Skip to main content
Table of Contents
< All Topics
Print

Will the Thoma Bravo portfolio become the next IAM/IGA Platform?

Published 28 February 2023

Abstract

Most large enterprises need to solidify their Identity and Access Management (IAM) platforms to be competitive, responsive and secure in a world that is becoming largely digital. To that end, this is the third in a series of research reports that provides independent analysis of the leading IAM platform providers. Our first report was on Microsoft’s Entra program, our second IAM platform report focused on Okta and this report focuses on three major IAM/Identity Governance vendors under the control of the private equity firm Thoma Bravo. Thoma Bravo is one of the largest software investors in the world with a 40+ year history and over $120 billion in assets under management as of Q3/22. The company made significant waves in the IAM software sector in 2022 by acquiring three foundational IAM companies that many of our enterprise customers have used over the years. They are:

  1. SailPoint: acquired for approximately $6.9 billion in August 2022.
  2. Ping Identity: acquired for approximately $2.8 billion.in October 2022.
  3. ForgeRock: acquisition to be completed in early 2023 for $2.3 billion, announced in November 2022.

In this in-depth report, we’ll review Thoma Bravo’s current portfolio of IAM and related products/services, then evaluate these offerings as specific IAM capabilities within the TechVision Reference Architecture for IAM. We’ll also explore how these assets can be optimized in building a next generation IAM/IGA platform. We close with recommendations for organizations considering Ping, ForgeRock or SailPoint as key, foundational vendors to support the execution of their IAM strategies.

 

Authors:

Doug Simmons

Principal Consulting Analyst

[email protected]

Gary Rowe

CEO/ Principal Consulting Analyst

[email protected]

 

Executive Summary

Thoma Bravo (TB) is one of the largest software investors in the world. Through its private equity, growth equity and credit strategies, TB describes their investment focus as growth-oriented, innovative companies operating in the software and technology sectors. They claim to have pioneered the “buy-and-build” investment strategy, and they first applied this strategy to the software and technology industries over 20 years ago. Since then, Thoma Bravo has acquired or invested in more than 420 software and technology companies representing over $235 billion of value.

Thoma Bravo made significant waves in the IAM software sector in 2022 by acquiring three foundational IAM companies that many of our enterprise customers have been familiar with for many years:

  1. SailPoint was acquired for approximately $6.9 billion in August 2022.
  2. Ping Identity was acquired for approximately $2.8 billion.in October 2022.
  3. ForgeRock was to be acquired in early 2023 for $2.3 billion, announced in November 2022.

Thoma Bravo’s buy-and-build strategy appears to differ from traditional private equity firm strategies that typically act as turnaround specialists: people who acquire “distressed” companies to save businesses, lay off employees, and then either save the business or sell it off in pieces. Conversely, the focus of Thoma Bravo’s buy-and-build strategy is to create more collaborative partnerships with good-but-not-yet-great performing companies.

TB’s first acquisition we are covering is SailPoint. SailPoint was founded in 2003 and is headquartered in Austin, TX. The company’s pedigree is noteworthy in that it was founded by members of the team that had founded a leading IAM software vendor, Waveset, which was acquired by Sun Microsystems – who were then acquired by Oracle and became a foundational piece of Oracle IAM suite that was very popular in the mid-2000s to mid-2010s. SailPoint focused on what then was considered an important niche within IAM – Identity Governance and Administration (IGA). As a result, SailPoint became one of the first notable pioneers and is a leader in the identity governance market and has an integrated set of cloud-based services that include compliance controls, separation of duties, access certifications, access modeling and recommendations, provisioning with workflows, password management, and cloud access governance and non-employee lifecycle management.

TB’s second acquisition we are covering is Denver-based Ping Identity; they have been an IAM market leader for over two decades and TechVision team members first worked with Ping Identity more than 20 years ago during the original “SAML federation era”. In the early 2000s, the Secure Assertions Markup Language (SAML) became the de facto internet standard for federated web single sign-on (SSO). Ping is now a leading provider of enterprise IAM software “serving more than half of the Fortune 100 and protecting over 3 billion identities. Of interest in the context of this report is the fact that Ping acquired a small but interesting startup called ShoCard in 2019, expanding their vision of customer centricity and the Decentralized Identity (DID) model.

The third acquisition is ForgeRock; the company was founded in Norway in 2010, by former Sun Microsystems employees after Sun was acquired by Oracle. ForgeRock is an identity and access management software company that develops commercial open-source identity and access management products for Internet of Things, customer, cloud, mobile, and enterprise environments. The ForgeRock acquisition is not yet finalized and there are questions as to whether the acquisition of Ping and ForgeRock may trigger a federal anti-trust investigation. TechVision believes that Thoma Bravo will be able to avoid such a development because we think there is reason to be optimistic that some combination of the best of the capabilities supported by SailPoint, Ping and ForgeRock will be brought to market with a similar passion Thoma Bravo has exhibited with most of their acquisitions. How this will occur remains to be seen, of course, but we have laid out in this report how these three popular IAM solutions may become an example of the sum of the parts being greater than the whole. On the surface, it may seem these three vendors compete head-to-head (especially Ping and ForgeRock), but our analysis shows that there are definitely strengths and areas of focus that each vendor possesses. Our view is that Thoma Bravo will do the following:

  1. Position SailPoint as the pre-eminent leader in IGA software and SaaS for the Enterprise IAM market (EIAM).
  2. Work with Ping to further their customer IAM (CIAM) SaaS offering to compete head-to-head with industry CIAM leaders SAP/Gigya, Akamai/Janrain and Okta’s Customer Identity Cloud (formerly Auth0). The ShoCard DID acquisition may play a key role in this direction.
  3. Focus ForgeRock more on the EIAM market by expanding their “lightweight IGA” and access management capabilities to work closely with SailPoint. This may bring a more palatable IGA solution to the EIAM market – both as software and as a SaaS, in that it may provide capabilities that span the complexity spectrum from simple to advanced.

Of course, we will be watching these developments very closely and will keep our customers clearly informed as these plans materialize and become public. If your organization is considering either of these three vendors – or already has one or more in operation, it will be important to follow Thoma Bravo’s strategy and subsequent actions. TechVision generally recommends a structured approach to such a critical infrastructure element like IAM and has developed a reference architecture that may be useful in evaluating the set of capabilities necessary for your future state IAM foundation. TechVision can help with this process. By doing this, you can better ensure portability of important IAM (and IGA) capabilities should product directions shift as we have estimated.

Introduction

Thoma Bravo is one of the largest software investors in the world with a 40+ year history and over $120 billion in assets under management as of Q3/22. It is the successor to the firm Golder Thoma & Co., which was established in 1980 by Stanley Golder and Carl Thoma. Currently, the estimated net worth of Thoma Bravo, LLC is at least $7 Billion USD.

Through its private equity, growth equity and credit strategies, TB invests in growth-oriented, innovative companies operating in the software and technology sectors. They claim to have pioneered the “buy-and-build” investment strategy, and they first applied this strategy to the software and technology industries over 20 years ago. Since then, Thoma Bravo has acquired or invested in more than 420 software and technology companies representing over $235 billion of value.

Thoma Bravo has been in the IAM space since the 2018 with a majority stake acquisition in Centrify, later sold in 2021 to TPG Capital (who then combined their own holdings of Thycotic with Centrify to form Delinea). Thoma Bravo made significant waves in the IAM software sector in 2022 by acquiring three foundational IAM companies that many of our enterprise customers have been familiar with for many years:

  1. SailPoint was acquired for approximately $6.9 billion in August 2022.
  2. Ping Identity was acquired for approximately $2.8 billion.in October 2022.
  3. ForgeRock was to be acquired in early 2023 for $2.3 billion, announced in November 2022.

While this report focuses on Thoma Bravo’s IAM acquisitions and subsequent portfolio, it is important to note that the company has a large number of cyber security vendors in its stable, as well. These include Barracuda, Imprivata, McAfee, ProofPoint, Sophos, TripWire, Venafi (machine identity management) and others.

Thoma Bravo’s buy-and-build strategy appears to differ from traditional private equity firm strategies that typically act as turnaround specialists: people who acquire “distressed” companies to save businesses, lay off employees, and then either save the business or sell it off in pieces. Conversely, the focus of TB’s buy-and-build strategy is to create more collaborative partnerships with good-but-not-yet-great performing companies. In their own words: “We are a passionate group of individuals who share one mission: to buy great software companies, spend time with them operationally and make them the best at what they do.”

That being said, there is reason to be optimistic that some combination of the best of the capabilities supported by SailPoint, Ping and ForgeRock will be brought to market with a similar passion. How this will occur remains to be seen. Before diving into this topic, however, we’ll assess the core capabilities and direction for SailPoint, Ping Identity and ForgeRock to provide a level set for our discussion, speculation, and enterprise recommendations.

SailPoint Overview

SailPoint was founded in 2005 and is headquartered in Austin, TX. The company’s pedigree is noteworthy in that it was founded by members of the team that had founded a leading IAM software vendor, Waveset, which was acquired by Sun Microsystems – who were then acquired by Oracle and became a foundational piece of Oracle IAM suite that was very popular in the mid-2000s to mid-2010s. SailPoint focused on what then was considered an important niche within IAM – Identity Governance and Administration (IGA). As a result, SailPoint became one of the first notable pioneers and is a leader in the identity governance market and has an integrated set of cloud-based services that include compliance controls, separation of duties, access certifications, access modeling and recommendations, provisioning with workflows, password management, and cloud access governance and non-employee lifecycle management.

IGA is an important segment within IAM because it focuses specifically on access control and answers the key question “who has access to what”? In most organizations today, application and system ‘owners’ / lines of business generally have the responsibility to manage access to their environments and data within, but this capability becomes extremely onerous as time progresses. This is largely the fundamental reason that the specialized segment of IAM emerged nearly 15 years ago. In a nutshell, IGA combines entitlement discovery, the decision-making process, and the access review and certification of access governance with the identity lifecycle and role management of user provisioning. For many organizations today, IGA has become a critical service that provides improved regulatory compliance, operational management, application integration, information security and overall access control integrity for an enterprise IAM program. We recommend reading the TechVision report titled “Establishing a Modern-Day Identity Governance and Administration (IGA) Framework” for a much more in-depth look at IGA, key vendors and deployment best practices.

SailPoint, as an early leader in the IGA space have well-established customers. These clients include (per SailPoint) eight of the top banks, four of the top five healthcare providers, six of the top seven property and casualty insurance providers and five of the top pharmaceutical companies.  SailPoint’s Identity Security Platform, an evolution of their IdentityIQ IGA suite – supports a wide variety of complex hybrid IT environments with unified identity and access management processes across cloud, mobile and on-premises environments.

Below is an illustration provided by SailPoint that shows how its IGA solution functions at a high level:

Figure 1: SailPoint’s IGA Architecture Overview (Source: SailPoint)

Perhaps one of the most important things to recognize from the illustration above is that SailPoint is enterprise (workforce) focused. While the other two IAM vendors we discuss in this report (Ping Identity and ForgeRock, respectively) have focused on both workforce and consumer IAM, this is not the case for SailPoint. That is an important distinction we will discuss later in this document.

The SailPoint Identity Security platform exists as a cloud based, subscription SaaS solution as well as a suite of software products its customers can deploy on premises or in their own hybrid environments. Its burgeoning cloud-based model can be thought of as IGA-as-a-Service. The various IGA services described below are deployed on Amazon Web Services (AWS) regions around the globe, including locations in Frankfurt, London, Montreal, Sydney, Tokyo and two in the United States. This deployment model provides a more highly available, multi-tenant SaaS environment, which is completely isolated from other regions, so that no data will be replicated, backed up, or stored in any other region.

The platform boasts artificial intelligence (AI) integration within its logic in order to assist in critical IGA capabilities such as Access Modeling, Access Insights and Access Recommendations. For anyone who has ever designed and deployed access control policies in a reasonably complex IT environment, these capabilities are crucial to helping codify runtime application and data access rules.

The SailPoint Identity Security platform also assists in the often time consuming and error prone role management tasks. With the help of machine learning (ML)-generated insights, its customers can build and maintain user roles a bit more thoughtfully and rapidly. Secondly, by using an AI-driven process to review, evaluate, and refine roles, enterprises can:

  • Grant and modify access appropriately for onboarding, internal transfer, and offboarding,
  • Create fewer, high-quality roles requiring less maintenance,
  • Continuously improve the veracity of existing roles,
  • Automate the analysis of user access patterns,
  • Support a least privilege model.

Access certifications are key to regulatory compliance for many organizations, especially those in healthcare, financial services and any field that relies on personal identifiable information (PII) that is protected by various privacy directives. Often, business managers often do not have the time or insight to review access properly and so they often bulk-approve access (i.e., “rubber-stamp”) to get the job done. By leveraging AI based access recommendations, reviewers using SailPoint can potentially make more informed access decisions and focus on the high-risk access that requires attention. These capabilities can go a long way to prevent audit issues by enabling more accurate access certification decisions. AI capabilities has (based on both what SailPoint has told TechVision and our observations) been a major area of investment and focus at SailPoint.

The SailPoint Identity Security platform also includes a popular tool called File Access Manager, which many customers use to govern access to sensitive and regulated unstructured data across applications, files, and storage devices — whether on-premises or in the cloud.

Because a viable IGA system must have visibility into numerous applications, systems and databases, the SailPoint Identity Security platform includes tools, connectors and workflow logic to help enterprises with access provisioning. They include out-of-the-box connectors for key target systems like SAP, ServiceNow, Microsoft Azure, AWS, Workday, ADP Workforce Now and many others in order to facilitate access provisioning. Similarly, a robust provisioning environment must have connectivity with source identity systems, such as HR environments to prompt identity lifecycle management activities in concert with IGA. In this way, the SailPoint Identity Security platform provides a reasonable end—to-end (i.e., source-to-target) access control lifecycle management ecosystem. This is especially true when customers make use of the SailPoint API to tailor their provisioning logic specifically to their own business processes.

Another major enhancement to the SailPoint suite is called SailPoint Cloud Access Management, which enables more informed IaaS access decisions, detect potential risks, and uniformly enforce access policies for all users. This allows enterprises to discover, model, manage, and govern access to cloud platforms, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). This feature helps enterprises certify and provision cloud infrastructure-as-a-service (IaaS) access for individuals, machines, and instances in the same way they govern and secure access for applications and data via SailPoint. We would be hard-pressed to find any IT leader that doesn’t struggle with access governance and compliance across a multi-cloud footprint.

Lastly, SailPoint announced in January 2023, that they had acquired SecZetta, a provider of third-party identity risk solutions. TechVision has written extensively about the challenges with governing modern IT infrastructure that is managed by numerous, often remote 3rd party managed service providers (MSPs) and similar 3rd party IT technicians, contractors and consultants. In fact, nearly half of today’s enterprises are comprised of non-employees, meaning these people often do not receive the same provisioning/de-provisioning and access governance/certification management as regular employees do. For a much more in-depth discussion on this topic, please refer to our document titled “Digital B2B Requires Updated IAM”.

With SecZetta, SailPoint will attempt to expand its capabilities to help companies gain better access visibility into all types of identities, across both employee and non-employee identities – from third-party contractors to temporary workers. We expect this acquisition will give enterprises the centralized approach to identity proofing required to fully validate non-employee identities across their businesses.

To get a first-hand perspective on the impact of the Thoma Bravo acquisition of SailPoint, TechVision was fortunate to be able to interview Matt Mills, SailPoint’s President of Worldwide Field Operations. In describing the IGA environment prior to the acquisition, Matt stated that this category has not had a lot of change and was “ripe for something”. He added that SailPoint has not changed their existing strategy or 5-year plan, but this acquisition gives them a lot more flexibility. Specific areas of focus include continuing to accelerate investments in AI and automation and he believes that this acquisition drives SailPoint’s mission to “discover, manage and secure all identities.”

Ping Identity Overview

Denver-based Ping Identity has been an IAM market leader for over two decades, with Andre Durand founding Ping Identity in 2002. His mission was to “secure the internet through identity.” We first worked with Ping Identity more than 20 years ago during the original “SAML federation era”. In the early 2000s, the Secure Assertions Markup Language (SAML) became the de facto internet standard for federated web single sign-on (SSO). Ping is now a leading provider of enterprise IAM software “serving more than half of the Fortune 100 and protecting over 3 billion identities.” Ping began investing several years ago to become a cloud centric IAM platform, building their own multi-tenant IDaaS offering and then tailoring their software to become more cloud workload centric in terms of extensibility, scalability, and resilience.

Ping’s PingOne Cloud Platform today provides key IAM capabilities including single sign-on (SSO), multi-factor authentication (MFA), centralized, fine-grained access control, identity verification, large-scale directory services, threat protection services, and no-code orchestration and integration capabilities, including out-of-the-box workflow templates for key identity use cases. Ping’s services can be consumed as multi-tenant SaaS, or single-tenant SaaS through PingOne Advanced services. Ping’s containerized software can be deployed and managed by customers in any environment (on-prem, cloud, multi-cloud). Ping’s SaaS offerings are packaged in two solutions:

  1. PingOne for Workforce
  2. PingOne for Customers

In the following sections, we dive a little deeper into the capabilities of each.

PingOne Workforce

Ping’s cloud identity solution for the workforce orchestrates adaptive authentication and access services to connect employees across multiple applications, directories, and any devices. This is to provide a centrally managed authentication authority, which acts as a hub for SSO. This hub is called an employee dock and it supports federated SSO via MFA, passwordless or password-based user authentication. The hub includes support for adaptive and contextual authentication policies to assess risk in the background and potentially reduce login friction. Ping’s high-level architecture for the authentication authority is shown below.

Figure 2: Ping Authorize/Authentication Authority Architecture Overview (Source: Ping)

Applications are onboarded to the hub via centralized management, self-service, and delegated administration interfaces. PingOne for Workforce offers DaVinci, a no-code identity orchestration engine, with a drag-and-drop interface, workflow templates and out-of-the-box connectors to a broad range of third-party business applications, including other identity and access management vendors. These connector integrations enable more simplified integration with SaaS or cloud applications such as Zoom, Slack, ZScaler, SAP, Microsoft Active Directory and so forth. Through DaVinci, Ping has more than 300 connectors, thousands of integration points, and guides customers with best-practice starting points through out-of-the-box workflow templates that customers can modify to meet their needs.

The PingOne for Workforce platform includes native support for popular identity standards including OAuth, OpenID Connect, SAML, SCIM, LDAP, RADIUS, HTTP, WS-Trust, WS-Federation, FIDO and JSON Web Tokens (JWT).

The directory service is a lightweight directory with SCIM and REST APIs that supports integration with Microsoft AD and 3rd party LDAP directories. Built on then UnboundID directory, it offers impressive scalability, including unlimited custom user attributes and responding with low latency and user profile synchronization with custom attribute mapping across multiple directories and user databases. The platform’s management console includes visual dashboards, performance reporting and audit trails.

PingOne for Customers

As we reported 18 months ago, Ping Identity had a reasonably strong Customer Identity and Access Management (CIAM) solution leveraging their traditional capabilities as well as the past acquisition of UnboundID. Given that more than half of their customers are in the Fortune 100, Ping has a strong footprint in the largest US banks, pharmas and retail organizations. The CIAM market share for Ping is growing around their Ping Cloud offering, which exists in both a public and private SaaS model and is built on the PingOne platform. They have a sizeable number of channel partnerships, including Accenture, PwC, Deloitte, Optiv – reporting over 300 such partnerships worldwide.

PingOne for Customers supports similar capabilities to its workforce centric version. These include:

  • No-code identity orchestration for rapid customer IAM deployment, encapsulated within their DaVinci toolset.
  • Centralized authentication services to connect a user to applications across on-premises, cloud-based, SaaS environments, enabling customer SSO and adaptive authentication across all integrated customer facing applications.
  • The ability to embed MFA in custom apps or use SMS or email one-time passwords (OTPs).
  • Developer “self-service” SSO integration and delegated administration for application teams to integrate with the PingOne CIAM platform more uniformly.
  • A single view of customers across all applications by unifying disparate customer identity silos and datastores.
  • Fine-grained, centralized authorization to enforce access to resources, data-sharing (including enforcing consent), and high-value transactions.
  • Identity verification services to ensure that digital identities are connected to real-world identities when necessary.
  • Threat protection capabilities that assess risk during authentication and beyond to protect against account takeover (ATO) and fraud.
  • Support for international data residency requirements with logic to store data in local regions (e.g., regional, non-Ping cloud or on-premises data centers).

Adaptive authentication features allow customers to link and manage trusted devices so they can securely login to applications using a face scan, fingerprint and other authentication methods. Using their mobile SDK, Ping’s customers can use their own branded mobile applications to enable passwordless sign-on without having to download or use a third-party MFA application.

Expanding their vision of customer centricity, Ping, who acquired ShoCard in 2019 is investing in Decentralized Identity/Verifiable Credential model. This culminated in the recent release of PingOne Neo which focuses on decentralized identity-based verified credentials and is now available for early access.

ForgeRock Overview

ForgeRock is an identity and access management software company that develops commercial open-source identity and access management products for Internet of Things, customer, cloud, mobile, and enterprise environments. The company was originally founded in Norway in 2010, by former Sun Microsystems employees after Sun was acquired by Oracle. At that time, Sun had created an open-source community for IAM development on its platform called OpenSolaris. This set of libraries was based on the very popular Netscape LDAP directory (later becoming Sun iPlanet Directory) that Sun had acquired a decade earlier.   The ForgeRock founders/former Sun employees used this open-source fork as the foundation for the development of the ForgeRock suite of IAM capabilities.

Today, ForgeRock offers a comprehensive IAM suite that includes a Web Access Management platform (OpenAM), Identity management/provisioning platform (OpenIM), an LDAP directory (OpenDJ) and an identity gateway/ API stack called OpenIG. ForgeRock also offers a Profile and Privacy Management Dashboard for compliance with the EU General Data Protection Regulation (GDPR) and provides support for the User-Managed Access (UMA) 2.0 standard. From an MFA standpoint, ForgeRock has been offering an SDK that can be integrated with its access manager, OpenAM for the past several years.

The ForgeRock Access Management solution (i.e., OpenAM) has four modules:

  1. Intelligent Access – this module supports centrally managed single sign-on services. Its authentication management integrates delegated authentication chains with many authentication methods supported by default. Authentication trees (see below) store authentication sessions in the client as a cookie, or in the CTS store. If the AM server goes down or the user is redirected to another AM while authenticating, the new AM server can obtain the authentication session and continue the flow. All authentication-related events are logged for auditing and reporting purposes.
  2. Authorization – this module assists in the creation of context-based policies with a GUI-based policy editor and REST APIs to control access to online resources. Resources can be URLs, external services, or devices and things. Authorization management supports managing policies centrally and enforcing them locally through installable agents, or through REST, C, and Java applications. Authorization management is extensible, making it possible to define external subjects, more complex conditions, and custom access decisions.
  3. Federation – This module enables extending SSO capabilities across organization boundaries based on federation standards such as SAML, Active Directory Federation Service (ADFS), OpenID Connect, OAuth and social login.
  4. User Managed Access (UMA) – This module consists of a consumer-facing implementation of the User-Managed Access (UMA) 2.0 standard. The standard defines an OAuth 2.0-based protocol designed to give individuals a unified control point for authorizing who and what can access their digital data, content, and services. For example, Developers can use this module to build a solution where end users can delegate access through a “share” button, and then monitor and change sharing preferences through a central dashboard.

Authentication Trees are made up of authentication nodes, which define actions taken during authentication. In this way, important functions such as ‘step up authentication’ can be invoked, such as when an end user attempts to access an application or service that is deemed higher risk. In this scenario, the end user would be required to re-authenticate with a stronger credential, such as MFA, including FIDO 2 web authentication. Authentication trees can also factor in geo-location, device type, and additional data/insights to tailor the authentication experience to the end user’s current environment. Lastly, progressive profiling can be enabled to gradually add the base of user information each time that user logs in. This can help to establish a common, standardized view of the end user that can both be used to enable more seamless access capabilities and determine anomalies in user behavior that might trigger an alert.

The ForgeRock Identity Management (OpenIM) solution has seven modules:

  1. Identity Synchronization – this module serves as the foundation for provisioning and identity data reconciliation. Synchronization capabilities are available as a service and through REST APIs to be used directly by external applications. Activities occurring in the system can be configured to log and audit events for reporting purposes.
  2. Self Service – This module can be used to allow end users to manage their own passwords and profiles according to predefined policies.
  3. Workflow – this module can be used to visually organize identity synchronization, reconciliation, and provisioning into repeatable processes with logging and auditing for reporting purposes.
  4. Social Identity – this module allows users to register and authenticate with specified standards-compliant social identity providers, such as Facebook and Google. These users can also link multiple social identity providers to the same account to establish a single consumer identity that can leverage the attributes collected from each user profile to authorize access to applications and resources, including lead generation tools.
  5. Identity Lifecycle and Relationship – This module provisions user identities into the ForgeRock Directory, and includes the capability to manage roles, relationships between identities, and entitlements.
  6. Access Request – This module helps users search for and request entitlements for themselves, as well as on behalf of other members of the organization. Users can also view the status of existing requests and act on pending work items. Requests can be automatically approved or can require one or more approvals.
  7. Access Review – This module provides user certification, role management, policy enforcement, and reporting.

The ForgeRock Directory Service (OpenDJ) serves as a foundation for LDAPv3 and RESTful directories. The Directory Service provides data replication to enable highly available directory services. It also offers fine-grained access control, password digests, encryption schemes, and customizable password policies. Data may be accessed using LDAP or REST with the same level of security constraints and access control. The Directory Proxy Server – an offshoot of the Sun Directory Proxy that was very popular in the 2000s, increases the availability of a Directory Service deployment, providing a single point of access to a large-scale distributed data store. The module offers a choice of strategies for request load balancing and failover.

The ForgeRock Identity Gateway IG integrates web applications, APIs, and microservices with the ForgeRock Identity Platform, without modifying the application or the container where they run. Based on reverse proxy architecture, IG enforces security and access control in conjunction with Access Management modules.

ForgeRock highlighted in their briefing with TechVision that they are ultimately cloud-enabling all of their software capabilities and are creating ‘turnkey’ solutions that are more easily deployed on their client’s cloud vendor of choice in highly available multi-zone Kubernetes clusters. TechVision has worked with several clients that have leveraged various elements as well as ForgeRock’s entire IAM suite with largely positive results. ForgeRock illustrates their Identity Cloud “architecture” below.

Figure 3: ForgeRock Identity Cloud (Source: ForgeRock)

The ForgeRock Identity Cloud solutions is comprised of two products:

  1. Identity Cloud as a Platform-as-a-Service (IDPaaS), – ForgeRock’s identity platform delivered as a service.
  2. ForgeRock Identity Cloud Express – a developer-focused, more lightweight SaaS solution for embedding identity capabilities into applications, such as social login and UMA.

The Identity Cloud allows customers to run their own full suite of IAM capabilities – from the user interface (UI) to the data store – as an isolated tenant. Via isolated tenancy, compute resources are never shared with other tenants, which can be a relief for enterprises that regulatory compliance constrained.

Now that we’ve combed over the key components of some of Thoma Bravo’s key IAM offerings within its portfolio, let’s see how these fit into the TechVision Research IAM Reference Architecture.

Thoma Bravo’s IAM Portfolio and the IAM Reference Architecture

There are a lot of capabilities within the Thoma Bravo IAM portfolio as we have just seen.  In this section, we will map the combined Thoma Bravo IAM capabilities with the TechVision Research Reference Architecture for IAM, which is a master template that identifies the IAM capabilities (rather than technologies) that can be improved or enabled, allowing business stakeholders and technical architects to achieve a common language for IAM functions. These functions can then be refined over time, and the purpose of the Reference Architecture is to maintain a “living, breathing” representation of the organization’s IAM strategy. Please note that considerably more information is available in the many TechVision Research documents that encapsulate the Reference Architecture for IAM within discussions about authentication, identity lifecycle management, IGA, and application development. The overarching TechVision Research document titled “IAM Reference Architecture” is recommended as a good starting point to gather more information.

­­­The following high-level template starts the IAM journey:

Figure 4: Top Level IAM Reference Architecture Template

These IAM capabilities are described at the highest level as:

Interact: Interact is a layer of user interaction (UI) and application programming interfaces (API) that simplify end user and application developer interaction with the rest of the IAM infrastructure. In this way, non-experts can follow the best practices of IAM without having to be experts in the field.

This allows the enterprise to:

  • Incorporate new security capabilities without having to reengineer applications.
  • Increase speed to market by removing security from the critical path of service development.
  • Enhance security through the automatic adoption of best of breed security and privacy components.
  • Decrease on-boarding friction by isolating complex security infrastructure through intuitive user interfaces.

From the Thoma Bravo perspective, the Interact layer includes capabilities from Ping, SailPoint and ForgeRock, via their exposed APIs related to these functions.

Access: Access is the layer that answers the “Who has access to what?” question. It ensures customers can confidently exchange information and get the services they need to buy and use your products. It ensures employees and partners have all the digital resources they need to get the job done, nothing less and nothing more.

This allows the enterprise to:

  • Ensure the right people have the right access to the right resources at the right time.
  • Protect the assets of the company and its customers.
  • Reduce productivity drains and costs caused when people can’t access the resources they need.

SailPoint focuses mainly on the reporting of “who has access to what?” via access certifications and remediation and overarching IGA capabilities. Both Ping and ForgeRock support the runtime capabilities of managing authentication and access control via policies – though both do support some IGA capabilities, they are not as mature as SailPoint’s, in general.

Change: Change manages the relationships between all the moving parts within the digital environment. Change establishes the connections between people, devices, applications, and data when they enter the environment, manages the connections while the relationship exists, and disconnects when access is no longer necessary.

This allows the enterprise to:

  • Establish and maintain the proper rights, entitlements, and restrictions in order to reduce your attack surface, because Users and their identities are the most vulnerable link in a network.
  • Orchestrate identity across device, network, and application boundaries because in the absence of the traditional security perimeter, identity is the common denominator across the entire digital environment.
  • Prevent toxic combinations through transparency of entitlements across business processes.

SailPoint, Ping and ForgeRock each support these capabilities through the data integration, synchronization and connector functions supporting identity lifecycle and workflows, IGA and self/delegated administration services.

Manage: Manage is where the administrators of the IAM platform upgrade, configure, tune, troubleshoot, document, and audit the platform and its components.

This allows the enterprise to:

  • Incorporate new security capabilities without having to reengineer applications.
  • Increase speed to market by removing security from the critical path of service development.
  • Enhance security through the adoption of best of breed security and privacy components.
  • Increase agility through isolating security software releases and patches to the underlying infrastructure components.

These capabilities are enabled by the SailPoint, Ping and ForgeRock’s inherent platform management, dashboard, configuration, and management capabilities.

Measure: Measure is the lens into the digital environment. It allows live behavior observation, anomaly detection, platform health checks, and deeper analysis of usage and threats. It also provides the audit and reporting capabilities necessary to prove you are performing your duty to protect.

This allows the enterprise to:

  • Understand behavior to improve the customer experience.
  • Detect vulnerabilities before they are crises. The costs of prevention are much less than the costs of a breach.
  • Prove compliance as required by law.

These capabilities are enabled by the SailPoint, Ping and ForgeRock’s inherent platform management, dashboard, configuration, and management capabilities.

Store: Store is the shared place where the identity profiles, attributes, and relationships are kept and maintained. It may be physically centralized or distributed and contains the map which defines “who has access to what?”, often in the form of an entitlements catalog or database.

This allows the enterprise to support two important groups:

  • For customers, it becomes the backbone for the entire customer experience; the customer data layer where all your interactions are captured.
  • For employees, it becomes a user-centric view of entitlements across the entire digital environment.

These types of capabilities are supported via the PingOne Directory/UnboundID and ForgeRock Directory Services/OpenDJ. SailPoint leverages enterprise directories, including Active Directory/Azure AD, and maintains its own entitlements database in conjunction with these general purpose, LDAP-oriented directories.

We will now dissect these IAM capability descriptions in more detail below.

Capabilities of the IAM Functional and Technical Landscape

Now, let’s look at the next level of the architecture, which we subtly tailor to identify the functional capabilities that are the foundation for a best-in-class IAM Reference Architecture. Each category is broken up into multiple capabilities at a level of greater detail. For example, interfaces can be for applications / developers (APIs, messaging services), lines of business/LOBs, self-service, or even robotic processes. This applies to each category and, based on stakeholder input, use cases and priorities can be further developed into Reference Architecture patterns or templates for specific services.

Remember, at this level the Reference Architecture is not focused on the actual implementation of things that carry out these controls. Rather it is a model of what the controls are, how they work, and how they interact to assure the utility of content.

It is important to understand that these functional capabilities consider all type of objects and use cases within the IAM foundation. As ultimately implemented, different enterprises enable different IAM capabilities in different ways to meet different protection needs. And they do so differently for different content and business functions because of the different risks and potential consequences associated with failures and costs associated with protection. And they may do so with hybrid solutions that simultaneously run on-premises and in the cloud. One size does not fit all.

The next layer of the TechVision Research Reference Architecture for IAM (see below) allows us to identify the IAM capabilities that are to be supported in the hybrid IAM infrastructure.

Figure 5: IAM Capabilities Within Reference Architecture

With this information, technical architects can rapidly zero-in on the current options (technology and process) their IAM architecture should encompass to achieve the required capabilities for the business. In the form of architecture considerations, each of the options available is then described in more detail to help identify the right approach for an optimal IAM architecture and deployment strategy. In the subsequent section, we’ll look at sample IAM Reference Architecture patterns and map them to some of the key capabilities enabled by Thoma Bravo’s SailPoint, Ping and (pending) ForgeRock.

Sample “Thoma Bravo” IAM Reference Architecture Patterns

Generically, the IAM capabilities are used as input to the development of the Reference Architecture pattern illustrated below:

Figure 6: Typical IAM Service Pattern

It is important to note that much of the overall IAM infrastructure supports or consumes the provisioning, workflow, and IGA processing output. For example, the “login service” in the upper left corner relies on the IGA policies, birthright access provisioning, workflow, and approvals and so on to be able to function appropriately and securely through the “App Dashboard” (PEP, for policy enforcement point) – which interacts during runtime with the access policy repository (PDP, for policy decision point), the enterprise Active Directory and/or Enterprise LDAP and the entitlements catalog.

Now, let’s take a look at this IAM architecture pattern when the enterprise determines that it wants to leverage one or more of the solutions within Thoma Bravo IAM portfolio.

Thoma Bravo IAM Portfolio Pattern Example

Below is an illustration of the “Thoma Bravo IAM portfolio” solution functions at a high level:

Figure 7: IAM Reference Architecture Using Thoma Bravo IAM Portfolio Capabilities

As this modified pattern shows, just about all the standard, required IAM capabilities as defined by our Reference Architecture are supported across the Thoma Bravo IAM portfolio. The administrative and self-service interfaces along with the associated service request/response workflows are supported natively by the various components of SailPoint’s, Ping’s and ForgeRock’s platforms.

Summary and Recommendations

SailPoint appears to be firmly in the enterprise (‘workforce’) IGA market. Saviynt is their closest competitor. Though Ping and ForgeRock have invested in IGA over the past few years, they are sometimes considered ‘lightweight’ IGA and lag behind SailPoint, who had almost a 10-year running start in the IGA market. But it should be mentioned that many of our customers have struggled to fully deploy SailPoint, as it can be complex, time consuming and costly. Therefore, a more lightweight approach to at least some aspects of IGA appears to be in demand.

Ping Identity has moved to becoming more consumer/CIAM focused. Competitors such as SAP/Gigya, Akamai/Janrain, to some degree Microsoft and ForgeRock are focused in similar areas. Evidence includes Ping’s SaaS cloud focus, which is very much consistent with SAP/Gigya’s Customer Data Cloud (CDC). Even more compelling may be Ping’s previous acquisition of ShoCard a few years ago, which would definitely lend itself to an industry-leading decentralized identity (DID) solution that appeals predominantly (at least initially) to the CIAM market.

ForgeRock might be considered a bit more EIAM centric, as their strengths have been very API and source code focused. Their lightweight approach to IGA may be a perfect fit for incorporation into the more advanced and complex SailPoint solution. Perhaps a merger between SailPoint and ForgeRock will make sense in order to get the best features of both solutions working together to be as formidable an enterprise IAM solution as key competitors like Microsoft and Okta. Ping could also provide value to its enterprise customers with greater IGA capabilities as offered by SailPoint.

Thoma Bravo’s buy-and-build strategy appears to differ from traditional private equity firm strategies that typically act as turnaround specialists: people who acquire “distressed” companies in order to save businesses, lay off employees, and then either save the business or sell it off in pieces. Conversely, the focus of Thoma Bravo’s buy-and-build strategy is to create more collaborative partnerships with good-but-not-yet-great performing companies.

That being said, there is reason to be optimistic that some combination of the best of the capabilities supported by SailPoint, Ping and ForgeRock will be brought to market with a similar passion. How this will occur remains to be seen, of course, but we have laid out in this report how these three popular IAM solutions may become an example of the sum of the parts being greater than the whole. On the surface, it may seem these three vendors compete head-to-head, but our analysis shows that there are definitely strengths and areas of focus that each vendor possesses.

Remember that while the ForgeRock acquisition is not yet finalized, it is important to consider that the acquisition of Ping and ForgeRock might trigger a federal anti-trust investigation. TechVision believes that Thoma Bravo will be able to avoid such a development.

Our view is that Thoma Bravo will do the following:

  1. Position SailPoint as the pre-eminent leader in IGA software and SaaS for the Enterprise IAM market (EIAM).
  2. Work with Ping to further their customer IAM (CIAM) SaaS offering to compete head-to-head with industry CIAM leaders SAP/Gigya and Akamai/Janrain. The ShoCard DID acquisition may play a key role in this direction.
  3. Focus ForgeRock more on the EIAM market by expanding their “lightweight IGA” and access management capabilities to work closely with SailPoint. This may bring a more palatable IGA solution to the EIAM market – both as software and as a SaaS, in that it may provide capabilities that span the complexity spectrum from simple to advanced.

Of course, we will be watching these developments very closely and will keep our customers clearly informed as these plans materialize and become public. If your organization is considering either of these three vendors – or already has one or more in operation, it will be important to follow the Thoma Bravo strategy. We will continue to update our clients as we gain additional as changes occur with respect to Thoma Bravo’s investments, strategy and execution in the IAM/IGA platform space. TechVision generally recommends a structured approach to such a critical infrastructure element like IAM and has developed a reference architecture that may be useful in evaluating the set of capabilities necessary for your future state IAM foundation. TechVision can help with this process. By doing this, you can better ensure portability of important IAM (and IGA) capabilities should product directions shift as have indicated.

 

About TechVision

World-class research requires world-class consulting analysts, and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have access to content. We know major technology initiatives involve many different skillsets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real-world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective.

TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the “hype” from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors in areas such as product and strategy reviews and assessments, requirement analysis, target market assessment, technology trend analysis, go-to-market plan assessment, and gap analysis.

TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.

 

About the Authors

Doug Simmons brings more than 25 years of experience in IT security, risk management and identity and access management (IAM). He focuses on IT security, risk management and IAM. Doug holds a double major in Computer Science and Business Administration.

While leading consulting at Burton Group for 10 years and security, and leading global identity management/security consulting at Gartner for 5 years, Doug has performed hundreds of engagements for large enterprise clients in multiple vertical industries including financial services, health care, higher education, federal and state government, manufacturing, aerospace, energy, utilities and critical infrastructure.

Gary Rowe is a seasoned technology analyst, consultant, advisor, executive and entrepreneur. Mr. Rowe helped architect, build and sell two companies and has been on the forefront the standardization and business application of core infrastructure technologies over the past 35 years. Core areas of focus include:

Identity and Access Management, business/technology trends, cloud computing, security/risk management, privacy, innovation, AI, new IT/business models and organizational strategies.

Prior to starting TechVision Research he was President of Burton Group from 1999 to 2010, the leading technologyinfrastructure research and consulting firm. Mr. Rowe grew Burton to over $30+ million in revenue on a self-funded basis, sold Burton to Gartner in 2010 and supported the acquisition as Burton Co-President (now Gartner for Technical Professionals) at Gartner.

Tags:

We can help

If you want to find out more detail, we're happy to help. Just give us your business email so that we can start a conversation.

Thanks, we'll be in touch!

Stay in the know!

Keep informed of new speakers, topics, and activities as they are added. By registering now you are not making a firm commitment to attend.

Congrats! We'll be sending you updates on the progress of the conference.