Omdia Universe: Selecting an Identity-as-a-Service Solution 2020 - Okta

Transcription

Publication date: 26 Feb 2020
Authors: Rik Turner, Don Tait
Omdia Universe: Selecting an Identity-as-a-Service Solution 2020–21
Brought to you by Informa Tech
Information Classification: General

Summary

Catalyst

Increasingly, enterprises are employing cloud-based, or at least hybrid, environments that integrate optimally with cloud-based systems. Enterprises should consider whether cloud-based identity could be deployed more quickly and help reduce costs around scalability. Cloud-based software-as-a-service (SaaS) applications have transformed the business world. The identity-as-a-service (IDaaS) segment is the natural evolution of on-premises identity and access management (IAM).

Figure 1: The Omdia Universe for Identity as a Service
Source: Omdia

2020 Omdia. All rights reserved. Unauthorized reproduction prohibited.

Omdia view

The cloud was a natural place for this "vanilla" IAM to migrate to, enabling the technology to move from product to service and from capex to opex. It also broadened the market beyond large enterprises that could afford on-premises IAM to the midsize and even small and medium-sized business (SMB) segments. Large corporates, meanwhile, could use it to address the challenges of mergers and acquisitions, integrating companies they had acquired more easily and quickly than when they had to add all the new employees to the on-premises IAM directory.

IDaaS should be considered as an opportunity to streamline IAM and provide an enterprisewide approach that grants access to on-premises and cloud-based assets such as data and applications. In recent years, the number of identity management vendors offering fully featured IDaaS has grown, as IDaaS specialists that started out delivering cloud-only products have challenged the incumbent IAM vendors, for whom IDaaS is a natural extension to their core identity portfolios.

Key messages

- CyberArk, Okta, and Ping Identity are classified as leaders in the Omdia Universe. CyberArk outperformed its market presence and boxed above its weight.
- A cloud IDaaS platform is a must in a post-COVID-19 world, where enterprises need to be agile and able to adapt speedily to changing circumstances.
- In an ever-changing world where data breaches are on the increase, IDaaS solution providers need to continually innovate to stay ahead of the curve and remain one jump ahead of the hackers.
- IBM, OneLogin, and Oracle are classified as challengers in the Omdia Universe.
- The prospects all showed significant promise as solutions that are being developed. Prospects are characterized as having some gaps in their capabilities that are still work in progress.

Analyzing the IDaaS universe

How to use this report

Omdia is a proud advocate of the business benefits of technology, and IDaaS is a case in point. This Omdia Universe report is not intended to advocate an individual vendor but rather to guide and inform the selection process to ensure all relevant options are considered and evaluated in an efficient manner. The report findings gravitate toward the customer's perspective and likely requirements, characteristically those of a medium-to-large multinational enterprise (5,000-plus employees). Typically, deployments are considered across the financial services, TMT (technology, media, and telecoms), and government sectors, on a global basis. There are many vendors in the IDaaS market, and all vendors included in this report are deemed to be of high merit and worthy of consideration for short-listing purposes.

Market definition

In this report Omdia considered a series of features and functionality that would reveal differentiation between the leading solutions in the marketplace. The criteria against which IDaaS solutions are classified are as follows:

- IDaaS service delivery addresses service delivery capabilities for cloud, web, and on-premises requirements and covers key operational environments that need to be supported (B2B, B2E, M2M, and Internet of Things) and the delivery of core identity management services.
- Authentication drills down into the capabilities supported, such as, for example, how one-time passwords (OTPs) can be generated and the approaches delivered.
- Single sign-on (SSO) covers the range of facilities supported, a platform's on-premises and cloud interoperability and threat protection capabilities, and its security controls.
- Provisioning covers the provisioning facilities provided and the services supported, including deprovisioning and associated reporting and alerting services.
- Directory service includes directory management facilities to provide support for the leading directories used in IAM, along with associated requirements for directory synchronization.
- Reporting, alerting, and monitoring considers a platform's ability to monitor user behaviors such as login attempts and its facilities for alerting on suspect activities and providing reports to senior management.

- Management and infrastructure covers elements such as the range of applications supported with prewritten APIs, key industry standards supported, and the third-party IAM systems each IDaaS service can work alongside and integrate with.
- Coverage includes the extent to which IDaaS services are delivered at a country, regional, or global level. Language, technical support, and where data centers are located are also considered under this category.
- Post-COVID-19 world highlights some of the features that vendors plan to add or retire as a result of the global pandemic and explores future business models over the next few years.
- Certification entails the types of entitlement and separation of duties, policies, and the proper certification documentation.

Market dynamics

Migrating to IDaaS helps enterprises modernize by delivering SSO across all cloud-based applications and being able to respond quickly when new cloud-based apps are added. It also frees up security resources previously tied up on tedious commodity IAM tasks to focus on higher-value work and unique organizational projects that cannot be outsourced. An additional benefit of the as-a-service model is that, within the IDaaS space, vendors are continually innovating, which helps to keep enterprises up to date with advances in IAM technology.

Enterprises and corporate users also need to consider how the data is stored within a cloud service such as an IDaaS solution. In general, IDaaS products do not sync and store password hashes from users. However, several providers do offer this as an option in order to maintain the same passwords between multiple accounts (local directory, IDaaS, and even SaaS applications). Offering this option is one way that vendors can differentiate themselves from vendors that do not offer it. Before enabling it, a buyer should recognize that it extends the blast radius of a compromise in either direction (a breached tenant exposes directory credentials, and vice versa) and should confirm exactly what material is transmitted and how it is protected in transit and at rest.

In an ever-changing world where data breaches are on the increase, IDaaS solution providers need to continually innovate to stay ahead of the curve and remain one jump ahead of the hackers. This will be a differentiator over vendors that do not innovate on a frequent basis. Through innovation, vendors can add to their capabilities and product features, which helps in winning new business and keeping existing customers happy.

Most IDaaS products offer the ability to customize the synchronization process (where directory users and groups are pulled into the service), in particular which user attributes are allowed to be synchronized. The reasons for customizing attribute synchronization are security or privacy: the service should receive only the attributes it needs for SSO and provisioning, and credential material should never be forwarded by accident.

Having IDaaS products that offer the ability to provide business partners with SSO access to apps through a portal functionally identical to the one available to normal corporate users can be a key differentiator. This allows companies to foster business relationships without having to automatically give partners direct access to their corporate networks.
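The two points above (do not sync password hashes unless deliberately enabled; sync only the attributes the service needs) are what a directory connector's attribute filter enforces. The following Python is an added example written for this page, not code from the Omdia report or from any vendor's connector; the `SyncPolicy` class, `filter_record` function and the sample record are hypothetical, and the attribute names follow common LDAP/Active Directory naming.

```python
"""Attribute allowlisting for a directory-to-IDaaS synchronization connector.

Added example, not code from the Omdia report or any vendor. The policy,
filter and sample record are hypothetical; attribute names follow common
LDAP/Active Directory naming.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Set, Tuple

# Credential material that must never leave the directory unless the
# deployment has deliberately enabled password-hash synchronization.
CREDENTIAL_ATTRIBUTES: Set[str] = {
    "unicodePwd", "userPassword", "unixUserPassword", "ntPwdHistory",
    "lmPwdHistory", "supplementalCredentials",
}

# Attributes an IDaaS tenant typically needs for SSO and provisioning.
DEFAULT_ALLOWLIST: Set[str] = {
    "objectGUID", "sAMAccountName", "userPrincipalName", "mail",
    "givenName", "sn", "displayName", "memberOf", "userAccountControl",
}


@dataclass
class SyncPolicy:
    """Which attributes a connector is permitted to forward to the service."""
    allowlist: Set[str] = field(default_factory=lambda: set(DEFAULT_ALLOWLIST))
    allow_password_hash_sync: bool = False

    def validate(self) -> None:
        """Refuse a policy that would forward credentials without an explicit opt-in."""
        leaked = self.allowlist & CREDENTIAL_ATTRIBUTES
        if leaked and not self.allow_password_hash_sync:
            raise ValueError(
                f"allowlist contains credential attributes {sorted(leaked)} "
                "but password-hash sync is not enabled")


def filter_record(record: Dict[str, Any], policy: SyncPolicy) -> Tuple[Dict[str, Any], List[str]]:
    """Return (attributes to forward, attributes dropped) for one directory object.

    Names are compared case-insensitively because LDAP attribute types are
    case-insensitive and connectors often receive them in mixed case.
    """
    policy.validate()
    allowed = {a.lower() for a in policy.allowlist}
    credentials = {a.lower() for a in CREDENTIAL_ATTRIBUTES}
    forwarded: Dict[str, Any] = {}
    dropped: List[str] = []
    for name, value in record.items():
        key = name.lower()
        if key in credentials and not policy.allow_password_hash_sync:
            dropped.append(name)   # credential material: blocked unless opted in
        elif key in allowed:
            forwarded[name] = value
        else:
            dropped.append(name)   # not needed by the service: privacy by default
    return forwarded, dropped


# Constructed sample record, shaped like what a connector reads from Active Directory.
SAMPLE_RECORD: Dict[str, Any] = {
    "objectGUID": "0f6b7c2e-4d1a-4d3e-9b7e-1a2b3c4d5e6f",
    "sAMAccountName": "jdoe",
    "userPrincipalName": "jdoe@corp.example",
    "mail": "jdoe@corp.example",
    "givenName": "Jane",
    "sn": "Doe",
    "memberOf": ["CN=Finance,OU=Groups,DC=corp,DC=example"],
    "unicodePwd": b"\x00\x01\x02",   # constructed placeholder, not a real hash
    "employeeID": "E12345",
    "homePhone": "+1 555 0100",
    "medicalNotes": "constructed sensitive attribute",
}


if __name__ == "__main__":
    kept, removed = filter_record(SAMPLE_RECORD, SyncPolicy())
    print("forwarded:", sorted(kept))
    print("dropped:  ", sorted(removed))
```

With the default policy the phone number, employee ID and the constructed sensitive attribute are dropped along with the password hash; forwarding the hash requires both listing the attribute and setting `allow_password_hash_sync=True`, so a mistaken allowlist entry fails loudly instead of silently replicating credentials.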

Figure 2: Vendor rankings in the Identity-as-a-Service Universe
Source: Omdia

Market leaders

This category represents the leading solutions that Omdia believes are worthy of a place on most technology short lists. The vendors have established a commanding market position with products that are widely accepted as best of breed.

Market challengers

The solutions in this category have a good market positioning, and the vendors are selling and marketing the product well. The products offer competitive functionality and a good price/performance proposition and should be considered as part of the technology selection.

Market prospects

The solutions in this category are also worthy of inclusion on a short list. They typically provide the core functionality needed, but vendors may be a newcomer to the market, specialize in a particular segment, or have a regional focus.

The scoring of the Universe is performed by independent analysts against a common maturity model, and the average score for each subcategory and dimension is calculated. The overall position is based on the weighted average score, where each subcategory in a dimension is allocated a significance weighting based on the analyst's assessment of its relative significance in the selection criteria.

Omdia awards: One to watch – Hitachi ID Systems

Hitachi ID Systems should also be on your radar and is one to watch. The vendor has been in the identity management market for nearly three decades, offering an Identity and Access Management Suite that consists of products in IAM, PAM, and password management, with a cloud-based version of its IAM platform having been in existence for several years. In October 2020, it brought its three product lines under a single banner with the launch of its Bravura Security Fabric, describing it as "the industry's only single identity, privileged access, and password management platform."

The suite can both integrate with existing multifactor authentication (MFA) systems and provide its own, net-new credentials: SMS/PIN, email/PIN, smartphone app, security questions, and voice biometrics. When integrating with existing MFA technologies, Hitachi ID Suite supports both sign-on into its own user interface (UI) with these credentials and managing these credentials.

Provisioning access is available for on-premises, hybrid, and cloud-based scenarios, with support for AD, Azure AD, LDAP, eDirectory, and NIS/NIS directories. The platform also has the ability to secure edge devices with Internet of Things (IoT) networks. Hitachi ID Identity and Access Management Suite also has segregation of duties.

Hitachi ID currently does not support the OAuth industry standard. However, support for OAuth is on its roadmap for the next 12 months. Another limitation of its current solution is the fact that there is no facility to add defined services.

The launch of the Bravura Security Fabric represents an opportunity for Hitachi to raise its profile in this busy market, in the hope of adding new customers.
The Fabric lets organizations frame and optimize their cybersecurity programs with a single platform across identity, group, password, and privileged access. Organizations can weave the identity and access services in various patterns to protect, manage, and govern their digital identity and access infrastructure from attacks with the scalability, flexibility, and integration they need as their roadmaps evolve. The vendor is targeting a number of vertical markets including higher education, financial services, healthcare, and manufacturing.

Market outlook

The world market for IDaaS is projected to increase from 2.2 billion in 2018 to 5.1 billion in 2025, with a CAGR of 13.1%. Despite the global COVID-19 pandemic and economic downturn in 2020, the IDaaS market is projected to increase to 2.8 billion for the year. This represents annual growth of 14.0% from 2019.

The increase in the number of home workers and the acceleration in companies moving to the cloud have been key growth drivers for the IDaaS market during 2020. It is worth noting that IDaaS is cloud-based authentication built and operated by a third-party provider. Omdia believes that the trend away from on-premises products toward cloud solutions such as IDaaS will continue during the next five years. Indeed, the unexpected events of 2020, with the pandemic forcing millions to work from home for long periods of time, have led to even faster growth of cloud-based identity management (see Figure 3).

Figure 3: The world market for IDaaS, by revenue, 2020–25
Source: Omdia

Vendor analysis

CyberArk (Omdia recommendation: Leader)

CyberArk should appear on your short list if you are looking for a provider of SaaS-delivered identity management services.

The CyberArk Idaptive platform features SSO, adaptive MFA, identity lifecycle management, and user behavior analysis. CyberArk Idaptive secures access to both cloud-based and on-premises applications and resources via its App Gateway service. It also integrates with on-premises user repositories, such as Active Directory and LDAP-based directories, by deploying a connector service installed on the customer's on-premises server.

Figure 4 shows the high-level performance of CyberArk, where it scored an average across all three dimensions of 85.1%. CyberArk scored an average of 90% in the capability dimension, 20% in market presence, and 84.8% in customer experience. In terms of capabilities, CyberArk's strengths were authentication/MFA (100%), management and infrastructure (100%), and provisioning (95%). Its weakest capability was reporting, alerting, and monitoring (75%).

Figure 4: Omdia Universe ratings – CyberArk
Source: Omdia

Strengths

Idaptive came into existence in October 2018, but its technology has a longer history, because the vendor was previously the IDaaS business unit spun out that year from PAM vendor Centrify, a company that was founded in 2004. Indeed, the latest version of its platform, released in August 2020, is version 20.6.

Since its spinout, Idaptive has been working to establish its brand in the crowded market for identity technology and services. Now it belongs to CyberArk, a very well-known vendor and the market leader in PAM, which is listed on NASDAQ, and this should help raise its profile. The challenge that it now faces is to tie its technology platform, which is already a mature offering, to the CyberArk name, which is traditionally linked with PAM.

Idaptive came into existence with a comprehensive and mature set of functions and features, which it has continued to expand. For instance, in February 2020, in what would prove to be a timely addition, the vendor announced enhancements to the platform to help organizations with a distributed workforce simplify the onboarding of remote workers and ensure that endpoint devices that do not connect to corporate networks are nonetheless secured.

It enables this simplification with the launch of agent software for endpoints running Windows or Mac OS. These new clients include adaptive MFA, so once they are downloaded to an endpoint, the end user can immediately log in with their IT-provided credentials and complete the enrollment process without being connected to a virtual private network (VPN) or corporate network.

Limitations

Omdia has seen criticism of the CyberArk Idaptive user interface, which some commentators felt could be made easier to use and more intuitive, though the vendor has made further improvements in that direction in its latest release, v20.6.

There were also those who felt the system was more complex to set up than competing services. For instance, one reviewer commented that if a customer wanted to use a specific version of an LDAP directory, that would require them to engage in some customization work.

This sort of complexity led at least one customer to argue that it was unsuitable for smaller organizations.

One review, dating from Idaptive's time as a standalone company after it was spun out from Centrify, said levels of support services had fallen, but Omdia expects this to improve again now that the vendor has become part of CyberArk.

Opportunities

The growing adoption of all forms of cloud computing bodes well for the IDaaS sector generally.
For companies that have no legacy on-premises IAM in place, it is a logical choice to use identity services in the cloud if an increasing amount of their applications and business systems are delivered from there. Even for companies that have already deployed an on-premises IAM platform and are still amortizing that investment, IDaaS represents an easier way to bring new business units, such as ones that come to them through acquisitions, onboard, particularly if their application estate is cloud-based.

In 2020, the COVID-19 pandemic has only turbocharged the trend toward adoption of cloud-based services, as companies have faced an overnight change in their working habits, with their entire staff suddenly having to work from home, often for long periods. Even when widespread vaccination against the coronavirus has taken place, there are strong indications that working from home will continue as a much more significant trend among knowledge workers generally, which will tend to drive demand for even more identity services from the cloud.

Threats

There are a number of big beasts in the IDaaS segment, most notably Okta (among the pure-plays), and IBM and Oracle, both of which started on premises but have now built a significant presence in the cloud-based services segment. Switching to the CyberArk brand (with Idaptive retained in the short term as the name of the IDaaS platform), the company will need to educate the market to the fact that the PAM market leader now has a "vanilla IAM" offering (i.e., identity services for a company's general employee base rather than just its privileged users) that is delivered from the cloud.

IBM (Omdia recommendation: Challenger)

IBM should appear on your short list if you are already an IBM customer using its on-premises IAM technology.

As a cloud-delivered service, IBM Security Verify can coexist alongside third-party IAM technology and brings a broad portfolio of capabilities that will give you the opportunity to compare IBM's commitment to innovation in the world of identity with that of your existing IAM provider. IBM Security Verify can also help in scenarios such as M&A, where there is suddenly a large number of new users you need to bring onto your enterprise infrastructure without all the challenges of merging two different corporate directories, not to mention the curveball IT departments worldwide faced in 2020 thanks to the sudden and unpredicted increase in working from home.

Figure 5 shows the high-level performance of IBM, which is classified as a challenger in this Universe. IBM was strongest in the supplier capability subcategories of authentication/MFA (100%), management and infrastructure (100%), and certification (100%). The company was weakest in reporting, alerting, and monitoring (59%).

Figure 5: Omdia Universe ratings – IBM
Source: Omdia

Strengths

IBM has a long history in IAM, having been a major player in the market for on-premises software for managing identities since the early 2000s. This heritage, together with its extensive enterprise customer base, positioned it well for an entry into the IDaaS market. The challenges it faced as the IDaaS market was taking off in the first half of the last decade were:

- Delivering cloud-based versions of the comprehensive functionality it already had in the on-premises world so as to attract new customers
- Making it easy for its on-premises IAM customers to adopt IDaaS to complement their existing infrastructure
- Continuing to innovate with what it offered on-premises to satisfy customers' evolving identity requirements, should they prefer to keep their infrastructure in their own data centers.

Its first foray into cloud-based identity management came in 2014, when it acquired managed IAM provider Lighthouse Security, and since then it has developed an offering with breadth and depth that addresses all three of the use cases for IAM (i.e., B2E, B2B, and B2C). Its IDaaS offering, IBM Security Verify, has a broad range of capabilities that include SSO, MFA, adaptive access, identity governance, and identity analytics, with a roadmap that sees it doubling down on decentralized identity and adding machine learning to its analytical function.

Limitations

IBM has a long history in IAM, and as you would expect, its IDaaS platform has a comprehensive set of capabilities and is supported by a large, globally distributed team. That said, Omdia notes an area of functionality that is currently lacking.

IBM's IDaaS service has data centers, complete with geographic redundancy, in all the major business regions except Latin America, where it has none. This situation will clearly need to change if business grows in that region, particularly as data sovereignty becomes an issue there.

Opportunities

An exact figure for the size of the identity management market (i.e., on-premises IAM and cloud-based IDaaS) is hard to come by, not least because for a number of the participants, such as IBM, identity is a business unit within a much broader product portfolio, and separate revenue numbers are not reported. That said, Omdia reckons the total identity market to be worth around 10 billion, around 25% of which is IDaaS.
The two worlds display fundamental differences, however. IAM customers are primarily large enterprises with big employee headcounts; most of the market has already been addressed (i.e., most enterprises already have a platform in place), so most of the revenue is in subscription renewals and professional services. Net new business is less common.

By contrast, IDaaS democratizes identity management, making it available to companies of all sizes, so brand-new customers are very much the norm, and the bulk of the revenue here is from new subscriptions to the service. At the same time, IDaaS should offer enterprises with an existing IAM infrastructure the ability to migrate that functionality into the cloud, at a pace that suits them.

Omdia believes that in the coming years IDaaS will outgrow and eventually overtake its on-premises cousin. Indeed, the unexpected events of 2020, with the pandemic forcing millions to work from home for long periods of time, have led to even faster growth of cloud-based identity: IBM itself says growth has exceeded its 10% prediction for this year.

Omdia sees IBM as well placed to ride the wave of expansion in IDaaS, particularly with enterprises that are already IBM customers.

Threats

As the longest-established name in the IT industry, IBM is clearly not a "new kid on the block." There can, therefore, be no doubts about its longevity and its ability to weather the storm of technological change. This generally plays well in the corporate world, where tried-and-tested suppliers can often win out over newer challengers.

There is a tipping point, however, when innovative newcomers begin to gain a head of steam in the market, particularly as Generations Y and Z move up into key positions in organizations. The consumerization of IT is part of this process, and it behooves IBM to remain relevant to the coming generations of decision makers in the technology enterprises are using. The likes of Okta and OneLogin are names that spring to mind when IDaaS is mentioned, so IBM needs to cement its reputation for innovation in this sector.

Microsoft (Omdia recommendation: Prospect)

Microsoft should appear on your short list if you are an enterprise customer deeply familiar with Microsoft's ecosystem.

Microsoft's Azure Active Directory (AD) has tight integration with Windows Server Active Directory and Office 365, and is also highly scalable. Microsoft's Azure AD also offers the lowest entry-level pricing for handling MFA. It also offers advanced toolsets for managing identities and the cloud apps used by enterprise customers.

Microsoft is classified as a prospect (see Figure 6). Microsoft's strongest categories were customer recommendation (87%), product experience (77%), vendor experience (76%), and strategy and roadmap (75%). The company's weakest subcategories from a solution capability perspective were directory service (43%) and reporting, alerting, and monitoring (53%).

Figure 6: Omdia Universe ratings – Microsoft
Source: Omdia

Strengths

Microsoft first entered the IDaaS market in 2014 and has worked to update and improve its Azure Active Directory service. Microsoft brings scale and global brand recognition to this space.

Microsoft Azure AD is a cloud-based IDaaS platform with service capabilities around adaptive authentication and access, SSO, domain services, user directory services, infrastructure-as-a-service (IaaS) platform services, API management and authorization, risk-based threat detection, and more. Capabilities can be leveraged across web, enterprise, and mobile service delivery modalities.

Microsoft is an obvious contender for enterprise customers deeply familiar with Microsoft's ecosystem or already using Microsoft's Azure cloud services. It will also suit those looking for basic identity management capabilities. The vendor continues to mature its MFA, device registration, and self-service password management. Indeed, Microsoft is working to eliminate passwords altogether.

Microsoft Azure AD also offers a flexible pricing structure. For example, Azure AD for employee identity is available in four pricing tiers. Azure AD Premium licenses are sold as a standalone subscription and as part of value-added suites. Meanwhile, Azure AD B2C customer identity scenarios are sold as a consumption service with two pricing plans that vary by the level of sophistication of security features.

Another strength of Azure AD is that it can bring identities from different organizations together in a cloud environment for all types of cross-organization collaboration. This is useful for joint ventures and strategic alliances between companies. Azure AD is a cloud-based directory that can be utilized for all kinds of identity authorizations.

Limitations

If an organization needs a deeper level of identity management and/or has a high volume of object turnover (account provisioning and deletion), the limit of the basic functionality in Azure AD is quickly realized, and additional effort, expense, and technology may be required.

Its support for non-AD user store infrastructures and for virtual and meta directories is weaker than that of some of its competitors. API security is largely missing, and dashboards are only in preview mode.

It has also been stated that Microsoft Azure has so many tools, services, and functionalities that it is not easy to find your way around and get to the maintenance area where you can start working. This can make it harder to use.

Some of the more useful features of Microsoft Azure are only available at an additional cost. Also, some of the most desirable and useful features are at the highest price. According to one customer, Azure AD Premium prices are very high.

Opportunities

The post-COVID-19 world will provide opportunities for companies that can rapidly scale to support their customers. During the pandemic, there has been accelerated adoption of remote work, even among conservative customers. For example, a large US retailer went from a no-work-from-home policy to 600,000 remote users in less than a month. The focus has been on providing remote access to SaaS and on-premises apps (using capabilities such as Azure AD App Proxy). There has been an increased strategic importance of conditional access policies to support such remote workers. For Microsoft's customers, MFA usage doubled during the pandemic. Offering rapid deployment and scale to large customers is an opportunity for Microsoft in these uncertain and unpredictable times.

Threats

The main threat faced by Microsoft is competition from other leading IDaaS vendors such as Okta, IBM, and Ping Identity. With little to choose between them in terms of core capabilities, the choice comes down to the additional capabilities offered by each vendor and nontechnical issues such as
