Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an Advisor and Analyst with KuppingerCole Analysts. My guest today is John Tolbert. He is the Research Director Cybersecurity for KuppingerCole Analysts and he's hailing from Seattle. So it's late for me and early for him. Hi, John. Good to see you.
Good afternoon, Matthias, good to see you again, too.
So good morning to you. We want to cover a topic that we have done quite some times before. So this is the third or the fourth episode on a topic which is really interesting, which is the consumer identity and access management market. And you just completed research in that area. So we want to focus on what's new, what's updated, what has happened in the market of consumer identity and access management. Yeah, what's new?
Well, thank you. Yeah, you know, it's an interesting and always growing field. We've been covering this subject for going on a decade now. CIAM has emerged or emerged as a specialty before that time even. So we've seen the numbers of companies in the field increase. This time we had 24 different vendors in the report. So that I think is a record for us. And some of them are brand new, not only in the business, but they're first time appearing in our report also.
So if you say there are new vendors, can you name a few, who are the new entrants?
Sure, well they're not new to the market but first time appearing in our report. We've got Amazon Cognito and Descope, so those are a couple that are new. We also have some that appeared in the last edition that are smaller regional vendors DruID, ReachFive, TrustBuilder, Xayone, and we've covered those and other kinds of reports as well. So we're really happy that we've got a large number of vendors that really represents, I think, the state of CIAM today.
Right, but a growing market, a growing number of vendors seems that on the one hand it's a dynamic field and on the other hand is the market capable of dealing with these large numbers of vendors? Where are they located? How do they specialize? How do they find their customers, their audience?
Yeah, I think the market does very well at accepting new vendors for probably a couple of different reasons. There are some that specialize in specific market segments, like maybe they'll focus on particular industries. And then they really build up very thorough coverage for the use cases there. And the use cases might be a bit niche. We have a couple of vendors that specialize in, let's say, the media subscription market. And for that, you'll see a strong need for integrating with what I've been calling consumer IoT devices, things like smart TVs and set-top boxes. So you need a very well-developed device identity management regime in order to be able to really serve those kinds of markets. Then there are those that are sort of regionally focused or even country focused. We see that pretty commonly across Europe where a CIAM vendor will become quite strong in a specific country or a couple of countries because of probably several different reasons there too. There can be language, can be culture, of course, privacy regulations or other regulations, developing specialties that are helping customers in those specific countries adhere to those regulations. So I don't think we're done yet. I think we're going to continue to see over the next three to five years, there will be even more new vendors in the CIAM market.
You've mentioned the new entrants, and if you look back on to the last one or two years there has been a reduction of the number of vendors just because of mergers. Everybody of course who's had a look at the IAM sector looked at ForgeRock and Ping merging together and driven by their investor. Both were highly ranking if I remember correctly in earlier editions of your research. So these quite big ones and quite to the right upper corner of our Leadership Compass. So how does that influence the market that we have these mergers, and there are more.
Well, yeah, you know, that's a really good observation too. So we have a large field, but in some ways it's shrunk because of mergers and acquisitions. And, you know, you talked about one of the more recent noteworthy ones there, Ping and ForgeRock. They were both acquired by Thoma Bravo. While the companies are emerging, the products are still somewhat distinct. And there's, I believe, an intention to keep them that way so there won't be any near-term pressure on customers to have to integrate or deal with significant changes there. So yeah, that was a pretty big move in the market. We also saw almost a year and a half ago, I think, Thales acquiring OneWelcome, OneWelcome having been also a leader, a product leader, innovation leader in many of the earlier editions of this report. They were headquartered in the Netherlands and they specialized in consent, privacy management, and providing advanced features in those areas. And then with the Thales acquisition, it's been interesting to see really how smoothly that seems to be going. So, Thales had a good reputation in traditional IAM and catering to very high security IAM environments. So this is a good move for both of those companies. And it's resulted in even more stronger placement in our charts. We also had SecureAuth acquire Cloudentity. SecureAuth, sort of similar to the last situation where they had been well known, had good products for high security environments, traditionally for workforce. And Cloudentity had been in multiple of our earlier editions in the CIAM report, and they had always done very well too. So Cloudentity brings additional very fine-grained authorization use case support, as well as many other CIAM-related features that I'm sure SecureAuth will benefit from. So yeah, those mergers helped the placement for those three sets of combined offerings.
Right, I assume that they are also with the combined products and the combined vendors that they are not getting down the drain when it comes to the positioning in the Leadership Compass, but they are still also highly ranking within the new report?
Yeah, yeah, I think these moves have been good from a market position as well as technology capability inclusion. Definitely think this has been good from that perspective.
Right. And so we've talked about new entrants. We talked about the mergers in the market. And I said in the beginning, we want to look at what's new. OK, what's new? What are the new features that have made their way into the CIAM products, into the technologies, into the services that companies want to provide towards their end users?
Well, you know, I've been talking about this for a few years, the need for building in capabilities or offering integrations to third party services for identity verification. Originally that had mostly come from the financial industry needing to do anti-money laundering and Know Your Customer initiative support. But we find that more and more industries are looking for at least some degree of identity verification when users are creating new accounts. An example of that that gets tossed around quite a bit is the short-term rental market. So these companies want to be able to collect a bit of identity assurance information at the time of creating the account and maybe even to be able to do follow-up IDV as well. So identity verification is growing in importance specifically for CIAM and I think B2B CIAM, which we'll talk about later if we have a chance as well. But then also, beyond just identity verification, full on integration with what we call fraud reduction intelligence platforms, because fraud, as everyone knows, is a huge problem in the consumer space. So we really need to see more and more integrations there. And most of the vendors have been doing that. They're building out connectors to enable their customers to use the fraud reduction intel platforms of their choice. Then other integrations are really the big key here. So there are third party consent and privacy management platforms. A lot of organizations, specifically those that are operating within Europe, have adopted CPM, the Consent and Privacy Management Platform solutions. If you have a CIAM, you need to be able to integrate with that. We've also seen on the innovative side, a few CIAM solution providers integrating with things like AI-powered chatbots, customer data platforms, and even payment services to make it easier for the consumers to connect to payment services. So this particularly applies in cases where a CIAM solution is maybe specializing in the retail or e-commerce or markets like that.
Right, if I talk, I'm an advisor at least half of my time, if I talk to end user organizations, no matter if it's IAM or CIAM, most questions or many questions are around the topic of deployment models. So usually they are a bit hesitant to immediately start with a cloud service or that can be the case. So they ask for hybrid capable solutions. And that of course is something that needs to be reflected in technology and architecture and yeah, in architecture decisions. Is this something that you see in the CIAM market as well? Are they supporting many different deployment models and the migration between A and B?
The default, I would say, in some areas of the world is to go with a cloud-hosted service. But you're right. There are certain industries, certain locales that want on-premises options or hybrid options as well. So there are fewer companies in the CIAM market that offer on-prem only or on-prem plus hybrid plus cloud options. So I would say organizations that have those requirements have to drill down a little bit deeper to see if the solutions that have on-prem options are the ones that might be most appropriate for them. You know, one thing I can say about deployment is everybody does seem to be moving to the microservices container model, you know, kind of in line with what we've been calling for years, the Identity Fabric. And I think that's a really good thing because, you know, if you're running your own private cloud, you know, be it in a data center or elsewhere, then this new architectural model, I think, makes it easier for you to move to the cloud because you've already got your own infrastructure sort of aligned with that model. And like I said, most of the solutions that are out there today have taken this approach. So they're all pretty modern in that regard. On the cloud side, maybe sort of an in-between ground, we see a few more vendors offering single tenant options. A lot of the turnkey, identity as a service solution providers that are out there have been offering multi-tenant for years, but now, some of the vendors are offering single tenant options, too, for those that would feel like that would help with complying with their own security policies, better options for data residency and so forth.
One aspect that was always built into CIAM was progressive profiling, understanding users better over time. On the other hand, I see that many organizations when it comes to consumer identity are asking for more control over these users. So not only collecting data, but better understanding where they are in their journey, in their life cycle. And when it comes to these features, is this something that is added to the otherwise only very flat and simple data structure of the consumer identities? Is there access governance? Is there identity lifecycle management at least tailored for consumers and customers?
Yeah, that's kind of a two-part question, I think. Progressive profiling and orchestration definitely have become very important requirements, I believe, for most organizations that are, let's say, looking to improve their CIAM. So the best approaches are those which aren't sort of tacked on. I think it really takes a good redesign of, say, the onboarding process. And to facilitate that, you really need a visual editor that makes it easy for business people, not necessarily technical IAM staff, to build onboarding workflows. So a good orchestration interface that's no code, low code, which allows them to sort of drag and drop different tasks into a workflow, whether that be identity verification as we've been talking about or other aspects of an onboarding workflow. And then the identity governance and lifecycle. It's great that you brought that up because I have heard from customers and vendors that they're getting more requests into those areas. Because, you know, it's very easy in a lot of cases if you're doing progressive profiling to sign up for a basic account and bots have been doing that. I mean, a lot of sites have to deal with, you know, not necessarily fraudulent just yet, but using bots to create hundreds and hundreds or thousands of accounts. So you want to be able to get rid of those accounts if they're not legitimate. And then also, to be able to get reports about the status of accounts that have been created as well. You know, there are lots of different sites, different businesses that, you know, maybe a consumer or a citizen only interacts with once or twice a year. And then you want to be able to track, well, if this person hasn't interacted with this account in three to five years, what should you do with it? You need lifecycle management options. And, you know, you can't… You can't set that at the product level. That's something that each individual tenant or customer needs to be able to customize for themselves, whatever is right for their business.
Exactly. I think that that's important. It's a process and this is something that they need to be able to weave into the solution, but it will be individual for the individual organization that provides this service to their customers. You've mentioned growing demand for features and you've mentioned that before and it's a bit of my thing to ask for that in these podcast episodes around CIAM. I get asked again and again from enterprise users or organizations that run IAM that they want to have a B2B functionality. So either dealing with larger structured customers or the same functionality for partners, which is, then it's even not CIAM anymore, but very, very same or similar way of dealing with identities. Is this B2B aspect also coming into the solutions that you had a look at? I'm desperately waiting for good solutions there.
Yeah, well, I think there's some really good news then. At least for the last three or four years in doing this report, I've heard customers, vendors saying that they are seeing increased adoption by businesses that are trying to use the CIAM products for B2B use cases. And in response to that, I think I've seen maybe 25-30% of the products that are out there really start to specialize and offer detailed features in those areas to help manage those B2B CIAM kinds of relationships, including partners, contractors, gig workers, use cases that aren't easily served by traditional workforce IAM, and also maybe not as well served by older generation CIAM solutions. So you're right. There are new use cases with different kinds of requirements for the accounts. And this time around, I did try to ask a lot of questions about that. There's a part of the spider chart in the report where you can see how well different vendors address these B2B CIAM use cases. And as part of that analysis, some of the things we were looking for were being able to support delegated administration, attribute-based access controls, doing compliance checks and sanction screening, looking for the use of compromised credentials, and then the ability to communicate directly to, let's say you're a prime in a supply chain and you want to contact individual contractor companies, you need separate communications channels, you need separate administration capabilities, you may want to be able to do things like offer per customer terms of service, you may want to offer different consent options based on where those companies are located, and then you'll want to be able to manage those users either in groups of companies, again, maybe based on location and what regulations that they're subject to. And also, there's a really useful feature that some of these solutions now have around time-limited accounts. So maybe you're using something like SAML to do a just-in-time account creation, but you also want to put a very strict time limit on how long that will be active. So there's a number of features in that area and I would say, you know, maybe around a third of the solutions that are out there today have really good support for a broad selection of those use cases.
You've at least convinced me to read your report, so that is interesting for me and I really want to follow up on that because there was really a gap in the market for that. So we could close down here, but we don't because we are post EIC and if we look back to the EIC conference in Berlin in early June, there were two main topics and of course these two main topics I have to ask you as well if they are reflected in CIAM products as well. First thing is decentralized identity, second is AI. So let's start with decentralized identity. Is it yet there?
It's there in a few products. I was a little surprised. We did ask pretty good questions on our survey about that. I would say that maybe 25% of the products have DID support. When queried about it a bit further, they say they're not really getting any customer demand except in a few specific locations. So that doesn't mean that they're not willing to build it. I think they're just prioritizing based on customer need.
But I think that also reflects clearly what I've heard during EIC when I talked to individual stakeholders from different countries. Those from the US were a bit more hesitant and since many organizations, many vendors are developing in the US or are based in the US, maybe that also reflects that. So that market unusually is a bit more hesitant when it comes to decentralized identity other than European countries like the Nordics where decentralized identity is much more common and in use. So maybe that is also a reflection of that. Second, AI. Apart from, you've mentioned the chatbots supporting here a bit, but more deeply woven into the architecture, is there something where AI or machine learning really supports the customers, the organizations in getting better, getting better services?
Yeah, yeah, you're definitely right there on chatbots. A few of the solutions have integrations with third party AI chatbot service providers. That's not really widespread yet. But I can say I think the most pressing and the best use of AI within CIAM is, for those that are offering a bit of fraud detection, fraud prevention, the machine learning detection models are really essential for helping to reduce fraud. So you can operate or build a CIAM without fraud prevention, fraud detection capabilities, but you're going to be relying on ML-powered third-party services to do that, which this is a really important piece of overall CIAM landscape. So yeah, definitely AI, mostly in the form of ML for fraud prevention is pretty key for CIAM.
Great to hear that. And your report is out, it's available. It's the Leadership Compass, CIAM. And I think there's also a Market Compass, if I remember correctly, in that area as well. I always mix them up, sorry for that. But it's the document that supports you in asking the right question towards your potential vendors. And maybe for some of the questions that you used for the Leadership Compass afterwards.
It's a Buyer's Compass. A new Buyer's Compass.
So both the reports are out there. They can be downloaded at kuppingercole.com. For the audience, if you have any questions to John or to me or regarding that podcast or anything that we talked about or anything we did not talk about, leave them in the comments and we will be happy to answer them or reach out to John and me via email. We are easy to find with our email addresses. We are happy to get in touch and learn more from you. Thank you, John, for being my guest today for telling the next important facts about the CIAM market. I'm looking forward to having you soon again in this podcast.
Thanks, Matthias.
Thank you and bye bye.