Identity and Access Mgmt. Observatory Panel

ITDM Feedback on the State of IAM

Erik Bradley | ETR Research | March 22, 2024

ETR Insights presents a panel discussion with four security executives exploring the rapid transformation within identity and access management (IAM). This panel discusses the state of identity and access management, gathering feedback from security experts and discussing ETR’s proprietary Market Array data. The experts discuss IAM’s role in implementing zero-trust models, the balance between security and user experience amidst the transition to cloud computing, the impact of product spending intentions on security architecture, and the complexities of calculating ROI for identity and access management tools. The panel of experts addresses the impact of high-profile breaches, highlighting the importance of MFA, directory tie-ins, and password management solutions, and notes the importance of seamless updates and per-user licensing to accommodate growing device numbers.

Vendors Mentioned: 1Password / BeyondTrust / Cisco / CyberArk / Delinea / HashiCorp / IBM / JumpCloud / Microsoft / Oasis / Okta / OneLogin / Oracle / Ping Identity / RSA / SailPoint / Splunk / Thoma Bravo

Read on to learn more about the strategic positioning of specialists versus generalists in identity management, why niche vendors must innovate to stand out, what product features these executives consider “table stakes” for any vendor, and why there may be a coming convergence of IAM and PAM tools.

Panel Commentary

State of IAM Overview. A CISO and Vice President of IT for a travel and hospitality enterprise describes a rapidly evolving identity management landscape, which now incorporates services, APIs, and third-party integrations. “The need for evolution and innovation in the identity space is going to become more and more paramount for these companies to be able to compete.” Another CISO at a large business services firm points to convergence within the security sector simplifying security management, versus the traditional model of integrating “best-of-breed” solutions, although, “In the short run this creates a lot of uncertainty in which provider to go with.”

For the Head of Identity and Access Management at a large financial institution, identity management is a critical part of cutting-edge concepts like zero trust, though they note many organizations are still grappling with fundamental challenges like single sign-on and multi-factor authentication. “There is a huge divide where vendors are solving the third generation of problems, while companies still struggle with sometimes the first generation of problems.” The CISO and Vice President of IT at a defense manufacturing firm is balancing security and user experience. “It seems like every time we put another layer of security in place, it makes it more difficult for the end user.” For them, the transition to cloud computing has added another layer of complexity to identity management.

Product spending intentions within identity access. One CISO is leveraging its existing E5 and G5 licenses to take advantage of multiple Microsoft services, from encryption and virus protection to mobile device management. “We have all of our US employees on the government level M365 cloud, so we've been trying to move towards Microsoft for more and more packages, as we feel as though the product is mature enough.” They are presently testing Azure Active Directory and expect to adopt it shortly. Another attributes Microsoft's dominance in directories and conditional access policies to their market penetration and established relationships through Active Directory. “Renaming Azure Active Directory to Entra ID is a controversial topic, but I think it's a masterstroke. With more and more companies using cloud, there has to be some sense of control over client or cloud identities – and Entra ID, using the federation feature, really does a great job of that.” They have seen the use of CyberArk, SailPoint, and Okta fluctuate. “SailPoint has started getting some stiff competition. So does CyberArk, with workload identity management coming in.”

Another VP is similarly positive on Entra ID. “I'd say not only does Microsoft do a great job with bundling to make it kind of a no-brainer, but it's actually a pretty good product as well.” Their peers have already begun to abandon “legacy” RSA, Oracle, and IBM for identity access. “On the flip side, the numbers for Okta were a little surprising to me. I know that they've suffered few breaches, and I'm sure a lot of that is related to nervousness after those breaches, but [the attrition] is a little higher than I even expected.”

A CISO within travel and hospitality notes a universal uptick in spending intentions within the identity management space; identity remains a cornerstone of security architecture, particularly in the context of zero-trust models. “[With zero trust], we’ve established a stronger perimeter around identity, so naturally, it's going to be targeted.” They point out that people were once skeptical of Microsoft’s ability to dominate endpoint encryption and that the company might employ a similar strategy within identity management. “We used to all pay for endpoint encryption, and then Microsoft just made it part of the packaging, and it became free and commodity. [Maybe] they are going to go after some of those other enterprise technologies.”

ROI for identity and access management tools. These experts share their thoughts on the complexities of calculating ROI and the factors influencing technology adoption. “For certain aspects of identity, the ROI can be exceptionally long, especially on the IGA side. If you ask someone what the average time is to deploy a product like SailPoint, they'd probably say three years right before you're fully deployed.” Another panelist agrees. “The IGA space is taking more time to really prove their return of investment, like SailPoint and Saviynt. Every tool across IGA, you would see a five to seven-year timeline around that as well.”

One executive again notes the value of Microsoft’s E5 bundled services, though these may be costly for companies not already on this tier. Another CISO feels there is a natural advantage to solutions like 1Password and JumpCloud, which provide a lot of value for money. “Even if [legacy players] are giving you the value that you need, it's coming at a higher cost, which makes the ROI lower, which is where I put things like IBM, Oracle, and SailPoint.”

Microsoft is seen as an enduring solution, versus services like Ping—now merging with ForgeRock—which have shorter anticipated lifespans. “We went with Ping, and it was short-term, and I knew it would be short-term until we figured out what we really wanted to do,” says a manufacturing CISO. “But when you get into companies like Microsoft and Oracle, you think of them as more long-term, more bundled services, more enterprise-level.”

That's where we will stop for now, but our clients can read the entire expert feedback panel report on the ETR platform for more direct vendor evaluation, discussions about IAM features, the impact of security breaches on the marketplace, and much more. The Observatory for Identity and Access Mgmt. Tools can be accessed here, but the supporting Market Array data is available by subscription only.

If you're not yet an ETR Member, you can reach out to us for this report at service@etr.ai or request your own free trial and gain access to our entire research platform, which includes data coverage of more than 700 enterprise technology vendors and technologies, industry-leading market research, and a library full of end-user commentary and vendor evaluation. If you have any involvement in the enterprise technology sphere, you need to check it out.

Enterprise Technology Research (ETR) is a technology market research firm that leverages proprietary data from our targeted IT decision maker (ITDM) community to provide actionable insights about spending intentions and industry trends. Since 2010, we have worked diligently at achieving one goal: eliminating the need for opinions in enterprise research, which are often formed from incomplete, biased, and statistically insignificant data. Our community of ITDMs represents $1+ trillion in annual IT spend and is positioned to provide best-in-class customer/evaluator perspectives. ETR’s proprietary data and insights from this community empower institutional investors, technology companies, and ITDMs to navigate the complex enterprise technology landscape amid an expanding marketplace. Discover what ETR can do for you at www.etr.ai