Planning for the Future of IAM

This year’s Magic Quadrant opened by highlighting “strategic planning assumptions,” which closely align to Ping’s investment roadmap, including:
“By 2022, 60% of access management (AM) implementations will leverage user and entity behavior analytics (UEBA) capabilities and other controls to provide continuous authentication, authorization and online fraud detection, up from less than 10% today.
“By 2022, 60% of all single sign-on (SSO) transactions will leverage modern identity protocols like SAML, OAuth2 and OIDC over proprietary approaches, up from 30% today.
“By 2024, the use of multifactor authentication (MFA) for application access through AM solutions will be leveraged for over 70% of all application access, up from 10% today.”(1)
These assumptions make it clear that identity and security teams are demanding access management solutions that are smarter (identity intelligence), provide greater interoperability through open standards, and offer broader coverage for all of their use cases across their hybrid IT environments. We’ve built capabilities reflecting each of these assumptions into the Ping Intelligent Identity platform, which we believe to be a driver of our leadership position in the Magic Quadrant.
Defining the IAM Market: An Enterprise View

To address fluctuating market requirements and their most common client inquiries, Gartner defined core functionality that impacted the criteria for inclusion in this report. The requirements didn’t include anything out of the ordinary (see below), but the devil is in the details, which are provided in the report under Context: Important Decision Factors for Vendor Selection, with our commentary on these sections below.
Support for modern identity protocols such as SAML, OAuth2 and OIDC
SaaS-delivered or Software-delivered AM & Use Case Considerations

Customer, workforce, partner and IoT use cases share requirements for the “core functionality” noted in the report, but for large enterprises, they also come with diverse requirements surrounding performance, scalability, security, customization, control and regulatory compliance. Satisfying these needs generally requires the ability to deploy and manage identity flexibly to support hybrid IT deployments. For example, many large enterprises have significantly higher standards for performance and uptime for customer-facing applications than they do for their employee-facing applications. As such, they may choose to host customer-facing authentication and authorization in public clouds with auto-scaling capabilities (e.g., AWS), while also leveraging multi-tenant, identity-as-a-service (IDaaS) solutions for their employees. If regulated customer data is involved, requirements might also include deploying these capabilities in on-premises datacenters.
Target System Support

Enterprise application portfolios are growing exponentially, with new applications built to natively leverage authentication standards like SAML and OpenID Connect. Per Gartner’s assessment, these represent only 30% of today’s SSO transactions, with the balance being proprietary methods of authentication. Regarding vendors listed in the report, Gartner noted that
“Differentiation is most often found in vendors’ abilities to directly support applications that require reverse proxy and HTTP header-style authentication. There are also commercial applications that can’t easily support externalized AM, and they are integrated into AM tools with ‘agents’ or ‘integration kits.’”(2)
The importance of the quote above is reflected in our partnership with Microsoft, which is configured in Azure AD to provide reverse proxy and HTTP header-based authentication to such applications, whether they are hosted in on-premises datacenters or in multi-cloud environments including Azure, AWS, Google Cloud and others. Additionally, last-mile integrations like the ones mentioned above provide rapid time to value, abstracting away the complexity of developing custom integrations for each application with language-, API- and server-operating-system-based integration kits.
CARTA (Continuous Adaptive Risk and Trust Assessment)

Risk-based identity intelligence is implemented to support continuous authentication and authorization processes, with the goal of reducing risk from stolen credentials and devices as well as from session hijacking. To accomplish this, Gartner recommends that
“AM tools will need to add additional controls like integrations with WAFs, CASBs and other complementary platforms.”(3)
Requirements to integrate identity solutions with a variety of risk sources, as well as alternative enforcement points, have been a common theme in our conversations with customers. Some of these risk sources are related to devices, such as device posture and reputation, while others surround network reputation and identity verification. Leveraging these risk signals can provide a higher level of confidence when making continuous authentication and authorization decisions, and can also be the reason for a trust elevation challenge (e.g., multi-factor authentication). On the flip side, building integrations that allow alternative enforcement points such as WAFs and CASBs to leverage identity-based risk signals (e.g., authentication details) is another area in which CARTA approaches can be supported.
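The continuous, risk-signal-driven decision described above, as an added example that is not Ping's or Gartner's code: the signal names, weights and thresholds are assumptions chosen for illustration, and the policy is re-evaluated on every request rather than only at login, so a signal that degrades mid-session can trigger a trust elevation challenge or a denial.

```python
from dataclasses import dataclass

# Constructed signal model for a CARTA-style continuous authorization check.
# Field names, weights and thresholds are assumptions for this example.

@dataclass
class RiskSignals:
    device_posture_ok: bool    # e.g. disk encryption and patch level, as reported by an MDM/EDR agent
    device_reputation: float   # 0.0 (clean) .. 1.0 (known compromised), from a device-reputation feed
    network_reputation: float  # 0.0 .. 1.0, e.g. an anonymizing proxy or hostile ASN scores high
    identity_verified: bool    # identity proofing has been completed for this user
    mfa_satisfied: bool        # a trust elevation challenge (e.g. MFA) was passed in this session

def risk_score(s: RiskSignals) -> float:
    """Aggregate the individual signals into one score in [0, 1]. Weights are illustrative."""
    score = 0.0
    score += 0.0 if s.device_posture_ok else 0.3
    score += 0.4 * s.device_reputation
    score += 0.3 * s.network_reputation
    score += 0.0 if s.identity_verified else 0.2
    return min(score, 1.0)

def decide(s: RiskSignals, resource_sensitivity: str) -> str:
    """Return 'allow', 'step_up' (raise a trust elevation challenge) or 'deny'.

    Called for every request, not just at session establishment, which is what
    makes the authentication and authorization decision continuous.
    """
    score = risk_score(s)
    deny_at = 0.8  # above this, even a passed MFA challenge does not restore trust
    # Stricter threshold for more sensitive resources; unknown labels fail closed to the strictest.
    step_up_at = {"low": 0.6, "medium": 0.4, "high": 0.2}.get(resource_sensitivity, 0.2)
    if score >= deny_at:
        return "deny"
    if score >= step_up_at and not s.mfa_satisfied:
        return "step_up"
    return "allow"

def continuous_session(requests):
    """Re-evaluate a session as its signals change; returns one decision per request."""
    return [decide(signals, sensitivity) for signals, sensitivity in requests]

if __name__ == "__main__":
    # Constructed session: clean start, then the network reputation degrades, MFA restores
    # access, and finally the device itself is flagged as compromised.
    session = [
        (RiskSignals(True, 0.0, 0.0, True, False), "high"),
        (RiskSignals(True, 0.0, 0.9, True, False), "high"),
        (RiskSignals(True, 0.0, 0.9, True, True), "high"),
        (RiskSignals(False, 1.0, 0.9, True, True), "low"),
    ]
    print(continuous_session(session))  # ['allow', 'step_up', 'allow', 'deny']
```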
IoT, API Protection and Lifecycle Management

Providing increased protection for IoT devices and APIs is the next frontier for identity and access management solutions providers. According to Gartner, most of the vendors evaluated in the report are able to support basic use cases for IoT, summarized as “managing access to support the relationships among people, their smart devices and the target resources that must be accessed.”(4) However, Gartner outlined that few vendors today are able to protect device-to-device interactions, describing these efforts as a “niche pursuit.”(5)
API security coverage by IAM vendors is often provided natively, as well as through integrations with API gateway technologies. Duties are commonly split between the two technologies, with IAM tools handling authentication and session management, and API gateways performing authorization functions and evaluating requests, user attributes and security tokens to allow or disallow access. On top of traditional access management functionality, Gartner recognized Ping’s “expanded security capabilities in this area with PingIntelligence for APIs,”(6) a solution that applies artificial intelligence and machine learning to continuously inspect, report and act on all API activity.
Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.