[podcast] The 2019 Gartner IGA Magic Quadrant
We hope you enjoy this episode and please subscribe to our podcast for updates on new episodes!
LISTEN HERE or read the full transcript below.
*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.
Podcast #16 Full Transcript:
Identity at the Center #16: The 2019 Gartner IGA Magic Quadrant
Jeff: Welcome to Identity at the Center podcast, I'm Jeff and that's Jim.
Jim: Hi, everyone.
Jeff: Hey Jim, how you doing?
Jim: I'm doing great. I mean, considering it's a Monday and considering I'm at home, I'm looking around and asking, do I recognize this place? I haven't been here very much last month.
Jeff: What is this strange place? Four straight weeks on the road, that's a pretty good stretch for us.
Jim: It's good stretch for us. It worked, and then on the road again next week and then a little bit of a reprieve. Well, you do have it. I do, anyway. You'll be next to for.
Jeff: We have a company meeting. Have something that we're trying to light up special for the podcast and want to ruin it. I'm not going to jinx it here, but if everything works out the way they're looking for, then we might have a pretty special episode, which was pretty cool.
Jim: I think the thing that people who don't podcast probably don't realize is that when you say things need to work out, you're mostly talking about the recording being cleaning up to be worth listening to. That's the huge technical challenges recording something.
And then obviously as it's recording, you're not sure that it's going to sound will sound decent until afterwards.
Jeff: Plus, there are always the things that content. And so I'm a bit of a perfectionist when it comes to stuff like this. So, I want to make a good showing of it, the recording quality is always an issue and a challenge to address as best as you can. It's a little bit tougher sometimes depending on the environment you're at. So I was looking for quiet spots when we're when we're remote and traveling.
Jim: But if you have a lot of people joining either in-person or even by phone, I mean that, their Internet connections, like I was connecting from my hotel quite a bit last week and my goodness, hotel Wi-Fi service are spotty.
Jeff: Yeah, they're pretty terrible for the most part.
Jim: It can be really bad.
Jeff: I mean it’s fine for e-mail and stuff like that. But anything you do that requires bandwidth, high quality voice or even video certainly poses challenge. You get those drop outs like that, but, exactly. Yes. I don't think anyone is really listening to us for our take our hot takes on a hotel Wi-Fi quality or the lack thereof. What we want to talk about today is Gartner and their recently updated Identity Governance and Administration Magic Quadrant, the IGA MQ, something they put out every year and like it or not, has become the starting and sometimes the ending point for organizations when it comes to short listening products in the IGA space. that being said, there are plenty of other products that are out there and I don't think Jim or I would recommend that you only focus on Gartner MQ, but it is a pretty good start as to what you're where to look for a specific set of products when you want to get started and you're not sure where to go.
Jim: I think one of the things so, working with clients it feels like, OK, we could use the MQ, we usually do use the MQ is kind of a reference point, but anybody can redeem curer. So providing would provide value above and beyond that. But I mean, Gardner is a really good job of inventorying the space and kind of helping to define the population of what's out there and giving a decent overview of the products and how they fared over the past year, what their strategy is going forward.
So it's a really valuable piece for somebody who's doing an evaluation, let's says most of our clients anyway, hoping just to do this evaluation one time. Really look at space, choose a vendor to go forward with and hope the vendors around and in a commanding position 10 years into the future, but, I think that the challenges that most vendors all maintain that pole position for that long and so it's a challenge. I mean, you look to the leaders in this space were 10 years ago. They're not leaders anymore. They're really falling off that workflows, CA you still see IBM holding a pretty commanding position, that's kind of impressive and say they're the only big time legacy vendor who is still in the leader quadrant. But, even for the most part, when you look at IBM, this solution that has gotten there into that leader quadrant today is not the product that they had 10 years ago or so. But I still think if you're aligned with the right vendor, you're going to be in a much better position going forward.
Jeff: Ten years is a long time that I speak.
I mean, we've seen over the last couple of years vendors go from one quadrant to another to not even being raided. I guess let's touch on maybe some of the highlights that we've noticed as we kind of read through this. The first thing and I'll point out is that there are fewer vendors in the leader quadrant this year. We've got SailPoint. You've got IBM, as you mentioned, got OneIdentity, Saviyant and Omada, which is a newcomer to the leader quadrant. They've been kind of hanging around in the challengers and the kind of the visionaries’ area, but they've pulled forward into the leader's quadrant, and we've seen, like you mentioned, a couple step back. Oracle and CA have taken pretty large steps back. Actually, if you look at it, Oracle moves back into the challenge quadrant basically kind of like right dead center of the graph. And CA has moved all the way back into the niche players. So there's definitely been a separation of traditional leaders and more separation now taking place even within the leaders quadrant.
Jim: I agree. I mean, you look at where SailPoint is. Obviously, I guess not, obviously, but there. They have the pole position right now. They're the leaders in terms of the ability to execute and completeness of vision, which is that's what the matrix is kind of based on. When you look at Magic Quadrant and I'd say there is still there game to lose. Saviynt is a vendor that has made tremendous strides, they're I'd say their overall looking like the number two ranked vendor here within the quadrant. IBM has a higher completeness of vision.
But I think, what's interesting is what I keep seeing from Saviynt is they're pushing the boundaries into some of the other areas of IAM such a privilege access management. So I think their completeness division is going to continue to grow. As you mentioned, Omada, that's it. It's kind of a vindication from my perspective in that we look at all these products and we had dummies of all these products. And that's one of the great things about being in advisory services is that we get to see so much.
And I think you and I identified Omada pretty early, about as high as a pretty damn solution, the user experience is at the forefront.
I think the investment they've made to integrate with the Microsoft platform and, to design around integration with Azure AD, that's their kind of their product differentiation, but vindication in the standpoint that we'll get all these products. I thought to myself, Omada is one that people need keep an eye on.
Jeff: There is the European based company that's definitely made a lot of strides to try and break more into the US market.
I think that's why you've seen them jump up kind of going up, that ability to execute, trying to get more partners, to be able to leverage professional services against them. But, I think you and I both agree. It’s been it's been a couple of years now since I've seen Omada and continue to see their product. And every time, you know, it shows really well, same thing for Saviynt. I was like what they see from them. I think they've grown quite a bit on their on their ability to deliver as well. They do a lot of changes and a lot of kind of like DevOps when it comes to their own products will be interesting to see how they continue to keep pace with that as they grow their customer base. But, I think the one that continues to impress me, SailPoint they've been in the leader quadrant and the leader quadrant, really the pole position of that leader quadrant for years now, what, four or five years at least.
Jim: Something like fifteen.
Jeff: And that's tough to do, right, to stay ahead. You've got a lot of these different products. And I think Saviynt is starting to kind of nip at their heels a little bit. But that's good for customers because it drives innovation then and having competition the marketplace. So I think that's impressive to kind of be up there for so long and to maintain that leadership is is a good sign.
Jim: I think there's a good place to start was kind of one the positive one that's kind of on the negative side is, first Microsoft. Microsoft used to be listed here. They are not.
Jeff: Yeah. They have fallen off completely.
They do not have a true IGA product, I think that meets the vision here when they deprecated the behold acquisition and the technology is there as part of it and so forth, I think that really hurt them and they know that. I mean, they're working on getting Azure back up to speed. So I think they're taking a strategic step here where they know that on-premise type technologies that they have set with men maybe aren't the future. They're really trying to leverage Azure. And I think they're gonna be poised for a pretty big comeback because they have such a large installed base already with Azure for people. People are using Office 365 and as they get that component of their IGA component of Azure back up to speed. And so you don't feature complete or not complete, but feature parity with men moving forward and adding continue to add additional features would surprise me to see them back up into the leader’s quadrant or close their quadrant over the next few years.
Jim: I agree and I think that the big thing with Microsoft is that they can move into this quadrant and move to the upper right very quickly. We did see some previews of their IGA capabilities at the Gardner IAM summit last December. I'm hoping that to get a refresh view of that, and just as some with this coming December kind of seen some things I don't want to call the member roadmap, because I don't think that's really what Microsoft is calling it, kind of a vision for where men is heading. And, , my take away from it was that I don't believe that Microsoft is going to heavily invest in men. They're not going to change the products that they're looking at it more as like an on premise provisioning and identity administration tool. But they're their focus and their investment is going to be on Azure AD capabilities. This support for men service pack to goes all the way out to I think it's like twenty, twenty six. So you're going to be supported for quite a while if you build your infrastructure on men. And the reason I think that's important is that if you've kind of built your infrastructure on men and you're thinking about moving into this IGA space, you probably are the type of organization I want to know, whereas Microsoft heading right up to at least look at Microsoft's capabilities before writing and not be on the magic quadrant, and from that perspective, but I think if I was in a customer position where I was replacing many infrastructure, I want Microsoft to come in and kind of talk to me about where they're going with the Azure AD, IGA capabilities and timeline and roadmap.
My feeling is that there's still going to be a couple of years behind the SailPoint and Saviynt to the world and Omada. And those guys also therefore provide a tremendous value add on top of what Microsoft is bundling in the EMS package. Otherwise, why would anybody go out there, Meyer? I mean, almost there, I should say a large percentage of organizations are going out and having to buy at least some level of the mass if they're using Office 365 for e-mails and for office. Why not kind of leverage the services kind of being thrown to them? Well, that's the reason to not leverage it would be if you have a lot of security features available in another package, say SailPoint, for example, that just makes it a compelling system that you need to move toward.
Jeff: I think the key part of what you mentioned there is the timeline, right. When are they going to be including these kind of standardized features now at this point that make IGA what it is? If it's going to be two, three years, can an organization wait that long? You're right. Maybe they're trying to address something from a compliance perspective or a more immediate need. They may not be able to wait. I think it's a kind of an interesting track to follow because we saw something similar in the access management space with Microsoft being not really kind of considered a player. And now they've moved up into the leader quadrant after a couple of years of investment on their Azure access management side. So I have a feeling we'll see the same on the IGA side. I just wonder when it'll take place and if organizations can wait that long. One thing to consider would be there is strategic guidance from Gartner. And I think this is something that we've seen as well, is that you want a clean system going in any talk sort of IGA implementation. So, I think this is an opportunity for vendors that have a very good access certification process that layers on top of what's already out. There might be a way for some of these products to kind of make an inroads against men and things like that where it's like, hey, let's get SailPoint or Saviynt or Omada and help us out with some access reviews and access revocations to make sure that access appropriate. And that's sort of a door that gets opened up. OK. Hey, we could do these other things. And then you start to look at, well, does it make sense to using them over? Do we shift over to, one of the newer products out there in the IGA space to just leverage technology that we're already using for the server occasion side of things?
Jim: I think that's a great point, Jeff, so, a couple they're just things they have noticed in terms of vendors, you're missing Aveksa and Core security. Aveksa used to be They're neck and neck with SailPoint in terms of kind of 1 and 2 in the IGA space, Core security formerly Courion they've been in the identity shape prior to the IGA quadrant, Figures for IGA call Quadros or is going back probably a decade. These guys have been the main players I know, at least in one of the quadrants or upper right now they have some divestiture and MNA that took place in anyway; they're not even covered at this point. So I found that kind of interesting.
Jeff: Yeah. Courion is where I cut my teeth. That was the first IGA album, probably IAG at that point mentation that I went through; bring it into a couple of organizations, actually.
But they have certainly kind of fallen off from your idea. I haven't really seen as much of a focus on the IGA component. Now they're doing some other things around security and learning and events and stuff like that. So, yeah, as you mentioned, they went through different acquisitions and mergers and divestitures and stuff like that. So I think they're still kind of working through that process, but, little is my first one fall off the table. But that's what's going to happen, hurry up with it.
Jim: Well, my first two were Oracle and CA. And there we're working their way out selling, but, I think what it is, is it just goes to show you, you don't pick a vendor that is going to be on here, you may wind up psycho or something that you know, you need to get off of quickly. And so what can you actually do about that? I think the only thing you can do is, one of your evaluation criteria has to be how forward looking is this company? Or are they just kind of, doing kind of meet to follow the leader or are they the leader? Are they the ones who are pushing the boundary? I know that SailPoint is that they're coming out with like a risk engine and integrating identity analytics into the access requests and access certification process. They're doing that before I really saw anyone else kind of going after that. And that tells me that they're. They want to be leaders in this space. And, that kind of stuff is, I'd say like a risky investment for a vendor because they're trying to roll out functionality before the market may be demanding it before there is a fully mature market for it. But it puts them in the position of being the first mover. And I think that’s indicative of them being a thought leader and somebody who will be around in the leaders in a leadership position for years to come, Jeff.
Jeff: it's an interesting question because you know what? What happens if you pick something?
But let's say you pick a product that is not a leader. What is the risk of it falling off completely, not making the meet strategic needs down the road or what is the projected path of it moving forward? I think saviynt would be a good example of that where they weren't a leader for a few years, kind of a newer product, but their path has been up versus these other paths like Oracle, CA , Microsoft and Core, who have continued to trend down and even off in some cases. It's an interesting thing because a lot of times these products are very sticky and you end up forgetting something and you hope it’s great. You hope it's there for ten years or longer. But that may not be the case, things change, etc. And a lot of times that's a definer when it comes to a program, success or not, if the technology is continuing to keep pace with the program needs for the organization, so, what do you do when you’ve got a product that is good now, but let's say in five years isn't meeting your needs anymore. Making that shift out of a product is sometimes a nuclear option. And I think a lot of people kind of recognize that and they end up sticking with something longer, hoping it makes a rebound or at some point, they kind of bite the bullet and decide, OK, now it's time to make a change.
And then another vendor was kind of swoops in and tries to take the business.
Jim: And I think a lot of times that decision comes down to like how quickly company will move on, that is how happy they were with the solutions if they had it rolled out. Very happy then, and it's like, well, they're still alive and they're still offering support and we're happy. But if you were never that happy with it in the first place and it kind of expedites the decision. This is we're talking, though. I was thinking of a couple of things you're saying.
You mentioned Saviynt and they started outside the leader. They've been in the leader quadrant for a while. And you know what we'll do when they're outside the leader quadrant? They were up and coming and they were the company that was going to be there. And let's be honest, there are probably a lot more a lot less expensive. I mean, once you get that pole position in the leader quadrant, you put yourself in a position where you command a premium price. And whether you're looking at IGA or access management, we hear that from clients a lot. Is that, well, they don't put it in these terms, but when they talk about the vendors who are in these leadership positions, is that their extent, their solutions are very expensive. And so when you have very expensive solutions, I think, obviously you're paying for the success that has already been there and projected future success. But if you can get in on one of these non-leaders who are going to move in to the leadership position, then I think you can get a better you can look on a better price. So, Jeff, I'm going to challenge you and say look at the quadrant. Who do you think? if you're a betting man, you can't pick SailPoint. If you're a betting man, who's going to move the furthest to the right and who would be the vendor that you think is going to get maybe the dark horse.
Jeff: So I was at a SailPoint is can we consider Saviynt? That was as saving in a dark horse at this point. I think they continue to grow by. I like what I'm seeing from them.
Jim: Well, I think you can. I think you can look at Saviynt as a dark horse. I mean, it's a safe bet they're going to give you too much credit for that, but, honestly, I was going to go with Omada just because I like what I've seen. And I think that, there's still quite an issue between Omada and SailPoint. I'm not saying they're going to catch them, but I think Omada gives you the opportunity to kind of still get in early.
Jeff: I think there's just as a visibility problem. I don't think people really know about Omada. I think they're trying to make strides again in the U.S. market, But when you mentioned Omada to someone, everyone's know SailPoint, people are starting to become familiar with Saviynt and other kind of legacy big vendors, but no one really knows in the US at least what Omada is or what it does. I think that's the challenge that they face is can they get into more people's faces and at least get into the demo kind of cycle of a company. Most companies are going to take a look at one, two, maybe three products and then kind of go from there. If they're able to make that shortlist, I think they're going have a much better time.
I do like what I see from them, but I think so you put me on the spot and I remember I put you on the spot several episodes ago and you gave me a cheesy answer. So I'm going to give you a cheesy answer right back. I think you're going to continue to see SailPoint and Saviynt stretch leads. And I think you're going to see just further differentiation between SailPoint and Saviynt maybe Omada and IBM. I think IBM will be an interesting one because I don't think people truly kind of look at them as, hey, we're going to put something brand new in and they have a lot of different products that kind of cobble together to create the right solution. So I think they'll just continue to hang around very similar to kind of like what Oracle has done for years, where they have a lot of features, but it may be a little more difficult to implement. But my cheese answer will be that I think you just continue to see the separation of SailPoint, Saviynt, and I think maybe some other ones will kind of come up a little bit forward and you'll see the bottom left start to move even further down.
Jim: Is there any it will end the quadrant, anyone missing from the quadrant that you think?
Jeff: There's always blockchain. You'll see a blockchain vendor out here too soon for that, I mean, I think there are some other ones that have gotten some honorable mentions since it was in the past. Like Turbo things that I don't know if there's anything that's truly kind of jumped out yet. I think maybe when we get to Gartner; maybe we'll see some new products there, if they have a booth. But, I think it takes a lot to break into this quadrant. These are well established organizations right there adding I think at a minimum inclusion is you have to add 50 new customers net new in a year. So that precludes a lot of smaller vendors who are just kind of starting out.
Jim: You mentioned Turbo. I think that's a really cool solution. But I think by the time they get to 50 new customers a year, it's going to be a couple of years down the road. I look; obviously, I mentioned Microsoft as a Microsoft will be in the leader quadrant within two years. That's my crystal ball answer. But I've already seen kind of the, the show Intel last year or they had some identity governance. They've already got the identity. So we're going past management. It's just kind of taking that next step into, having a good access request workflow. I mean, look, it's not simple. Maybe it's simple, but they've got the resources to really track those. The other one that I see making strides into user management, user provision, user lifecycle management, what they call it is off that I know they want to be in this space. And, you know, I think a good customer base, they've got their hands on a lot of identities. And now it's just kind of taking that mix shift. I think the thing for Omada to really move up until the right is exactly what you said in terms of exposure, visibility. It's also they've got to show that they have value add over what Microsoft, terrorism, the EMS, which I think they're way ahead in in those terms. But I think that has to continue to be the positioning because there's such a Microsoft focus, their partnership with Microsoft is kind of the focus of their solution. So they either would have changed the messaging that to become more of a heterogeneous play like I think SailPoint and Saviynt or if we're going to say, look, Microsoft gets you, so far that's not far enough. We get you the rest of the way.
Jeff: When you talk about Microsoft and Okta, I think it's really interesting because they are both focused on cloud based solution, cloud based provisioning. And as organizations shift away from those on premise applications, I think that becomes kind of a doorway to having more cloud provisioning. So I don't see, in the short term Okta being able to do an on premise SAP integration as well as the leaders right now that are out there. But once I say, if they have stopped moving from cloud mainframes into cloud-based solutions, those sorts of things. And that really is going to be the kind of door to let Cloud IGA really take off.
Jim: I think that there's probably going to be a shift in the provision space.
I mean, again, crystal ball here is I remember the Web access management space 10 years ago. The big focus was what agency have? So do you have a Lotus domino agent, Javison agent, IS agent and all these things. You could integrate your web apps back to the mothership and then a Loncom, Okta , Ping, and all the web’s best. So verandahs and they're saying integrate, with SAML and now and so integrate with OpenID Connect. And so it's a shift toward open centers. And you know, I could see provisioning moving toward open center. So we lost the connectors you going to find with even Sailpoint, Saviynt and then the other top vendors are going to be. RDBMS connects a relational database or a flat-ball connector, eldership Connector was then we'll also have SAP Connector or Collapse Connector, an epic connector and healthcare.
I don't see Okta really moving in that proprietary connector space, but more say we have open source connector. You want to use our system to provision again this crystal ball. This is having a vision to the company strategy here. But if I was good, the integration for which I would favor would be a risk connector relationally believes. Alba has open standard based connectors or will shabbiest standards not proprietary connectors for applications, which limit you somewhat. But again, I think what happens is that it puts the onus back on the applications to come halfway. You meet you halfway, and that's really what happened with SAML, I remember in my early days in access management, it was like, we wanted all these connectors because we didn't want to have to force the application to change. And what happened with Samuel and organization standing up. So SAML systems what we support and you need to change your application to integrate. If you don't currently support SAML and there are a lot of solutions out there that up SAML and maybe build their applications. But it wasn't just that you guys had to change. We're going to give you an easy way to integrate with our solution. It was our standard and you're going to find a way that you're going to have to change your application.
Jeff: And it's such a plan, what drives inclusion of standards into applications? If I'm building a new app today, I want to build it on standards SAML, SSO, SCIM and those sorts of things and make my app very extensible APIs and that is an API as they have a well documented API. I think that's something that sets Okta apart from a lot of different vendors as they have a really good developer portal right where there's a lot of documentation and a lot of stuff that is done with them. Is does API driven and can be API driven? So I think that's important from an application standpoint. As you start to look at the IGA vendors, at what point does it matter for custom connectors or client server connectors, things like epic and the ones that you mentioned? Are people going to care? Does it make sense to buy a product that is still looking at kind of legacy connections? And if you know, who cares? Focus on the other things. Work on things that are standards based and the things are not standard base. You figure out whether or not it makes sense to include IGA or not.
Jim: Exactly, one of the last things I wanted to talk about was within this report, Gartner kind of kicked it off by saying is different strategic planning assumptions and that there's a big focus on analytics and machine learning and artificial intelligence.
I think that what that means is the ability for applications to do predictive analysis in terms of are you have these entitlements on the shoes or already, based on what other people have, you may also want to request this. So it's kind of like, when you go to Amazon, it's kind of trying to steer your path toward what you might really need to simplify your identity provisioning process. I think also, in terms of access certifications being doing micro certifications, so mostly organization with that we come into contact with are doing actual certifications on an annual basis or quarterly basis and they're much more static. But I think there is a shift. We’ve been talking about it for a long time. Like, this is great functionality that you can have it, which is based on the event, I just lock out my password, and you unlock it. So reset education based on that, just for that one user, just to make sure that they didn't get walked out another they're locking out their password and resetting or something like that, And the third thing that I think vendors will start to query, we've already seen it I mentioned earlier on cell point side is evaluating risk. What is the risk of that a user possesses? You can use that for certification or access for cost processes. What is the risk of the entitlements that they're attempting to be provision to? And so using risk as an element to drive workflows for reviews and recertification. I think that's kind of the the next big thing when it comes to identity governance. Because what do we keep hearing clients is like rubber-stamping because of the overload associated with too many approvals, too much data coming their way. So how can you reduce the amount of things that they need to process or is, I sending them less suddenly, doing fewer things to read, fewer things going through and what you need? The way to do that is by sending them the high risk things and maybe the low risk things, you don't recertify as much or ever. Maybe you don't even really need to have an approval. If if the risk is so low, why bother a manager with having to approve it and potentially creating a fatigue associated with having too much to approve?
Jeff: I agree with all that. It makes a lot of sense and I think that is probably a good spot where we can leave it for this show.
Where do you get this report? I think that the best answer for that, because I don't want to promote any specific vendor, would be just does it any of the leaders. I'm sure they'll have a plaster on their front page, an exchange of email address. I'm sure they'll be happy to give you a link for it.
You can also get it from Gartner directly if you got a Gartner subscription or if you want to purchase important specifically, but I got mine from one of the leaders, so I won't say which one in exchange for my e-mail address.
And here we are.
Jim: Jeff, the report was called the Gardner Magic Quadrant for Identity, Governance and Administration, who published on October 9th of 2019,Apparently, it's a 64 minute read.
Jeff: Yeah, and then they cover each of the vendors kind of cover strengths and weaknesses on each and kind of where they're out in the market, sounds about right.
Jim: I just think it's very interesting how they can lose sixty four minutes. It must be a algorithm.
Jeff: machine learning, everything of machine learning. Most people are just going to pick it up. Look at the Quadrant, OK, and then pick up the vendors that they care about and then read this those sections.
I read the whole thing, there’s obviously a lot of other vendors that are out there that are worth the time consideration because this quadrant does focus more on mid and large sized businesses. So you feel about smaller or maybe smaller mid may be a better fit out there. So I would encourage folks to do their due diligence, take this with as as a data point, but not necessarily make it your sole data point making a decision.
Jim: Good advice Jeff
Jeff: Let's call it for this week. And thank you all for listening. If you've got questions, feel free to e-mail firstname.lastname@example.org. If you're looking for show notes, we typically will put them at the bottom of the podcast description. Each of different services handles a little bit differently. So it's tough to say where they'll be.
But if you visit identityathecenter.com we’ll have a list of all different shows and underneath each of those will be the show notes. You can always find them there as well. Take care and thanks!