Microsoft, Ping, Okta Dominate Access Management Gartner MQ

Access Management Leaders Remain Unchanged as Customer Identity Cases Proliferate


Advances in customer identity including better user experience, strong authentication, and centralized identity processes have driven rapid growth in the access management market, Gartner found.

The access management market grew 17.6% to $5.85 billion in 2023 as organizations look to replace homegrown customer identity and access management solutions with commercial products, enhance admin and user interfaces and replace siloed approaches with centralized processes, according to Gartner. Microsoft, Ping Identity, Okta and IBM remain atop the Magic Quadrant in 2024 after Thoma Bravo merged ForgeRock into Ping (see: Microsoft, Okta, CyberArk Lead Workforce Identity Rankings).

Gartner said modern access management features aim to reduce attack surfaces and mitigate risks from compromised credentials. Vendors now provide identity threat detection and response to automate alerting and anomaly detection, conduct AI/ML-driven attack simulations, and quarantine suspicious activity in real-time. They aim to minimize disruptions and boost operational continuity.

“Access management is a critical part of an organization’s cyber-resilience strategy,” Gartner analysts wrote in December’s Magic Quadrant. “Organizations use access management to significantly reduce their attack surfaces and limit damage from compromised credentials by controlling access to sensitive data and systems.”

The rise of machine users due to cloud adoption, API enablement and automation increases the need for robust access management capabilities tailored to devices and workloads, Gartner found. Bots and AI agents require specialized features that extend beyond human-centric IAM systems. Gartner found some vendors excel in specific machine identity capabilities, and some don’t.

The SaaS subscription pricing model dominates the access management market with workforce and customer identity typically priced per named or active user, based on authentication frequency. Machine identity pricing is often tied to the number of machine accounts, but Gartner said the pricing models are inconsistent.

FIDO2 passkeys are increasingly integrated into access management offerings. Gartner said most vendors support FIDO2 via the WebAuthn APIs but lack support for passkeys in native smartphone apps and for fully segregating the two passkey types. Device-bound passkeys, whose private key never leaves the authenticator, are suitable for workforce scenarios requiring high security, while multi-device passkeys, which can be synced across a user's devices, fit customer-facing use cases, according to Gartner.
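The passkey-type segregation Gartner refers to is visible to a relying party in the flags byte of the WebAuthn authenticatorData: the BE (backup eligible) bit says the credential may be synced, and the BS (backup state) bit says it currently is. The following Python is an added example, not code from the article or from any vendor it names, and it assumes a hypothetical RP ID of login.example.com and a simple two-tier policy (a "workforce" audience that accepts only device-bound passkeys, a "customer" audience that accepts both). The COSE public key at the tail of the structure is CBOR and is left undecoded; the sample inputs are constructed test vectors, not real authenticator output.

```python
import hashlib
import struct

# Bit positions in the authenticatorData flags byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced (multi-device passkey)
FLAG_BS = 0x10  # backup state: the credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows the header
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the 37-byte header and, when the AT flag is set, the attested credential data.

    The trailing COSE public key is CBOR and is returned as raw bytes; a real
    relying party would decode it with a CBOR library before storing it.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    result = {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}
    offset = 37
    if flags & FLAG_AT:
        if len(auth_data) < offset + 18:
            raise ValueError("attested credential data truncated")
        result["aaguid"] = auth_data[offset:offset + 16]
        offset += 16
        (cred_id_len,) = struct.unpack(">H", auth_data[offset:offset + 2])
        offset += 2
        cred_id = auth_data[offset:offset + cred_id_len]
        if len(cred_id) != cred_id_len:
            raise ValueError("credential ID truncated")
        offset += cred_id_len
        result["credential_id"] = cred_id
        result["credential_public_key_cbor"] = auth_data[offset:]
    return result


def classify_passkey(flags: int) -> str:
    """BE set means the authenticator may sync the key; BE clear means device-bound."""
    return "multi-device" if flags & FLAG_BE else "device-bound"


def check_registration(auth_data: bytes, expected_rp_id: str, audience: str) -> tuple[bool, str]:
    """Accept or reject a registration under a hypothetical 'workforce' or 'customer' policy."""
    parsed = parse_authenticator_data(auth_data)
    flags = parsed["flags"]
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if not flags & FLAG_UV:
        return False, "user verification required but not performed"
    if flags & FLAG_BS and not flags & FLAG_BE:
        # The spec forbids BS without BE; treat it as a malformed or hostile authenticator.
        return False, "backup state set without backup eligibility"
    kind = classify_passkey(flags)
    if audience == "workforce" and kind != "device-bound":
        return False, "workforce policy requires a device-bound passkey"
    return True, kind


def build_auth_data(rp_id: str, flags: int, sign_count: int, cred_id: bytes) -> bytes:
    """Constructed test vector (not real authenticator output): header plus attested
    credential data with an all-zero AAGUID and an empty COSE key placeholder."""
    flags |= FLAG_AT
    header = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    attested = bytes(16) + struct.pack(">H", len(cred_id)) + cred_id
    return header + attested


if __name__ == "__main__":
    rp = "login.example.com"  # hypothetical RP ID
    device_bound = build_auth_data(rp, FLAG_UP | FLAG_UV, 0, b"A" * 16)
    synced = build_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0, b"B" * 16)
    print(check_registration(device_bound, rp, "workforce"))
    print(check_registration(synced, rp, "workforce"))
    print(check_registration(synced, rp, "customer"))
```

The BE/BS check belongs at registration time, because BE is fixed for the lifetime of a credential while BS can change; a workforce tenant that wants to enforce device-bound keys should record the classification with the credential and re-check it on each assertion rather than trust a one-time decision.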

Vendors are simplifying administrative interfaces and enhancing developer tools to make access management solutions more user-friendly and efficient. Firms are consolidating consoles for centralized management, using AI-driven tools for policy creation and risk analysis, using APIs for secure integration, and simplifying visual orchestration for managing user journeys.

“Vendors have considerably reduced time frames for administrators for complex configurations, such as AI assistance with creating and configuring an access policy for protected resources, and reducing complexity when creating, updating and managing external authorization management policies,” Gartner wrote. Gartner analysts were not available to speak with Information Security Media Group.

How the Access Management Vendors Stack Up

Gartner rated Ping Identity as having the most complete vision for access management, with Okta taking silver and Microsoft bronze; Thales and IBM took fourth and fifth place, respectively. That’s fairly similar to October 2023, when Ping also got the gold, Microsoft took silver, Okta got bronze, and IBM, ForgeRock and Thales took fourth, fifth and sixth place, respectively.

From an execution ability standpoint, Microsoft snatched the gold, Okta took silver, Ping got the bronze, and CyberArk, Entrust and IBM captured fourth, fifth and sixth place, respectively. That represents a change atop the leaderboard from 2023, when Okta took the gold, Microsoft got silver, Ping got bronze, and ForgeRock, CyberArk, IBM and Entrust captured fourth, fifth, sixth and seventh place, respectively.

Outside of the leaders, here’s how Gartner sees the access management market:

  • Visionary: Thales;
  • Challengers: CyberArk, Entrust;
  • Niche Players: One Identity, OpenText, RSA;
  • Missing the List: Alibaba Cloud, Amazon Web Services, Exostar, Fortinet, Google, Imprivata, Salesforce, SAP, SecureAuth, Transmit Security, which didn’t meet the customer or revenue inclusion criteria.

Microsoft Takes on Passwordless Authentication for Customers

Password-based identity attacks remain a significant threat, with threat actors exploiting predictable user behavior such as password reuse or falling for phishing schemes, wrote Alex Simons, Microsoft corporate vice president for product management and identity security in a December blog post.

Microsoft advocates passwordless authentication to enhance security and cut reliance on traditional passwords, with device-bound passkeys stored on FIDO2 keys and in Microsoft Authenticator helping staff authenticate without usernames or passwords. Embedding Microsoft Security Copilot in Entra helps administrators complete complex tasks such as log analysis and incident investigation, Simons wrote (see: How Microsoft Is Beefing Up Security With 34,000 Engineers).

“More than 99% of identity attacks are password attacks – often due to predictable human behaviors like easy-to-guess passwords, password reuse, and falling prey to phishing attacks,” Simons wrote. “That’s why comprehensive, integrated identity and access management (IAM) should be a core part of any organization’s threat-informed defense.”

Gartner criticized Microsoft for offering multiple workforce license portfolios, confusing and complex product administration, and requiring significant customization and configuration around its B2C tool. Microsoft declined to make a spokesperson available to ISMG for an interview.

Ping Merger With ForgeRock Brings IGA, MFA to Organizations

Merging with ForgeRock significantly bolstered Ping’s ability to manage complex identity requirements through the addition of identity governance and administration, multi-factor authentication and identity verification, said Dustin Maxey, Ping vice president of product and solutions marketing. Combining ForgeRock’s single-tenant cloud architecture with Ping’s multi-tenant SaaS approach supports diverse deployment models, he said.

Ping has pushed to eliminate traditional central repositories when verifying user identities, saying a decentralized approach offers stronger security and more user autonomy. Competitors often require separate platforms for workforce and customer identity management, Maxey said, while a unified solution reduces complexity; expertise in orchestration and identity verification also sets the vendor apart (see: CEO Andre Durand on Why Ping, ForgeRock Are Better Together).

“Having all of your identities, any identity type – whether it’s employee, B2B, the complex relationships that we talked about, and your customers, their business customers or individual consumers – all managed from a single place, I think that we’re really uniquely positioned to do that,” Maxey told ISMG.

Gartner chided Ping for below average SaaS growth, subpar support in APAC and South America, having fewer features for small businesses, and above average pricing for workforce and partner cases. Maxey said the higher pricing reflects the value and complexity of Ping’s solutions, low SaaS growth stems from Ping’s commitment to deployment flexibility, and investments for APAC and South America are planned.

“With our deep expertise in identity, we really do focus on some of the more complex identity problems that organizations have, and a lot of larger enterprises have those,” Maxey said. “So that is where we made a lot of investment in, that expertise.”

Okta Takes on Emerging Threats With AI, Machine Identity Bets

Today’s corporate networks combine on-premises systems, cloud applications and APIs, a complex setup that has led to more identity-based cyberattacks and prompted investments from Okta in AI, machine identities and global interoperability, said Harish Peri, Okta senior vice president of product marketing. The company uses AI to monitor customer signals and proactively identify potentially risky activity, Peri said.

The company has extended its coverage to service accounts to address new attack vectors in environments where machine identities play a growing role, and has debuted authorization mechanisms to govern the access of AI agents and prevent unauthorized data use. Peri said the company has also worked with the OpenID Foundation to create a unified language for identity security across devices and workloads (see: Okta CEO: Fix Identity Security to Prevent Most Cyberattacks).

“Companies should not have to choose between subpar applications that are secure versus fantastic applications that deliver a great experience,” Peri told ISMG. “We believe that companies can choose the exact app that they want, and we can integrate into that to keep any of those extremely secure.”

Gartner criticized Okta for high prices, sales challenges, a high concentration of customers in North America and a lack of timely response to cybersecurity incidents. Peri said Okta is exploring bundled pricing or suites to enhance value perception, plans to expand internationally, has adjusted go-to-market strategies to address the growing role of engineering teams, and has boosted internal security efforts.

“We looked at what happened from our past incidents, and we said, ‘We have a double responsibility,'” Peri said. “We have a responsibility not just to put out the most secure products, but we also have responsibility as a cybersecurity company that is protecting our customers from some of the most heinous cybercriminals out there. And so we codified that with the Secure Identity Commitment.”

IBM Leverages Generative AI to Better Understand Identity Data

IBM has integrated generative AI into its identity and access management products to automate policy creation, threat detection and reporting, said Wes Gyure, IBM director of product management. The firm’s generative AI capabilities enable companies to make sense of vast amounts of data generated by diverse and often siloed identity systems, helping to detect anomalies and potential compromises, Gyure said.

Gyure said IBM differentiates itself from rivals through its hybrid licensing model, which allows clients to increase flexibility and cost-effectiveness by combining cloud and on-prem deployments under a single pricing structure. IBM can integrate seamlessly with existing identity tools, which he said is particularly valuable in environments where organizations face challenges from shadow IT and fragmented systems (see: 82% Leaders Find It Essential to Secure AI; Only 24% Do It).

“We provided a digital assistant which, utilizing natural language, can help them understand the types of threats that are attacking the identity system, as well as do ad hoc report generation across the system,” Gyure told ISMG. “It’s really about reducing the complexity for IAM administrators to both understand the environment in which they’re working as well as how they start to connect those pieces.”

Gartner criticized IBM for lacking brand recognition in identity, not being a good fit for the SMB market, being slow to obtain specialized government certifications, and not changing its cost model in recent years. Gyure said IBM is improving its marketing efforts, emphasizing the ease of deployment of its Verify SaaS solution, and streamlining the certification process to ensure consistency across its product portfolio.

“It’s not an uncommon perception people think IBM is extremely complex and extremely expensive,” Gyure said. “And so if you’re a small-to-midsized business, you have a perception that IBM can neither meet your needs nor meet your requirements for price. That is not true within the respect of Verify, but it is a common perception in market, and sometimes perceptions are reality.”
