Magic Quadrant for User Provisioning, 1H06

User-provisioning implementations are increasing due to regulatory compliance needs. Enhancements in role management, reporting, industry support and products for small and midsize businesses are required. Expansion to other identity and access management markets is crucial for pure-play survival.

WHAT YOU NEED TO KNOW
User-provisioning (UP) implementations are growing in number and complexity, largely because of regulatory pressures. Gartner estimates that there are approximately 1,200 production deployments that are significant: These implementations are enterprisewide, and they use multiple connectors, workflow and approval processing. Most implementations are in enterprises with workforce head counts of 5,000 and larger. Implementations of smaller workforce count are new, most within the past 12 months, as they too feel regulatory compliance pressures.

As one customer reference stated, "When you screw it up, everyone knows because nothing works; but when you do it right, no one notices because access is seamless." The following messages were consistently heard about successful and unsuccessful UP projects and act as advice directly from deployed production customers:

  • They can generate a tremendous amount of business process change, and therefore, politics, within the enterprise. Therefore, do not think of a UP project as a technology-only project. You must continually communicate the project's goals, deliverables and new processes to the enterprise – including IT and the business units, to diminish the political backlash (people don't like change and they can put up roadblocks if they think their job is threatened).
  • During the design phase of the UP project – long before you start your technology selection process – you must do the following two things:
    • Document your current access request fulfillment processes and your desired state, including goals, deliverables and new processes. In doing this work, you will select the right product for your enterprise; never select a product that forces you to change your access request fulfillment processes.
    • Define what an "identity" means to your organization (for example, what pieces of information about an end user make up your organization's user identity profile). The identity mapping results directly feed your data synchronization process (for example, how often will you synchronize user profile information, how do you discover and resolve mismatches of attribute values, and so on). This "identity mapping" effort involves the following steps:
      • Define the user identity profile attributes.
      • Define the authoritative sources of each attribute.
      • Map the attribute to each target system (platform or application) that requires the attribute value for the target system to make an access control decision about the user.
      • Document the access control decisions that each attribute is involved in and what the impact will be if one attribute value is out of sync with the authoritative source.
  • With all the progress made during the past few years in the UP market, there is a consistent message from UP customers that UP products are still too complex to implement and maintain on an ongoing basis and, therefore, require too much technical support from the vendor and/or systems integrator (SI) – for example, a change to an approval workflow, an upgrade to a target system and therefore a change to the connector, unique access request business rules that require customized scripting, and so forth. UP vendors must update their products to provide simple implementation, deployment and maintenance capabilities, therefore reducing the dependence on and expense of professional services. These changes are especially important for enterprises with workforce head counts of fewer than 5,000. Service-oriented architecture (SOA) products have an advantage over the older UP products in the market in this area.
  • With the above said about complex implementations and the need to simplify the UP products, UP projects must also be simplified. The easiest way to do that is to phase the implementation in "digestible" pieces (for example, start with one target system in one location for one business unit). Although this approach to simplification might sound like overkill, the political repercussions of the project not going well because of loss of access or cost overruns requires a clearly documented implementation road map that all partners – internal and external – can agree with. It might take you longer to reach your goal, but the deployment will be more thoughtful and better managed.
Two fundamentally different ways to solving the security administration problem are the UP (middleware) approach and the enterprise access management approach. All vendors, except Microsoft, are taking the middleware approach, which addresses the management of the complex authentication environment (for example, a user ID on every unique target system used by the enterprise) that has evolved during the past 20 years with the growth of computing platforms other than the mainframe. On the other hand, Microsoft and its partners are solving the enterprise access management problems – authentication and authorization as well as user account management.

As long as enterprises are willing to make Active Directory their central authentication service (a result that will take many years for most enterprises) and rely on the access control infrastructure of the Windows server, fewer user IDs will be needed, and those that remain can be managed as an Active Directory account. This approach does not preclude the use of non-Microsoft development platforms because Microsoft partners, such as Centrify and Quest Software, are building tools to provide the translation of Unix, Linux, Mac OS, VMware, WebSphere, WebLogic, JBoss and Apache accounts so that they can be managed as Active Directory accounts. Microsoft Identity Integration Server (MIIS) is required to provision user accounts and synchronize user profile information between target systems (until such time that only one Active Directory user account is needed), and additional components, such as BizTalk for workflow and partner products, are required. Gemini, the next release of MIIS in the second half of 2007, will integrate the ability to perform complex workflows. To fully support the heterogeneous IT infrastructure and see this approach grow, Microsoft's partners need to expand into the legacy environment with mainframe, iSeries and relational database management system (RDBMS) support.

Microsoft is also keen to solve the authorization problem. It has had the "plumbing" – (Authorization Manager, commonly known as AzMan) – for some time, and we expect it to focus more on this in the future. Active Directory wasn't designed for real-time application authorization access, so Microsoft has kept application authorization access out of Active Directory for the most part. AzMan is a way to externalize an application's authorization requirements using XML. One of AzMan's deployment alternatives is to keep this in Active Directory, but Active Directory isn't required – Active Directory in this case is just a potential repository.

This means that Microsoft would:

  1. Own the strategic user repository (Active Directory) in most accounts
  2. Drive the primary authentication for both network operating system (NOS) and Web connections
  3. Drive the application-level authorization schemes
Clearly, this is a lot to accomplish – especially No. 3 – but no other vendor is in a position to pull this off; perhaps Oracle or Sun could, but they would need a very aggressive road map to do so and could not force Oracle Internet Directory (OID) nor Sun ONE Directory Server as the central authentication service.

The enterprise access management approach is not for everyone, especially if enterprises have a need right now for managing and reporting on the messy, complex user accounts environment that currently exist. This approach is also not for those enterprises that want to maintain an "open" authentication and authorization infrastructure. However, even though there are many components to assemble with the Microsoft enterprise access management approach, all customers spoken to that have taken this approach report a much less expensive implementation. Lower cost and the growth of Active Directory as the central enterprise authentication service will make this approach a compelling choice within the next 24 months.

No enterprise should choose any vendor and product based solely on one criterion. Therefore, choosing a UP vendor should not be based solely on the quadrant in which the vendor is placed. A number of evaluation criteria might not make the leader as attractive as a challenger or niche player. These criteria could include:

  • The product's development/runtime environment – .NET might currently be a better choice for the small and midsize business (SMB) market.
  • Availability of specific geographic or industry support (Europe has more-complex workforce labor regulations than the United States)
  • The enterprise needs to automate its security administration function only – therefore, it doesn't need a full identity and access management (IAM) suite offering.
  • The enterprise wants to reduce its technology partner choices and therefore favors a UP vendor with which they already have a relationship (an evaluation criterion growing in importance for UP vendor selection).
  • There is limited need for complex workflow.
  • Integration with Information Technology Service Management (ITSM) products is required, and so forth.
Document and prioritize your overall evaluation criteria (not just product requirements) before choosing a vendor.

STRATEGIC PLANNING ASSUMPTIONS
By 2008, investments in user-provisioning solutions will increase 60 percent to address regulatory compliance requirements (0.8 probability).

User-provisioning products will continue to be used to manage and report on internal user access through 2010 (0.8 probability).

By 2008, only 10 percent of enterprises will require support for incoming (from a target system to the user provisioning product) SPML requests (0.7 probability).

MAGIC QUADRANT
Figure 1. Magic Quadrant for User Provisioning, 1H06

Source: Gartner (April 2006)

Market Overview
UP is one product market in Gartner's definition of the IAM product area. IAM solutions solve two main functions: administration of user attributes, credentials and privileges; and real-time enforcement of assigned privileges. UP solutions are the main engine in support of administration activities, and Web access management (WAM) solutions – Gartner recently renamed this market from extranet access management (EAM); are the main engine in support of real-time enforcement activities. Both tools are used to address the broader identity management (IdM) goals of the enterprise.

In this Magic Quadrant, Gartner ranks vendors based on product capability and market performance through March 2006. This Magic Quadrant considers which vendors will likely dominate sales and influence technology directions through 2006, as well as considers which vendors are most visible among clients, generate the greatest number of requests for information and contract review, and account for the most new and ongoing installations in Gartner's client base.

Market Definition/Description
UP solutions address the enterprise's need to administer (create, modify, disable and delete) the following identity objects across the heterogeneous IT system infrastructure environment (operating systems, databases, directories, business applications and security systems):

  • User IDs associated with each user
  • Authentication credentials – IT and facility
  • Roles (for example, enterprise-level and target system specific)
  • Entitlements (for example, assigned via roles or explicitly to the user ID at the target system level)
  • User profile attributes (such as name, address, phone number, title and department)
  • Corporate policies (for example, time-of-day restrictions, password management policies, business relationships that define users' access to certain IT resources and segregation of duties [SOD]).
Ensuring a complete audit trail of administration activities associated with each of these objects, and reporting on these activities for compliance purposes – regulatory, internal and business relationship – are also key activities that are required for a successful IdM project and process.

Gartner distinguishes an IAM suite vendor from a pure-play UP vendor. An IAM suite vendor is one that has, at a minimum, both UP and WAM products. Common additional IAM components to a suite can include federated identity management (FIM), enterprise single sign-on (ESSO), and audit and compliance reporting. Rarely does an IAM suite vendor have a strong authentication product, preferring to partner with those vendors rather than owning them.

This Magic Quadrant does not focus only on core UP capabilities (for example, connector breadth, delegated administration, self-service, HR application support), because some of these capabilities are largely commoditized with little differentiation between the products. Rather, the additional focus of this Magic Quadrant is in two areas:

  • Ease of ongoing maintenance – How do UP vendors deliver core UP capabilities as an enterprise management system in support of an ongoing, changing business environment? For example, it is not how many connectors the vendor supports, but rather, how easy it is for the customer to create and maintain those connectors in a changing IT infrastructure; it is not the inclusion of workflow functionality, but rather, how easy it is for the customer to make changes to the workflow to support changes to business policies and practices.
  • Vendor vision – What is the vendor's vision in support of broader enterprise provisioning needs, such as asset management, configuration management and facilities management – not just IT resources.
Inclusion and Exclusion Criteria
Inclusion Criteria
UP vendors were considered for the document under the following conditions:
  • They support the minimum core UP capabilities (defined above in the Market Definition/Description section) across a heterogeneous IT infrastructure.
  • Products must be deployed in 10 customer production environments.
  • Deployed production customer references must be available.
  • Gartner analysts are actively tracking and doing research on them based on client demand.
  • Gartner analysts consider that aspects of the company's product, execution or vision are noteworthy.
Exclusion Criteria
UP vendors that were not included in this Magic Quadrant might have been excluded for one or more of the following conditions:
  • Vendors did not meet the inclusion criteria.
  • Vendors supply UP capabilities for a specific technical environment only – for example, Windows, iSeries, and so on.
  • Vendors are not the original manufacturer of UP products – this includes value-added resellers (VARs), which repackage UP products that would qualify from their original manufacturers, other software vendors that sell IAM-related products but don't have a UP product of their own, and external service providers (ESPs) that provide managed services – for example, data center operations outsourcing.
Vendors not included in the Magic Quadrant but worthy of mention are:
  • Bull Evidian offers an IAM suite that includes an integrated set of products for UP (including Identity Manager, Provisioning Manager and Approval Workflow) as well as WAM and ESSO products. The UP product set implements a highly developed role-based provisioning model. Although it has international UP customers, Bull Evidian is not well-known outside of Europe, and it is best-known in its home country, France. It faces a continued struggle to enter the North American IAM market. Gartner doesn't have enough information to rate this vendor.
  • Open Systems Management (OSM) is best-known for its Unix-based access control offering. It also has a UP product – COSuser – that supports the heterogeneous IT infrastructure. Gartner doesn't have enough information to rate this vendor.
  • Proginet (no workflow) is best-known in the market as an original equipment manufacturer (OEM) vendor of password synchronization software. With its acquisition of Blockade in January 2005, it acquired a UP product along with some mainframe access control products. Its UP offering has limited capability overall, including no workflow, no approval processing nor attestation reporting. Proginet wants to continue its OEM software strategy with its UP offering.
  • Safestone Technologies' (no workflow) UP offering is a basic security administration tool that works well for the SMB market. However, it doesn't have the breadth of capability that one would want in a complete UP offering – there is no workflow and approval processing, nor is there attestation capability. It interfaces with IBM's EIM framework for ESSO. It offers a subscription pricing model with a three-year minimum.
Added
This is the first UP Magic Quadrant. Therefore, all vendors are considered new.

Dropped
Not applicable.

Evaluation Criteria
Ability to Execute
Gartner considers the UP market to be a maturing market. Therefore, many Ability to Execute subcriteria were ranked, but the following most influenced our ratings.

Product/Service

  • Support for a heterogeneous runtime environment – Diversity is good (for example, the UP product runs in a Java 2 Platform, Enterprise Edition [J2EE] environment and is certified to run on a number of application servers and operating systems), and the UP product can use different technologies for the authoritative repository (such as Lightweight Directory Access Protocol [LDAP], RDBMS, Active Directory/Active Directory Application Mode [AD/ADAM]). Running on only one operating environment (such as operating system and application server) is a negative.
  • One product vs. multiple purchased components that make up the UP offering – Packaging core UP capabilities as one product is good (for example, workflow is not a separate product, provisioning capabilities are not separate from deprovisioning, and so forth). This subcriterion is not meant to detract from vendor products that are modularized (for example, a Web service, or another workflow engine that could not be used, or a module that stands on its own and can be sold separately – for example, password management).
  • Workflow – Automating business rules is complex, and none of the UP vendor offerings in this area are perfect. UP product workflow should: support "nested" workflows and subworkflows; be persistent (for example, does the product know on its own that a follow-up e-mail to the hiring manager is required 60 days into a contingent worker's employment); provide an approval framework (such as serial, parallel [all], parallel [any one], parallel [quorum] processing); provide notification within UP tool (via e-mail, via pager, via SMS, escalation); and provide templates of common UP activities (for example, add a user, disable a user, and so on). Coding and scripting should not be required except in the most unique business policy/rule automation case. A graphical interface is a positive.
  • Connectors – There should be a graphical interface to manage and maintain connectors, and a wizard to create new connectors. Having to write a Perl script or C++ code is a negative. The connector should contain only the actions required to do account management on the target system and not be tied to workflow. The workflow should call the connector to provision a role/identity.
  • User account management – As noted above, administering users via roles is not the only method to be used. UP products should support: direct user setup, cloning of user access, and role-based provisioning (with explicit roles, inheritance, and so on). UP products should also have certain routines out-of-the-box that most implementations require (for example, unique ID generation, user profile attribute synchronization, user ID correlation and mapping, and access reconciliation and synchronization in response to changes made at the target system).
  • Role-based provisioning complexity – Roles alone are not enough: You need to fine-tune roles by applying rules to reduce the number of actual roles required. Access should be provisioned using attributes that have their values derived during the provisioning process rather than using hard-coded attribute values. For example, instead of using two roles to distinguish between locations for users with the same access, you need only one role and one rule that provisions the user to the correct e-mail server based on the user's location attribute value. The product should not force the customer to implement roles to provision user access; rather, the product should allow for manual provisioning of a user, cloning of a new user from an existing user, and role-based provisioning.
  • Derived attribute values – Hard-coding attribute values (such as a list of approvers), is a bad technique and makes the management of the UP implementation more difficult in response to changing business needs. Deriving the value of an attribute by using a formula or parameter list while processing a workflow or rule is good.
  • User interfaces – The UP product is accessed by a number of people in a number of ways. Support should be provided for: self-service access request initiation; delegated administration with no limit to the number of levels; an administrative graphical user interface (GUI); and a management GUI for request approval; attestation reporting; and so on.
  • Virtual directory support – Virtual directory technology allows enterprises to aggregate identity information from multiple sources into a single logical view, instead of having another physical repository of identity information. It also enables information to be exposed in controlled subsets, allowing identity information to be more easily transported across legal or national boundaries. The virtual directory could be used as the UP tool's authoritative repository.
  • Reporting – A number of reports should be supported by the UP product out-of-the-box, including: by user, resource, role, rule, location, policy, event log entries (UP events, including user access changes, workflow management and workflow execution actions), role management actions, product administrative changes, configuration changes, and attestation reporting for regulatory compliance that uses core provisioning applications' workflow and includes exception reporting and management sign-off (attestation).
  • Integration with other IAM components – Administrative integration with other IAM tools, such as ESSO, WAM, and strong authentication, is important, especially if the UP vendor has its own offerings in any of these areas.
Sales Execution/Pricing
  • Pricing – Core per-user pricing, including different license types (perpetual, subscription, package pricing), and additional (hidden) costs for software and hardware to support the UP implementation.
Table 1. Ability to Execute Evaluation Criteria
Evaluation CriteriaWeighting
Product/Servicehigh
Overall Viability (Business Unit, Financial, Strategy, Organization)standard
Sales Execution/Pricingstandard
Market Responsiveness and Track Recordstandard
Marketing Executionstandard
Customer Experiencestandard
Operationsstandard
Source: Gartner (April 2006)

Completeness of Vision
Completeness of vision for this Magic Quadrant has two main focuses: UP vendors are looking outside of the core IT account marketplace and integrating with the broader provisioning capabilities of the enterprise (for example, asset management, software distribution, facilities management, vertical markets), and they are broadening their sales channel by working with SIs and other partners. Again, because the UP market is considered a maturing market by Gartner, many Completeness of Vision subcriteria were ranked, but the following most influenced our ratings.

Market Understanding

  • Role management for enterprises (RME) – Full RME capabilities don't have to be native capabilities within the UP product. Partnering with an RME vendor, in addition to the role-based provisioning features defined under Ability to Execute, are considered positive.
  • Resource access management (RAM) – Partnerships with RAM vendors, and better yet, capabilities from the UP vendors that address a particular system, are considered positive.
  • Service Provisioning Markup Language (SPML) support – Although not a big demand from customers at this point in time, SPML will become a key requirement when federated identity management and Web services have more traction in the market.
  • ITSM support – Looking beyond the workforce identity context to expand into a broader provisioning context means linking to asset management, configuration management and help desk management products, and so on. Such integration is a positive.
  • Facilities management – With the market seeing some overlap between information security and physical security, a number of enterprises are expanding their IdM processes to physical access to corporate facilities.
Sales Strategy
  • Business development – If the provider doesn't have its own offering outside of UP, what type of partnerships it is forming within the IAM market, for WAM, ESSO and RME, and outside the IAM market, for asset management, configuration management, encryption key management, handheld device management and facilities management. These partnerships allow the UP implementation to expand into synergistic relationships for user access management. Examples would be a new laptop issued for a new hire, confidential information not downloaded to the user's handheld device, the generation of a facility access badge, and so on.
  • Partnerships with SIs – Implementing a UP product is not simple. The technology is the easy part, whereas the processes around managing workforce access are not. Technology providers of UP software should focus on what they do best – software development – and bring in SIs with process re-engineering expertise for the implementation. Support by Tier 1 SIs, along with the associated investment by that firm in that vendor, is a demonstration of market presence for that vendor.
Vertical/Industry Strategy
  • SMB support – The pool of UP prospects is increasing because enterprises with smaller user counts (fewer than 2,500) want to implement UP tools.
  • Industry-specific support – Industry-specific knowledge of IdM processes can lead to one UP vendor garnering a larger share of that market than others. Providing connectors for industry-specific applications, and providing templates for roles and workflows are good entry points into a specific market.
Geographic Strategy
  • Home market support – Some vendors know their limitations and are focused on their own home market only. We give them credit for that.
  • International distribution – The North American market is more active in UP than the rest of the world. However, many opportunities exist in Europe, South America, Australia and Asia/Pacific. Selling to these markets is different because they don't have as strong a regulatory push as does the North American market from the Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act and Gramm-Leach-Bliley Act. Vendors outside North America face these challenges and must compete in the more active North American market against strongly positioned domestic vendors. All vendors should have international support through direct sales support, SIs, VARs and managed service providers (MSPs).
Table 2. Completeness of Vision Evaluation Criteria
Evaluation CriteriaWeighting
Market Understandinghigh
Marketing Strategystandard
Sales Strategyhigh
Offering (Product) Strategystandard
Business Modelstandard
Vertical/Industry Strategyhigh
Innovationstandard
Geographic Strategystandard
Source: Gartner (April 2006)

Leaders
Leaders demonstrate balanced progress and effort in all execution and vision categories. Their actions raise the competitive bar for all products in the market, and they can change the course of the industry. A leading vendor is not a default choice for every buyer, and clients are warned not to assume that they should buy only from the Leaders quadrant. Some clients may actually feel that leaders are spreading efforts too thinly and not pursuing their special needs.

Sun Microsystems and IBM Tivoli have dominated the UP market for the past two years. Of all the UP vendors, they have the largest installed bases, and they have leading product capabilities. Also, they both have strong sales and marketing teams that have made them the winners they are. Oracle now has an extremely strong UP product through the Thor Technologies acquisition and the organizational force behind it, so that it will be the IAM force to be reckoned with. Thor on its own could not have achieved the same success.

Challengers
Challengers have solid products that address the typical needs of the UP market, with strong sales, visibility and clout that add up to higher execution than niche players. Challengers are good at winning contracts, but they do so by competing on basic functions rather than on advanced features. Challengers are efficient and expedient choices to narrowly defined access problems. Many clients consider challengers to be the conservative safe alternative to niche players.

Challengers in this Magic Quadrant all have strong product capabilities, but they have fewer production deployments than the leaders. Their business model, overall product strength, marketing strategy and business partnerships vary and, hence, has kept them from breaking into the Leaders quadrant. Courion has demonstrated consistent vision and execution in meeting the needs of the UP market, especially in the area of role management. Beta Systems, BMC Software, CA and Novell have been in the UP market for some time and have been making steady progress, albeit with a bump or two along the way. M-Tech has been succeeding in the UP market in a more tactical manner. M-Tech has been building special features based on specific customer demand (for example, organization chart generation, rather than broad usage, such as role management). HP is new to the UP market, but it has the organizational strength to make much progress during 2006. It is this set of vendors from which Gartner expects the greatest amount of progress during the next 18 months.

Visionaries
Visionaries invest in the leading/"bleeding"-edge features that will be significant in the next generation of products and that will give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they lack the execution influence to outmaneuver challengers and leaders. Clients pick visionaries for best-of-breed features, and in the case of small vendors, they may enjoy more personal attention.

In this Magic Quadrant, there are no visionaries, because no vendor has introduced such leading-edge capabilities for how UP or IdM activities are performed without having the market execution to show for it; hence, they would be a challenger or a leader. Providing a product whose architecture is a SOA is innovative, but it is one of a number of criteria that makes a vendor be visionary.

Niche Players
Niche players offer viable, dependable solutions that meet the typical needs of buyers, especially in a particular industry or geographic region. Niche players are less likely to appear on shortlists but fare well when given a chance. While they generally lack the clout to change the course of the market, they should not be regarded as merely following the leaders. Niche players may address subsets of the overall market, and often they can do so more efficiently than the leaders. Clients tend to pick niche players when stability and focus on a few important functions and features are more important than a "wide and long" road map.

Niche players in this Magic Quadrant comprises the following vendors:

  • MaXware, nCipher, Siemens and Voelcker Informatik have been in the UP market for some time, but they have limited market presence because of limitations in their product capability or business strategy, or both.
  • Avatier and Fischer International are new entrants to the UP market, and because of their SOA UP product architecture, they are expected to make good progress in 2006.
  • Sentillion has a strong UP offering developed for and marketed to the healthcare industry only.
  • Microsoft has a basic UP product in MIIS and relies on partners to round out its offering. However, lower costs and the growth in Active Directory as the central enterprise authentication service will likely propel Microsoft into the Leaders quadrant within the next 24 months.

Vendor Comments
Avatier
Avatier Identity Management Suite (AIMS) – Account Creator, Account Terminator and Identity Enforcer – v.6.0 – 15 August 2005
Avatier (pure play) started in the password management market and developed its Microsoft .NET and Sun Java SOA architecture UP offering through tactical customer requests, as is reflected in its current multiple module configuration: Account Creator, Account Terminator and Identity Enforcer. Avatier's road map for the products includes merging the three modules under a common graphical interface during the second half of 2006 and adding support for the following functions currently missing in their product: a multilevel approval processing workflow engine, SOD, attestation reporting and SPML support. A unique feature of the Avatier UP offering is real-time multilingual support. The current (and future) offering only runs on the Microsoft .NET platform with an MS-SQL repository for its audit repository (it uses an existing Active Directory deployment for the authoritative repository); however, their use of Web services for connector development will ease support for the heterogeneous IT infrastructure. Avatier's pricing is well-suited for the SMB market. Its ease of implementation as a result of the SOA product architecture should be of interest to all enterprises. With only one SI partnership (started in January 2006), Avatier needs to expand their business partners – SIs and non-UP IAM component vendors – to ensure growth in large enterprises and internationally.

Beta Systems
SAM Jupiter – v.3.4 – August 2005
The Beta Systems' (pure play) Java-based SAM Jupiter product, developed by Schumann Security Software, was one of the earliest shipping security administration products released in 1994. Schumann was sold to Systor, a Swiss consulting firm, in January 2000. Because of the insolvency of Systor's German consulting division, the UP division was sold in February 2003 to Beta Systems, best-known as an IT operations software vendor. Beta Systems' marketing efforts and resulting UP sales have been stronger in Europe than in North America. To add to its UP offering, Beta acquired Focal Point from Okiok in December 2005 for ESSO. SAM Jupiter has the best role-based provisioning support in the market, including a role-mining module. It is one of the few vendors that can perform RAM on a number of target systems, and it also has SPML support. Beta has expanded from its original mainframe-only runtime environment to a Unix-based offering. It also offers a Windows version of SAM Jupiter and a special pricing program for the SMB market. SAM Jupiter does not take advantage of Web services within the architecture, and it has no out-of-the-box attestation reporting support. Beta must enhance its sales and marketing efforts, especially in North America, to be back on the shortlist of large enterprises.

BMC Software
BMC Identity Management Suite – BMC User Administration and Provisioning – v.5.0 – 30 September 2005
BMC Software's (suite) acquisitions of Calendra (January 2005) and OpenNetwork Technologies (March 2005) demonstrate its commitment to the IAM market. The acquisitions were much-needed because BMC had lost significant "mind share" during the past three years or so because of its lack of useful workflow and other IAM components, primarily WAM. With Calendra, BMC acquired good workflow, white and yellow pages capability as well as a directory-centric application development environment. With OpenNetwork, BMC acquired WAM and UP products for both the Microsoft and heterogeneous IT infrastructure. The Microsoft-focused OpenNetwork UP offering was very beneficial; BMC used this technology and introduced a .NET offering in January 2006, making it the first suite vendor to have both Java and .NET UP products. This .NET offering makes BMC a good choice for a UP enhancement module, compared with Microsoft's MIIS UP offering, for functions such as workflow, role management, SPML support and connectors, which MIIS doesn't currently support. BMC also has partnered with Consul Risk Management to deliver broader audit and compliance reporting capability than most other UP vendors. And, BMC markets its UP offering with integration to some of its business services management product line for ITSM support. Even though BMC has its own dedicated IAM international sales force, it must establish a partnership with a Tier 1 SI to ensure entry to large IAM enterprise deals.

CA
CA Identity Manager r8 (Integrated CA eTrust Admin and Netegrity IdentityMinder) – January 2006
CA's (suite) acquisition (November 2004) of Netegrity mainly for WAM and federation left CA with two UP offerings: eTrust Admin (frequently reported as one of the hardest UP products to implement) and Netegrity's eProvision (Netegrity acquired Business Layers, a pure-play UP vendor, in December 2003). With the Netegrity acquisition, the CA IAM product management team has stabilized with a combined CA, Netegrity and Business Layers team, and Netegrity personnel is leading the team – a good result. However, in addition to regulatory limitations that restricted, and therefore delayed, communications between the two companies, CA was slow to articulate to the market its integration road map for the two UP products. This resulted in a bit of confusion and mind share gap for the direction of the CA UP offering. But, in January 2006, CA released a combined Java-based UP offering, newly named "Identity Manager r8," with better end-user interfaces and SPML support. This new offering has both a software perpetual license and subscription-based pricing model. All core connectors are bundled into the base offering, with CA charging extra only for Resource Access Control Facility (RACF), SAP, Oracle applications, and so on. CA is also an ITSM vendor, and it is the only vendor that currently has a common workflow module across its IAM and ITSM products. A connector development wizard capability is in development for General Availability (GA) in the third quarter of 2006. eTrust Directory is required for the "identity map" – a mapping of users to all of their IT accounts. CA needs to continue its product modernization efforts and focus on developing stronger SI partnerships. With a new CEO in John Swainson from IBM, CA is successfully changing its corporate culture and improving it market reputation as a software vendor. Therefore, CA is well-placed to become a UP market leader within the next 24 months.

Courion
Courion Enterprise Provisioning Suite – AccountCourier – v.7.30 – December 2005
Courion (pure play) entered the IAM market with PasswordCourier, a password management product. As with M-Tech, it logically expanded into the broader IAM market with UP. Courion has come a long way from its early days when its marketing was better than the product. Although it doesn't have a large number of production deployments, Courion has demonstrated consistent execution of its product vision, especially in the area of role management, with both role mining and role development. Courion is also the vendor that has best articulated the business benefits of automated UP. Its industry-focused marketing strategy is a demonstration of this point. Courion is one of only a few vendors (Sentillion and Siemens being the others) with strong support for the healthcare industry, where deep application provisioning is required. As a UP pure-play vendor, Courion integrates with a number of ITSM products, including Remedy, Peregrine and MRO. AccountCourier has SPML support, but it does not take advantage of Web services, and it has no version control over workflow (a growing need for audit/compliance). Although Courion runs in a Windows environment (it plans a Unix release in the second half of 2007), it is not a common add-on to Microsoft's MIIS UP product. For Courion to remain independent, it needs to deliver a Unix-based UP offering and develop its international distribution through VARs and SI partnerships. It also needs to have a strong WAM go-to-market partner for broader sales opportunities.

Fischer International
Fischer Identity Suite – Fischer Provisioning – v.2.2 – December 2005
The newest vendor in the UP market, Fischer International (pure play), owned by Addison Fischer – an early expert in the information security field – introduced its UP product in May 2005. The UP management team is very strong, with members having a variety of industry IT experience. The product has been designed and developed from "the bottom up" using Java and an SOA framework. The company has been very aggressive in pricing – a tactic often seen in early vendors trying to obtain market share and, therefore, very attractive to the SMB market. The UP product has the ability to discover resources on the network (IT resource discovery), and it has PDA support for approval processing. Limitations in the current UP offering include: no out-of-the-box attestation reporting, no enterprise-level role management and no SPML support. Because of its SOA architecture and the financial strength of the company, Fischer has the potential of becoming a UP challenger during the next 24 months. But it must move quickly on the business partnership front, including a Tier 1 SI partner (an activity that it has just started to do), international sales channels (Fischer currently sells into the North American market only), and other IAM component vendors.

HP
HP OpenView Identity and Access Management – HP OpenView Select Identity – v.4.0 – 31 January 2006
HP (suite) is one of the newest vendors that has been buying its way into the IAM market with the acquisitions of: the Select Access software from Baltimore for WAM (July 2003), TruLogica for UP (March 2004), and TrustGenix for federation (December 2005 – following a prior OEM agreement going back to November 2004). So far, it has executed successfully with no missteps along the way. Fortunately, it has changed the original TruLogica marketing message that the product was a "context identity management" tool, a distinction that the market did not understand. HP now refers to the unique approach to packaging its policies, workflows, forms, roles and rules as business service identity management. HP's IAM sales are split 50-50 between North America and Europe, demonstrating its strong organization sales, marketing and consulting support. Because of the integration with OpenView, Select Identity can play a role in ITSM, such as service life cycle management, resource discovery, help desk and configuration management database operations. HP will include its new Select Audit module (June 2006 GA) for attestation reporting and extended SOD support in the core suite pricing. SPML support is available today. HP – with a strong IAM suite – has strong SI partnerships that now need to be further mined for international distribution and entry into large-enterprise deals. HP will add more focus to the SMB market later in 2006 when it adds JBoss as a platform for its solution – consistent with HP's strong commitment to the Java application development environment, although an offering based on a Microsoft platform seems to be the current direction for this market.

IBM Tivoli
IBM Tivoli Identity Manager (ITIM) – v.4.6 – 28 June 2005
IBM Tivoli (suite) was a very early buyer of IAM technologies: Dascom in September 1999, Metamerge in June 2002 and Access360 in October 2002. IBM's acquisition of Metamerge for virtual directory technology, now renamed Tivoli Directory Integrator (TDI), was a good move, and many of the Access360 connectors have been replaced with TDI connectors. IBM had one significant misstep after the acquisition of Access360 – trying too quickly to convert to the WebSphere application server environment; resulting in customers suffering through those implementations, although IBM was "at their side" throughout. Even so, it has become a leader in the UP market because of strong workflow, connector management and production deployment change management features, the number of "blue" shops (ITIM has been developed using a J2EE/WebSphere platform) and enterprise software deals. Attestation reporting, called "recertification," is built into the core UP product, as is SPML support. ITIM has no core product SOD support; partners such as Vaau and Eurekify provide it. To further enhance its role management capabilities, it is partnering with Bridgestream. In March 2006, it announced ITIM Express – a UP product for enterprises with fewer than 5,000 users. Thirty connectors are available with the core Express offering, and applications such as SAP are available for an additional fee. SMBs can trade up to the full ITIM product if they so desire. IBM Global Services is IBM's premier SI, but IBM has other strong Tier I SI partnerships.

M-Tech
M-Tech Identity Management Suite – ID-Synch – v.4.0 – 29 September 2005
M-Tech (pure play) is a privately owned business that had its start in the IAM market with a password management offering – P-Synch. As with Courion, it needed to expand into other areas of IAM, so UP was a logical area into which to expand. M-Tech has been a very consistent vendor in both product development and deployment. Innovation has come through add-on modules, such as ID-Org (an organization chart generation tool good for smaller firms that don't have an organization chart reporting capability), ID-Certify for audit/compliance attestation reporting, and ID-Access for Windows RAM. M-Tech also has SPML support. With the acquisition of Thor by Oracle, M-Tech has been working with RSA Security for RSA deals that require UP (Thor was RSA's UP partner until the acquisition). ID-Synch, a Windows-based runtime environment, is the most proprietary application infrastructure of all the UP vendor products. However, customers report that it is easily configurable, lowering implementation costs and making it a good choice for outsourcing and MSP companies that need fast and multiple deployments. This Windows-based platform has contributed to M-Tech's partnership with Microsoft. Although strong in business development, M-Tech must develop SI partnerships to get more market share. It should consider re-architecting its UP product on newer technologies (for example, .NET), and expand its IAM business partners to win larger IAM deals.

MaXware
MaXware Identity Center – v.8.0.687 – 26 August 2005
MaXware (suite) is a vendor that started in the metadirectory market and evolved its offering into a UP product. It has other IAM components as well (such as federation and a virtual directory). The product is developed in a Java architecture with some Web services support. It is the only vendor that reports using LAMP – an open-source application development platform that includes Linux, Apache, MySQL and PHP (also known as Hypertext Preprocessor). It has SPML support, but there is no out-of-the-box attestation reporting; however, its attestation template has recently been available since March 2006. To make MaXware a well-known IAM vendor, it must enhance its SI partnerships with Tier 1 players and follow through on its recent reinvestment in their worldwide marketing program.

Microsoft
Microsoft Identity Integration Server
Microsoft's (suite) UP offering, developed on the .NET platform, was originally built as a metadirectory product that now supports much of the heterogeneous IT infrastructure (connectors for SAP, PeopleSoft, CA-ACF2 and CA-Top Secret are in the works) and provides RAM for all Microsoft systems, LDAP v.3 and RDBMS. However, it is a set of modules that must be integrated to make up a basic UP product. For example, workflow capability comes through BizTalk, with Visual Studio required for complex workflow and rule support, and Unix support comes through Services for Unix. There is no support for SPML, role management nor out-of-the-box reporting of any kind, although customers can use their existing reporting products to get access to the data in the MS-SQL database. Gartner's assessment of MIIS as a UP offering is that it is very much a consulting engagement. However, customers report that the software license fees and integration costs are so much lower than other UP product deployments, that it is worth the effort. Microsoft has not productized capability (for example, workflow templates, developed by Microsoft Consulting Services from its deployments). Microsoft's next planned release in the second half of 2007 will be comparable with today's UP product offerings, with workflow provided at the Windows server level. Add-on products from M-Tech and BMC can be currently used to round out the UP offering for workflow, role management and connectors that are not currently available through MIIS. However, for enterprises (such as K-12 education market) in which there is little need for workflow and more-sophisticated UP capabilities, MIIS is adequate.

But because the two different strategies to solving the security administration problem – middleware vs. enterprise access management – are not well-articulated nor understood in the market, comparing MIIS with a middleware UP product will result in MIIS not measuring up 100 percent. However, through business partners, lower software and professional services costs, and the growth of Active Directory as the central enterprise authentication service, the Microsoft approach will likely be a compelling choice within the next 24 months.

nCipher
nCipher Provisor – User, Group and Compliance Manager – v.5.3.1 – 3 February 2006
nCipher (pure play) bought its way into the UP market with the acquisition of Abridean in October 2005. nCipher brought to the table a larger channel to sell in to and sell from. The Abridean product management team currently is still intact, and the Abridean sales team has been integrated into an overlay team with the existing nCipher sales force. The February 2006 announcement that SafeNet planned to acquire nCipher is no longer in play, eliminating the potential risk to existing Abridean customers of such an acquisition. The nCipher strategy of expanding UP with credential management, database security and digital rights management is irrelevant for most enterprises in the short term (less than three years); the limited current market need is mainly for the Payment Card Industry (PCI) and California Bill 1386 (CA-1386) support. The product is a good Java-based UP product, with SPML support, and success has come mainly in the SMB market. One feature that Abridean had before most of the other UP vendors was Windows RAM – shares, folders, printers, e-mail distribution lists. The product's ability to split Active Directory into multiple management domains is a valuable tool when needing to have different people, perhaps from different companies, manage just their slice of Active Directory. Pricing is done on a per-user basis as well as a subscription basis. For enterprises with a workforce of fewer than 5,000 employees, there is a flat-fee pricing of $50,000, making this product a good choice for the SMB market. The Compliance Manager product is an add-on module. nCipher must beef up its project management methodologies and partner with a Tier 1 SI to succeed at larger UP deals.

Novell
Identity Manager 3 – December 2005
Novell (suite) was one of the vendors that took its meta directory product and evolved it into a Java-based UP product. Because earlier versions of its UP product were based on the meta directory product, it has strong data synchronization and RAM capabilities, but it lacked certain core UP functions, such as self-service password reset and workflow, and it required a fair amount of consulting work for implementation. Novell has continually enhanced its UP offering (for example, graphical interface for connector management and SPML support), and with the introduction of Identity Manager 3, it has a product that provides very good UP capabilities, albeit with a few oddities (such as, template workflow by the number of approval steps rather than UP function, for example, add a new user). The workflow module is priced separately from the core UP module. Identity Manager 3 has attestation reporting, but it does not use workflow, so that attestation reporting is its own integrated process for management review and follow-up actions. Novell has done a good job in focusing on the federal and state government sectors with their IAM offerings, and overall customer satisfaction is high. To be the success it wants to be, Novell must be more strategic by adding capabilities around RME, ensure it has a Tier 1 SI (many of its implementations are done by Novell Consulting) and provide a solution for the SMB market. Novell has done a good job selling its UP solutions to its target customers; however, Novell's target audience is too narrow. Gartner wants Novell to expand its marketing and sales efforts to a broader range of customers.

Oracle
Xellerate Identity Manager – 31 January 2006
Oracle (suite) bought into the IAM market with acquisitions of Phaos (May 2004), Oblix (March 2005), Thor Technologies (a small, pure-play J2EE UP vendor in the UP market for eight years that catered to large financial services organizations, December 2005) and OctetString (December 2005). In a short time, it has amassed a very strong management team and IAM technology portfolio. Adding its January 2005 PeopleSoft acquisition for HR management, Oracle is positioning itself to be the "mover and shaker" in the IAM market. To date, Oracle is fulfilling on its strategy in delivering an integrated product suite. Its IAM road map looks the best of all vendors, including an offering for fine-grained authorization (only BEA Systems and Securent currently have such an offering). Pricing for the IAM suite includes the following modules: federation, access manager, virtual directory and OID, UP, and the Audit/Compliance Manager module for attestation reporting. Oracle's acquisition of Thor was a good move because it had no UP product outside of its own Oracle product suite. It also left RSA Security with a gap in its IAM suite because it had a strong partnership with Thor before the Oracle acquisition. Administrative SOD enforcement is native to the UP product (through the "explicit deny" access policies function), with violations reporting through the Web application. Reporting of SOD violations will be available in the second half of 2006. Real-time enforcement of SOD policies is available through Oracle's Internal Control Manager (ICM) product, which currently supports the Oracle eBusiness Suite. The product has good production deployment change management features and has SPML support. Oracle partners with Bridgestream for RME capability. With PeopleSoft being a leading HR application, we will continue to look for progress on Oracle selling its IdM suite through this channel.

Sentillion
Vergence – v.1.8 – January 2006
Sentillion (suite) has been dedicated to the healthcare industry from its inception – no surprise given the background of its founder – a good thing for healthcare because the industry's needs are unique. What makes healthcare so different from other industries from the IAM perspective is the need to provision deeply into the application, and the healthcare industry has very complex role relationships and delegated administration needs (for example, a doctor is a contractor from an employment perspective, a patient for personal medical services, a faculty member if the facility is a teaching hospital, a grant worker if the hospital is an R&D facility, and so forth). Sentillion can provision to every one of the major healthcare applications and suite. Sentillion's open-source community, IdMPOWER, provides members with the ability to share IdM software adapters for all types of clinical and nonclinical applications. Combined with its other IAM offerings (which provide in essence a "physician's portal"), including single sign-on and HL7 Clinical Context Object Workgroup (CCOW) support, Sentillion is a lead choice for healthcare enterprises. However, the UP product does not offer attestation reporting nor SPML support. Reporting of historical views of access must be done by copying the information to an SQL database and reporting from there. There is no version control on workflow. For Sentillion to grow (80 percent of its business is in the United States and 20 percent in Canada), it must have business partnerships with leading healthcare SIs and software vendors – it can no longer rely on its direct sales channel. Sentillion also needs to watch other UP vendors, such as CA, Courion and Siemens, which sell successfully into the healthcare market, by having relationships with their own medical software businesses, their own medical consulting practices or healthcare software vendors.

Siemens
HiPath SIcurity DirX – v.7.0 – August 2005
Siemens (suite) is another vendor that started in the metadirectory market and evolved its offering into a J2EE UP product. Currently, it is better known in Germany and Europe than in other regions, and it recently enhanced its U.S.-based sales and marketing program. The September 2005 announced agreement with SAP for UP should make it much better-known. And in March 2006, it announced the acquisition of Okiok's "Global Trust" WAM product, thereby enhancing its HiPath SIcurity DirX Access product. Siemens is unique in that it offers a UP product specific to facilities management (partnering with its Siemens Building Technologies [SBT] division) – a development that Gartner will be watching closely, given all the discussion on the overlap between information and physical security. It also has partnered with its Siemens Medical Solutions division to offer a UP product that is integrated with its healthcare software. As with the other German-based UP vendors, Siemens has strong support for role-based provisioning; it also has SPML support. Current product feature limitations include: no out-of-the-box attestation reporting support, no Web services support, little UP product event logging and no version control on workflow. Its success will depend on continuing management focus and investment in geographic regions other than Germany. To do this, it must have at least one Tier 1 SI. Siemens has no SI partnerships today.

Sun Microsystems
Sun Java System Identity Manager – Identity Manager – v.6.0 – 20 January 2006
When Sun (suite) acquired Waveset in December 2003, it stated that it would retain its heterogeneous runtime environment. It did. Sun also executed on its IAM road map, putting it in the lead with a Java Platform, Enterprise Edition (Java EE) product with strong workflow, connector management and end-user interfaces. The UP product also has SPML support. The Sun IAM management team is very strong. As with Oracle, it is partnering with Bridgestream for RME. Sun offers a perpetual pricing license and a subscription model ($50 per user per year, with no discounting for the Identity Management Suite). However, Sun deeply discounts its perpetual license deals, especially if enterprises run the product on Sun hardware. Its Identity Auditor module is priced separately. For enterprises with fewer than 5,000 users, Gartner advises enterprises go with the subscription pricing model, or look to a vendor with a more SMB-friendly price point. Sun is introducing a telecommunications industry focus, a potentially huge market for data and services provisioning to millions of cellular phones. Other vendors' customer references report that Sun can be heavy-handed when pitted against Microsoft, and this behavior has lost Sun a deal or two. Sun has a strong global business partner and SI presence that can continue to be successful.

Voelcker Informatik
ActiveEntry – ActiveEntry 3.1 – 1 April 2005
Voelcker (pure play) is a .NET and Mono UP vendor that currently markets its offerings in only Germany, Austria and Switzerland. Its UP product is part of a broader ITSM suite covering asset management provisioning and software management provisioning. It has a UP offering specific to the education market, can perform IT resource discovery and has the lowest maintenance of all vendors at 10 percent. The European regulated labor market creates a complex role and rule approval relationship (for example, union influence over workforce changes). As such, Voelcker has strong role management support in that it can bridge the gap between the business role and the IT role, especially as it relates to the mapping between IT and ERP systems. SPML support will be in the product by midyear 2006. It has sold mainly to the SMB market in Germany, Austria and Switzerland and has good SI partnerships there as well. To grow its business outside of this region, it must partner with other IAM vendors and SIs, and expand its sales channel through VARs.

Evaluation Criteria Definitions
Ability to Execute
Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Gartner RAS Core Research Note G00138621, Roberta J. Witty, Ant Allan, Ray Wagner, 25 April 2006

top
The Magic Quadrant is copyrighted April 2006 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

© 2006 Gartner, Inc, and/or its Affiliates. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.