The ITAM Review

News, reviews and resources for worldwide ITAM, SAM and Licensing professionals.

Market Guide: Identity & Access Management (IAM)

This guide to Identity & Access Management tools is the first in a series of Market Guides looking at technologies and services that sit adjacent to ITAM in large enterprises. The purpose of this series is to provide an introduction for ITAM professionals to the tools used by their key stakeholders. By doing so, we will identify areas of overlap in tooling and further opportunities for collaboration. ITAM starts with Trustworthy Data, so it makes sense to look at the market for tools which may provide data and services of use to ITAM teams.

What is Identity & Access Management?

For the purpose of this Market Guide we define Identity & Access Management (IAM) in accordance with ISO/IEC 24760-1:2019. In short, this standard defines IAM in terms of a lifecycle and actions (referred to as transitions in the standard). Tools in this Market Guide will manage the full lifecycle:

Identity & Access Management Lifecycle

And support the required lifecycle transitions.

Identity & Access Management Transitions

Why is IAM important for IT Asset Management?

Quite simply: we’re moving to a per-user subscription licensed norm. This doesn’t fit the traditional way of managing IT assets as well as per-device licensing does. In part, we as ITAM managers pay attention to hardware devices because of per-device licensing. We’re incentivised to do so because hardware may be consuming a license which can be harvested and reissued, resulting in a cost saving or cost avoidance. With the move to user-based subscription licensing we now have a reason to pay closer attention to who is using a particular software application – because they’re consuming a license which could be harvested and reissued.

However, our existing tools don’t necessarily have the rich user data we need to efficiently optimise subscription licenses. We don’t own the IAM process, the IAM team does. Remember, ITAM tools often grew from tools used by IT Ops to manage hardware – such as Altiris or other Service Desk tools, and it is the same for managing subscription licensing. Enterprise SaaS Management providers often provide direct connections to IAM providers, enabling enhanced discovery, inventory, and optimisation of SaaS subscriptions.

Mapping the IAM lifecycle to the ITAM lifecycle

There is a close mapping between IAM and ITAM, meaning it is relatively easy to integrate tools and processes between these management domains.

Identity & Access Management Lifecycle mapped to ITAM

All IAM lifecycle steps are of relevance to ITAM teams, but the ‘Active’ and ‘Suspended’/‘Archived’ stages are of most importance as those stages typically involve license or subscription consumption. For example, a license to access Office 365 will be allocated (Established) by the IAM team and becomes Active on first login. From an ITAM perspective the subscription at that point becomes a candidate for optimisation – and the IAM system can provide key data such as whether the application is in use, which can then be used to optimise subscription allocation.

Beyond this core interaction IAM tools are also important from an operational perspective for ITAM. One of the key capabilities many of these tools offer is Single Sign On (SSO) – centralising both the login process and the allocation of login accounts. In this way IAM tools support potential ITAM deliverables around application deployment and onboarding/offboarding. For example, IAM tools can effectively deprovision (Suspend/Archive) accounts automatically when an employee leaves an organisation.

Market Overview

IAM as a concept started on-premises at the dawn of client-server computing with technologies such as Kerberos & NTLM built into Windows NT/Windows Server. These on-premises tools enabled IT departments to use the user’s Windows Login/password to authenticate compatible client/server applications, reducing the need for multiple accounts and passwords and improving application security. Alongside this account management capability, solutions were built to improve authentication in the form of proprietary Two Factor Authentication (2FA) solutions such as RSA SecurID. Currently, the market is built around open standards developed in the mid-2000s with SAML & OAuth being particularly important. Most internet users will be familiar with smartphone authentication apps built around such standards, which provide 2FA login tokens (usually a 6-digit number) via app or text message.

Growth in this market has accelerated alongside the growth of SaaS and IaaS. The need to secure the large number of SaaS applications (on average 88 apps across all company sizes, and 175 in larger enterprises) mandates the use of new tools. Imagine trying to onboard each new employee with access to even a quarter of those applications, and, more importantly, making sure that they’re offboarded immediately when they leave the organisation. This is a very different proposition to managing desktop applications where a typical user may have accessed most of their productivity apps simply by logging in to their PC. Removing access in that case wasn’t as critical, because physical security (the user no longer having access to the office) ensured data and applications were secured when the employee left.

Other growth factors include a rise in regulatory obligations – PCI-DSS, HIPAA, GDPR, and so on – and also a recognition that cyber-attacks are becoming more prevalent and more damaging. Use of personal devices, particularly in today’s “work anywhere” approach to business is a further growth factor, as is the erosion of the secure IT perimeter due to the internet replacing the corporate network.

In preparing this guide we reviewed other analyst reports and on average the IAM tools and services market is expected to double in size by 2025. This is still a niche area – total revenue is expected to be in the range of $20-$30bn by then, but the addressable market is large. Such imminent growth will attract new entrants, perhaps focusing on the mid-market whilst the major players carve up the lucrative enterprise sector.

Inclusion Criteria

In compiling this guide, we sought to include a wide variety of solutions in terms of cost, target organisation size, and geographies. If you are a vendor with an IAM solution that integrates with ITAM tools and processes and are not included, please contact us for possible inclusion in a later revision.

Representative Vendors

Auth0 Identity & Access Management

Name: Auth0

Description: Auth0 provide IAM capabilities specifically focused on meeting application developer needs. Founded in 2013 and headquartered in Washington, USA, they were recently acquired (March 2021) by Okta in a $6.5bn deal.

Offer price: POA

Application Category: IAM

Author: AJ Witt

Dashlane $8

Name: Dashlane

Description: Dashlane provides Password Management and SSO for business and personal customers. Headquartered in New York, they were founded in 2009 and provide IAM services to over 20,000 businesses worldwide.

Offer price: $8 per user per month

Application Category: IAM

Author: AJ Witt

Duo Security

Name: Duo Security

Description: Duo Security, now a Cisco company, offer enterprise IAM services including MFA, Device Trust, SSO, Adaptive Access Policies, and secure remote access to VPN solutions. Duo were founded in 2008, are headquartered in Michigan, and were acquired by Cisco in 2018 for $2.4bn.

Offer price: $3 - $9 per user per month

Application Category: IAM

Author: AJ Witt

ForgeRock Identity Platform

Description: ForgeRock provide enterprise-grade IAM solutions including cutting-edge options such as passwordless and usernameless authentication.

Application Category: IAM

Google Cloud Identity

Name: Google Cloud Identity

Description: Google Cloud Identity provides SSO, MFA, and Endpoint Management services.

Offer price: $6 per user per month

Application Category: IAM

JumpCloud

Name: JumpCloud

Description: JumpCloud provides users with one identity to access all of their resources. Integration with HR systems and major SaaS providers streamlines the onboarding and offboarding process, supporting remote work. Founded in 2012 and based in Colorado, they are privately held and completed a $100m funding round in early 2021.

Application Category: IAM

Author: AJ Witt

LastPass Enterprise Identity $9

Name: LastPass Enterprise Identity

Description: LastPass Enterprise Identity provides centralised Identity, Single Sign On (SSO), and Password Management tools at enterprise scale. LastPass were founded in 2008 and acquired by LogMeIn in 2015 for $110m. They are based in Virginia, USA.

Offer price: $9 per user per month

Application Category: IAM

Author: AJ Witt

Microsoft Azure Active Directory $0 - $9

Name: Microsoft Azure Active Directory

Description: Microsoft Azure Active Directory basic/free plans include identity management, SSO, and onboarding/offboarding support. For enterprises, a range of paid-for plans is available, costing between $6 - $9 per user per month, depending on features.

Offer price: $0 - $9 per user per month

Application Category: IAM

NetIQ Identity & Access Management

Name: NetIQ Identity & Access Management

Description: NetIQ, now part of Micro Focus, provides a full enterprise Identity & Access Management suite of products. These solutions are modular and integrate with a wide range of other solutions.

Application Category: IAM

Author: AJ Witt

Okta

Name: Okta

Description: Okta provide a full range of IAM products and services, enabling businesses to issue identities to users and customers, onboard and offboard employees automatically, and offer MFA services. Founded in 2009, they went public in 2017 and are headquartered in San Francisco.

Application Category: IAM

OneLogin

Name: OneLogin

Description: OneLogin were founded in 2009, are privately held, and headquartered in San Francisco. They offer a full range of enterprise-grade IAM tools and solutions including MFA, passwordless, SSO, Application Provisioning, and Cloud Directory. In addition, they also offer solutions to secure consumer (B2C) accounts.

Application Category: IAM

Ping Identity Workforce

Name: Ping Identity Workforce

Description: Ping Identity provide enterprise-grade IAM services using their Workforce360 solution platform. IAM services include SSO, onboarding/offboarding, passwordless authentication, and identity risk management reporting. Ping Identity, founded in 2002, are publicly-traded and headquartered in Denver, Colorado.

Application Category: IAM

Sailpoint Identity Platform

Name: Sailpoint Identity Platform

Description: Sailpoint, founded in 2005, publicly held, and headquartered in Austin, Texas, provide IAM solutions via Sailpoint Identity Platform. This enterprise-scale provider integrates IAM with other cyber security and governance, risk, and compliance domains. Sailpoint Identity Platform enables MFA, SSO, and application provisioning.

Application Category: IAM
