WEBINAR
B2E Cloud IAM Forrester Wave™: What’s Hot And What’s Not?
Andras Cser, Vice President, Principal Analyst
Merritt Maxim, Senior Analyst
November 12, 2015. Call in at 10:55 a.m. Eastern time
Access anywhere, anytime
Authentication is a difficult balance
- Operational efficiency
- Asset security
- Customer satisfaction
Digital operational excellence
It’s not an “or” but an “and” relationship between customer experience and operational excellence.
Customer experience + Digital operational excellence
B2B relationships enable the firm
IAM plays a paramount role
- Website login
- Password recovery
- Master data management
- Preferences management
- Customer experience
Cloud IAM (IDaaS) reduces complexity and cost
- Allows for managing employee identities across cloud environments
- Limits complexity of IAM solutions
- Reduces license and ongoing maintenance costs
- Supports legacy apps on-premises, as well as for SaaS
- Supports SSO from and on mobile devices
IDaaS flavors
On-premises (MSSP) background:
- IBM
- Microsoft
- Ping Identity
Born in the cloud:
- Bitium
- Centrify
- Okta
- OneLogin
- Salesforce
- SailPoint Technologies
Forrester Wave™ evaluation: inclusion criteria
- Productized solution
- True multitenant SaaS B2E cloud IAM offering
- Authentication against on-premises AD
- At least $1 million B2E cloud IAM solution revenues in 2015
- At least 40 paying customer organizations in production
- Mindshare with Forrester’s customers on inquiries
- Mindshare with other B2E cloud IAM competitive vendors
The Forrester Wave™: B2E Cloud IAM, Q2 2015
Forrester Wave™ evaluation: current offering
- User directory support
- Access management policy administration
- User account provisioning policy administration
- End user self-service from the solution’s web portal
- End user self-service from the solution’s mobile application
- API security and solution APIs
- Reporting and scalability
Forrester Wave™ evaluation: strategy
- Future product development and market plans
- Customer satisfaction
- Security implementation service and OEM partnerships
- Development, sales, and technical support staffing
- Pricing flexibility and transparency
- Customer reference scale and coverage
Forrester Wave™ evaluation: market presence
- Revenue
- Install base
- Vertical and geographic presence of the cloud IAM solution
SSO portal, SAML, and mobile access are table stakes
All vendors provide the following functionality features:
- Employee portal to log employees into SaaS apps.
- Optional on-premises agent.
- SAML SSO and single sign-out.
- Native iOS and Android mobile app for login.
- 2FA mobile app.
Forrester Wave™ evaluation: high-level results
- OneLogin and Okta lead the pack.
- Centrify, Microsoft, SailPoint Technologies, Salesforce, Ping Identity, and IBM offer competitive options.
- Bitium lacks a broad install base but has potential.
Vendor profile: OneLogin
Strengths:
- User directory configuration and integration
- Access management policy administration
- End user self-service from the portal
Weaknesses:
- Provisioning policy administration
- No own MDM solution
Vendor profile: Okta
Strengths:
- Simplicity
- Large installed base
- User directory integration
- End user self-service from the mobile interface
- Own MDM
Weaknesses:
- Reporting and scalability
- User account provisioning and policy management
Vendor profile: Centrify
Strengths:
- End user self-service from the mobile application
- Own MDM
- Nice dashboards
Weaknesses:
- No user provisioning for on-premises apps
- No attestation
- No workflow
Vendor profile: Microsoft
Strengths:
- Policy administration
- Bundled own MDM (Intune)
- Nice end user interface and mobile app
- Large SI ecosystem and internal development force
- FIM bundled
Weaknesses:
- No access recertification
- End user self-service portal
- No end user management of own experience
- No ad hoc report definitions
Vendor profile: SailPoint Technologies
Strengths:
- End user customization of the SSO portal
- System administration policy management for attestation campaigns for SaaS and on-premises apps
Weaknesses:
- Admins can’t create ad hoc reports.
- No way to limit who can see what report
- Customer satisfaction: “meets expectations”
- Weak SI ecosystem
Vendor profile: Salesforce
Strengths:
- Solution is free or at a discount to clients.
- Access policy and detailed provisioning policy management
- Workflow
Weaknesses:
- More complex interface than other solutions
- Small development team
- Small customer base
Vendor profile: Ping Identity
Strengths:
- Strong SI partner ecosystem
- Large developer base
- Great penetration in communications, high-tech, and finserv verticals
- Broad deployment coverage
Weaknesses:
- PingOne requires bundled PingFederate and PingAccess for certain use cases.
Vendor profile: IBM
Strengths:
- Lighthouse Gateway has powerful policy management (based on ISAM).
- Coverage of on-premises apps
Weaknesses:
- No GUI workflow
- Mobile app is behind other vendors.
Vendor profile: Bitium
Strengths:
- Lots of potential
- User customization of the portal
Weaknesses:
- Lacks provisioning policy administration capabilities compared with other vendors
- Lacks access management policy authoring capabilities compared with other solutions
- No MDM or 2FA
- Reporting lags
- Install base is small.
Vendors’ future plans
- Extended support for both cloud and on-premises applications
- Built-in support for attestation campaigns
- Access request management interfaces and workflow
- User store support for IaaS workloads
- EMM capabilities
Ten commandments of modern identity management — thou shalt support:
1. A lot of endpoints: on-premises and cloud apps, and directories and SCIM.
2. Customizable and flexible workflow.
3. Mobile application for reviewers and requestors.
4. Shopping cart in access request management.
5. Access information-aided attestation.
6. Bulk access reviews.
7. Cloud (true multitenant) and on-premises delivery options.
8. A slick user interface for business users and admins.
9. Customer-facing IDM tasks out of the box.
10. Ad hoc reporting and clickable dashboards.
+1: Customers’ requirements
Ten commandments of modern access management — thou shalt support:
1. In-line, network, and protocol-level behavioral intelligence before authentication.
2. Device fingerprinting built into access control.
3. Risk-based and context-aware authentication with machine learning models.
4. Web and mobile application SSO-blended: session transfer.
5. 2FA supporting FIDO (UAF and U2F) and biometrics on an as-needed basis.
6. Continuous authorization-based applications’ entitlements’ risk.
7. Federation (SAML), OAuth, and OpenID Connect.
8. Easy embedding into the secure payment ecosystem.
9. Cloud IaaS readiness.
10. Support for open source packages.
+1: Customers’ requirements
Forrester’s people and process recommendations for IAM
- Present your case to the LOB, CMO, and CDO people for why CIAM is not employee IAM.
- Present your business case to IT security on B2E IAM.
- Hammer out agreement on formal levels of risk.
- Map tasks and channels to the formal levels of risk.
- Use the Forrester IAM maturity assessment.
- Seek the highest security maturity scores for the most important tasks and channels.
Andras Cser, +1 617.613.6365, acser@forrester.com
Merritt Maxim, +1 617.613.6153, mmaxim@forrester.com