Customer Identity & Access Management (CIAM)
,
Security Operations
Consumerization of IT Has Brought CIAM Methods, Technologies to Workforce IAM Space
Perennial leaders ForgeRock, Ping Identity and IBM, along with a surging Okta, set themselves apart from the pack of CIAM vendors in the latest report by KuppingerCole analysts.
See Also: Building a Secure IoT Deployment Using 5G Wireless WAN
Ping Identity leapfrogged ForgeRock to capture the gold in product leadership, and IBM once again took the bronze. ForgeRock, Ping Identity and IBM maintained the gold, silver and bronze, respectively, in innovation leadership. And in the market leadership category, Microsoft again took gold, Auth0 catapulted from seventh to second place in market leadership due to becoming part of Okta, and SAP fell from second to third since the last report in late 2020, KuppingerCole found.
“The trend toward digitalization of consumer experiences was well underway in the late 2010s, and the COVID pandemic forced more businesses and other organizations to expedite digital transformation,” John Tolbert wrote in the 120-page report. “With every iteration of this report, we observe significant acquisitions of CIAM specialists by others in the market, and entry into the market of new vendors.”
Microsoft, Okta and IBM were the three market share leaders in the broader $13.6 billion identity and access management category last year, while Ping Identity and ForgeRock captured ninth and 10th place, according to IDC. Thoma Bravo has acquired SailPoint and plans to buy Ping and ForgeRock. Should the three companies be combined, it would take the bronze in market share, narrowly edging out IBM.
“Innovation in CIAM drives the wider IAM market,” Tolbert wrote. “The ‘consumerization of IT’ is exemplified by the push to use CIAM methods and technologies for registration, authentication, and authorization in workforce IAM. Features that were considered innovative in the previous edition of this report are going mainstream.”
Outside of the top four, here’s how KuppingerCole sees the CIAM market:
- Leader: SAP, LoginRadius, Microsoft, Transmit Security, OneWelcome, WSO2;
- Challenger: Cisaas, Cloudentity, Optimal IDM, 1Kosmos, Simeio, Synacor, CoffeeBean, Xayone, Nevis Security, NRI, ReachFive, Fusion Auth, DruID.
The latest rankings represent a drop for SAP and WSO2, which fell from third to fifth and eighth to 10th, respectively. Microsoft and OneWelcome leapt from ninth to seventh and 10th to ninth, respectively. LoginRadius held steady in sixth place, while Transmit Security – which raised $543 million last year – is new to the list.
“The CIAM market is growing and there is room for much further expansion, with many vendors offering mature solutions providing standard and deluxe features to support millions of users across every industrial sector,” Tolbert wrote. “Some vendors have about every feature one could want in a CIAM product, while others are more specialized, and thus have different kinds of technical capabilities.”
How the CIAM Leaders Climbed Their Way to the Top
| Company Name | Acquisition | Amount | Date |
|---|---|---|---|
| ForgeRock | None | N/A | N/A |
| IBM | Lighthouse Security Group | Not Disclosed | August 2014 |
| Okta | Auth0 | $5.67B | May 2021 |
| Ping Identity | UnboundID | Not Disclosed | August 2016 |
ForgeRock Looks to Thwart Account Takeover Fraud
ForgeRock in April refreshed the user interface around its authentication app to improve the customer experience, add functionality for facial biometrics, and leverage capabilities from Apple and Android, according to CEO Fran Rosch. He says ForgeRock has sought smarter ways to identify legitimate users and give them access by leveraging AI to collect signals of typical user and device behavior.
Once ForgeRock has collected patterns around a typical positive user experience, the company develops a risk score to give customers more confidence about whether a legitimate user is attempting to log in. To prevent account takeover fraud, ForgeRock has factored in both known threats and threats projected via AI into its risk score and has incorporated more information about device behavior into its app (see: Thoma Bravo Identity Push Continues With $2.3B ForgeRock Buy).
“CIAM has got a strong security component, but also a strong usability component,” Rosch tells Information Security Media Group. “And we’ve always worked to embed that capability of self-service and ease of use into the platform.”
KuppingerCole criticized ForgeRock for implementation challenges around the on-premises version and a lack of native marketing analytics, marketplace integrations and certification around FIDO. Rosch says ForgeRock has focused on simplifying the deployment of its on-premises offering by crafting DevOps capabilities for implementation, simplifying upgrades and creating new configurable AI for the platform.
“Every company’s got room to improve,” Rosch says. “Generally, we would agree with those areas identified by KuppingerCole. We’re continuing to work and to improve.”
Ping Identity Embraces CIAM in the Cloud
Over the past five years, Ping Identity has migrated all of its core capabilities to the cloud, meaning customers don’t have to deal with infrastructure, management or upgrades and can focus on the user experience, says Dustin Maxey, vice president of product and solutions marketing. Having everything available as a multi-tenant, SaaS-based offering means Ping can support customers’ various deployment options, he says.
Maxey says Ping has defined and developed workflows for CIAM scenarios such as account registration and fraud detection that incorporate both native and third-party capabilities and are easy for customers to use. Over the past year, Ping has made real progress on decentralized identity and combining multiple fraud signals in one place so that risk and fraud can be assessed at the point of authentication, he says (see: Ping Identity to Go Private in $2.8B Thoma Bravo Acquisition).
“A lot of competitors will have orchestration platforms, but Ping really differentiates in that we fully embrace this open mentality,” Maxey tells ISMG. “If you want to use competitive services – if you want to use ForgeRock authentication or Okta authentication – we can plug that authentication service into our orchestration platform that we created.”
KuppingerCole criticized Ping for its inability to collect device attributes, customization requiring for consent handling, and lack of simple connectors for BI, CRM, marketing analytics and automation. Maxey says Ping has focused on building the most important connectors first and wants to create deep integrations within its existing connectors before pivoting to construct new connectors.
“We are on a tear to build connectors that are deep, that are numerous and that are the ones that represent the services that our customers work with,” Maxey says. “And we are moving very, very fast at that.”
IBM Ensures Legacy Apps Don’t Get Left Behind
IBM has actively participated in committees and bodies that manage protocol support to help clients better manage API and authentication requests in applications, says Wesley Gyure, director of product management for IBM Security. Offering support for both old and new protocols gives clients a seamless experience across apps in legacy infrastructure as well as modern web-based applications in the cloud.
Gyure says the company has integrated its CIAM offering with threat intelligence to get more visibility into everything from compromised passwords to potential malicious account takeover and the opening of fraudulent accounts. Identity threat detection and response starts with determining whether to block or challenge a registration request based on if the IP address is known and if the device could be malicious (see: IBM Buys Startup Databand.ai to Address Data Quality Issues).
“We have very large Fortune 500 clients that are using our systems, both legacy and off-prem,” Gyure tells ISMG. “Auto manufacturers, retail, state and local government – they all have millions of users that are authenticating to our system, and they’re doing so in a frictionless way and they’re doing so with high throughput.”
KuppingerCole chided IBM for complicated licensing, limited configurations for family management, and no built-in identity proofing or out-of-the-box consumer device management portals. The complexity stems from thousands of customers already using CIAM in large deployments, and Gyure says a pricing calculator for the newest tools should give clients visibility and transparency into how IBM licenses.
“We’re not going to be the experts in every area,” Gyure says. “Customers already have investments in solutions that they’re using, and those investments have to integrate into whatever CIAM solution they may choose. This is not a rip-and-replace conversation. We want to make this easy and consumable, and to do that means to leverage capabilities and investments that they may already have.”
Okta Scales Authentication to the Masses
Okta has made strides to enable app builders to better manage user authentication at scale by enabling developers to add another layer of access controls that’s more fine-grained and consistent across apps, says Matt Duench, senior director of product marketing. The company’s flow editor allows for no-code integration with firms such as Duo directly into the platform by leveraging a drag-and-drop interface.
Duench says the company has debuted a deployment option in Microsoft Azure so that customers in Europe and elsewhere can deploy in the environment that makes the most sense for them. Okta has strengthened its account takeover prevention capability through investments in Credential Guard and has reduced bot attacks by 79% by incorporating machine-learning upgrades in its bot detection engine (see: Okta-Auth0 Sales Integration Falters, Fueling Staff Turnover).
“We were born in the cloud, and so we’re really well suited for companies that are focused on digital transformation and cloud migration versus more of an on-prem system,” Duench tells ISMG. “And that’s because a lot of the flexibility that now you get from a cloud-based system you can get within our platform as well.”
KuppingerCole criticized Okta for a lack of built-in behavioral biometrics, FIDO certification, and ability to collect device intel via mobile SDK. Okta says there are regulatory, privacy and technology constraints around capturing device intel via mobile SDK in consumer applications and that the company chose to allow customers to integrate Okta’s CIAM tool with the behavioral biometrics technology of their choice.
“You need a cloud-based platform that is extensible, that is unified and that is neutral so that you can really allow the application builder to build those use cases in the way and using the methodologies that they’re traditionally used to,” Duench says.