The Forrester Wave™: Identity-As-A-Service, Q4 2017

1 The Forrester Wave : Identity-As-A-Service, Q4 2 017 The Seven Vendors That Matter Most And How They Stack Upby Andras Cser and Merritt MaximNovember 17, 2017 FOR SECURITY & RISK TakeawaysOkta, Centrify, And Microsoft Lead The PackForrester s research uncovered a market in which Okta, Centrify, and Microsoft lead the pack. OneLogin Ping Identity, and Oracle offer competitive options. Gemalto lags Pros Want Broad Access Control, Mobile Protection, And Identity ProvisioningThe IDaaS market is growing because more S&R pros see IAM, and specifically IDaaS, as a way to ensure users have the appropriate level of application access. It s also growing because S&R pros increasingly trust IDaaS providers to act as strategic partners who help solve their various challenges involving identity and Of Administration, Identity Analytics, And Mobile Device Support Are Key DifferentiatorsAs on-premises IAM solutions become dated, costly to maintain, and less effective, improved administration, application and device support, and breadth of IAM standards support will dictate which providers will lead the pack.

2 Vendors that can provide large catalogs of out-of-the-box-supported SaaS apps, include outstanding self-service in their mobile apps, and position themselves to successfully deliver seamless data protection and authentication experiences to their customers will Read This ReportIn our 41-criteria evaluation of IDaaS providers, we identified the seven most significant ones Centrify, Gemalto, Microsoft, Okta, OneLogin, Oracle, and Ping Identity and researched, analyzed, and scored them. This report shows how each provider measures up and helps security and risk (S&R) professionals make the right 2017 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change.

3 Forrester , Technographics , Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing is a violation of copyright law. or +1 866-367-7378 Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA+1 617-613-6000 | Fax: +1 617-613-5000 | Of ContentsIDaaS Reduces Costs, Supports Flexibility, And Improves SecurityIDaaS Evaluation OverviewEvaluated Vendors And Inclusion CriteriaVendor ProfilesLeadersStrong PerformersContendersChallengersSupplemen tal MaterialRelated Research DocumentsThe Forrester Wave : B2E Cloud IAM, Q2 2015 Ten Critical Questions To Ask Before Adopting Identity-As-A-Service (IDaaS)Understand The State Of Identity And Access Management: 2017 To 2018 FOR SECURITY & RISK PROFESSIONALSThe Forrester Wave.

4 Identity-As-A-Service, Q4 2017 The Seven Vendors That Matter Most And How They Stack Upby Andras Cser and Merritt Maximwith Stephanie Balaouras, Madeline Cyr, and Peggy DostieNovember 17, 2017 Share reports with colleagues. Enhance your membership with Research SECURITY & RISK PROFESSIONALSThe Forrester Wave : Identity-As-A-Service, Q4 2017 November 17, 2017 2017 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. or +1 866-367-73782 The Seven Vendors That Matter Most And How They Stack UpIDaaS Reduces Costs, Supports Flexibility, And Improves SecurityIdentity-as-a-service (IDaaS) was an emerging technology and deployment model in the last IDaaS Forrester Wave.

5 1 Since that time, the market has matured considerably and shows strong demand from enterprise clients. This is because IDaaS: Reduces labor costs by 30% to 35%. The biggest benefit of using IDaaS compared to on-premises IAM solutions is a 30% to 35% lower ongoing maintenance rate, most of which is manifested in a lower need for (expensive) IAM skilled In addition, you no longer have to upgrade a heavily customized on-premises IAM solution every year vendors seamlessly update their IDaaS solutions once every two to four weeks. Provides easy-to-configure access control and auditing solutions. IDaaS solutions provide a simple way to control access and provide single sign-on (SSO) to SaaS (and, to a lesser degree, on-prem) applications, and they require minimal initial implementation investment.

6 IDaaS solutions now offer much better support for industry protocols ( , SAML, OpenID Connect, OAuth2, etc.) and boast thousands of pre-integrated applications in their SaaS app catalogs. Certification with SaaS apps means the burden of troubleshooting falls on the vendor, not the client organization. Security teams also often use IDaaS solutions to direct traffic to cloud security gateways (CSGs), also known as cloud access brokers (CASBs). According to our surveys, 73% of global network security decision makers have implemented, are implementing/expanding/upgrading, or plan to implement an IDaaS solution (see Figure 1). Enables cost-effective two-factor authentication (2FA).

7 In the light of recent high-profile data breaches, it s imperative to protect application access with stronger passwords and 2FA. IDaaS solutions allow S&R pros to centrally and cost effectively define and enforce password policies for Active Directory (AD) as well as to add on software/hardware token, push notification, SMS one-time passwords, and biometrics as 2FA to those applications that do not by themselves support it. In this Forrester Wave, we saw early signs of IDaaS solutions allowing administrators not only to define static rules-based policies but also to rely on an IDaaS-generated risk score (which can be high, for example, when a user accesses the IDaaS solution from a new device from a new IP address).

8 Helps to protect credentials and data on mobile devices . Okta, Centrify, and Microsoft bundle their own native enterprise mobility management (EMM) solution with their IDaaS platform. For smaller organizations that have no preexisting investment in a larger EMM platform, such as Airwatch and Mobile Iron, this can be a simple and cost-effective alternative to protect application credentials as well as data on mobile Simplifies basic SaaS identity management tasks. Today s IDaaS solutions provide simple provisioning from HR systems ( , BambooHR, Workday) or Active/LDAP Directory using SCIM, SAML Just In Time (JIT), or even SaaS native user management APIs to many SaaS apps (Conjur, Salesforce, ServiceNow, etc.)

9 While identity governance (attestation, periodic recertification, etc.) FOR SECURITY & RISK PROFESSIONALSThe Forrester Wave : Identity-As-A-Service, Q4 2017 November 17, 2017 2017 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. or +1 866-367-73783 The Seven Vendors That Matter Most And How They Stack Upfeatures are currently lacking, vendors actively partner with RSA, SailPoint, and other vendors for this functionality. Forrester expects that IDaaS solutions will provide native identity governance capabilities for SaaS apps in the next 18 to 24 Increasingly supports hybrid environments especially for provisioning.

10 Security teams want to expand IDaaS solutions to: 1) manage SSO and identity management and governance (IMG) and 2) provide a single pane of glass of auditing access for SaaS as well as on-premises applications. As a result, we re seeing Oracle and Ping Identity bridging their on-premises SSO and IMG product portfolios to their IDaaS solution, while Okta and OneLogin build and acquire on-prem SSO solutions. This ultimately increases the complexity of IDaaS solutions and raises questions on how to build connectors to on-prem apps in a scalable and repeatable way. This will help organizations that struggle with the high cost of implementing today s complex workflows in on-prem IMG solutions.