Analysis and research firm Gartner, Inc. recently released its latest Critical Capabilities Report for Identity Governance and Administration (IGA).
In the 2017 version of their Critical Capabilities report for IGA, Gartner takes the 15 products that it considers most significant in the worldwide IGA market and evaluates the strengths and weaknesses of those vendors against 11 ‘critical capabilities’ and four common use cases for IGA. Gartner does not endorse any vendor, product, or service depicted in its research publications.
The 15 products featured in the report are, in alphabetical order, AlertEnterprise, Atos (Evidian), CA Technologies, Core Security, Dell Technologies (RSA), Hitachi ID Systems, IBM, Micro Focus (NetIQ), Omada, One Identity, Oracle, SailPoint IdentityIQ, SailPoint IdentityNow, and Saviynt.
I read the report, available in full here, and pulled the three most important takeaways and key market indicators. But first, let’s get a couple of definitions out of the way…
So What are Critical Capabilities, Exactly?
This one is pretty straightforward: Gartner defines critical capabilities as “attributes that differentiate products/services in a class in terms of their quality and performance.”
For IGA, those critical capabilities are identity life cycle, entitlements management, access requests, workflow, policy and role management, access certification, fulfillment, auditing, reporting and analytics, ease of deployment, and scalability and performance.
Gartner rates each product or service on a five-point scale in terms of how well it delivers each capability across four use cases: Global Enterprise, Midsize or Large Enterprise, Governance-Focused, and Automation-Focused.
Just one more thing before we jump in—let’s clarify exactly what Gartner analysts mean when they talk about IGA.
How Gartner Defines IGA
According to Gartner, IGA solutions are tools that “manage digital identity and access rights across multiple systems.” They accomplish this by aggregating and correlating identity and access rights data that is distributed throughout the IT landscape, in order to enhance control over user access. This aggregated data serves as the basis for the core IGA functions that Gartner calls critical capabilities.
To be included in the 2017 IGA Critical Capabilities report, vendors must have a significant market presence in at least one of the use cases and at least four of the critical capabilities listed above. Market presence can be demonstrated in one of two ways: by significant market share or by differentiating innovation.
IGA-as-a-service Adoption and Functionality Are Growing Fast
IGA is a critical part of the security and governance programs at most sizable organizations, but it has a reputation as an unwieldy and difficult-to-deploy tool. What’s more, many organizations are struggling to pull significant value from their IGA tools, especially in automated user account provisioning, due to complex integration issues, says Gartner.
With that in mind, it’s no surprise that many companies are turning to the cloud and furnishing IGA-as-a-service products to ease deployment and integration issues for customers looking for streamlined IGA functionality.
Growth in the nascent IGA-as-a-service market is primarily driven by small and midsized businesses that look to cloud-based SaaS delivery models to simplify their application deployment and usage. Gartner analysts nonetheless predict that by 2019, more than half of IGA vendors will have significant IGA capabilities available as a service, up from less than 10% in 2016. In the same time frame, more than 30% of new IGA deployments will be service-based, up from less than 5% in 2016. The future, it seems, is in the cloud.
But it’s not all good news: many of the products that emphasize ease of deployment typically provide out-of-the-box process frameworks, which could be difficult for organizations with mature processes to adopt, says Gartner.
Saviynt and Oracle Lead in Ratings
While Gartner makes it a point not to endorse specific vendors in its reports, the 2017 IGA Critical Capabilities report gives a lot of love to a few vendors, namely Saviynt and Oracle, who placed in the top three for most use cases.
Saviynt specifically was the only vendor to place in the top two across all four use cases, with the top spot for Midsize or Large Enterprise and Governance-Focused use cases. Gartner praised the company for its “Outstanding support for role management” which “bridges the gap between enterprise and application role management with the ability to design and transport roles for complex applications with their own RBAC models.”
For its part, legacy IGA vendor Oracle was among the top three scores for three use cases, and took the number one spot for the Global Enterprise use case. Gartner praised the company as “especially well-suited to global enterprises with mature and complex processes for access administration and significant requirements for the automation of account management,” but warned that deployment can be complex, as the product requires more compiled Java code than most other products.