Burton Group Identity Blog

Blogger: Lori Rowland   

Provisioning products were introduced to the market almost a decade ago.  At that time, vendors promoted products on the premise of improved security (zero day start and zero day stop), cost reduction (remember those ROI charts demonstrating the cost of a password change through the helpdesk), and operational efficiency (no more messy flow charts). Provisioning was really about automated user account provisioning.  The introduction of the Sarbanes Oxley Act significantly changed the dynamic of the provisioning market.  The business driver for provisioning deployments quickly changed from a security and operational efficiency focus to a compliance focus.  Provisioning products were “flying off the shelf” as organizations scampered to answer the ever probing question “who has access to what?”  Customers began changing their expectations.  No longer was provisioning just about automated user account provisioning, but it was about accountability. Customers (and auditors) wanted to know how access was granted, who approved it, when it was approved, if it was still valid, etc.  Provisioning systems were not originally designed for this functionality; therefore, provisioning vendors began adding new features (both through in-house development and acquisition).  The original, core value proposition of a provisioning solution had succumbed to “compliance.” 

Recent headlines have once again rattled the provisioning market.  Hardly a day goes by that we do not hear of mergers, acquisitions, bankruptcies, businesses closing down, bail outs, job cuts, etc. In these tumultuous times, there is also an increase in security breaches, data loss, and insider threats. This has been somewhat of a perfect storm, highlighting the need for effective identity management systems.  More than ever, it is imperative that organizations control users’ access to sensitive data, terminate access as soon as an employee leaves the organization, absorb identities and credentials obtained through acquisition, and integrate multiple identity systems into a single authoritative source. IT budgets are without a doubt being cut, however early indications show that organizations view security and identity management (and more specifically provisioning) as a high priority and are continuing investments in these technologies. Organizations that have implemented an effective provisioning solution are breathing a sigh of relief, while those who have not are scrambling to do so. 

In these turbulent times, the business justification for provisioning deployments is returning back to its original value proposition: cost reduction, increased security, and improved operational efficiency. This is good news for the provisioning market (for customers and vendors alike).  As provisioning technologies morphed into compliance offerings, the industry abandoned provisioning system fundamentals and traded them for bells and whistles.  For example, vendors have added workflow, self-service, delegated administration, audit, reporting, access review and certification, and role management.  All of these are nice features, but development and investment dollars have been allocated to adding new features rather than on improving the ease of deployment, usability, performance, and scalability of the core provisioning system.  A singular focus on new features is not sustainable as customers continue to report failed deployments and frustration with the usability of products.  This is, however, changing. The feature set of provisioning products has reached a level of maturity. Vendors are now re-focusing on provisioning fundamentals, interoperability, and improving the usability of their products while reducing the total cost of ownership (TCO).  This is good news for customers who, in tough economic times, need to do more with less.

As the saying goes, every dark cloud has a silver lining.  IdM vendors will most certainly feel the effects of the down economy. However, a handful of vendors have seen increased sales in their provisioning products despite the economy.  Burton Group is aware of at least one pure-play provisioning vendor that saw record third and fourth quarter profits in 2008. There is a spike in interest in provisioning technologies as the economy has exposed inefficiencies in business process and IT security systems within some organizations.  There is also an increased interest in on-demand or cloud identity services and managed service provisioning offerings as many organizations are considering outsourcing their provisioning deployments.  This and other market trends and considerations are discussed in detail in the Burton Group, Identity and Privacy Strategies Market Landscape document, Provisioning Market 2009: Divide and Conquer  (note: client login is required for access to this document).

Burton Group consistently encourages our customers to conduct a proof of concept when selecting a provisioning vendor.  As the provisioning market has matured, it is increasingly difficult to compare vendors based on a check list of features.  Product differentiators are found not in if a feature is supported, but how it is supported.  Recently, Burton Group decided to “eat our own dog food” and conducted a competitive analysis of the provisioning market.  As part of this analysis we invited vendors to complete an exhaustive survey, provide reference customers, and conduct a use case-based demo.  This effort confirmed to us the importance of the POC process. 

As analysts, we are continually briefed on vendors’ products, roadmaps, and strategies.  We also regularly talk to customers regarding vendors and their products and we have conducted comprehensive evaluations of provisioning deployments in customer environments. These conversations give us great insight into product strengths and weaknesses.  Still, the demo process allowed us to see a feature to feature comparison of products based on our own set of criteria. Vendors were asked to show us a common set of functions --- not just the functions that made them look good.  This required a great deal of effort on the part of the vendor, as do POC’s in customer environments.  These efforts were, however, validated as we gained a new level of understanding and respect for each of the vendors participating, regardless of how they fared in our analysis.  That said, by conducting an RFP and POC-like process, we were able to identify product strengths and weaknesses as weighted against our criteria. As the market has stabilized and matured, clear market leaders have emerged.  The results of our competitive analysis are detailed in the above mentioned Market Landscape document.

2009 will most certainly prove to be an interesting year for provisioning.  We will likely see continued expansion and growth, albeit at a slower pace than years past.  Microsoft and SAP are set to release much anticipated updates to their provisioning products, more and more vendors will be showcasing their integrated role management and provisioning solutions, and other vendors will be releasing products highlighting improved architecture and usability.  Stay tuned for further developments as this market never ceases to surprise us.