G00211482

Cool Vendors in Identity and Access Management, 2011

Published: 21 April 2011

Analyst(s): Ray Wagner, John Girard, Gregg Kreizman, Ant Allan, Earl Perkins, Perry Carpenter

Several segments of the identity and access management (IAM) market continue to experience significant innovation in technology, product and service offerings. Chief information security officers and other security professionals should familiarize themselves with Gartner's 2011 Cool Vendors in IAM, and with the potential business benefits they offer.

Key Findings

■ Startups and other niche vendors, rather than established major players, continue to drive much of the innovation in the IAM market. These aggressive, newer vendors offer innovative and enhanced technologies, but the usual concerns about new market entrants' capabilities and viability may limit enterprises' willingness to commit to their offerings.

Recommendations

■ Consider innovative products and services — including those from Gartner's 2011 Cool Vendors — when evaluating products and services to address IAM requirements. However, recognize that these offerings are not appropriate for all enterprises or all implementations. They are likely to be more suitable for Type-A Gartner clients (technologically sophisticated early adopters) than for more risk-averse Type-B or Type-C clients.

■ Choose IAM products or services for their real-world workability, vendor capabilities and viability, as well as for their technological innovation.

Analysis

This research does not constitute an exhaustive list of vendors in any given technology area, but rather is designed to highlight interesting, new and innovative vendors, products and services. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

What You Need to Know

Gartner has once again identified a set of very strong Cool Vendors in IAM. These up-and-coming technology providers offer IAM products and services based on a broad range of technological approaches and delivery models. One trend that is clearly identifiable throughout their offerings is a serious attempt to deliver IAM components that enhance the user experience to support mission-critical business decisions. These vendors' highly innovative technologies and business models may not be suitable for every enterprise's needs — all enterprises must deal with the usual challenges when facing new market entrants and new technologies — but their offerings are well worth evaluating. For assessments of Cool Vendors in three other important security market segments, see "Cool Vendors in Cloud Security Services, 2011," "Cool Vendors in Infrastructure Protection, 2011" and "Cool Vendors in User and Data Security, 2011."

AuthenWare

Miami, Florida (www.authenware.com)

Analysis by Ant Allan and John Girard

Why Cool: AuthenWare offers a practicable, behavioral, biometric authentication technology based on typing rhythm (also known as keystroke dynamics) — i.e., the cadence of a user's typing. This technique is rather attractive because the keyboard is a ubiquitous capture device and requires minimal change in user behavior. Other vendors offer this authentication method, but AuthenWare Technology is differentiated by being simple to implement (scalable; AuthenWare claims more than 75 million users) and robust (for example, it has a built-in defense against software "mimic" attacks, it evaluates additional user behavior, as well as contextual information, and it is the only typing rhythm product that can claim Common Criteria certification at Evaluation Assurance Level 2+), as well as providing good user experience (it is transportable across different endpoints, which extends its sampling techniques to touchscreen interactions on smartphones and tablets, and it offers a low false nonmatch rate).


Although it is a U.S. company, AuthenWare began building its market in Europe, where it has gained several clients, notably the multinational telecommunications carrier Telefonica and two Spanish government agencies. It has also expanded internationally, with government, media and banking clients in South Africa and Latin America. It has been increasingly active in marketing and sales in the Americas through 2010. The management team has substantial experience in technology markets (with backgrounds in companies such as BEA Systems, Citrix Systems, Fuego and Plumtree Software). Many Gartner clients report that they have a positive view of AuthenWare.

Challenges: AuthenWare's biometric authentication method adds a true second authentication factor to an existing legacy password, without adding another device or agent, and without adversely impacting user experience. Nonetheless, it remains unclear whether it provides the high level of assurance that some enterprises will need in some high-risk use cases. An enterprise could layer AuthenWare Technology with another vendor's method to increase assurance, but that would add cost and complexity and would erode the user experience. However, like other biometric authentication methods, AuthenWare's approach hinders account sharing and, thus, provides a higher level of accountability than, for example, personal-identification-number-protected smart cards with public-key infrastructure credentials. AuthenWare is one of more than a hundred authentication vendors that focus on a single class of authentication method. Such "pure play" vendors face the challenges of competing with established vendors that offer a broad portfolio of authentication methods to meet varied needs. A partnership with such an established vendor — which would typically lack a biometric authentication offering — could be fruitful for AuthenWare. If the company wishes to target financial services and adjacent markets, then it will also need to establish partnerships with Web fraud detection vendors. AuthenWare must also pursue an agent-based solution to the client-side interaction to ultimately become part of the login defense for mobile devices, because without an agent, its use will remain limited to online services.

Who Should Care: Information security and IAM leaders may want to evaluate AuthenWare as an alternative to traditional medium-assurance authentication methods for Web applications and Secure Sockets Layer virtual private networks. AuthenWare is of particular interest in use cases where user experience is particularly important and intrusive authentication methods are a problem for users — especially across varied endpoint devices — and where the costs of acquiring and distributing tokens would be prohibitive. Another potential benefit is that AuthenWare Technology can, in "silent" mode, provide additional input to the dynamic risk assessment used in Web fraud detection and other misuse management tools.

ForgeRock

Oslo, Norway (www.forgerock.com)

Analysis by Gregg Kreizman

Why Cool: ForgeRock supports directory, user provisioning, Web access management (WAM) and portal products based on and extending Sun Microsystems' very capable open-source software products. Prior to Sun's acquisition by Oracle, Sun's IAM stack was widely deployed and well-regarded by its customers. Oracle made Sun's role life cycle management product strategic, and incorporated some elements of Sun's other IAM products into its established products. However, Oracle is expected to phase out development of most of Sun's products over time.

ForgeRock has been able to attract former Sun developers, and has also created partnerships with established integrators who are experienced with Sun's products. The company has added and "road mapped" significant new features. These enhancements emphasize platform independence and the use of protocol and interface standards to support a world that is increasingly interconnected by services. ForgeRock is building its customer base, and has already landed some large customers — most of which are not former Sun customers.

Challenges: ForgeRock offers a mostly complete open-source IAM software stack, including WAM, federation, security token service, user provisioning, directory and virtual directory products. However, almost all this functionality is also available from other vendors with mature product offerings. ForgeRock also faces competition from open-source point solutions, and from OpenIAM for user provisioning, WAM and federation capability. "Open source" is not synonymous with "free," and most enterprises will need support, particularly if they choose to use commercial versions of the products that ForgeRock extends with new functionality. Sun's products were full-featured, but also complex to deploy. ForgeRock's marketing and sales have been focused on a technical audience, and this message will need to be adapted to resonate with CIOs, as well as personnel in enterprise lines of business, who increasingly influence IAM decisions.

Who Should Care: IAM leaders who are planning new initiatives, and who work within a corporate culture with a preference for open-source software, may wish to consider ForgeRock. They should pay particular attention to support pricing, and the potential hidden costs of customization and integration with established enterprise systems.

UnboundID

Austin, Texas (www.unboundid.com)

Analysis by Perry Carpenter

Why Cool: Traditional directory environments are built on the assumption that they should support a large number of "read" transactions, but a relatively low number of "writes." In many cases, this assumption is valid, but in large environments, the number of authentication attempts — and even the demand related to synchronization of attribute-level changes — can cause the directory to become sluggish or contain unreliable ("stale") data. This problem can impact enterprises and their customers in a number of ways. For example:

■ Sluggishness may cause customer-facing application login attempts to be unacceptably slow.

■ Sluggishness in "real time" look ups to determine security authorizations to application features may make the application seem slow or time out in some circumstances.

■ Stale data may cause customer preference settings to be inaccurate.

■ Stale data may impact regulatory compliance, if latency allows a user to access data after permission for that data was supposed to be removed.


UnboundID creates reasonably priced next-generation directory service (LDAP, proxy and synchronization) products built from the ground up, with massive scalability, security and high performance in mind, and is especially suited to the growing identity and personalization demands of Web-based, cloud-based and mobile computing backbones. UnboundID's offering is specifically built to support multitenancy, advanced replication/synchronization options, SQL-like "join" functionality, granular logging and tracking, as well as advanced options for data security and privacy.

Challenges: UnboundID faces two main obstacles:

■ Convincing customers to choose a "best-of-breed" (or "off brand") directory server to meet their identity repository needs. Since many IAM solutions include their own LDAP directories or have preferred directories, some customers may never consider a vendor such as UnboundID.

■ While UnboundID has already attained a respectable client base (13 companies comprising 350 million licenses) and impressive year-over-year growth (400% from 2009 to 2010), it focuses only on directory services, rather than on a broad range of IAM-related products and services, and this may limit its number of prospective customers.

To be truly successful, UnboundID needs to be seen as the "Rolls-Royce of directories" — but within the price range of a Kia and with the service reputation of a Honda.

Who Should Care: Enterprises or service providers that need to break traditional paradigms related to LDAP should consider UnboundID. This is especially important for enterprises with large-scale, transaction-heavy, customer-facing applications. For this reason, UnboundID is particularly well-suited for telecommunications, e-commerce, software-as-a-service (SaaS) and cloud environments.

Veriphyr

Los Altos, California (www.veriphyr.com)

Analysis by Earl Perkins

Why Cool: IAM systems need intelligence to function and to be relevant to the enterprise. This intelligence must be derived from the many disparate sources of IAM information — from directories and policy repositories to event and information logs generated by access and administration activities. If it is properly gathered and analyzed, then information can provide the answers required for a compliance audit, or prevent a disastrous access breach. Unfortunately, most enterprises have neither the time nor the resources to devote to the detailed data cleansing, collating, correlation, aggregation and analytics necessary to derive these benefits. This is where Veriphyr steps in.

Veriphyr isn't cool because it is an identity and access intelligence (IAI) provider, but rather because it delivers IAI using a SaaS model. A client delivers specific identity information to Veriphyr based on its reporting and analysis needs, and Veriphyr responds with a set of reports and analyses on topics ranging from dormant, orphaned and underused accounts to shared logins, and from patterns of activity behavior that imply common roles for groups of users to correlations of users to their many IDs. Veriphyr's premise is that users are what they do (that is, their activities and accesses), not what their managers think they do. Combining activity and access information from IAM and other systems makes it possible to discern patterns and make decisions based on the maximum intelligence possible. Many IAM vendors are able to offer parts of these capabilities, but Veriphyr's approach as a service-based intelligence provider — with a pay-for-use pricing model — is currently unique in the market.

Challenges: Veriphyr depends on the information it receives from its clients. That information must be available, and the client is assisted in extracting it and sending it. Initially, that assistance is minimal, but it can grow based on client needs. The process of preparing the data for analysis can sometimes reveal "gaps" that Veriphyr analysis must accommodate. Other types of analysis done by the company are performed by humans, rather than by analytics software, so scalability concerns will emerge as the company grows, and also if customer requirements become more complex. Veriphyr also faces the challenge of clients that are reluctant to allow sensitive identity-based information to be sent to an "outside agent" for analysis.

Who Should Care: Audit and compliance reporting providers in the enterprise are particularly interested in the nature and type of analysis and reporting provided by Veriphyr. Program managers engaged in large-scale merger-and-acquisition efforts find the quick turnaround time of service-based analysis valuable in consolidating the access profiles of employees. IT security architects and planners are also interested in tools that help to build access profiles based on actual activities, not just on the access as it has been defined.

Where Are They Now?

Lumidigm

Albuquerque, New Mexico (www.lumidigm.com)

Analysis by Ant Allan

Why Cool: In 2004, Gartner profiled Lumidigm in "Cool Vendors in Security and Privacy" and identified it as a Cool Vendor in authentication because of its novel biometric technique of skin spectroscopy, based on the discovery that every human being's skin has unique optical characteristics. We noted then that Lumidigm's challenge would be to gain credibility for its unique biometric technology in a market dominated by fingerprint, face topography and iris structure technologies.

Where Are They Now? Lumidigm reports that, before it could gain market traction, it repurposed its technology — at the request of a U.S. government agency — to develop a new kind of fingerprint sensor (capture device) using multispectral imaging. The claimed advantages of this technique are that it captures superior images quickly, on all people, in all environmental conditions. According to Lumidigm, unlike other common sensor types, performance isn't affected by moisture, dry or dirty skin, or bright ambient light. Unlike some other sensor types, multispectral imaging captures surface and subsurface ridge patterns, and analyzes the spectroscopic characteristics of the surface, thereby making it less vulnerable to facsimile attacks.


Who Should Care: A client told Gartner that one particular advantage of the Lumidigm technology is its ability to capture a fingerprint image through a medical glove. Ultrasound sensors can also do this, but they are far bulkier and more expensive, which should make Lumidigm sensors appealing to healthcare delivery organizations. Other enterprises selecting fingerprint biometric authentication also may benefit from Lumidigm's ostensibly superior performance.

Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"Application Security Technologies Enable Enterprise Security Intelligence"

"Identity and Access Intelligence: Making IAM Relevant to the Business"

"Prepare for the Emergence of Enterprise Security Intelligence"

"Q&A: Biometric Authentication Methods"

Acronym Key and Glossary Terms

IAI identity and access intelligence

IAM identity and access management

SaaS software as a service

WAM Web access management

This research is part of a set of related research pieces. See Cool Vendors 2011: Delivery and Consumption of Services Is Empowering, and Cool for an overview.
