Gartner Blog Network


End-of-Year Musings: What Do IAM Vendors Think About?

by Earl Perkins  |  December 10, 2009  |  2 Comments

As the year begins to draw to a close, I have been talking to a number of IAM vendors about their plans for the future. They in turn have been talking to me about Gartner’s view of customers’ future IAM plans. We often compare notes on what their customers are saying vs. what Gartner hears customers from everywhere saying. All of this information is funneled into the planning process for roadmaps for 2010 and beyond.

These kinds of talks are intriguing for me, because they not only reveal what IAM vendors think is the ‘next big thing’ to conquer in this market, they also force analyst and vendor alike to really think outside of the box on how to solve it. This is a classic example of trying to determine whether there is another way to address core customer concerns rather than the way we have been addressing them. Maybe a little heresy is needed here: sometimes you don’t give customers what they want, you give them what they need– IF you can be relatively sure of the real need vs. the perceived need.

Take a look at the history of IAM. What are the key problems that have been around for decades that are constant, even though there may have been two or three different attempts by vendors to address them? What has changed to (a) make new problems or (b) make the old problems worse? What is available now that can address the new face these problems present without layering or adding on a new application to the IAM portfolio or a new series of services yet again for customers to buy?

Some IAM vendors believe that one constant problem is ensuring secure access to important data– period. In their view, data is the atomic target, i.e. the smallest building block IAM must address as a distinct element when delivering services to access it securely. They also believe that changes in business have caused that data to be so ‘dispersed’ and so varied from its original starting point (e.g. extracts of databases, content created from different data elements), and accessible in so many ways (e.g. mobile, desktop, laptop), that this mission of securing access is more complex than ever.

Other vendors believe that the key to really effective IAM is knowing everything about the access event, i.e. having the pulse of identity and access events so that assessing secure access is straightforward and thorough, that reporting who has access to what, when, where and how can be done and done quickly, that finding bad guys doing bad things faster and stopping them faster is true IAM strategy. They obsess over how their products and services might create monitoring and reporting capabilities for identity actions to address such concerns. And doing that while making money too and while customers don’t go bankrupt buying the solutions. 

So are these both truly chronic problems? I think the answer to that is easy– yes! And these aren’t the only old problems that remain unsolved– I’m sure the conversations on how to solve these and others will continue.

I have one last musing, if you don’t mind. My colleagues and I were discussing the results of these vendor conversations and comparing them with our research, and we noticed how much the IAM market is like other IT markets. You see folks with specific ideas about how to solve specific IAM concerns (a “problem-let”?), and out of that arises an IAM startup that produces (with its solutions) one view of solving those specific concerns. If enough of them try to solve the same concerns, a market is born. Eventually a consolidation occurs where those concerns may be combined with related IAM concerns and an IAM suite is born. You can use whatever analogy suits you (e.g. big fish eating small fish, cells that combine into organs) but you see this cycle repeated quite often. This is free enterprise at its finest.

But vendors and analysts alike also think perhaps there is a limit to how this model serves the ultimate goal of solving long-term, chronic core problems that IAM is supposed to address. Are we really being efficient (or effective) in the way we solve chronic problems by being so focused on specific concerns that we fail to uncover a more elegant means to solve the larger problem? I’m not coming down on the side of suite vendors, and I’m not advocating some kind of monolithic think tank to bring entrepreneurs together to discuss how their particular solutions fit a broader picture, but as a customer it wouldn’t hurt next time you talk to any IAM vendor to get their opinion on the “grand vision” of IAM as delivered by their solutions. The answer may surprise (or scare) you.

And now that I’ve probably depressed everyone, Happy Holidays!

Earl Perkins
Research VP
5 years at Gartner
32 years IT industry

Earl Perkins is a research vice president in the Security and Privacy team at Gartner. His focus areas include identity and access management (IAM), including user provisioning, role life cycle management…


Thoughts on End-of-Year Musings: What Do IAM Vendors Think About?


  1. Earl,
    I read with some interest your latest blog. As you know, my colleagues and I have lived in the world you painted about the IAM marketplace – with its customer needs, chronic problems, and potential futures – for over a decade now. (I think you’ve been there as long as we have, as I recall!). As a co-founder of two start-ups focused on various aspects of identity management over the last decade, I was especially intrigued by your last observation about the repeating cycle of start-up to consolidation that we’ve seen occur, not just in the IAM market, but in multiple technology markets across the board. In my opinion, there is a set of natural (or in some cases, unnatural) circumstances that create the environment that lends itself to this cycle.
    First, for this situation to unfold, there has to be some set of rapidly evolving customer needs. In the management arena, this is often driven by rapidly evolving technology adoption (witness the markets that sprang up to support client-server architectures, the corporate use of the web, and virtualization of computing resources). It can also be driven by new security threats, regulatory requirements to which companies must adhere (witness Sarbanes-Oxley), or competitive pressures that force companies to look for ways they can quickly arrive at a more efficient operating model. These are just a few examples of drivers for rapidly evolving technology needs, but the market response to them is pretty consistent and predictable. Once the emerging need is recognized by companies, their first reaction is generally to look at their existing vendors to see if something they’ve already bought will be sufficient to address the new challenges. But, because the requirements to solve these challenges are, by definition, new (and quickly evolving), rarely do existing solutions fit the bill adequately. So a “market-needs” void is created. Into this void steps a new set of vendors, typically start-ups, who rapidly develop solutions to specifically address the unique characteristics of the new market requirements.
    Why don’t the existing vendors fill this void themselves? For one thing (and I’ve worked at some large software vendors, so I’ve seen this first-hand), they are very focused on attempting to address the needs of their customers with their existing product lines and technologies. As a result, innovation – especially rapid innovation – is actually a pretty elusive thing for them to achieve. (By the way, there are many other contributing factors to this reality, but that’s a topic for a different day…). So, the new vendors appear on the landscape to address the emerging requirements, and pretty soon, the market figures out that trying to bend and stretch their legacy solutions to fit new needs isn’t a viable option. If the market is real (meaning that the needs are legitimate and broad-based), the new vendors start to gain ground and continue to innovate at a pace which is only possible in nimble, adaptable start-up companies. At some point, the larger vendors recognize that, in order to solve their customers’ needs and compete effectively for new business, they need to gain entrance into the market through the acquisition of one or more of the newer vendors. Of course, this assumes that the newer vendors want to be acquired in the first place, and that the timing is right for all involved. When these conditions are met, the consolidation cycle begins. In my opinion, we are still in the early phases of the latest rapid-innovation cycle for the IAM market, focused on Identity Governance, so it will likely take quite some time before we see this cycle emerge again.
    Finally, given my experience in both start-ups and the large companies who acquire them, this cycle is not a bad thing. This process works very well, allowing emerging market needs and real company pain points to be satisfied in the most expedient and efficient manner. It also results in newer technologies finding their way into large software companies who have world-wide channels to take them into broader markets. Start-ups have positive outcomes, large companies acquire new technologies rapidly and efficiently, and customers have their needs met on a broad, global basis – a win-win-win situation for all. What a great industry!
    Kevin

  2. […] hubub – this stuff nearly writes itself. Speaking of which, Earl Perkins at Gartner put up an interesting question the other week that prompted some soul-searching. He wants to know what identity access management […]


