Magic Quadrant for Web Access Management, 2H06

Web access management market growth was robust in 2005, with larger vendors capitalizing on installed customers and smaller vendors beginning to focus on midsize businesses. Enterprises should strategically consider centralized control of authentication and authorization policy in the midterm.

WHAT YOU NEED TO KNOW

The Web access management (WAM) marketplace has recently exhibited better-than-expected growth – near 10%. The previous lack of visionary leadership in the WAM market was undone in 2006 as several well-known vendors showed either significantly more vision and innovation in WAM systems (IBM, Novell) or significantly better execution in the marketplace (CA, RSA Security, Oracle). While higher-end offerings are usually supported by full identity and access management (IAM) suites, visionary vendors continue to add more fully featured identity administration, stronger audit capabilities, and even simple user-provisioning features to WAM products to create lower-cost, lower-end alternatives to IAM suites. Differentiation has also increased as some vendors bundle Web services and identity federation support. We also see early indications of further differentiation: Vendors are working hard to position their WAM products as general enterprise authentication and finer-grained authorization systems, while also starting to integrate WAM with network access control systems. Many enterprises will develop, in the longer term, centralized access control policy repositories for new enterprise applications (Web and non-Web) and for advanced network access control. WAM tools are strong contenders to become the administrative systems for such initiatives.

Several negative issues are facing WAM vendors:

  • We question whether the market can support the current number of vendors making offerings; support for competitive product enhancements is likely to lag if lower-performing vendors do not generate significant sales growth in the next 12 to 18 months.
  • The use of WAM (or other) tools for centralizing fine-grained authorization will require a significant shift in thinking by enterprises. While many see the benefits of a standardized access control policy repository, few organizations have the drive to implement centralized authorization today.
  • There is some erosion in the value proposition of WAM tools, especially for internal use, in the face of competition from SSL virtual private networks (VPNs) and resurgent interest in enterprise single sign-on (ESSO) tools.

Figure 1 illustrates the Magic Quadrant for the WAM market.

STRATEGIC PLANNING ASSUMPTIONS

By 2009, most WAM systems will incorporate identity federation and security token service capabilities, integration with network access control systems, and better application integration technologies in an attempt to become the central authentication and authorization infrastructure for the enterprise (0.9 probability).

By 2011, 50% of Global 2000 organizations will use centralized access control policy repositories for at least 70% of all enterprise applications (0.7 probability).

MAGIC QUADRANT

Market Overview

The term "identity and access management" covers the spectrum of tools and processes that are used to represent and administer digital identities and access for those identities. The term "Web access management" (formerly "extranet access management") applies to access control engines that are designed to provide centralized authentication and authorization capabilities for Web-delivered applications. WAM products also traditionally provide proprietary integration points for non-Web applications, although the use of WAM for non-Web application access control has not been historically widespread. Gartner has changed the designation of this type of product in recognition of its increasing importance as an enterprise IAM infrastructure element, both externally and internally. WAM products may also include identity administration, role/rule management, audit and federation capabilities; in addition, they generally incorporate some level of user-provisioning functionality or integration with a user-provisioning tool, and they may incorporate integration with other IAM tools, such as ESSO, public-key infrastructure (PKI) or strong authentication mechanisms.

Review of Market Trends in 2005

We recognized three significant market trends in late 2005: acquisitions, commoditization and penetration. The acquisition trend has cooled now that most larger platform vendors – with the notable exceptions of Microsoft and BEA – have WAM offerings in place. Acquisitions by CA (Netegrity), Oracle (Oblix) and BMC Software (OpenNetwork Technologies) have induced some integration pains and, in the case of BMC and CA, some slowing of growth. Most recently, EMC has acquired RSA Security; however, this event does not present the same kinds of challenges as earlier acquisitions, because EMC has no significant IAM offerings to be integrated with RSA products.

The trend toward commoditization has weakened, with increased awareness among vendors of potential value-added technologies (such as federation, network access control integration, Web services support and so forth) that can and should be included in WAM offerings. Downward pricing pressure continues to be a factor, however, and bargain-hunting customers can now find excellent offerings at better-than-competitive prices. List pricing of less than $4 per user at 50,000 users and approximately $1 or less for 500,000 users and up is not uncommon. Entrust and Novell are examples of vendors providing excellent functionality combined with "best buy" pricing, while BMC and Oracle can also be considered strong bargains at the larger-user-base end of the spectrum. Most vendors will offer site license pricing at the 500,000-to-1-million-users level.

Growth numbers were excellent in 2005 – close to 10%; therefore, high penetration has not yet become as significant an issue as we predicted. Some of this growth may be attributed to divisional rather than enterprise sales and to replacements. However, we still believe this market to be between 60% and 80% penetrated, which should begin to affect smaller players in the near future.

Market Trends in 2006

Trends in 2006 include the following:

  • IAM overall growth – Significant interest in IAM systems, resulting in major part from regulatory compliance initiatives, has spurred strong growth in several product areas. This has resulted in direct and indirect effects on WAM purchases. Most vendors have shown at least 9% to 10% growth in 2005 and 2006.
  • Web services support – Several solution providers, including Entrust, Evidian, HP, IBM and RSA, now bundle IAM functions for Web services, which may include authentication and authorization support as well as security token services, and most other providers have at least an additional integrated product in this area.
  • Federated identity and provisioning – Nearly half the vendors in the WAM marketplace (BMC, Entrust, IBM, Novell and Sun Microsystems) now offer some identity federation capabilities as part of their core WAM product. Customers see Web identity federation as an obvious feature of WAM systems, and vendors are responding. Early efforts at SAML- and SPML-based federated provisioning are also beginning to appear, most notably from Novell and IBM.
  • Active Directory Federation Services (ADFS) – Released in late 2005, ADFS provides a direct connection to Active Directory for identity federation (although it achieves this by using WS-Federation, a protocol that is still in draft specification, not yet released to a standards organization and not yet universally supported by identity federation vendors). ADFS could potentially be used as a WAM tool if ADFS support were to be built into non-Microsoft Web and application servers. We believe most of these products will incorporate ADFS support by 2008.
  • Midsize-business focus – Smaller market share vendors BMC, PassGo Technologies, Entrust and RSA have reaffirmed their commitment to midsize businesses, which often struggle with the cost and complexity of larger platform offerings. Future growth in the WAM market could come significantly from this area, but the threat of "good enough" functionality from Microsoft (see previous ADFS discussion) is strong here.
  • Non-seat-license pricing – Vendors have offered different kinds of pricing options for different customer situations. Most of the large providers offer bundled pricing for their IAM suites, for example, and Sun has experimented with free downloads of its IAM products (not including support and maintenance). Perhaps the best option has been the processor-based pricing offered by Entrust, RSA and others. This pricing structure, which could bring license costs down to $1 to $2 per user for numbers as low as 25,000 users, will appeal to an organization that manages a large body of users who rarely access WAM-protected resources, as is often the case with service providers and smaller companies.

Market Definition/Description

The term "Web access management" (which we formerly referred to as "extranet access management") applies to access control engines that are designed to provide centralized authentication and authorization capabilities for Web applications. WAM products may also include identity administration, role/rule management, audit and federation capabilities, as well as standardized or proprietary integration points for non-Web applications. In addition, they may incorporate some level of user-provisioning functionality or integration with a user-provisioning tool and integration with PKI or strong authentication mechanisms.

Inclusion and Exclusion Criteria

Included in this market are general-purpose authentication and authorization engines whose main purpose is to allow single or reduced sign-on to multiple Web applications in a clientless fashion. A traditional WAM product consists of a policy/administration function and an enforcement function and is usually deployed in a proxy or agent architecture.

ESSO products, as well as SSL-based and other clientless remote-access products, also offer some form of access control to Web-based applications and certainly are strong alternatives to WAM in some cases. These tools differ from WAM tools, however, mainly because they generally are not true access control enforcement points, but also because:

  • They generally do not integrate complex identity administration capabilities, such as workflow, approval processing, directory management and role management.
  • They generally have not been shown to scale to large extranet-type populations, with hundreds of thousands or millions of users.
  • In the case of ESSO, a client is usually required.

Added
PassGo Technologies offers a proxy-based WAM product with some interesting characteristics, such as pass-through authentication to Resource Access Control Facility (RACF), CA-ACF2 and CA-TopSecret. Even so, it currently has few customers.

Dropped
This Magic Quadrant includes all the vendors that appeared in the previous iteration; no vendors were dropped. This section covers vendors that, while not appearing in the previous Magic Quadrant, merit discussion.

Ping Identity, the focused identity federation vendor, is considered a new entrant in the WAM market. Ping Login is a simple authentication-only product designed for high-scale situations in which there is no requirement for authorization and little or no requirement for user or role management. The product is targeted at very large extranets serving a single application (or a very few applications) to a highly homogeneous group of users. Enterprises with complex management requirements most likely would not find Ping Login appealing.

Siemens also plans an offering in the WAM market in 2H06, in part to replace a partnership with Oblix, which was acquired by Oracle.

Microsoft has continued to support WAM-like functionality in Microsoft-only environments with Active Directory, Authorization Manager and now ADFS, while leaving WAM functionality in heterogeneous environments to vendors such as BMC and RSA. BEA Systems does not offer a competitive product in this market, although it does offer a sophisticated IAM framework for pure WebLogic and AquaLogic deployments.

Evaluation Criteria

Ability to Execute
Gartner analysts evaluate technology providers on the quality and efficacy of the processes, systems, methods or procedures that enable IT provider performance to be competitive, efficient and effective, as well as to positively affect revenue, retention and reputation. Ultimately, technology providers are judged on their ability and success in capitalizing on their vision. The ability to execute in the WAM product space takes into account the technology provider's sales performance and recognition from competitors and Gartner clients. Other major factors in execution include the depth of the product offering, with regard to what Gartner considers to be baseline functionality for any current product. These features in 2006 include fine-grained access control capabilities for Web and non-Web applications, access control policy administration features, global session management, reporting/audit, multirepository support, and interface with IAM suites and ESSO products.

Completeness of Vision
Gartner analysts evaluate technology providers on their ability to convincingly articulate logical statements about current and future market direction, innovation, customer needs, and competitive forces, and by how well they map to the Gartner position. Ultimately, technology providers are rated on their understanding of how market forces can be exploited to create opportunity for the provider. When evaluating the technology provider's completeness of vision in the WAM product space, Gartner analysts consider not only their vision for the WAM product, but also their vision for associated IAM; additional major factors evaluated include unique business models or focuses and breadth of the product with regard to what Gartner considers to be new, unique, differentiating or nonbaseline functionality. These features in 2006 include bundled support for identity federation, dynamic access control rules (time-, situation-, or other dynamic data-based), integration with network access control systems, and support for multiple security zones or multiple per-user roles.

Leaders

Acquisition integration has progressed, larger platform vendors have exploited their advantage in leveraging their own customer bases, and the lack of differentiation so glaringly illustrated in the leaderless Magic Quadrant in 2005 has ended. Vendors have found several different ways to establish leadership, including bundling identity federation and Web services IAM capabilities. Visionary companies in WAM also are looking into integration with network access control products. Fine-grained and non-Web authorization support is also a major focus, although currently few enterprises have deployed these functionalities. Gartner has, however, noted increased discussion of the possibility of a centralized authorization policy repository to be used by all applications – which WAM products are well-positioned to provide.

Challengers

Challenger organizations have shown significant growth that is on par with that of the leaders, but they have not been as visionary. Challengers have solid products, but they have not been able to keep pace with their strategic objectives and the product innovations now offered by the leaders. While challengers' products are strong, they are not as significantly differentiated, and they may also suffer from poor integration with companion IAM products.

Visionaries

Visionary companies in the WAM market have consistently defined and met strategic objectives in differentiating their offerings from the pack, but they have not shown the kind of execution capabilities of leaders or challengers. These companies have appealing products from a functional standpoint and exhibit innovative business strategies, but they have not been able to translate these strengths into the customer base and revenue growth that characterize leaders and challengers.

Niche Players

Niche vendors in the WAM market have solid products but have not been able to distinguish themselves with customers through product differentiation or execution. Niche products, however, have the potential to be good-enough products at a reasonable price for some or many potential WAM customers.

Vendor Comments

BMC Software

Product: Web Access Manager

BMC Web Access Manager might be characterized as a "sleeper" solution: less well-known and with fewer customers, but consisting of solid functionality at a low price point. BMC has characteristics of both independent and "stack" vendors: multiple IAM products (suite), but significantly less platform lock-in and more commitment to Microsoft-centric organizations. BMC has some traction as the "default" Microsoft partner because that was the position of OpenNetwork Technologies when it was acquired by BMC, and because Oblix has been acquired by Oracle. However, BMC offers a Java and a .NET framework solution, which also appeals to customers worried about lock-in. The "Microsoft effect" may increase with the acquisition of RSA by EMC because RSA may no longer be seen, either by potential buyers or by Microsoft, as an independent offering. However, BMC has failed to make a name for itself or to attract significant numbers of customers since acquiring OpenNetwork, while Oracle and CA, which also acquired WAM companies in the same time frame, are now executing better. BMC must focus on the midmarket and on making some significant wins in the enterprise market against the larger platform vendors to prove that Web Access Manager is a worthy product.

CA

Product: eTrust SiteMinder

CA has continued to integrate the former Netegrity technology into the eTrust security suite. While growth in the customer base was flat for a period after the acquisition, CA has added customers recently, although not yet at a rate commensurate with that of some competitors. Still, it is an encouraging sign that CA has been able to calm fears and present a coherent strategy. CA's strong showing in user provisioning and platform-specific access control products for non-Web environments is also a positive. Although SiteMinder is still a very strong product, other competitors have added functionality to their offerings, leaving SiteMinder less differentiated than in earlier Magic Quadrants.

Entegrity Solutions

Product: AssureAccess

AssureAccess is a pure Java WAM tool, with a relatively robust access control policy capability but few other differentiating characteristics. Entegrity has suffered from low visibility and almost zero customer growth for some time. Gartner clients and WAM competitors do not recognize Entegrity as a significant alternative in the WAM market, although Java-centric organizations needing a highly customizable solution may wish to consider this option.

Entrust

Product: GetAccess

Entrust is another smaller vendor, with versatile, fully featured technology at a low price for the midmarket and beyond. Entrust has abolished per-user pricing for a per-CPU model, which appeals to many organizations – especially those with large groups of rarely connecting users (retirees, consumers and so forth). However, Entrust benefits from having a larger customer base than BMC or Evidian, and it has recent growth numbers that are almost on par with those of the growth leaders. GetAccess is one of the WAM offerings that includes strong identity federation capabilities as part of the base product, as well as more-comprehensive identity administration capabilities. GetAccess also benefits from close integration with Entrust's traditional PKI, TruePass roaming PKI and IdentityGuard authentication offerings. However, Entrust continues to suffer from its lack of an identity management/user provisioning offering, as well as from significantly lower visibility in most markets beyond Canada, even though Entrust's PKI offering is strongly represented in large-scale projects worldwide, especially in government sectors.

Evidian

Product: Secure Access Manager (SAM) Web and SAM J2EE

Evidian (a division of Bull) is a France-based company offering a complete IAM suite of products. SAM Web and SAM J2EE are average-functionality WAM products that appeal mostly to users of other Evidian IAM products. Like the few other smaller vendors still left in the IAM market, Evidian has significantly fewer customers and seats sold. Evidian is the only "local" offering in Europe and has expanded into Asia/Pacific through a partnership with NEC. The company has virtually no presence in North or South America, but it has been moderately successful in competing with global vendors at home and in Asia/Pacific.

HP

Product: OpenView Select Access

HP has long suffered from an inability to project an image and market presence for its identity management offerings that is consistent with the size and presence of the company as a whole. Select Access is a solid and stable product, with some large deployments, but it lags behind even many midtier offerings in number of sales. Although Select Access does not stand out in any particular category, HP received strong marks for support of visionary functionality, such as associated (but not bundled) federation capabilities (HP bought federation vendor Trustgenix in late 2005), support for non-Web applications, multirepository support, access policy administration and fine-grained access control.

IBM

Product: Tivoli Federated Identity Manager (TFIM) and Tivoli Access Manager for e-business (TAMeb)

IBM now considers TFIM its main WAM offering, with TAMeb considered merely a stripped-down, low-cost alternative (TAMeb is now bundled with TFIM). TFIM is a highly sophisticated offering, with built-in capabilities for simple federated provisioning and Web services security, as well as one of the most-versatile identity federation capabilities available, supporting SAML 2.0 and WS-Federation. The combination of versatile, visionary functionality and IBM's marketing muscle and professional services capabilities makes TFIM a definite leader in the WAM market. IBM also offers a suite of well-known companion products, such as Tivoli Identity Manager and Tivoli Access Manager for Operating Systems for platform-specific environments. However, IBM's pricing structure makes TFIM (and even the lower-priced TAMeb stand-alone) one of the most-expensive solutions to buy. Gartner clients and other users of IBM/Tivoli IAM products often complain that they are complex and difficult to deploy, and that they are suitable only for heavy WebSphere/IBM infrastructure environments. Not only does IBM rarely win with Gartner clients outside these environments, but competitors are quick to tout their not-insignificant number of wins against IBM even in these "home" situations. Of course, IBM is recognized as a major competitor by nearly every surveyed vendor and by a large majority of Gartner clients, which gives it the benefit of being well-known and the liability of being everyone's target.

Novell

Product: Novell Access Manager

Although Novell claims that Access Manager has nearly as many customers as more-familiar offerings from Sun, IBM and CA and that it has sold a huge number of seats, it remains surprisingly unrecognized as offering an enterprise-class WAM solution. Consequently, Novell rarely appears as a finalist with Gartner clients. The company seems to have successfully leveraged its longtime customer base and has made significant efforts to attract new customers. It has also made a strong commitment to IAM, listing IAM as second only to Linux in its importance to the company's future, and it has extremely competitive pricing, even at lower numbers of seats. Novell has the distinction of being the only large vendor to have developed its IAM suite almost completely in-house – which may give Novell an edge in responding to future market demands. Access Manager includes a number of visionary functionalities, including a relatively strong federation capability built in, as well as simple federated provisioning capabilities and integration with SSL VPN for access to non-Web resources.

Oracle

Product: Oracle Access Manager

Oracle continues to pursue its strategy of integrating its several best-of-breed IAM acquisitions into a complete identity infrastructure. Of all the large platform vendors, Oracle, Novell, CA and BMC seem the most committed to providing significant support for heterogeneous environments. Oracle's advantage is that, through its database, application server and enterprise software products, as well as through PeopleSoft, the company has a huge number of potential prospects for upselling who already have a significant commitment to Oracle infrastructure. Also, Oracle had significant growth in customers for Access Manager in the last year. Access Manager ranks as one of the more fully featured WAM products, although Oracle has yet to bundle federation capabilities at no extra cost. Notable differentiators for Access Manager include early integration with network access control technologies, which Gartner believes will become much more important for WAM and other IAM products in the near future. Oracle has also put significant effort into positioning Access Manager as a central facility for authorization policy and decision making for non-Web applications and for fine-grained authorization.

PassGo Technologies

Product: Webthority

Webthority is a relatively simple product that complements other PassGo products for strong authentication, ESSO and SSL VPN. Webthority does have some interesting attributes, the most appealing being the number of back-end authentication sources it supports via pass-through authentication, including IBM RACF, CA-ACF2 and CA-TopSecret. PassGo is not currently a major force in the WAM market.

RSA Security

Product: RSA Access Manager

RSA has been a consistent visionary in the WAM market and has shown relatively robust customer growth in each of the past several years, even in the face of stiff competition from larger vendors. However, price competition has made Access Manager less of a bargain, especially given that RSA Federated Identity Manager is a separate product and not included with Access Manager (while similar offerings, such as Entrust GetAccess and Novell Access Manager, have bundled this capability). Lack of a companion user provisioning/identity management offering certainly hurts RSA (and Entrust) in some sales opportunities. Gartner recommends keeping a close watch on the recent acquisition of RSA by EMC because EMC's effect on RSA strategy and the EMC commitment to smaller revenue products such as RSA Access Manager is currently somewhat unclear.

Sun Microsystems

Product: Java System Access Manager (JSAM)

The JSAM product has been known as a solid if not fully featured product in the WAM market. JSAM has relied on the Java System Identity Manager for identity management capabilities, as well as on the reputation of Sun ONE as one of the premier large-scale extranet directories. Sun's support of the OpenSSO project and the "free download" of JSAM have garnered some interest among WAM buyers, and JSAM is appearing in more final selection processes among buyers. JSAM now bundles federation capabilities and is used in the largest extranet projects Gartner has tracked. JSAM has become a significant competitor in many sales opportunities, especially those in which the organization is also buying associated identity management functionality.

Gartner RAS Core Research Note G00142612, Ray Wagner, 13 October 2006

The Magic Quadrant is copyrighted October 2006 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

© 2006 Gartner, Inc, and/or its Affiliates. All rights reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.