The New Access Management Magic Quadrant: Did Gartner Get it Wrong?

Earlier this week, Gartner released its latest and greatest Identity Management Magic Quadrant: the 2017 Access Management (AM) Magic Quadrant (MQ). We covered a few key takeaways from the report, and moved on, as we usually do. But after spending some time with the report, and seeing some of the interesting reactions coming from vendors featured in the report, we’ve decided to revisit a few of the key changes to the way Gartner is approaching access management.

Abandoning IDaaS

Gartner has previously covered the Access Management market in Magic Quadrants such as the Web Access Management (WAM) MQ and last year’s Identity as a Service (IDaaS) MQ, which positioned popular IDaaS vendors Centrify, Okta, and Microsoft as leaders.

However, this year, Gartner has retired its IDaaS Magic Quadrant, instead choosing to cover the access management market from a broader perspective, including vendors from both the Web Access Management (WAM) and IDaaS market. To me, that’s a bit of a total about-face for a group of analysts that previously predicted that 40% of IAM purchases will use the identity and access management as a service (IDaaS) delivery model by 2020.

Now, this could have happened because Gartner recognizes that cloud-based Identity solutions now meet the full-range of web access management needs and capabilities, but when we look at the way the new Magic Quadrant combines the old discipline of Web Access Management and the new way (IDaaS), that doesn’t seem to be the case.

Of the six vendors in the leader’s quadrant, three (CA Technologies, IBM, and Oracle) were criticized for low-feature IDaaS offerings. And, in what might be the oddest placement of all, ForgeRock, who does not offer any IDaaS solutions at all, was rated as the second most “visionary” vendor in the report. Apparently, IDaaS is now officially a blind spot in Gartner’s “vision.”

Thankfully, there are other analysts picking up the slack Gartner is putting down, and there are still quality reports on IDaaS available from Forrester and KuppingerCole.

Where’s the PIM?

It’s been proven time and time again: unmanaged, unmonitored privileged accounts are an easy target for both external attacks and malicious insiders — just take a look at some recent data breaches and chances are high the malicious party used a compromised privileged account to increase their permissions.

Due to this common practice Privileged Access Management or Privileged Identity Management (We’ll call it PxM) — the monitoring and protection of super user accounts — has emerged as one of the most important aspects of IAM, and cyber security writ large, today.

In fact, 80% of security breaches involve privileged credentials, according to Forrester’s PIM Wave report.

So it comes as some surprise that Gartner’s new MQ almost completely ignores PxM. Especially considering the fact that PxM is a $1billion market that 80% of IT security professionals consider a high priority (you can get a full set of statistics on the importance of PxM here).

It’s odd, to say the least, that Gartner hasn’t tried to cover that market, which has been covered at length by their competitors at Forrester.

Is it just a nod to legacy vendors?

Hot take time: Is it possible that Gartner consolidated the Access Management market as a way of consolidating (and placating) its own market? That is to say, the vendors who pay Gartner to be evaluated in their reports. When Gartner made the switch to the IDaaS MQ, a lot of large, legacy WAM vendors lost standing in the report, and it’s likely that those legacy on-prem vendors weren’t very happy with the not-so-positive coverage in the IDaaS MQ.

Of course, there’s now way to tell what kind of influence those vendors have over Gartner, or whether they have any influence at all, but they are, for the most part, back in the “Leaders” quadrant. By and large, leaders in this new MQ have $100M or more in revenue, mostly from older products brought to market in the 90’s.

The real questions is this: In consolidating their coverage of Access Management, is Gartner helping buyers evaluate WAM and IDaaS offerings, or are they merely muddying the waters?

Read the full report, available here, and make your own call.