers

Novell has focused on completing its Nsure and Secure Access suite of identity management products, which includes the iChain EAM product. This is a complete offering, and iChain is a flexible, highly scalable and cost-effective choice for enterprises that make extensive use of Novell's other products (especially eDirectory). However, Novell appears even less successful than other stack vendors outside of its base of customers, especially faced with new competition from Sun, CA and HP. Novell has been visionary in federated identity, with several Liberty-based projects in development and deployment.

Visionaries

RSA Security has a strong worldwide channel and support structure because of its strength in remote-access tokens. RSA has articulated a strong vision of complete identity-centric infrastructure, including identity administration, user provisioning, EAM, public-key infrastructure and strong authentication tools. RSA also has shown strength in federated identity, including a rare-for-2003 large-scale deployment of SAML-based federated identity in a multiple-EAM product environment. Its partnership with Thor for user provisioning technology appears to be strong.

Entrust GetAccess has less visibility than RSA ClearTrust in the EAM market, mainly because of limited channel support. Entrust and Waveset announced an Entrust-secured Waveset Lighthouse for user provisioning in early 2003; Entrust could build significantly on this partnership. Only Entrust and RSA have strong, mature public-key infrastructure products and expertise as adjuncts to other IAM products. This factor could prove important if Web services technologies achieve their hoped-for penetration.
OpenNetwork Technologies has continued to execute on its strategy of providing a mechanism to extend Microsoft identity management offerings to bridge Unix and other heterogeneous environments with Active Directory deployments. It is most visible in this area. Although this strategy can be strategically dangerous, it has been successful tactically for OpenNetwork, which experienced increased deal flow and visibility in 2003. OpenNetwork still struggles with its sales channel and it has not been as active in federated identity efforts as market leaders.

Niche Players
Sun, CA and HP have been added to the EAM Magic Quadrant. In early 2003, Sun released Identity Server 6.0, which is a stronger technical offering than previous versions. It also has had some success with customers with competitive pricing. Sun may also benefit from its foundation support of the Liberty Alliance. CA offered eTrust Web Access Control in late 2002 as part of a relatively complete set of identity management tools. It has had some deployment success. HP acquired SelectAccess from Baltimore Technologies, which has sold off all assets and will soon disappear. The entrance of these players to complement Novell and IBM indicates a maturing of the EAM and global IAM marketplaces.

Entegrity Solutions' AssureAccess provides access control for Web and Java applications. Entegrity suffers from a lack of channel/sales strength. Also, it does have the same level of recognition as industry leaders.

Secure Computing's SafeWord PremierAccess provides base rules-and-roles functionality, URL protection and integration hooks. Although this offering does not compete with more-mature products in functionality, the tight integration with Secure Computing's token products makes it a solid choice for Secure Computing's token customers.

Wipro has little visibility and comes up short on vision, but it is a viable option, especially for enterprises that use Wipro's integration services.

Recommended Reading and Related Research
"Extranet Access Management 2H02 Magic Quadrant"

Acronym Key
CA: Computer Associates International
EAM: extranet access management
HP: Hewlett-Packard
IAM: identity and access management

Not on the Magic Quadrant

We have removed or omitted several vendors from this iteration of the Magic Quadrant. For example, Microsoft has no EAM product offering, although it continues to pursue various product initiatives along similar paths.
Microsoft Identity Integration Server was released in 2003 and is an update to the Microsoft Metadirectory Server product that moves the metadirectory closer to true user provisioning. Active Directory in Application Mode was also released; it could provide some EAM-like functionality. Microsoft continues to work closely with several EAM vendors, including Oblix, OpenNetwork and RSA. SSL-based remote-access vendors, such as PortWise, Neoteris (which is being acquired by NetScreen Technologies) and others, also offer some form of access control to Web-based applications. However, they don't support the variety of applications, Web servers and management capabilities that are required for effective EAM products.
Bottom Line: Uncertain economic conditions continued to affect the extranet access management market in 2003, although there were signs of recovery in several areas. Integration with user provisioning and federated identity capabilities were the main functional differentiators among EAM products. Most vendors continued to make partnerships and to add identity administration functionality as the marketplace moved toward complete identity and access management offerings.