This is the second edition of the Market Guide for Identity Governance and Administration, circa 2022, the year of the comebacks. Thoma Bravo is back on a shopping spree, Tom Brady is back with the Buccaneers, conferences are mostly back to an in-person format (with the ever-present online option sticking around), while the bravest among us attended them despite an unpleasant comeback, a spike of COVID-19. Hail to the strong-willed, adventurous vaccinated folks!
In last year’s analysis, I compared the market guide with a traveler’s book. This year, that comparison wouldn’t work since the vendor details were omitted. So, the better analogy would be a traveler’s map as all the landmarks are there, but with non-descript locations. An odd thing I noticed was that every non-North American HQ is represented in cities like Shanghai, Sao Paulo and Melbourne while the North American ones are states or provinces like California, Texas, and Ontario. Perhaps Copenhagen is easier to spell than Cupertino?
Anyway, as a mathematician with heart, I pay attention to numbers and feelings. We know that the guide is missing those vendor details, so will Gartner write in-between the line messages directed at specific vendors, or will those wise thoughts only be for customers? Let’s investigate.
This year there are more authors (5 vs. 3), more listed vendors (31 vs. 19), more key findings (4 vs. 3), and more recommendations (4 vs. 3) using fewer pages (15 vs. 19) than last year’s edition.
The 31 showcase vendors are listed in alphabetical order with no exceptions, whereas last year there was a disturbance of alphabetical peace (see my 2020 report on that) and was excluded from the sample list, which immediately resulted in changing the Web front-page to Italian ( www.netstudio.it). I believe this is related to the subpar performance of Firenze in Serie A but I’m not certain, we need to ask Henrique.
General observations:
- Gartner did a great job on refreshing key findings as instead of focusing on famous corporate Bingo words such as “cloud” and “zero trust”, the authors found a new approach: discovering challenges. They hit on topics such as Asset Management, Operations Problems and Machine Identities, but it’s interesting that one of their key findings contains actual recommendations on how to deal with challenges, which before you’d only find in the recommendations section. They say to “look beyond technical capabilities and evaluate how, and how easily, they can be deployed, integrated and operated”. What is the message between the lines here? My take is that it’s all about the human factor. Each key finding is directed towards the specific needs of the specific group of individuals, like SRM and IGA managers, and giving them talking points for promoting their agenda within the organization (“It’s not me talking – it’s GARTNER!”). There is also a message to vendors: here are the real issues, please address them in the products. My question for Gartner is: did you consult with your lawyers before writing “underpinning identity fabric in which insights from identity and access management (IAM) tools are shared reciprocally with insights from adjacent tools”? I understand that Halloween recently passed, but this is too spooky for even someone whose native tongue isn’t English.
- As in 2020, the recommendations section starts with a shorter version of the same revealing sentence about who it’s addressed to: “SRM leaders responsible for IAM and fraud detection”. However, unlike in 2020, there’s no decoding of both acronyms. The message to the readers is if you don’t know what this is by now, stop reading. This edition’s recommendations are definitely deeper and more multifaceted than in 2020. Instead of just “simplify the selection of
IGA vendors” and “ensure you have a long-term strategy “(2020), the authors recommend to “Evaluate not just traditional capabilities, but also meet upcoming cloud-related needs, security coverage, and support AI and ML” (2022). Instead of suggesting to “target a SaaS or cloud-based deployment first” (2020), the analysts proposed a different strategy that it’s “important to examine SaaS and platform solutions, estimates, and cost of using professional services or managed service.” (2022). In addition, there are two new recommendations: “Treat machine identities as distinct identity types that must be managed and governed similarly to human identities” and “Identify key use cases early in any review process”. What is the underlying message behind all of that? To me, it is a request for shifting from an architectural-project approach to a more practical business/financial one with a much wider view. Gartner hopes that users and vendors will follow these recommendations.
- The same shift is visible in changes related to strategic planning. In 2020 it was very architectural with “SaaS-delivered, converged IAM platforms like IGA, AM, PAM”, but in 2022 it’s about “using IGA analytics and insights as part of a wider identity fabric to reduce security risks across IAM estate”, which is clearly more of a business-like approach that appeals to a larger crowd than just IGA. Since strategic planning is addressed to business leaders, who understand and appreciate “security risk reduction”, this shift should help you to get better funding. Again, I did not say it, Gartner did.
- The market direction and market analysis sections showed us why Gartner decided to forego vendor details as it gives the reader’s a different perspective and hints which can be easily interpolated on a particular software maker. You just need to find the golden nuggets hidden in their messaging, and that’s exactly what we’ll do.
Let’s get deeper into the market direction, or at least the Gartner analysts’ opinion of where we’re going. In 2020, we were going to expand on the “unaddressed market segment for large to global enterprises in emerging geographical markets”, and evaluate “IGA technology rapidly being adopted by midsize organizations with less demanding requirements”. In 2022, the direction changed as it started by getting “cloudy” for two paragraphs which then led to RPAs with a “significant number of machine identities …to the extent that nonhuman identities now outnumber humans” and the emergence of “identity fabric” which was mentioned 9 (!) times in the report overall. As a comparison, “identity governance” appeared 7 times.
Hint to vendors: you better start including “identity fabric” in your marketing materials as a new checkbox is coming into your RFI and RFPs! Especially since there is no official definition of what it is. KuppingerCole version is that it “stands for a paradigm of a comprehensive set of Identity Services, delivering the capabilities required for providing seamless and controlled access for everyone to every service”, while the Security Boulevard version is a “distributed, multi-cloud identity management framework integral to Identity Orchestration software”. Wikipedia has no idea as the page “Identity Fabric” does not exist as of October, 1st 2022, but Wikitia has a version that states an “architecture design approach that serves as a foundation for defining or continually updating enterprise architectures for Identity and Access Management (IAM).”
If you Google it, the “People also ask” section has the following answer:
An Identity Fabric is an abstraction layer in a distributed identity management framework provided by Strata’s Maverics Platform.
Bravo, Strata! Your money was not wasted on Google advertisements. Someone deserves a promotion!
The Authors dedicated 4 (!) paragraphs to vendor directions as “vendors are responding”, “vendors have relatively stable offerings”, “vendors have SaaS deployment options”, and “vendors are striving to improve.. support for nonhuman identities”. All of these research insights are hidden demands aimed at product management teams across the esteemed IGA space. Another hint for vendors: potential customers will read the market guide too! Look for more checkboxes!
Continuing our tradition from my 2020 analysis, we’ll use a table with 2022 quotes and their subsequent hidden messages:
Quote | Message to vendors |
IGA vendors are providing solutions to consolidate tools and .. for an identity fabric, but not necessarily at the same time. | Do it in the same product, under the same set of licenses, please! |
Most of the complete IGA suite vendors will meet most of their (customers) use-case requirements | If you cannot meet use cases, you are either not a complete IGA suite or you fall into the category of “not most IGA suite vendors”. Fix it! |
All the main IGA suite vendors have SaaS deployment options, which are increasingly recommended by them in preference to their software-based solutions, even for large, complex organizations. | Three things to note: If you want to call yourself a “main” IGA suite, offering SaaS options is a must. Push SaaS good, push it “real good”! Do not limit SaaS proposals to SMBs. |
Proliferation of new IGA applications based on the popular ServiceNow platform. | How is your proliferation going? Better hurry up, or we’ll call ClearSkye! |
Existing vendors offering light IGA capabilities as part of a platform will continue to enhance their capabilities to get closer to those of a suite. | Two-directional message: do not be satisfied with the status-quo (for light IGA) and do not sleep on light IGA (for complete IGA), who knows…. |
Suites typically offer much stronger management of contract workers, third-party access, deeper connectors, and flexible workflow with policy-based access controls. | Are you covering all of that, Mr. Suite IGA vendor? Look carefully at the order: contract and third party come first on the list and are very specific requirements. The rest are more general. SecZetta, anyone? |
The next three paragraphs are for leaders, SRM and IAM. Interestingly the authors assume that leaders have more time to read, so the title “Gartner’s Buyer’s Guide for Identity Governance and Administration” is directed to them. It’s probably because IAM leaders are too busy with “assessing the capabilities and deployment and management implications of available solutions against the needs of their organization both now and for the lifetime of an IGA tool” for “five to eight years”. I’m not sure if these overwhelmed people can foresee needs for 5-8 years ahead, or prepare the next generation of IAM leaders to replace the solution in 5-8 years, perhaps both. Meanwhile both types of leaders should remember that “platform-based tools have technical deficiencies, they have attractions in terms of cost, ease of deployment and ongoing management of fewer solutions … reduces the overall IT overhead within an organization.” Here is my reading between the lines: choose your list of “must haves” and look at a platform-based solution. Maybe you do not need all these extra technical capabilities?
Now let’s talk about Market Analysis. As done previously, I’ll extract some interesting quotes and decode their messages.
Quote | Message |
Robust governance and transparency of consumption are required across a range of cloud service providers | Choose your service providers based on transparency and governance, not price or marketing slides! |
IGA tools have to support this move by using proprietary connectors and converging on standards-based connectors | To vendors: do more with standards-based connectors for cloud applications To users: always prefer using standards-based connectors and avoid customization as much as you can! |
SaaS IGA offerings: dig below any marketing in order to assess their true cloud credentials and ability to manage other cloud-based assets | Evaluate SaaS IGA only based on use cases, which should include scenarios involving managing cloud assets and credentials. No Marketing people in the room allowed during POC. |
The ability to participate fully in an identity fabric will act as a value multiplier, compared with insular IGA offerings that fail to play a full part. | Be ready for a new checkbox for “Identity Fabric” to your RFI/RFP. It will multiply your value, unlike isolated IGA. More instructions to follow in 2023. |
We expect IGA functions to be more composable as part of a cybersecurity mesh by 2025. | Analysts call for a joint venture between IGA and IT Security (see figure 2). Maybe joined budget? In 2025? |
Analytics and ML .. to add them they will need to accept input from external sources and systems. Similarly, they will need to help make decisions and constructed insights available to other, related systems in security mesh | This is how you can get money for an analytics tool: a joint proposal with other sources with a promise of cooperation on data and analysis level. Don’t forget the “Value Multiplier” from an earlier comment! |
IGA solutions…to plan mainly for likely requirements in 2030 | Vendors: you better come up with a roadmap for 2030 that includes “likely requirements”. Users: Plan to stick around until 2030 to see if your predictions come true. Also, prepare Plan B in case you’re wrong, but you have another 7 years for that. |
The next two paragraphs within the market analysis are dedicated to two thoughts:
- Light, Platform-based IGA is a real thing and, in some cases, even preferable for fulfilling certain needs.
- A machine Identity avalanche is coming and requires management strategy now. Due to the sheer number of such identities projected in the near future, governing them will become a necessity and part of regulatory requirements and compliance, so you’d better plan for what’s coming.
Similar to the previous report, the “Market Guide does not imply an exhaustive list. This section is intended to provide more understanding of the market and its offerings”. Again, there are two hidden messages here (like in 2020):
- To potential customers: “An exhaustive list exists; it is long and dynamic (requires timestamp, almost like attestation), so we decided not to exhaust ourselves to assemble it. If you found a good match in terms of value/capabilities, you can tell your management that this vendor is on the list. We will confirm it as long as your organization is our client.”
- To a vendor: “You are always on our exhaustive list. We care about you even if you are not a listed vendor. You are still important; just help the customers!”
Finally, 5 market recommendations for SRM leaders. Please note: they are not the same as the recommendations on page 2. Why are there two sections on recommendations? My answer is the following: it does not matter if you are a person who just reads the first two pages or last two pages – you cannot avoid direct recommendations! Smart! It allows busy people to save tons of time and get straight pointers on both ends.
I would love to hear your opinion about the guide and my observations.