
G00211482

Cool Vendors in Identity and Access Management, 2011


Published: 21 April 2011 Analyst(s): Ray Wagner, John Girard, Gregg Kreizman, Ant Allan, Earl Perkins, Perry Carpenter

Several segments of the identity and access management (IAM) market continue to experience significant innovation in technology, product and service offerings. Chief information security officers and other security professionals should familiarize themselves with Gartner's 2011 Cool Vendors in IAM, and with the potential business benefits they offer.

Key Findings

Startups and other niche vendors, rather than established major players, continue to drive much of the innovation in the IAM market. These aggressive, newer vendors offer innovative and enhanced technologies, but the usual concerns about new market entrants' capabilities and viability may limit enterprises' willingness to commit to their offerings.

Recommendations

Consider innovative products and services, including those from Gartner's 2011 Cool Vendors, when evaluating products and services to address IAM requirements. However, recognize that these offerings are not appropriate for all enterprises or all implementations. They are likely to be more suitable for Type-A Gartner clients (technologically sophisticated early adopters) than for more risk-averse Type-B or Type-C clients. Choose IAM products or services for their real-world workability, vendor capabilities and viability, as well as for their technological innovation.

Table of Contents
Analysis
    What You Need to Know
    AuthenWare
    ForgeRock
    UnboundID
    Veriphyr
    Where Are They Now?
        Lumidigm
Recommended Reading

Analysis
This research does not constitute an exhaustive list of vendors in any given technology area, but rather is designed to highlight interesting, new and innovative vendors, products and services. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

What You Need to Know


Gartner has once again identified a set of very strong Cool Vendors in IAM. These up-and-coming technology providers offer IAM products and services based on a broad range of technological approaches and delivery models. One trend that is clearly identifiable throughout their offerings is a serious attempt to deliver IAM components that enhance the user experience to support mission-critical business decisions. These vendors' highly innovative technologies and business models may not be suitable for every enterprise's needs (all enterprises must deal with the usual challenges when facing new market entrants and new technologies), but their offerings are well worth evaluating. For assessments of Cool Vendors in three other important security market segments, see "Cool Vendors in Cloud Security Services, 2011," "Cool Vendors in Infrastructure Protection, 2011" and "Cool Vendors in User and Data Security, 2011."

AuthenWare
Miami, Florida (www.authenware.com)
Analysis by Ant Allan and John Girard

Why Cool: AuthenWare offers a practicable, behavioral, biometric authentication technology based on typing rhythm (also known as keystroke dynamics), i.e., the cadence of a user's typing. This technique is rather attractive because the keyboard is a ubiquitous capture device and requires minimal change in user behavior. Other vendors offer this authentication method, but AuthenWare Technology is differentiated by being simple to implement (scalable: AuthenWare claims more than 75 million users) and robust (for example, it has a built-in defense against software "mimic" attacks, it evaluates additional user behavior, as well as contextual information, and it is the only typing rhythm product that can claim Common Criteria certification at Evaluation Assurance Level 2+), as well as providing good user experience (it is transportable across different endpoints, which extends its sampling techniques to touchscreen interactions on smartphones and tablets, and it offers a low false nonmatch rate).


Gartner, Inc. | G00211482

Although it is a U.S. company, AuthenWare began building its market in Europe, where it has gained several clients, notably the multinational telecommunications carrier Telefonica and two Spanish government agencies. It has also expanded internationally, with government, media and banking clients in South Africa and Latin America. It has been increasingly active in marketing and sales in the Americas through 2010. The management team has substantial experience in technology markets (with backgrounds in companies such as BEA Systems, Citrix Systems, Fuego and Plumtree Software). Many Gartner clients report that they have a positive view of AuthenWare.

Challenges: AuthenWare's biometric authentication method adds a true second authentication factor to an existing legacy password, without adding another device or agent, and without adversely impacting user experience. Nonetheless, it remains unclear whether it provides the high level of assurance that some enterprises will need in some high-risk use cases. An enterprise could layer AuthenWare Technology with another vendor's method to increase assurance, but that would add cost and complexity and would erode the user experience. However, like other biometric authentication methods, AuthenWare's approach hinders account sharing and, thus, provides a higher level of accountability than, for example, personal-identification-number-protected smart cards with public-key infrastructure credentials. AuthenWare is one of more than a hundred authentication vendors that focus on a single class of authentication method. Such "pure play" vendors face the challenges of competing with established vendors that offer a broad portfolio of authentication methods to meet varied needs. A partnership with such an established vendor, which would typically lack a biometric authentication offering, could be fruitful for AuthenWare. If the company wishes to target financial services and adjacent markets, then it will also need to establish partnerships with Web fraud detection vendors. AuthenWare must also pursue an agent-based solution to the client-side interaction to ultimately become part of the login defense for mobile devices, because without an agent, its use will remain limited to online services.

Who Should Care: Information security and IAM leaders may want to evaluate AuthenWare as an alternative to traditional medium-assurance authentication methods for Web applications and Secure Sockets Layer virtual private networks. AuthenWare is of particular interest in use cases where user experience is particularly important and intrusive authentication methods are a problem for users (especially across varied endpoint devices), and where the costs of acquiring and distributing tokens would be prohibitive. Another potential benefit is that AuthenWare Technology can, in "silent" mode, provide additional input to the dynamic risk assessment used in Web fraud detection and other misuse management tools.

ForgeRock
Oslo, Norway (www.forgerock.com)
Analysis by Gregg Kreizman

Why Cool: ForgeRock supports directory, user provisioning, Web access management (WAM) and portal products based on and extending Sun Microsystems' very capable open-source software products. Prior to Sun's acquisition by Oracle, Sun's IAM stack was widely deployed and well-regarded by its customers. Oracle made Sun's role life cycle management product strategic, and incorporated some elements of Sun's other IAM products into its established products. However, Oracle is expected to phase out development of most of Sun's products over time. ForgeRock has been able to attract former Sun developers, and has also created partnerships with established integrators who are experienced with Sun's products. The company has added and "road mapped" significant new features. These enhancements emphasize platform independence and the use of protocol and interface standards to support a world that is increasingly interconnected by services. ForgeRock is building its customer base, and has already landed some large customers, most of which are not former Sun customers.

Challenges: ForgeRock offers a mostly complete open-source IAM software stack, including WAM, federation, security token service, user provisioning, directory and virtual directory products. However, almost all this functionality is also available from other vendors with mature product offerings. ForgeRock also faces competition from open-source point solutions, and from OpenIAM for user provisioning, WAM and federation capability. "Open source" is not synonymous with "free," and most enterprises will need support, particularly if they choose to use commercial versions of the products that ForgeRock extends with new functionality. Sun's products were full-featured, but also complex to deploy. ForgeRock's marketing and sales have been focused on a technical audience, and this message will need to be adapted to resonate with CIOs, as well as personnel in enterprise lines of business, who increasingly influence IAM decisions.

Who Should Care: IAM leaders who are planning new initiatives, and who work within a corporate culture with a preference for open-source software, may wish to consider ForgeRock. They should pay particular attention to support pricing, and the potential hidden costs of customization and integration with established enterprise systems.

UnboundID
Austin, Texas (www.unboundid.com)
Analysis by Perry Carpenter

Why Cool: Traditional directory environments are built on the assumption that they should support a large number of "read" transactions, but a relatively low number of "writes." In many cases, this assumption is valid, but in large environments, the number of authentication attempts, and even the demand related to synchronization of attribute-level changes, can cause the directory to become sluggish or contain unreliable ("stale") data. This problem can impact enterprises and their customers in a number of ways. For example:

- Sluggishness may cause customer-facing application login attempts to be unacceptably slow.
- Sluggishness in "real time" lookups to determine security authorizations to application features may make the application seem slow or time out in some circumstances.
- Stale data may cause customer preference settings to be inaccurate.
- Stale data may impact regulatory compliance, if latency allows a user to access data after permission for that data was supposed to be removed.


UnboundID creates reasonably priced next-generation directory service (LDAP, proxy and synchronization) products built from the ground up, with massive scalability, security and high performance in mind, and is especially suited to the growing identity and personalization demands of Web-based, cloud-based and mobile computing backbones. UnboundID's offering is specifically built to support multitenancy, advanced replication/synchronization options, SQL-like "join" functionality, granular logging and tracking, as well as advanced options for data security and privacy.

Challenges: UnboundID faces two main obstacles:

- Convincing customers to choose a "best-of-breed" (or "off brand") directory server to meet their identity repository needs. Since many IAM solutions include their own LDAP directories or have preferred directories, some customers may never consider a vendor such as UnboundID.
- While UnboundID has already attained a respectable client base (13 companies comprising 350 million licenses) and impressive year-over-year growth (400% from 2009 to 2010), it focuses only on directory services, rather than on a broad range of IAM-related products and services, and this may limit its number of prospective customers.

To be truly successful, UnboundID needs to be seen as the "Rolls-Royce of directories," but within the price range of a Kia and with the service reputation of a Honda.

Who Should Care: Enterprises or service providers that need to break traditional paradigms related to LDAP should consider UnboundID. This is especially important for enterprises with large-scale, transaction-heavy, customer-facing applications. For this reason, UnboundID is particularly well-suited for telecommunications, e-commerce, software-as-a-service (SaaS) and cloud environments.

Veriphyr
Los Altos, California (www.veriphyr.com)
Analysis by Earl Perkins

Why Cool: IAM systems need intelligence to function and to be relevant to the enterprise. This intelligence must be derived from the many disparate sources of IAM information, from directories and policy repositories to event and information logs generated by access and administration activities. If it is properly gathered and analyzed, then information can provide the answers required for a compliance audit, or prevent a disastrous access breach. Unfortunately, most enterprises have neither the time nor the resources to devote to the detailed data cleansing, collating, correlation, aggregation and analytics necessary to derive these benefits. This is where Veriphyr steps in. Veriphyr isn't cool because it is an identity and access intelligence (IAI) provider, but rather because it delivers IAI using a SaaS model. A client delivers specific identity information to Veriphyr based on its reporting and analysis needs, and Veriphyr responds with a set of reports and analyses on topics ranging from dormant, orphaned and underused accounts to shared logins, and from patterns of activity behavior that imply common roles for groups of users to correlations of users to their many IDs. Veriphyr's premise is that users are what they do (that is, their activities and accesses), not what their managers think they do. Combining activity and access information from IAM and other systems makes it possible to discern patterns and make decisions based on the maximum intelligence possible. Many IAM vendors are able to offer parts of these capabilities, but Veriphyr's approach, as a service-based intelligence provider with a pay-for-use pricing model, is currently unique in the market.

Challenges: Veriphyr depends on the information it receives from its clients. That information must be available, and the client is assisted in extracting it and sending it. Initially, that assistance is minimal, but it can grow based on client needs. The process of preparing the data for analysis can sometimes reveal "gaps" that Veriphyr analysis must accommodate. Other types of analysis done by the company are performed by humans, rather than by analytics software, so scalability concerns will emerge as the company grows, and also if customer requirements become more complex. Veriphyr also faces the challenge of clients that are reluctant to allow sensitive identity-based information to be sent to an "outside agent" for analysis.

Who Should Care: Audit and compliance reporting providers in the enterprise are particularly interested in the nature and type of analysis and reporting provided by Veriphyr. Program managers engaged in large-scale merger-and-acquisition efforts find the quick turnaround time of service-based analysis valuable in consolidating the access profiles of employees. IT security architects and planners are also interested in tools that help to build access profiles based on actual activities, not just on the access as it has been defined.

Where Are They Now?


Lumidigm
Albuquerque, New Mexico (www.lumidigm.com)
Analysis by Ant Allan

Why Cool: In 2004, Gartner profiled Lumidigm in "Cool Vendors in Security and Privacy" and identified it as a Cool Vendor in authentication because of its novel biometric technique of skin spectroscopy, based on the discovery that every human being's skin has unique optical characteristics. We noted then that Lumidigm's challenge would be to gain credibility for its unique biometric technology in a market dominated by fingerprint, face topography and iris structure technologies.

Where Are They Now? Lumidigm reports that, before it could gain market traction, it repurposed its technology at the request of a U.S. government agency to develop a new kind of fingerprint sensor (capture device) using multispectral imaging. The claimed advantages of this technique are that it captures superior images quickly, on all people, in all environmental conditions. According to Lumidigm, unlike other common sensor types, performance isn't affected by moisture, dry or dirty skin, or bright ambient light. Unlike some other sensor types, multispectral imaging captures surface and subsurface ridge patterns, and analyzes the spectroscopic characteristics of the surface, thereby making it less vulnerable to facsimile attacks.


Who Should Care: A client told Gartner that one particular advantage of the Lumidigm technology is its ability to capture a fingerprint image through a medical glove. Ultrasound sensors can also do this, but they are far bulkier and more expensive, which should make Lumidigm sensors appealing to healthcare delivery organizations. Other enterprises selecting fingerprint biometric authentication also may benefit from Lumidigm's ostensibly superior performance.

Recommended Reading
Some documents may not be available as part of your current Gartner subscription.
"Application Security Technologies Enable Enterprise Security Intelligence"
"Identity and Access Intelligence: Making IAM Relevant to the Business"
"Prepare for the Emergence of Enterprise Security Intelligence"
"Q&A: Biometric Authentication Methods"

Acronym Key and Glossary Terms
IAI     identity and access intelligence
IAM     identity and access management
SaaS    software as a service
WAM     Web access management

This research is part of a set of related research pieces. See Cool Vendors 2011: Delivery and Consumption of Services Is Empowering, and Cool for an overview.
