June 18, 2008

Forrester TechRadar™: Identity And Access Management, Q2 2008
by Andras Cser for Security & Risk Professionals

Making Leaders Successful Every Day

For Security & Risk Professionals
Includes a Forrester TechRadar™ June 18, 2008

Forrester TechRadar™: Identity And Access Management, Q2 2008
by Andras Cser with Jonathan Penn and Allison Herald

Market Seeks Solutions That Support Business And IT Flexibility And Compliance

Identity and access management (IAM) continues to be a fragmented field of disjointed technologies with difficult and expensive implementation cycles and even more costly efforts in the wake of bad technology decisions. Products that give quick answers to immediate security and audit problems (privileged user and password management, identity audit, enterprise single sign-on) continue to excel and move fast along our adoption curves. While these products deliver demonstrable value, they oftentimes complicate the CISO’s plan to establish a unified IAM portfolio. More established IAM products (Web single sign-on, provisioning, and directories) continue providing security and efficiency benefits for organizations that can afford their adoption. Standalone password management and metadirectories continue their decline, being subsumed by provisioning and virtual directories.

2 The State Of Plans For Identity And Access Management 2 Why The Future Of Identity And Access Management Matters 3 Overview: Forrester’s TechRadar For Identity And Access Management 8 IAM TechRadar: Business Benefits Of IAM Are Eclipsing Compliance Needs

N OT E S & R E S O U R C E S
Forrester interviewed 15 vendors and users, including: Autonomic Networks, Bayshore Networks, BHOLD COMPANY, CA, Eurekify, IBM, Novell, Oracle, Passlogix, Rohati Systems, and Sun Microsystems, for this report.

Related Research Documents “Identity-Management-As-A-Service” April 2, 2008
“The Forrester Wave™: Identity And Access Management, Q1 2008” March 14, 2008 “Identity Management Market Forecast: 2007 To 2014” February 6, 2008

21 Major Centers Of Gravity Will Form In Identity And Access Management 21 Supplemental Material

© 2008, Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, RoleView, Technographics, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Forrester clients may make one attributed copy or slide of each figure contained herein. Additional reproduction is strictly prohibited. For additional reproduction rights and usage information, go to www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. To purchase reprints of this document, please email resourcecenter@forrester.com.

Segregation of duties (SoD) ensures that no conflicts of interest exist between access rights for a user within one application and across multiple applications. WHY THE FUTURE OF IDENTITY AND ACCESS MANAGEMENT MATTERS Identity and access management plays a large role in an organization’s IT portfolio because: · IAM addresses key regulatory compliance concerns. and removal of user identities in applications yields significant IT administration efficiencies and cycle time reductions. Reproduction Prohibited . Inc. 2008 © 2008. or enterprise single sign-on) are increasingly looking toward adopting user account provisioning. Leading organizations realize its value in improving efficiency. and when. modification.1 · All applications have identity — and related security and risk — implications. and understanding long-term implications and potential IT and business benefits of IAM solutions. cost savings. Forrester Research. Identities for legacy and new applications will need to be managed securely within the frameworks of information risk management and compliance. These audit trails give relatively easy and readily available answers to who got access to what application. and view it as a collection of disjointed technologies and tools to pass audits or remediate audit findings. they still lack a strategy vision of IAM. identity audit point solutions. creating sets of pre-approved access roles. Organizations that have already implemented IAM piecemeal to address tactical issues (privileged user and password management. Automating workflow for approvals. and Web single sign-on (SSO) solutions to enable them to realize ease-of-use and business benefits from IAM. · IAM reduces the cost of IT administration. thus creating an identity fabric. and they spend time analyzing business and IT processes. Centralized policy management and enforcement of SoD needs capable IAM solutions for entitlement management and role management. IAM solutions provide a great array of centralized auditing and trending features (often providing templates for an integrated reporting solution). selecting an array of smoothly interoperating products. making automatic (and often rule-based) changes to administered endpoint systems. who approved it. Q2 2008 For Security & Risk Professionals THE STATE OF PLANS FOR IDENTITY AND ACCESS MANAGEMENT Pressures continue to mount on organizations to keep up with compliance. Automating creation. and IT administration efficiency improvement initiatives. Whenever CISOs need to show evidence of compliance in identity life-cycle management and application access.2 Forrester TechRadar™: Identity And Access Management. comprehensive enterprise role management. June 18. As a result. Organizations striving for proficiency in using integrated IAM solutions are extending IAM Web services for use by line-of-business applications in a reusable manner. and automating password resets are all examples of IT administration cycle time reduction.

we also highlight integration points. identity proofing. Windows. 3) the time experts think the technology will need to reach the next stage of maturity.g. We examined past research. help desk solutions that perform password resets. We also focused on enterprise identity management and thus excluded IAM solutions that are specific to a particular application (enterprise resource planning. innovation networks.Forrester TechRadar™: Identity And Access Management. Forrester investigated the current state of 14 of the most important technologies (see Figure 1). Q2 2008 For Security & Risk Professionals 3 · Business relationships continue to evolve. traditional IAM models will cease to be sufficient for managing these new relationships. Inc. and conducted detailed research with multiple current or potential users of each of the technologies. With outsourcing. 2008 . Reproduction Prohibited June 18.g. the mainframe). others we see playing an important role in shaping the future landscape of IAM. Why Do These 14 Technologies Appear In The TechRadar? We included technologies with a significant installed base and about which we routinely answer our IT clients’ and vendors’ inquiries. rightsourcing. synergies. © 2008. and business value challenges. and 4) the technology’s overall trajectory. and mergers and acquisitions on the rise. To help security and risk management professionals plan their next decade of investments in IAM. We left out certain solution areas which are not core technologies or which we view as features rather than standalone products (e. compliance. from minimal success to significant success. This overview helps security practitioners make the right decisions concerning which technologies to invest in and how to preserve value of IAM investment during a time of economic recession.. Companies adopting a suitable model early for managing these relationships will enjoy competitive advantages.. OVERVIEW: FORRESTER’S TECHRADAR FOR IDENTITY AND ACCESS MANAGEMENT Forrester Research gives guidance as to what technologies organizations need to track in the next 10 years to remain on top of effective identity management to help solve significant risk. and development dynamics between IAM products. We used the data collected to assess four things: 1) the current state of the technology. 2) the technology’s potential impact on customers’ businesses. and identity issues grow increasingly complex.2 In this TechRadar. interviewed experts in the field. Some products we consider cornerstones of current IAM offerings. email) or platform (e. risk based authentication). Forrester Research.

Reproduction Prohibited . Address books and white pages aggregate user information stored in a hierarchical format and provide fast access to applications. relational database management system (RDBMS) systems. Novell. document management systems BEA AquaLogic Enterprise Security/Oracle. IBM.) and can be accessed using the LDAP protocol. ActivIdentity. Oracle. CA. Some organizations use LDAP directories as an authoritative source of information about their employees and partners. Healthcare workstations. Oracle. the E-SSO application automatically logs the user in without the user having to enter their credentials. Passlogix. Implementation costs depend on the number of identities stored in the directory. Vanguard Integrity Professionals $150. Imprivata. Cisco Systems/Securent. multi-factor desktop authentication before starting proprietary or closed legacy applications. passwords. LDAP services provide centralized authentication and authorization information about users to LDAP-enabled applications. Centralized access policy management for Microsoft SharePoint and other portals.000 and up — depends on the number and availability of plug ins into applications and the number of users. Q2 ’08 Technologies Evaluated Directories Definition Directories. Q2 2008 For Security & Risk Professionals Figure 1 Forrester TechRadar™: Identity And Access Management. etc. Usage scenario Vendors Estimated cost to implement Enterprise single sign on (E-SSO) Definition E-SSO desktop applications recognize the layout of various Web-based and thick-client applications. CA. Sun Microsystems $31. Evidian.000. Oracle. and context. BMC Software. resource. Source: Forrester Research. IBM/Encentuate.000 — depends on the number of users. or LDAP directories.4 Forrester TechRadar™: Identity And Access Management. Citrix Systems. and mining roles and account linkage information. IBM. Siemens AG. Novell. Inc. store identity and security information (user names. CA. Upon invocation of the application.000 to $200. Inc. Usage scenario Vendors Estimated cost to implement Entitlement management Definition Usage scenario Entitlement management is a centralized way of managing fine-grained access based on user. Vendors Estimated cost to implement 45768 June 18. Forrester Research. retail and banking shared desktop workspaces. Microsoft. Sentillion $214. security question/answer pairs. 2008 © 2008.

Usage scenario Vendors Estimated cost to implement Identity audit Definition Identity audit products answer the following questions: who has access to what resources and how can I prove my knowledge to auditors? The identity audit products typically provide read-only access to application repositories and discover segregation of duty issues. IBM.000 — heavily depends on the number of partners in federated relationships. Inc. and healthcare providers all deal with users whose identities are maintained in a different place from where the identities are used. Oracle. An entry in a metadirectory is a composited image from many different data sources. 2008 .000 for initial implementation. Ping Identity. Identity providers authenticate users and send assertions to service providers who trust those assertions. portal environments. Symlabs $211. and help remediate these issues through integration with a provisioning system. Novell.000 to $100. service providers do not have to manage user names and passwords. Microsoft. depending on the number of applications reviewed. SailPoint Technologies $50.) Federation Definition Federation (or identity federation) allows two or more organizations to trust each other’s identities and authentication decisions. Sun Microsystems. Usage scenario Vendors Estimated cost to implement Metadirectories Definition Metadirectories provide identity data synchronization and aggregation services. Q2 ’08 Technologies Evaluated (Cont. Identity audit is used most often when organizations have to map out who has access to what applications. Financial services and mobile carriers who fold third-party applications into their customer portals. IBM. Usage scenario Vendors Estimated cost to implement 45768 © 2008. Novell. Forrester Research. Metadirectories typically use LDAP to represent their data. Reproduction Prohibited June 18. using data synchronization. Sun Microsystems $146. Siemens AG.Forrester TechRadar™: Identity And Access Management. NetVision. CA. Inc. mostly due to an audit finding or a security breach. Microsoft. Aveksa. Source: Forrester Research. Outsourced services. Oracle. Holding companies with many lines of business typically use metadirectories to create a unified white pages service. metadirectories help maintain consistency of identity data stored redundantly across these accounts. Most large organizations have users with accounts in multiple repositories.000 — depends on the number of users in the metadirectory and the number of connected systems. Q2 2008 For Security & Risk Professionals 5 Figure 1 Forrester TechRadar™: Identity And Access Management. BMC Software. This way.

The solutions are available as appliances or software only formats. have (one-time password tokens.6 Forrester TechRadar™: Identity And Access Management. checkout. or do (keystroke dynamics. Cyber-Ark. Symark $127. Proginet $50. Q2 ’08 Technologies Evaluated (Cont. High-risk and confidential data. USB tokens. Secure Computing (Secure SafeWord). VeriSign $50. RSA Security. VASCO Data Security. Cloakware. applications. grids. Avatier. Reproduction Prohibited . IBM. PassMark Software.$75.000 to $100. motion analysis). Courion. and if needed. application-to-application sensitive password management. Arcot Systems. Source: Forrester Research. Hitachi ID Systems. Usage scenario Vendors Estimated cost to implement Privileged user and password management (PUPM) Definition PUPM solutions perform the management change. TriCipher. Gemalto. Q2 2008 For Security & Risk Professionals Figure 1 Forrester TechRadar™: Identity And Access Management. Forgotten password recovery self-service and password synchronization. managing temporary and workflow granting of administrative and root access to system administrators. Lieberman Software.000 — depends on the number of administrators using the PUPM solution and the number of connected systems. Partial list: ActivIdentity.000 — depending on the number of the connected systems and number of users. CA. Inc. Usage scenario Vendors Estimated cost to implement 45768 June 18. and check-in of sensitive and administrative user IDs and passwords to both human administrators and also applications. Usage scenario Vendors Estimated cost to implement Password management Definition Password management allows users to reset their passwords without having to call a help desk. a third factor credential. This results in a client using multiple user names but a single password to access applications.000 — depending on the number of users. and transactions need to be protected by more than a password. static and dynamic security questions and answers. Managing shared-account (administrator) passwords. Inc. smartcards).) Multi-factor authentication Definition Multi-factor authentication allows organizations to supplement user name/password authentication with a second. Valimo Wireless. second password. Entrust. Forrester Research. verification. When the password is reset. The second or third factors can be based on something you know (out-of-band authentication. it is also propagated automatically to all connected systems. It is also important to distinguish between the cost of the tokens and the cost of the software solution providing the infrastructure for accepting the tokens. Authentify Technology. iMagic Software. 2008 © 2008.000 . workflow approvals for granting passwords. Aladdin Knowledge Systems. Passlogix. PortWise. and thus all endpoint passwords are kept in sync. e-DMZ Security. are (biometrics). AdminOne.

BMC Software. and software-as-a-service providers IBM (Higgins framework). offboarding. depth of workflow customization. manufacturing. energy. Siemens AG.000. Novell. Provisioning solutions are used to automatically make changes to target systems based on HR feed-based provisioning. © 2008. access request submission and approval workflows. Sun Microsystems. Reproduction Prohibited June 18. CA. SAP. SMBs can implement role mining and design projects for around $300. Beta Systems Software AG. and the number of users. Avatier. while large. provisioning role maintenance.) Provisioning Definition User account provisioning solutions manage identity life cycles (onboarding. These enterprise job roles contain logical groups of application entitlements. Hitachi ID Systems. and auditing of the above processes. Q2 ’08 Technologies Evaluated (Cont.000 to $1 million price tags. Novell Bandit. Sun Microsystems $630. Oracle. Enterprise job roles are then assigned (either by rule-based provisioning or by request-approval workflows) to people in real and virtual organizations. Q2 2008 For Security & Risk Professionals 7 Figure 1 Forrester TechRadar™: Identity And Access Management. the following vendors extend roles to business roles to be managed by the business: BHOLD COMPANY. Largely depends on the organization’s size and activity type.000 to $500. IBM. Usage scenario Vendors Estimated cost to implement Role management Definition Role management allows creation and life-cycle management of enterprise job roles.Forrester TechRadar™: Identity And Access Management. Online marketplaces. online retailers. and status changes). Inc. 2008 . higher education.000 — depends on the number and kind of connected systems (whether they require a custom connector to be developed). Inc. Forrester Research. Microsoft CardSpace. Eurekify. Microsoft. then select which user profile attributes will be relayed to the service provider with the authentication token obtained at the identity provider. Fischer International. healthcare. Evidian. submission and approval of user access rights. and government Although provisioning vendors also provide support for enterprise IT role management. Usage scenario Vendors Estimated cost to implement User-centric identity Definition User-centric identity allows users to authenticate at an identity provider. Courion. and auditing. Financial services. OpenID N/A Usage scenario Vendors Estimated cost to implement 45768 Source: Forrester Research. Oracle. complex organizations will face $500. Prodigen.

Entrust. in access recertification. Instead of synchronizing data (as metadirectories do). the business environment has changed. the provisioning application indicates to the manager that his/her employee belongs to a role called “Branch Teller. Few companies have consolidated their identity repositories. role management. modules. Source: Forrester Research.000 — heavily depends on the number of onboarded applications. they provide dynamic. financial services applications consisting of several. and the number of users. Sun Microsystems. and badly developed. and provisioning products. Symlabs. This is prompting IAM vendors to support abstractions in their products to express business terms. IT is increasingly trying to delegate the management of IAM policies to those business units using them.” instead of indicating that the employee is a member of an LDAP group with a cryptic name. Forrester Research. Many implementations faced grim realities of IAM: By the time the solution is designed and implemented.) Virtual directories Definition Virtual directories are data services and virtualization engines. applications’ support for externalizing authentication. Portals. Q2 2008 For Security & Risk Professionals Figure 1 Forrester TechRadar™: Identity And Access Management. Integration of disparate Web applications into one unified framework. flat files. we found that (see Figure 2): · Business users demand direct use of products and business abstractions. and virtual LDAP views overlaid on many data sources (LDAP. BMC Software. protocol translation. Novell. forcing IT to change roles and policies in the solution.000 Usage scenario Vendors Estimated cost to implement Web single sign-on (SSO) Definition Usage scenario Web SSO allows a user to log in to a Web application and then move to another application without being prompted again for authentication. Symlabs $115. Use cases include hiding sensitive record attributes from unauthorized applications.8 Forrester TechRadar™: Identity And Access Management. RSA Security. For example.). Inc. customizable. RDBMS. and schema transformations — also includes avoiding data recertification. · Fragmentation of identity data remains a challenging reality. Inc. Radiant Logic. Vendors Estimated cost to implement 45768 IAM TECHRADAR: BUSINESS BENEFITS OF IAM ARE ECLIPSING COMPLIANCE NEEDS In mapping the futures of IAM technologies. etc. Oracle. CA. internal employee information is typically stored June 18. Evidian. 2008 © 2008. using easily understood and customizable labels and descriptions in access management. LDAP directory joins. Because of this. IBM. Oracle. Reproduction Prohibited . Q2 ’08 Technologies Evaluated (Cont. Sun Microsystems $187. SAP.

Many consumers have expressed privacy concerns about the dissemination of personally identifiable information and called for better user controls as to what attributes of their personal information they want to submit to an online retailer or other service provider. Q2 ’08 Trajectory: Significant success Moderate success Minimal success Time to reach next phase: < 1 year 5 to 10 years 1 to 3 years > 10 years 3 to 5 years Directories Web SSO High Business value-add. adjusted for uncertainty Provisioning Medium Virtual directories Multi-factor authN E-SSO Low Entitlement mgmt. This data fragmentation and siloed ownership causes difficulties with management of policies for role assignments. Inc. and entitlements. Q2 2008 For Security & Risk Professionals 9 separately from vendor and partner information. Although user-centric identity management technologies would make this possible. access control. Role mgmt. Figure 2 Forrester TechRadar™: Identity And Access Management. PUPM Password mgmt. their deployment is not financially justified for the majority of service providers. June 18. Reproduction Prohibited Source: Forrester Research. 2008 . Inc. and even within each user group identities may reside in multiple stores. Forrester Research. Federation Metadirectories Negative User-centric identity Identity audit Creation Survival Growth Ecosystem phase Equilibrium Decline 45768 © 2008. provisioning. · Consumers’ needs play a minor role compared to enterprises’ needs.Forrester TechRadar™: Identity And Access Management.

application-level. While identity audit and entitlements show promise. user-centric identity fails to gain support. This technology is focused on a centralized definition.10 Forrester TechRadar™: Identity And Access Management. Two forms of entitlement management are competing for IT users’ attention. fine-grained authorizations. · Identity audit. as they believe they can control internal exchange of personal information reliably. Q2 2008 For Security & Risk Professionals Creation: Identity Audit And Entitlement Management Show Promise These relatively new technologies today generate comparatively little revenue and are being adopted by leading-edge companies only. This type of solution is currently inhibited by the lack of support from enterprise application vendors. and entitlements. Forrester assessed game-changing technologies and found that products leading to tangible business benefits will find greater adoption in (see Figure 3): · Entitlement management. which requires opening up the application and integrating it with the policy enforcement point of the entitlement management system. Forrester sees entitlement management as a gamechanging technology altering the future of access management. · User-centric identity management. constituting the first phase of a more comprehensive IAM project consisting of role management and provisioning deployment. 2008 © 2008. The other form of entitlement management is based on inspecting payload of network packets. and enforcement of externalized. North American consumers have not asked service providers and online retailers loudly enough to support this technology. and European government-issued IDs have not provided enough pull-through for this technology. These solutions provide a systematic view into the organization’s resources and answer the following questions: who has access to what and why? Companies that suffered a security or data breach or that were hit with poor audit reports are the most likely to use these solutions. Enterprises are not yet displaying significant interest in adopting usercentric identity management. Used primarily in a federated business-to-consumers (B2C) context. June 18. Forrester Research. The first is software-based entitlement management. this technology allows users to take direct control of their personally identifiable information and limit how their profile’s attributes are being sent to service providers from identity providers. which requires minimal to no involvement of application developers or opening up applications. management. Reproduction Prohibited . Inc.

Appearance of network-based entitlement management solutions (Autonomic Networks. entitlement management deployment requires some application modification (externalizing authorization from the application). and document management systems. Inc. and to some degree. The long-term business value add of identity audits alone is limited. Forrester expects this technology to mature rapidly and to converge with Web SSO in the long term. users are quickly realizing the need to expand to and integrate with other areas of IAM to provide preventive enforcement of segregation of duties: access management. Trajectory (known or prospective) Identity audit Why the Creation phase? Especially among organizations hit with an auditing finding. 1 to 3 years. databases. Reproduction Prohibited June 18. Q2 2008 For Security & Risk Professionals 11 Figure 3 Forrester TechRadar™: Creation Phase Technologies Entitlement management Why the Creation phase? Business value-add. Business value-add. Inability to fix noncompliance issues easily with pure-play identity auditing products limits this technology’s applicability. Negative. Forrester Research. Inc. Bayshore Networks. The primary value of entitlement management will be in enterprises centrally managing and enforcing segregation of duties among fine-grained access in and across various applications. Current independent software vendor (ISV) support for entitlement management is none to minimal but is expected to grow with the adoption of XACML and federation. to provide the full circle of preventive and corrective enforcement of segregation of duties. Although capable to address immediate concerns of centrally managing and enforcing access to portals. collaboration sites. PacketMotion. allowing them to avoid audit findings and remediation costs. both entitlement management and user account provisioning solutions.Forrester TechRadar™: Identity And Access Management. as the question any organization needs to answer after identifying segregation of duty issues is how to fix the problem. Source: Forrester Research. and user account provisioning. adjusted for uncertainty Time to reach next phase Trajectory (known or prospective) 45768 © 2008. identity management. packet-level inspection. Significant success. 2008 . Identity audit products will probably converge with enterprise role-management solutions. Although remediation of these issues can happen manually. systemic and closed-loop management usually requires deployment of a provisioning system. In its current implementation form. standalone deployment of identity audit solutions is rapidly gaining acceptance. Moderate success. Rohati Systems) will allow companies to keep their legacy applications intact and enforce centralized entitlement policies at the network layer by performing deep. 1 to 3 years. However. adjusted for uncertainty Time to reach next phase The XML Access Control Markup Language (XACML) — on which most entitlement products policy repositories are based — is a relatively new technology in its infancy of adoption. Negative.

Virtual Directory.12 Forrester TechRadar™: Identity And Access Management. perceived value in enterprises. Forrester expects well-adopted federation technologies to incorporate user-centricity. 2008 © 2008. social networks. These technologies are: · Privileged user and password management (PUPM). Forrester Research. Q2 2008 For Security & Risk Professionals Figure 3 Forrester TechRadar™: Creation Phase Technologies (Cont. and passwords can also be automatically updated on managed systems once the system administrator checks in the password. Enterprises will have a hard time justifying building internal user-centric identity solutions for their employees. adjusted for uncertainty Time to reach next phase Trajectory (known or prospective) 45768 Survival: Federation. Role Management Offer Flexibility And Efficiency These technologies have found some adoption and are deployed in production at several organizations. reselling customer information). etc. Real growth of user-centric identities will be fueled by wide adoption in B2C and C2C federated relationships. Lack of technology standardization. 1 to 3 years. Reproduction Prohibited . Businesses can benefit from collecting user information (tracking user behaviors. reconciled. These benefits will eclipse concerns and liabilities related to lost user records. and the emergence of trusted identity providers. Inc. Minimal success. they will also aid in determining minimal privilege levels for system administrators. and interoperable universal acceptance frameworks hinder adoption. PUPM solutions allow passwords to sensitive accounts (system administrator. All password releases are audited. segmenting users. and aggregated view into multiple data sources containing user identity information. In the future. Business value-add.) User-centric identity management Why the Creation phase? User-centric identity solutions are starting to emerge as users grow concerned about dissemination of their personally identifiable information. software-as-a-service. All these technologies offer a promise for the long term. Adoption of user-centric identity will depend on software-as-a-service companies’ adoption of federated technologies. Virtual directories provide a dynamic. These technologies have a limited customer base and have not yet garnered wide adoption but are on their way to doing so (see Figure 4). increase operational stability. auditing of administrative access. PUPM solutions have also started to provide more fine-grained auditing information as to what the administrator did after checking out the administrator password. Most organizations deploy PUPM to reduce the risk of managing sensitive passwords. varying in size. Negative. Typical use cases for virtual June 18. and fine-grained policy definition of what administrators can and cannot do. Inc. · Virtual directories. Partnership and circle of trust creation concerns that exist with current federation implementations remain valid with user-centric identities. PUPM solutions will combine dissemination of administrative passwords.) to be centrally stored and divulged only temporarily to system administrators or applications. and address audit findings. Source: Forrester Research. root.

avoidance of data recertification. Reproduction Prohibited June 18. Federated identity and access management enables organizations to form circles of trust with their partners and accept security tokens and assertions for authentication. 2008 . creating lightweight. Emerging key differentiators for role management solutions include integration with leading ERP systems’ role structures (SAP. Oracle). and integration with legacy provisioning and newer identity audit products. Q2 2008 For Security & Risk Professionals 13 directories are temporary data consolidation projects. These products allow discovery and grouping of application-level. standalone solutions that don’t require deployment of a full-blown Web SSO solution. Federation’s adoption is hampered by: 1) lack of legal templates that can be used to create circles of trust. SAML. · Federation. management of versioning and temporality of roles. finally making Project Concordia a reality. OpenID. These roles can then be assigned based on an authoritative feed from an HR system or on requests from managers and employees. Inc. WS-Federation. Vendors will continue to simplify deployment of federated access management products. and CardSpace will be supported not only for producing and accepting tokens. © 2008. · Role management. fine- grained authorizations and entitlements into enterprise roles. and allowing decoupling of the provisioning process from application development. Virtual directories can also prevent certain data fields from being exposed to certain callers.Forrester TechRadar™: Identity And Access Management. and 4) lack of scalability in extending federated relationships to a large number of partners. Forrester Research. 3) different technology maturity levels of partners. in the future it will allow for federated user account provisioning and enterprise role management. 2) lack of technical ability to create dynamic federation agreements. but also for protocol translation.

and limiting access to system administrators. Adoption of virtual directories are accelerated by the adoption of user account provisioning solutions. flat files) and extensive data and schema transformation capabilities of virtual directories. Q2 2008 For Security & Risk Professionals Figure 4 Forrester TechRadar™: Survival Phase Technologies Privileged user and password management (PUPM) Why the Survival phase? Business value-add. 2) clear accountability and auditing of the use of administrative passwords. The provisioning solution can use a virtual directory front end to provision users to the business application’s user repository. Moderate success. Inc. Inc. Forrester expects a broader adoption of virtual directories. corporate-wide directory but where organizational silos in data ownership prevent directory and identity services consolidation. PUPM solutions are increasingly called for in managing application-to-application password. In addition to providing virtual and real-time views into non-LDAP technologies (RDBMS. adjusted for uncertainty PUPM vendors have experienced double. adjusted for uncertainty Time to reach next phase Trajectory (known or prospective) 45768 June 18. Significant success. entitlement management. and role management solutions.and triple-digit growth due to organizations needing to close audit findings around managing administrative access. identity auditing. Forrester Research. especially in large companies with many business lines where there is a need for an integrated.14 Forrester TechRadar™: Identity And Access Management. Time to reach next phase Trajectory (known or prospective) Virtual directories Why the Survival phase? Most vendors (with the exception of Radiant Logic and Symlabs) have been acquired by IAM vendors. Its being a standalone. often appliance-based solution with relatively low implementation costs and integration to a provisioning system helps with easy business justification of the solution. add extensive and customizable logging of data access and data transformation services. Reproduction Prohibited . Medium. Virtual directories also allow that account provisioning and application development can be completely decoupled from each other. Adoption of role based access control in applications development and the need to avoid data recertification (which is a mandate when using metadirectories) also help businesses quickly realize value with virtual directories. PUPM solutions will integrate more tightly with user account provisioning. Business value-add. virtual directories create an up-to-date and mashed-up information representation from all multiple data sources. granularly enforcing and auditing system administrator activity. 1 to 3 years. Business value comes from: 1) fewer audit findings and reduced cost to remediate those audit findings associated with management of administrative passwords. 1 to 3 years. Data stewardship and some performance issues still remain with the use of virtual directories. and present minimal overhead in low to medium volume data access scenarios. and 3) increased password strength and automatic and periodic changing of administrative passwords. 2008 © 2008. These features allow organizations to reach data compliance relatively inexpensively. Source: Forrester Research. Virtual directories require no modification of back-end user repositories. Low.

Lack of legal frameworks for creating circles of trust. Many organizations are looking to resolve identity audit findings before starting to implement enterprise roles. Today. Inc. hampering scalability. Significant success. and vendors providing interoperability between disparate protocols (SAML.Forrester TechRadar™: Identity And Access Management. and identity auditing. WS-Federation) will be the cornerstone of success for federation technologies. certification). Low. versioning. Scaling the currently bilateral federation model to many (potentially thousands of) partners raises questions around hidden implementation costs. Trusted broker networks and workspaces will provide federation technologies required to connect organizations reliably and in a scalable way. trusted broker networks. definition. Inc. Current technology does not address the effort of adding new partners into the federated ecosystem. which are increasingly important use cases. Low. Federation today lacks mechanisms for trusting digital signatures or provisioning. Organizations can define provisioning. 1 to 3 years. and enforce identity auditing processes much quicker when they use enterprise role management. adjusted for uncertainty Time to reach next phase Role management is growing as businesses realize that business and IT role definitions need to be unified and increasingly managed by the business. but creating circles of trust will remain a legal problem that a technology solution cannot answer. Emergence of trusted identity providers. Moderate success. Forrester Research. access control. Trajectory (known or prospective) Federation Why the Survival phase? Federation has been struggling to find acceptance. adjusted for uncertainty Time to reach next phase Trajectory (known or prospective) 45768 © 2008. CardSpace. 2008 . Role management provides a very powerful abstraction and enforcement paradigm for effective user account provisioning. auditing. Business value-add. 1 to 3 years. Business process differences and organizational challenges require highly sophisticated role management features (role mining. segregation of duties rules. Q2 2008 For Security & Risk Professionals 15 Figure 4 Forrester TechRadar™: Survival Phase Technologies (Cont. Adoption of software-as-a-service will help proliferation of federation — albeit in a different form.) Role management Why the Survival phase? Business value-add. Risks and liabilities associated with losing identity information and passwords will have to outweigh benefits that organizations can reap from maintaining user marketing and security information. Forrester continues to see segregation of duties and compliance requirements take the front seat for business drivers behind IAM. abundance of incompatible protocols. and varying maturity of IAM across partners all contributed to lower-than-expected adoption. no trusted identity providers. OpenID. Organizations today often undertake the risk of exchanging user information over unreliable channels. Source: Forrester Research. which will take time to be developed and shrink-wrapped to reduce the cost of implementation service costs and to be fully usable by business. Federation will mature. Reproduction Prohibited June 18. role design has a significant element of services cost associated with role mining and definition.

Reproduction Prohibited . and are also used for authentication and in risk-based authorization. · E-SSO. Enterprise single sign-on systems allow users to enjoy a reduced sign-on experience. out-of-band authentication. Vendors are working with traditional physical access management systems to provide a one-stop shopping experience for their customers for employee onboarding and offboarding. one-time password hardware and software tokens. E-SSO is regarded as a forerunner of IAM — clients report easy implementations that bring immediate end user benefits. · Multi-factor authentication. smartcards. managing workflows. even though its abstractions were too IT-based. provide simple password reset self services. Forrester found that the following technologies are fueling IAM’s market growth:3 · Provisioning. These solutions add strength and security to passwords.16 Forrester TechRadar™: Identity And Access Management. It has been integrating enterprise role management and identity audit for a long time. public key certificate-based digital signatures and encryption. and decreased need for extensive customizations (see Figure 5). 2008 © 2008. energy. while healthcare struggles with unique. providing unified access-request interfaces to users. and enable organizations to easily protect a large number of legacy. ESSO solutions require no application modification. Most traditional IAM vendors have partnerships with E-SSO vendors or provide OEM E-SSO solutions themselves. System integrators have accumulated a sizeable body of business-process reengineering and implementation expertise and are now able to offer their customers significantly reduced implementation times of provisioning systems. Q2 2008 For Security & Risk Professionals Growth: Security Administration And Identity Assurance Address Key Market Concerns Security administration through provisioning is gaining acceptance due to maturity of solutions available. and automating endpoint connector development. improved product quality. Forrester Research. and gas verticals (where smartcards are already well-adopted) are the easiest areas for adoption. oil. Inc. thick-client applications with multi-factor authentication. almost real-time login and session management requirements and lack of adoption by physicians. These solutions require significant integration efforts when deployed with enterprise single sign-on (E-SSO) or Web SSO systems and are provisioned. and biometrics all fall into the fragmented domain of multi-factor authentication products. providing very little support for business users. Manufacturing. User account provisioning has been the workhorse of IAM growth. Newer provisioning products have come a long way in improvements for automatically discovering endpoint schemas. Thus. Strong authentication solutions. June 18.

and eventually privileged user and password management will all contribute to the success of provisioning. reduced IT administration cycle times. Inc. Multi-factor authentication will continue to exist as a separate and fragmented market. they will find increased adoption with small and medium-size businesses. The greatest value of provisioning is seen in easier IT administration. enforcing segregation of duties with job-role-based access control. and minimized remediation cost for audit findings. Forrester Research. Inc. development of customized connectors. 2008 . machine fingerprint. reduced help desk call volumes. Although the barriers to entry into provisioning are relatively high (business process definition. 3 to 5 years. Forrester foresees adaptive and risk-based authorization to be subsumed into generic Web access management (early signs of this are the acquisition of Bharosa by Oracle and CA’s partnership with Arcot Systems). Reproduction Prohibited June 18. adjusted for uncertainty Time to reach next phase Trajectory (known or prospective) 45768 © 2008. This market is currently too fragmented. Low. Businesses have realized that passwords are insecure. simplifying access request and approval workflows. and out-of-band authentication to be used before or instead of asking the user to enter a one-time password from a hardware token. Moderate success. Significant success. As solutions become easier to architect and implement and support more requirements out-of-the-box. multi-factor authentication is considered a pure cost item required to prevent future breaches. user self-service. and improving security by detection and removal of orphaned accounts are the factors behind the rapid growth of provisioning. streamlined business processes. Business value-add.Forrester TechRadar™: Identity And Access Management. adjusted for uncertainty Time to reach next phase Trajectory (known or prospective) Multi-factor authentication Why the Growth phase? Multi-factor authentication has grown significantly during the past five years and has added exciting new technologies that allow implicit second-factor authentication such as IP geolocation. accountability of account and privilege assignments. password management. and integration with existing E-SSO and Web SSO solutions poses significant challenges. reducing IT administration cycle time. As such. High. small to medium-size enterprises are opting to implement it. Convergence of IT and business role management. 3 to 5 years. Some verticals are forced to adopt multi-factor authentication due to a security exposure/breach or audit finding. Q2 2008 For Security & Risk Professionals 17 Figure 5 Forrester TechRadar™: Growth Phase Technologies Provisioning Why the Growth phase? Extensive out-of-the-box capabilities for supporting regulatory compliance. Source: Forrester Research. and workflows). Business value-add.

1 to 3 years. and authorization will also fuel growth of E-SSO. However. Reproduction Prohibited June 18. Web SSO Supports Expansion Of Digital Business Transaction processing performance requirements and mission-critical infrastructure build-out in IAM propelled these technologies to become very mature offerings with advanced high-availability. providing improved end user experience and security to users. adjusted for uncertainty E-SSO’s relative ease to implement makes it an ideal candidate to implement the first phases of IAM. Source: Forrester Research. Inc. After user account provisioning. and 4) exposing policy objects in more business-friendly terms to non-IT users. · Directories. Hundreds of millions of objects are routinely stored in LDAP user stores. 3) finer granularity of policy definition. disaster recovery. Lightweight directory access protocol (LDAP) directories represent the largest deployments in IAM today. Moderate success. Once deployed. 2) access pattern auditing information. Forrester Research. Medium. and 5) ability to protect closed. centralized administration of E-SSO clients can be costly at large organizations. 3) basic password reset functionality (reducing help desk call volumes). and operations support. offsetting E-SSO’s value. E-SSO will continue to help growth of IAM due to its ease of implementation and ability to produce quick wins and benefits in IAM. Forrester expects capacities to reach the © 2008. Q2 2008 For Security & Risk Professionals Figure 5 Forrester TechRadar™: Growth Phase Technologies (Cont. 2) better policy management integration with XACML policy stores and entitlement management solutions. it does not scale well for B2C solutions. 2008 . these technologies become part of the backbone of the organization’s IT infrastructure. with the expansion of mobile carriers in Asia. Inc. 4) user-established and reliable linkage information between accounts across various user repositories. IBM’s recent acquisition of Encentuate will lead to extended growth for E-SSO. which can lead to savings in license costs and better enterprise job role definitions. manufacturing).) Enterprise single sign-on (E-SSO) Why the Growth phase? Business value-add. E-SSO vendors are building vertical specific solutions (healthcare. Customers asking for biometrics. strong and adaptive authentication. Future growth of Web SSO will come from: 1) integration of risk-based and adaptive authorization technologies. and are moving into privileged user and password management and shared accounts management. legacy applications with strong authentication. Since E-SSO requires a desktop client component to be installed. Web SSO provides the second-largest revenue stream for IAM suite vendors. Time to reach next phase Trajectory (known or prospective) 45768 Equilibrium: Directories Remain Core. which is notorious for its long project timelines. Implementing E-SSO does not require extensive application modification efforts and provides enterprises with: 1) reduced sign-on time and improved user experience.18 Forrester TechRadar™: Identity And Access Management. making them rather difficult to replace or phase out (see Figure 6): · Web SSO. Web SSO continues to expand in both B2C and B2B relationships.

government e-initiatives. and authorization policy definition and management. Significant success. Figure 6 Forrester TechRadar™: Equilibrium Phase Technologies Web single sign-on (SSO) Why the Equilibrium phase? Business value-add. Most commercially available modern business applications support the LDAP authentication. Inc. Externalizing authentication (and in some cases authorization) also yields significant business benefits in increased security. Substantially improved application security. and reduced application development cycle times. user self-service. adjusted for uncertainty Web SSO is a well-understood and mature technology. Oftentimes. 5 to 10 years. change will happen only infrequently. Significant success. Web SSO will need to support these Web-based applications. A safe and centralized repository for passwords and other identity data significantly reduces the need for IT administration. LDAP functionality will continue to evolve with replication capabilities extended to federated user information exchange. Inc. High. This means that users existing in the LDAP directory will automatically have access to applications that use the directory for their user repository and can use the password in the directory for all applications. >10 years. 2008 Business value-add. or an enterprise may have many directories of separate and/or overlapping user populations. Once applications are integrated into a Web SSO environment. Adoption of directory technology and associated centralizing projects will eventually become less relevant as federation and other information/identity services make this information more available to applications regardless of where it is stored. entitlement management. Directories provide a very good revenue model for vendors as they are typically priced based on the number of user entities in the directory. and online services in general. adjusted for uncertainty Time to reach next phase Trajectory (known or prospective) 45768 © 2008. Web SSO improves end user experience. Its integration with most commercial Web applications is supported by application and/or IAM vendors. a large number of consumers need to be represented in these LDAP services. Source: Forrester Research. convergence with adaptive and strong authentication. High. Time to reach next phase Trajectory (known or prospective) Directories Why the Equilibrium phase? Enterprises have mostly implemented some kind of directory service to store internal and external user authentication and authorization information. employees). June 18. As more and more thick-client applications are converted to be Web-based.. This reduces the need for users to remember multiple user names and passwords and thus reduces password reset calls. and distributed Web SSO solutions will continue to underpin Web SSO’s importance in any IAM suite vendor’s product portfolio. Virtual directory and directory router/load balancer functionality will be subsumed eventually into LDAP directory products. Reproduction Prohibited . Forrester Research. this service holds only a certain user group (e. allows for centralized authentication. code reuse.Forrester TechRadar™: Identity And Access Management.g. Q2 2008 For Security & Risk Professionals 19 one billion mark by 2009 to 2010. With the growth of mobile carriers. Forrester expects Web SSO to subsume adaptive authentication in three to five years.

Pure password management requirements can be met with E-SSO or provisioning solutions. 3 to 5 years. 5 to 10 years. Inc.20 Forrester TechRadar™: Identity And Access Management. and data recertification cost account for metadirectories not reaching their full potential. Password reset and synchronization solves only a small piece of the identity life-cycle management problem. Business value-add. adjusted for uncertainty Time to reach next phase Trajectory (known or prospective) 45768 June 18. Source: Forrester Research. Password management Why the Decline phase? Password management (self-service password reset and password synchronization) is continuing to decline due to organizations looking to solving the more systemic problems of identity management and identity life-cycle management using provisioning and identity audit solutions. and growth of user account provisioning. 2008 © 2008. Metadirectories are phased out by the emergence of virtual directories and advanced data reconciliation features of provisioning systems. · Password management. Low. their business value is reduced by the need to recertify data in the metadirectory any time a new back-end information source is added to the metadirectory ecosystem. adjusted for uncertainty Time to reach next phase Trajectory (known or prospective) The emergence of feed-based user account provisioning. performance and stability issues. Inc. weak workflow capabilities during data transformations. Metadirectories will continue to decline due to the cost of moving and recertifying data. As metadirectories store user information pulled from many data sources. Value for money. The following technologies are related to fairly basic administrative functions (see Figure 7): · Metadirectories. Password management will be subsumed into user account provisioning and privileged user and password management (PUPM). Negative. Q2 2008 For Security & Risk Professionals Decline: Metadirectories And Password Management Are Reaching Obsolescence Point solutions are on the decline as organizations cannot realize the same value for their investment as they can from implementing virtual directories or user account provisioning. Moderate success. Minimal success. Figure 7 Forrester TechRadar™: Decline Phase Technologies Metadirectories Why the Decline phase? Business value-add. Metadirectories were popular before virtual directories could meet performance requirements of enterprises. Password management’s main business value is the reduction of password-related help desk call volumes — representing a subset of provisioning’s business value. Forrester Research. Reproduction Prohibited . workflow-based data synchronization. and request approvals have made metadirectories obsolete. Password management has often served and will continue to serve as the initial project for organizations implementing identity management. It can rarely be used to address audit findings and continues to decline due to user account provisioning taking center stage.

Forrester performed a total of four of these detailed interviews. Reproduction Prohibited June 18. and parts of PUPM that allow temporary elevation of users’ permissions to make them short-term system administrators. Forrester interviewed experts on each technology. but integrated into IAM stacks. identity audit and access certification. developers. Forrester interviewed current and potential customers and users for each technology to understand current and prospective uses for the technologies and their impact on the customers’ businesses and the users’ work. providing user-centric features. Access management will eventually comprise Web SSO. Identity federation solutions will continue to develop into lightweight standalone products (though they will also integrate cleanly with Web access management solutions).Forrester TechRadar™: Identity And Access Management. E-SSO. · User account provisioning will continue to improve in ease of implementation. 2008 . · Current and prospective customer and user interviews. SUPPLEMENTAL MATERIAL Online Resource The underlying spreadsheet that exposes all of Forrester’s analysis of each of the 14 technologies in the TechRadar (Figure 2) is available online. Forrester Research. · Directories will incorporate virtualization services. especially for B2C deployments. Q2 2008 For Security & Risk Professionals 21 W H AT I T M E A N S MAJOR CENTERS OF GRAVITY WILL FORM IN IDENTITY AND ACCESS MANAGEMENT IAM will present fewer implementation challenges and IAM stacks will coalesce around four centers of gravity. Directories will continue to serve as trusted user repository technology. fine-grained authorization and entitlement management. business value adjusted for uncertainty. including scientists in labs. Forrester interviewed a total of 15 experts. and protocol translation for easier integration. · Access management will expand. risk-based and adaptive authorization. academics. and trajectory: · Expert interviews. expanded federated provisioning. time to reach next phase. © 2008. Data Sources Used In This Forrester TechRadar Forrester used a combination of two data sources to analyze each technology’s current ecosystem phase. In addition to continuing to provide user self-service and delegated administration functionality. Forrester expects products within these centers of gravity to be standalone and integrated offerings built on a common — and in many cases shared — identity backbone. provisioning will integrate enterprise IT and business role management. and parts of PUPM which allow fine-grained definition and enforcement of policies that determine what systems administrators can do. Inc. and evangelists. Directory evolution will focus on performance improvements and will incorporate features of virtual directories. · Federation will remain separate.

Technologies move naturally through five distinct stages: 1) creation in labs and early pilot projects. We plot each of the 14 most important technologies for IAM on one of the three trajectories to help enterprise architects allocate their budgets and technology research time more efficiently. 2008 © 2008. Of course. complementary services organizations.7 The highest point of all June 18. and 3) minimal success and a medium to long lifespan.4 · The y axis: We measure customer success with business value-add. If the technology and its ecosystem are at an early stage of development. end users. and evangelists. 2) survival in the market. 2) the investment required.22 Forrester TechRadar™: Identity And Access Management. Reproduction Prohibited . Forrester placed each of the 14 identity and access management technologies in the appropriate phase based on the level of development of its technology ecosystem. Here’s the detailed explanation of how the TechRadar works: · The x axis: We divide technology ecosystem maturity into five sequential phases. but all technologies will fall into one of five windows for the time to reach the next technology ecosystem phase: 1) less than one year. and 5) more than 10 years. this allows them to plan not just for the next year but for the next decade. 4) criticality to business operations. We make these predictions based on the best information available at a given point in time. Enterprise architects need to know when a technology and its supporting constellation of investors. hardware moves more slowly than software because of its physical production requirements. 2) moderate success and a medium to long lifespan. which includes customers. 4) between five and 10 years. Forrester Research. Inc. 3) the potential to deliver business transformation.6 · The curves: We plot technologies along one of three possible trajectories. and 5) decline into obsolescence as other technologies take their place. developers. 3) between three and five years. vendors. 6) network effects. All technologies will broadly follow one of three paths as they progress from creation in the labs through to decline: 1) significant success and a long lifespan. Forrester then discounts potential customer business valueadd for uncertainty. vendors. and the emergence of new complementary organizations and business models. 2) between one and three years. and services firms will be ready to move to the next phase. Seven factors define a technology’s business value-add: 1) evidence and feedback from implementations. 4) equilibrium from the installed base. adjusted for uncertainty. Q2 2008 For Security & Risk Professionals The Forrester TechRadar Methodology Forrester uses the TechRadar methodology to make projections for more than a decade into the future of the use of technologies in a given category. 3) growth as adoption starts to take off. we have to assume that its potential for damage and disruption is higher than that of a betterknown technology.5 · The z axis: We predict the time the technology’s ecosystem will take to reach the next phase. and 7) market reputation. Forrester intends to update its TechRadar assessments on a regular schedule to assess the impact of future technical innovation. changing customer and end user demand. 5) change management or integration problems.

reduced operational risk. Inc.Forrester TechRadar™: Identity And Access Management. technologies with more than 10 years until they reach the next phase will appear close to the beginning of their ecosystem phase. Thus. not only with the technical implementation. the adjustment for uncertainty is relatively minimal because the technology is mature and well-understood. we’ll represent them side by side. Reproduction Prohibited June 18. IT and business benefits are clearly in evidence. © 2008.5 years. are both in the Survival phase. However. If technology A is likely to only take 1. In contrast. Forrester Research. and higher compliance. if technologies A and B are truly at equal positions along the x. but in maturing their identity related policy and management processes and strengthening interdepartmental relationships. 2008. IT benefits are easier administration and outsourcing of IAM functions. those with less than one year will appear close to the end. See the April 2. technology A will appear further along on the curve in the Survival phase. and z axes. and architectural flexibility to support mergers and acquisitions and other organizational changes. IAM functionality needs to be increasingly externalized from business applications. Although there are early examples of organizations gaining such benefits by adopting an identity-as-a-service (IDaaS) framework. this is the peak of business value-add for each of the trajectories — and at this point. Q2 2008 For Security & Risk Professionals 23 three of the curves occurs in the middle of the Equilibrium phase. we use this to fine-tune the z axis. y. and to keep administrative costs down. reduced application development cycle times through code reuse.5 years and technology B is likely to take 2. When this task is completed successfully. Business benefits include deeper insight into the effectiveness of policy management. 2008 . · Position on curve: Where possible. Experts Interviewed For This Document Aveksa CA Courion Covisint Deloitte Energy East Eurekify ENDNOTES 1 Fischer International IBM KPN International Novell Oracle Radiant Logic Sun Microsystems Redesigning the enterprise architecture for identity and access management (IAM) is an important task. “Identity-Management-As-A-Service” report. organizations should look at IDaaS as a long-term strategic effort and proceed incrementally. and will both take between one and three years to reach the next phase. We represent the time a technology and its ecosystem will take to reach the next phase of ecosystem development with the five windows above. As organizations’ requirements become more complex. let’s say we have two technologies that will both follow the moderate success trajectory.

from products to managed services. and data systems security in an efficient manner. See the August 1. The identity management — or identity and access management (IAM) — market will grow from nearly $2. improve efficiency and effectiveness. 2008. We outline the detailed questions we ask to determine business value adjusted for uncertainty in Figure 4 of the introductory report. 3 4 5 6 7 June 18. See the August 1. Forrester Research. Expect to see these 10-year-plus technologies only in the Creation phase for fundamental hardware innovations and in the Equilibrium and Decline phases for hardware and software on the “great success” trajectory. “Introducing Forrester’s TechRadar™ Research” report. “Introducing Forrester’s TechRadar™ Research” report. data accuracy. See the August 1. 2008 © 2008. 2007.3 billion in 2014 (including revenues from both products and implementation services). Even after years of healthy adoption rates. see Figure 3 in the introductory report. Inc. IAM helps extend business services. For the typical technology ecosystem profiles for each of the five phases. Meanwhile. to a lesser extent. “Introducing Forrester’s TechRadar™ Research” report. Reproduction Prohibited . repackaged in the form of identity-asa-service (IDaaS). Note that the five phases are not of any prescribed length of time. and allow for better governance and accountability. vendors will decompose products into service-oriented architecture (SOA)-enabled functions. Moreover.24 Forrester TechRadar™: Identity And Access Management. See the August 1. We provide details on how we predict the amount of time that a given technology will take to reach the next phase of technology ecosystem evolution in the introductory report. See the February 2. Provisioning accounts for half of IAM market revenues today. we will also see buying behavior migrating from point products to identity suites — and. during the next seven years. 2007. We provide detailed information and examples of how we predict the amount of time that a technology will take to reach the next phase of ecosystem development (alternatively called “velocity” or “velocity rating”) in the introductory report. spanning multiple identities and establishing the relationship among these various identities with the goal of improving data consistency. “Introducing Forrester’s TechRadar™ Research” report. Forrester will include relatively few technologies that we predict will take more than 10 years to reach the next ecosystem phase. but it will account for nearly two-thirds of all IAM revenues by 2014. the IAM market is actually just beginning its trajectory toward broad adoption and deep penetration. See the April 14. Q2 2008 For Security & Risk Professionals 2 Identity and access management (IAM) is the entire aspect of maintaining a person’s complete set of information. 2008.6 billion in 2006 to more than $12. 2007. “Topic Overview: Identity And Access Management” report. 2007. “Identity Management Market Forecast: 2007 To 2014” report.

Israel Japan Korea The Netherlands Switzerland United Kingdom United States Forrester Research. For information on hard-copy or electronic reprints.617. +1 617. For more than 24 years.forrester.Making Leaders Successful Every Day Headquarters Forrester Research. events. Inc. (Nasdaq: FORR) is an independent technology and market research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. We offer quantity discounts and special pricing for academic and nonprofit institutions. Forrester has been making leaders successful every day through its proprietary research.7378.5000 Email: forrester@forrester. 45768 .5730.com/about. please contact the Client Resource Center at +1 866. or resourcecenter@forrester.6000 Fax: +1 617.613. For more information.forrester. visit www. and peer-to-peer executive programs. Inc.forrester.com Nasdaq symbol: FORR www.com Research and Sales Offices Australia Brazil Canada Denmark France Germany Hong Kong India For a complete list of worldwide locations. MA 02139 USA Tel: +1 617.367.613.com.com. 400 Technology Square Cambridge. consulting. visit www.

Sign up to vote on this title
UsefulNot useful