With 1) SalesForce and other large SaaS vendors announcing grandiose plans for cloud IAM, not just for access control but also provisioning and 2) long-standing IAM 'arms suppliers' extending into the cloud (CA CloudMinder, SailPoint) we are already seeing pureplay cloud IAM players (Okta, OneLogin, Ping, etc.) starting to scratch their heads as to how to deal with the pressure. 


Forrester expects that we will see the following in the next 12-18 months:

1) Wave of acquisitions of cloud IAM providers. Those IAM vendors (SAP, Oracle, NetIQ, Quest, McAfee, RSA and even Symantec and Cisco etc.) that have not yet built an IAM framework or don't have on-premise IAM products they could turn into a cloud service will probably want to get into the game sooner rather than later. This will start a wave of acquisitions of cloud IAM providers. Now is the time to acquire and to get acquired in the cloud IAM space.

2) Moving of user stores into the cloud. We predicted this in 2012, but it's becoming a reality now. It is increasingly clear that on premise user directories (AD, LDAP, etc.) are starting to be only used for basic services and there is a great need for cloud based directories to support an increasing number of SaaS applications. Cloud IAM vendors we talk to (UnboundID and Okta) have announced plans to help customers with this migration.  SalesForce.com OEM agreement with ForgeRock to create SalesForce Identity Connect is the first step in this direction. Identity bridges or connectors which connect on-premise user stores to the cloud provider’s user store will play a critical role and be the hardest first step in this transition.  

3) Focus on customer facing and business partner facing IAM use cases. After solving pressing inside-out authentication challenges (“how do my employees access our SaaS apps in a coherent and coordinated way”), we are seeing cloud IAM providers getting into the trust broker model for B2B and B2b (small business user) management. As companies face mounting challenges with customer identity and not just access management, cloud IAM providers are a great position to provide shrink-wrapped IAM solutions to any organization with external facing identity management needs. See Eve’s Brokered Cloud Identity document for more details.

4) Moving beyond SSO to identity provisioning and administration. We hear from all cloud IAM providers that they are planning to create connectors for provisioning into and access governance of on-premise applications and provide much more customization of workflow and identity administration processes. CA's CloudMinder is a great position to lead and we expect that other legacy IAM suites providers will also venture into this space – not just partnerships but offering their own branded IAM services.

Your friendly IAM analysts: 

Andras and Eve