GARTNER MAGIC QUADRANT ANALYSIS, IGA 2017

2017 is a year of changes:  a new four-year cycle, a new US President, and a new Magic Quadrant. Congratulations to Gartner with breaking from previous trends shown the during second term of the Obama administration for releasing MQ later and later every year. This time, surprisingly, the report came one week earlier than in 2016, which corresponded to my prediction in last year’s analysis.

In my humble opinion, it has something to do with having four authors instead of three.  It is nice to see Gartner in the forefront of adding more jobs for hard working Americans, in this case, adding more responsibilities for hard working analysts.

One note about the report itself as a file: If you look at the report on somebody’s Web site (IBM, SailPoint, etc.) and try to print it in PDF format, the PDF file will have 43 pages (2016 had 33), but every page after page 29 is blank. Is it a tribute to the new White House administration or some secret messages are written on these pages? I hope it is just a formatting error.

My main impression of reading the report/forecast: it is getting cloudy as a service in the next couple of years.  The uncertainty of 2016 is over for most of the vendors, cloud is accepted, so let’s talk about if we should go to the cloud solutions (adoption and trade-offs) and how we can control administrators and other privileged users (PAM).  Even strategic planning assumptions are getting tighter; in 2016 Gartner made predictions for 2020 (4 years ahead), but in 2017 Gartner just looked forward for 2019 (2 years ahead).

In terms of the report’s language, it became more precise and less vague, so one can conclude that not only the IGA market “has reached the point of maturity”, but also IGA MQ.  The biggest announcement of this report is that “ancillary capabilities”, not main functionalities, are the differentiation factors. The dictionary defines ancillary as “providing necessary support to the primary activities or operation of an organization, institution, industry, or system.”  Here is the translation of the message to vendors: “Please listen more to your customers, especially their operation and business units, and make their life easier, and you will move right up the quadrant”. The ability of IGA solution to read CISO mind is not considered to be an advantage: it’s not ancillary enough.

Another interesting fact of the IGA market in 2016: name confusions. Just try to explain someone outside of the industry that the 2016 Dell solution (formerly known as Voelcker/Quest) in 2017 is known as One Identity, while the 2017 Dell product is formerly known as Aveksa, then RSA and now has the name Dell Technologies/RSA. How about that the 2016 Courion did not disappear from MQ, just lost “u” and “ion” and added “Security” to its name, which resulted in moving left and down not only to niche quadrant, but geographically (from Boston area to Atlanta).  On the other hand, it makes sense: MQ was published after the Super bowl, and both Atlanta organizations have blown their leads (just want to remind you that Courion was in MQ leaders quadrant in 2014). We hope both teams rebound and have great success in the coming years.

Before going to the report analysis, I would like to repeat my mantra: please read carefully what Gartner wrote about each of the vendors and recommend your customers TO READ IT TOO. There is a reason why Gartner does not write MQ results in the forms of tweets (SAD! As our President would tweet) #DoNotBeLazy #DetailsMatter #MakeOurIGAGreatAgain.

And now for my general observations:

  • Congratulation to CA for finally breaking the ceiling (a.k.a. the line between visionaries and leader’s quadrant). The new product management vision (thanks Nick!) won appreciation of customers and analysts alike. Now it is all about delivering, and we hope CA upper management will read MQ report and start spending money on customer’s facing the side of the house.
  • Congratulations to Microsoft on being Microsoft and staying away from MQ for the fourth year in a row. Such consistency! The uncertainties of 2016 became confusions in 2017.
  • Two vendors move up different quadrant’s (Savyint to Challengers and CA to Leaders) and two vendors went down different quadrant’s (Micro Focus to Visionaries and RSA/Aveksa, now known as Dell/RSA to niche).
  • One vendor became a victim of minimal revenue barrier: Hitachi ID. This is the message from Gartner to the vendor world: your solution is as good as your ability to sell and support it.
  • This year Gartner-supported trends are different from 2016: from risk-awareness, data governance and analytics, we pivot to ancillary capabilities (i.e. clear view of people, processes and day-to-day IGA activities) There is more emphasis on administration, execution, visibility, process management, user behavior (UBA/UEBA) and data reconciliation in one place. I interpret this as another message from Gartner to vendors: make your solution practical for IGA administrators, let them spend more time on daily activities instead of tool configurations.
  • Cloud conversation in this year’s report also turns more practical: when one should consider pure cloud, hybrid, or on-premises solution. All types mentioned above are accepted, so choosing one method does not put you in a disadvantage.
  • Since practicality is an operational word of the report, the number of hidden messages are a little bit down and harder to find. Looks like the trend to reduce “political correctness” also affected this report. But they are still there, and I will point you to some of them as usual.
  • Like in 2016, Gartner warns the readers (if you can read between the lines): all four MQ Leaders require significant professional services efforts to implement or upgrade to a new shiny version. Since we are in 2017, I will reformulate the hidden message: buying or upgrading to new IGA solution from leaders will create more jobs for hard working US-based professional services consultants. At least that is what you will say to your CFO when asked about going over the budget.

Let’s take a closer look at the vendors and find the hidden messages, starting with leaders:

  • CA is our new/old addition to the Leaders quadrant. Welcome back to the club, hope you will be staying here. Finally, IDMLogic acquisition paid off, and “low level of innovations” years are over. Gartner concentrates on three strengths: “improvements in ease of deployment”, “very scalable” and “synergies between its IGA solution and its portfolio of other security and IAM products”. Cautions are very familiar: “customer satisfaction scores remain in the lowest quartile of all vendors”, “no central console for … audit policies”, “challenging upgrade path from older versions” and “no out-of-the-box integration with products from other PAM vendors”.

Read between the lines.  If you are a thorough reader, you would be surprised to learn that the first two strengths are about two different products. “Ease of deployment” is about “..virtual appliance quick deployment tool, Deployment Xpress and a marketplace featuring preconfigured, pluggable scenario templates.”, while  the second strength, scalability, is about old version, not Deployment Xpress, because it is “used in large, consumer-facing deployments”, and Xpress was just released. So, you are left to rely on “synergy” between CA “security and IAM products”. Beware: Gartner is smartly using the word “synergy”, not “seamless integration” or “interoperability”.  Gartner likes changes at CA and wants to boost up even caution about user dissatisfaction of support by using “while still positive overall” sweetener at the end. One more thing: it is the only MQ leader vendor with 4 cautions; the others have three. Summarizing:  CA is looking for believers in new direction, and if you are one of them, please apply.

  • IBM is in the Leaders quadrant for the fourth year in a row. Nothing has changed in Big Blue and looks like nothing will. IBM is still for “large organizations with complex processes … and… willing to invest in significant professional services”.  Descriptions of strengths contains all catchy words symbolizing a BIG company like “large, global presence”, “comprehensive approach to security”, “sold and supported everywhere”. One interesting twist on strength: “application-specific intelligence”, i.e. “linking business processes and controls with entitlements”.

Read between the lines. In my last year’s review, I wrote that if your organization is not large and unwilling to feed hungry herds of consultants, an IBM product is not for you. It is still the case, but in the light of “ancillary capabilities”, one thing strikes the most: there is no mentioning of a human being in the description or strength. The only place you can find it is in caution section: “causes confusion, especially in deals involving multiple types of user constituencies”. Such a smooth touch by Gartner: pointing to something without directly saying it.  If you add opaque pricing model, like in 2016, then you will get the complete picture. Summarizing: IBM is good for large, solid, seasoned rich organizations whose security model is based on application-specific intelligence (Watson-like) with preferably no attention to whining of human beings confused with their user constituencies and lost among significant professional services projects.

  • Oracle, the perennial member, is on tenure track or already received tenure position in Leader’s quadrant. Oracle is already a leader of creating jobs in IAM consulting; without Oracle line of products most of the implementation companies will be out of business. Analysts recognized three strengths: flexible and customizable, being a part of Fusion middleware and global presence with global channel partners. By the way, they were the same in 2016.

Cautions are as powerful as strengths, but the main caution is complexity: “more complex to work with than other products that were evaluated”. As a result, “finding, training and retaining experienced in-house talent for Oracle’s IGA product is difficult”. If someone tries to avoid this issue with buying managed service, they “should pay close attention to Oracle’s strategy for cloud-delivered IGA before making any long-term decision” 

Read between the lines.  There is no other vendor with such a troubling underlying message. Just think about it: flexible and customizable solution which is so complex that clients need to hire professional services for a long-term contract with possibility of never finding the resource to manage it internally. I was using only the words from the report. Global outreach is great, but it does not help in “ancillary capabilities”. Gartner again does not use any direct discouragement related to Oracle offerings, but if one looks deeper, cautions becomes warnings.  Summarizing: Oracle Identity Manager is good for hooked-on-Fusion Oracle shops with either unlimited consulting budget or an abundance of chained-to-the-company internal resources with deep knowledge of the solution. The rest should stay away.

  • SailPoint is the MQ winner again, sailing away further and further from the competition into the upper right corner. Gartner continues its romance with the vendor describing their strengths in “large partner network… with an abundance of professional services skills set”, “strong messaging”, which leads to “strong brand recognition”, and “to start focusing on healthcare and federal government”. At the same time, all the cautions from 2016 are still there: “difficult to customize”, “pricing remained high” and bait and switch tactic for smaller companies: “SailPoint will attempt to sell them its IdentityNow cloud offering, which does not feature parity with the on-premises IdentityIQ”. This is direct message to SailPoint leaders: we are waiting for changes in these areas or your rise will change to a fall.

Read between the lines.  SailPoint is definitely the trendiest solution, it’s the “talk of the town”, darlings of the industry and clear winner of the beauty contest. Excellent reports, state-of-the-art marketing, sleek sales force – everything is going SailPoint’s way. But there is something missing in this rosy picture. Oh yes, TECHNOLOGY; there is absolutely nothing about what are the PRODUCT strengths and advantages, it is all about “messaging”, “partner network”, “value proposition for industries”.  What happened? Here is the Gartner review in 2014 MQ: “Its product scores among the highest across traditional governance capabilities because of its excellent access certification and role management features”.  In 2016 MQ, governance was mentioned along with WhiteBox Security assets. This year, nothing.  Gartner is sending a between the line message to the SailPoint management: bring technology back to focus, show us something new and exciting, and we will love you even more. Summarizing: if you are looking for glitzy, easy-to-show governance solution with simple provisioning, and it has to be a Leaders quadrant, this is your choice. Otherwise, do not rush and make your decision based on use case implementation results,  “ancillary capabilities”, not glamour and popularity contest.

For the rest of significant in US players I will be short (in alphabetical order):

  • Core Security – The whole report is based on briefings, not actual conversation with customers or standard package of supplemental information. Basically, Gartner was listening to “business, vision, product strategy and go-to-market strategy” of Core Security and collecting information available “in the public domain — such as company websites, press releases, reference material, publications and case studies — and credible reports from independent industry sources”. I am sure it did not make analysts happy. Gartner mentions that “the company continues to experience significant disruption”, but in addition to known “real-time security intelligence and response” vendor “renewed its focus on customer success and has introduced the concept of a “customer success manager” who — without revenue and quota responsibility — is assigned to customers and acts as their advocate.” We will see how successful this model will be.

Hidden message: “Wait and see, downfall continues”

  • Dell Technologies (RSA) – RSA solution continues its downfall. This time you cannot blame it squarely on Dell: “organizational changes have caused a downturn in customer satisfaction scores, forcing RSA to lag in comparison to last year, resulting in its new position in the Niche Players quadrant.” Basically, no time for product improvement or customer support where managers are jockeying for positions in the corporate musical chair game. But there is hope: “RSA’s brand depth in security and its strong IGA offering”, “partner ecosystem and a partner-first strategy” along with “highest-rated product for the small or midsize business” gives RSA a chance for the improvement. At the same time, old issues (“The product is difficult to customize — it works best when organizations can deploy the solution”, “support and maintenance still ranks in the bottom quartile of vendors”) and new ones (“Multiple re-brandings of the product over the past few years”) are pretty severe and do not produce much of optimism.

Here is the message for the potential customers: “Unless you already own Aveksa and have a great partner who can take care of it, do not engage”.

  • Micro Focus (NetIQ) – 2016 was a rebuilding year for Micro Focus. Making then breaking OEM agreement with SailPoint, an intent to merge with HPE, plus “focusing on improving the capabilities of its Identity Governance solution to replace the AGS functionality” moved the vendor down to Visionaries quadrant. Gartner recognized why it was done, embraced the future vision, and declared “improved revenue growth for a second straight year after a period of stagnation”. The vendor still issues with pricing, role mining and role analytics, in addition being the middle of transformation.

The hidden message is simple: “Like the direction, but not there yet. Buyers beware, we have warned you”

  • Omada – This vendor positioned itself for a long time as a FIM/MIM replacement. Gartner characterizes it as a “flexible solution with strong reporting capabilities”, which should be translated as a “great reporting tool; no comments on the rest of capabilities”. On a positive note, it’s loved by existing customers (“highly rated by customers for products, support, and maintenance”), affordable (“one of the best-value IGA software vendors”) and balanced (“only product that performed well consistently across every functional capability’). Therefore, Omada is neck-in-neck with One Identity and Savyint, remember “ancillary capabilities”. At the same time, cautions are very serious: lack of brand recognition, relying on old MIIS technology for sync and requiring binding commitments from the potential buyers.

Hidden message is clear: “If you are looking for a cheap escape from FIM, take a look at Omada. If you are a Microsoft shop and need reporting, Omada could be good for you. No comments on the rest”

  • Savyint – I think we found a new darling of Gartner. Watch out for this vendor: included in MQ last year, and already in Challengers quadrant. Why? Because they are in the forefront of IAM as a service with comprehensive cloud offering (“most fully featured IGA solution delivered as a service”), deep analytics (“powerful analytics base to combine IGA with elements of data access governance (DAG), SOD controls monitoring and cloud access security brokerage (CASB) in a single platform”, a.k.a. “Hello, Securonix!”), and “aggressively building a sustainable and robust partner ecosystem”. At the same time, Gartner warns that “Saviynt needs to prove that it’s able to execute on a global scale”, “Saviynt remains a small independent vendor” and “Its pricing is perceived by clients to be relatively high … tendency to bundle additional modules that are not core to IGA “. If you look carefully, you will find “the golden nugget” sentence in the report: “The solution … for organizations that are looking beyond traditional IGA … multiple environments including the cloud … willing to adopt new technology from a small vendor.” Great promotion of innovators with three hidden warning on one sentence: no traditional stability or huge list of features (it is not your traditional IGA), expect bugs and shortcomings (“new technology”), prepare to be a quick self-learner with not much hand holding (small vendor).

Hidden message is clear: “Innovative, forward looking early adopter customers wanted, preferably cloud-based and willing to grow with us. Guaranteed growing pains and great analytics confirming necessity of going through those pains”

  • And finally, as usual, One Identity. This time, “Gartner is cautiously optimistic about One Identity’s continued success as an independent entity, given the fact that the IGA team is largely intact and has recently led improvements on many fronts”. Great use of a two-word combination: “cautiously optimistic”, typical example of “the real meaning is in the eye of the beholder”. If you believe that the first word is more important, then, in your opinion, Gartner is telling the market “we are not sure if they can make it”. If you believe that the second word is crucial (which goes along very well with the second half of the sentence after “given the fact”), then, in your opinion, Gartner is embracing changes and strongly believe in success. Kudos to the authors for hinting two opposite messages without confirming none of them.

The biggest positive news: One Identity is the ONLY VENDOR which has two out of three strengths ACTUALLY RELATED TO THE QUALITY OF THE PRODUCT: “superior policy and role management features” and “deeper integration with complex applications than other vendors”. None of the Leaders’ quadrant vendors has more than one. Gartner also sees the improvements in partner’s relationships: “increased focus on partnerships with resellers and system integrators is fueling rapid and continued improvement in execution”.  At the same time, cautions are not easy to avoid: “new brand operating in a new company”, “brand identity has been somewhat obscured by the Dell-EMC acquisition”, “auditing, reporting and analytics capabilities … still below average among products” and “administration are fragmented and continue to rely on a Windows application for some configuration activities”. Last two are directly related to “ancillary capabilities”, and can be fixed with enough money spent on R&D (direct message to Quest/One Identity budget decision makers). One thing is missing in the report: new Connect for Cloud IM (supporting SCIM) announced late in 2016, probably after all the information for the report was collected.

Here is what I found as the hidden messages from Gartner:

  • To One Identity: “New brand, new company: chance of a lifetime to part with bad memories and mistakes of the past. Use it wisely, and if you do, Gartner will omit “cautiously” in the next report. Do not be cheap, spend money on R&D, brand recognition and strategy build, love your partner as yourself and finally IMPROVE YOUR ABILITIES TO SELL THE SOLUTION WITH EXISTING PRODUCT CAPABILITIES”
  • To potential customers: “This is a great time to consider One Identity if you are on the market for superior policy and role management tool with excellent provisioning capabilities and no needs for superior auditing, reporting and analytics capabilities. New brand means new deals and personal attention to the client’s needs”

Published by

Vlad Shapiro

Vlad Shapiro

Vladislav (Vlad) Shapiro, has been working in the the Identity Governance and Administration (IGA) field for 10+ years, during which time he has developed the business advisory concepts of Identity Posture, Fundamental Conflict in IGA and most recently, Costidity™.