Cloud-Native Identity Management Is Suddenly Looking Like A Winner


Doing access management with the help of cloud-based services is a pretty comfortable proposition by now. For more than a decade, we've been doing federated single sign-on to and from apps that are themselves in external domains. Looking at the recent Forrester Wave™ on enterprise cloud identity and access management, all three vendors we identified as leaders specialize in various kinds of cloud-app SSO and access control -- the cloud identity 1.0 ur-scenario. (Join us tomorrow, September 20, for a client webinar to review this Wave!)
What about identity management in the cloud? It's been harder to find. Two other vendors we looked at in the Wave provide cloud interfaces to familiar on-premises provisioning solutions such as the IBM and Oracle suites. And all the vendors rely on hooking into an organization's on-premises directory as the single source of truth.
Okay, then, what about putting that single source of truth into a store with a cloud-native interface, as my colleague Andras discussed on our Security & Risk blog recently? That is rarer still -- but the writing is on the wall. Microsoft went bold with its Windows Azure Active Directory moves, providing non-LDAP RESTful interfaces. Cool. (I'd like it to support SCIM as well, though, since you ask.)
Two even newer cool examples of a cloud changeup in identity storage and management: On September 5, Okta announced a partnership with Workday that enables it to offer employee identity management as a cloud-native proposition. And today, announced what looks to be an insanely comprehensive V1 of a cloud-native IM+AM offering, with provisioning workflow and reporting options that leverage the increasingly mature Salesforce Platform. Other service providers we consider to be cloud IAM dark horses, given these recent moves: Google, Intuit, and Amazon.
Here’s what we at Forrester think this all means:
  • Enterprise IT gets more choices. Credible, comprehensive cloud-native IAM will put serious pressure on the classic on-premises suites, increasing choice for enterprises bitten by the SaaS bug.
  • LDAP’s hold on IT begins to weaken. LDAP as the standard directory interface just became “legacy,” though it won’t be disappearing anytime soon. While SCIM is no more than an 80/20 replacement at the moment, it gains significant momentum from’s backing. (Hey, wasn’t LDAP the 80/20 point for X.500?)
  • The federation broker landscape will broaden. We believe many of the SaaS players managing significant business-user populations will find it attractive to move into a horizontal federation broker role, joining Ping Identity with its PingOne service.
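The "80/20" remark about SCIM versus LDAP is easy to make concrete. What follows is an illustration I added for this post, not code from the post, from Forrester, or from any vendor named here: it maps a constructed LDAP inetOrgPerson entry onto a SCIM User resource. It uses the SCIM 2.0 schema URNs from RFC 7643 rather than the SCIM 1.x schema that was current when the post was written; the attribute map, the sample entry, the MappingError type and the function names are assumptions of the example. The attributes that land in the core or enterprise schema are the "80"; the DN-valued manager link and the site-specific attribute end up in a leftover set rather than being silently dropped, and LDAP credential attributes are refused outright instead of being replicated into a SaaS directory.

```python
"""
Map an LDAP inetOrgPerson entry to a SCIM 2.0 User resource (RFC 7643).

Added example, not code from the post or from any vendor it mentions.
The schema URNs are those of RFC 7643; the sample entry, attribute map
and error type are assumptions of this example.
"""
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# The "80": inetOrgPerson attributes with a direct home in SCIM core or the
# enterprise extension.  A tuple means (container, attribute).
CORE_MAP = {
    "uid": "userName",
    "givenName": ("name", "givenName"),
    "sn": ("name", "familyName"),
    "cn": "displayName",
    "employeeNumber": (SCIM_ENTERPRISE, "employeeNumber"),
    "departmentNumber": (SCIM_ENTERPRISE, "department"),
}

# Attributes that must never leave the on-premises directory.  SCIM's
# "password" attribute is write-only and expects a clear-text value to be
# (re)set, so forwarding an LDAP hash would be both a leak and a type error.
NEVER_MAP = {"userPassword"}


class MappingError(ValueError):
    """Raised when an entry cannot be safely or validly expressed in SCIM."""


def check_entry(entry):
    """Return (sorted) attributes of entry that must never be replicated."""
    return sorted(NEVER_MAP & set(entry))


def ldap_to_scim(entry):
    """entry: dict of LDAP attribute -> list of values, as LDAP client
    libraries return them.  Returns (scim_user, unmapped_attributes)."""
    forbidden = check_entry(entry)
    if forbidden:
        raise MappingError("refusing to replicate credential attributes: %s" % forbidden)

    user = {"schemas": [SCIM_USER], "name": {}, "emails": [], "active": True}
    unmapped = {}
    for attr, values in entry.items():
        if attr == "objectClass":
            continue  # LDAP structural metadata; SCIM expresses this via "schemas"
        if attr == "mail":
            user["emails"] = [
                {"value": v, "type": "work", "primary": i == 0}
                for i, v in enumerate(values)
            ]
        elif attr in CORE_MAP:
            target = CORE_MAP[attr]
            value = values[0]  # SCIM core attributes here are single-valued
            if isinstance(target, tuple):
                container, key = target
                user.setdefault(container, {})[key] = value
                if container == SCIM_ENTERPRISE and SCIM_ENTERPRISE not in user["schemas"]:
                    user["schemas"].append(SCIM_ENTERPRISE)
            else:
                user[target] = value
        else:
            unmapped[attr] = values  # the "20": no standard SCIM attribute

    if "userName" not in user:
        raise MappingError("SCIM User requires userName (LDAP uid missing)")
    # externalId ties the SaaS record back to the on-premises source of truth.
    user["externalId"] = entry["uid"][0]
    return user, unmapped


# Constructed sample entry, in the attr -> list-of-values shape of LDAP clients.
SAMPLE_ENTRY = {
    "objectClass": ["inetOrgPerson", "organizationalPerson", "person"],
    "uid": ["jdoe"],
    "cn": ["Jane Doe"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "mail": ["jane.doe@example.com"],
    "employeeNumber": ["10042"],
    "departmentNumber": ["Engineering"],
    "manager": ["uid=bsmith,ou=people,dc=example,dc=com"],  # DN reference, not a SCIM id
    "customBadgeColor": ["blue"],  # site-specific attribute with no SCIM equivalent
}

if __name__ == "__main__":
    scim_user, leftovers = ldap_to_scim(SAMPLE_ENTRY)
    print(json.dumps(scim_user, indent=2))
    print("not expressible in standard SCIM:", sorted(leftovers))
```

Two points the leftover set makes for a practitioner: the LDAP manager attribute is a DN, while SCIM's enterprise "manager" wants the SCIM id of another User resource, so it needs a second lookup rather than a copy; and a custom attribute has to go into a vendor or customer extension schema that both ends agree on. Refusing userPassword is deliberate: the on-premises directory stays the credential authority, and the cloud side gets an identity record, not a hash to crack.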
What do you think? Let us know in the comments!


A question I keep hearing

A question I keep hearing goes something like "why can't I use my Google Docs on my Dropbox account". I know people who keep SkyDrive inside Dropbox inside Google Drive... consumers are starting to demand separation of identity and data from applications. The players to watch are the ones who understand and facilitate this. I don't know much about Intuit but the other companies you mention seem to be hoping for complete control & vertical integration. Consumers want things that are easy to use but that should be balanced with facilitation of choice.

Identity isolationism

Hi Mark-- Thanks for your comment. It's true that the big vendors strive for vertical integration, or at a minimum a "better with" proposition that attracts adopters to more and more of some singular platform. I don't think we'll ever see this go away. But we also see plenty of signs of a factoring-out, if you will, of unique value and a willingness to connect to external sources that specialize in their own information and services. I agree with you that the players comfortable with being clients of others' APIs are doin' it right, and this goes for the consumer and commercial worlds alike.

CIS Enables Workday as Cloud-Based Authoritative IAM Source

Contact me for details.