2018 Executive View Evidian Identity Access Management

KuppingerCole Report

EXECUTIVE VIEW by Richard Hill | September 2018

Evidian Identity & Access Management


With the continually evolving security requirements and challenges IT faces today,
the capabilities of IAM must also advance to keep up. Evidian meets these
modern IAM requirements by integrating Identity Governance and
Administration, and Analytics & Intelligence into their IAM suite.

by Richard Hill
rh@kuppingercole.com
September 2018

Content

1 Introduction
2 Product Description
3 Strengths and Challenges
4 Copyright

Related Research
Executive View: Evidian Enterprise SSO - 70823
Leadership Compass: IAM/IAG Suites - 71105
Leadership Compass: Identity Provisioning - 71139
Leadership Compass: Adaptive Authentication - 71173

KuppingerCole Executive View


Evidian Identity & Access Management
Report No.: 70872
1 Introduction

Identity & Access Management has come a long way since the inception of directory services and it is
still actively evolving.
KuppingerCole’s view of IAM over time begins with an IAM whose primary purpose was to prevent
unauthorized access to secure resources. With its focus on access administration, the IAM core
technology started to include Identity Provisioning as well as the core capabilities to authenticate,
authorize and audit.
A further generation of IAM not only tried to prevent unauthorized access to a resource, but it also
added the capability to detect it. Access Governance was included as a core technology for IAM with a
focus on administration with business participation, and the ability to detect was partially due to
integrations with Security Information and Event Management (SIEM) products making its way onto the
stage.
In this latest iteration, IAM adds to its ability to prevent and detect by also providing the ability to
respond to security threats. New IAM technologies included Access Analytics and Intelligence.
Analytics gives the ability to perform data analysis of historical data and uncover trends or patterns that
can be used to improve the decision-making process, while Intelligence gives the ability to make access
decisions that can be acted upon based on the patterns and trends found through data analytics.
Together, access analytics and intelligence provide the ability not only to detect, but also to respond to
unauthorized access attempts. These new capabilities helped to fulfill the requirements of not only
business but governance, compliance, and administration too. Integrations with Adaptive
Authentication & Authorization, Real-Time Security Intelligence, Software Defined Environments and
Privilege Management also need to be supported by IAM today.
As the landscape of information security threats changes, so do the IAM capability requirements.

Figure 1 – Reference Architecture – IAM Building Blocks

Founded in 2000, Evidian is the Identity and Access Management (IAM) software suite of Atos Group.
Atos Evidian has more than 900 customers with over 5 million users within the Financial Services,
Manufacturing, Retail, Transport, Telecom, Media, Utilities, and Public Health sectors.

2 Product Description

Evidian Identity & Access Management is a mature solution providing the IAM capabilities needed to
prevent, detect and respond to the current IT information security challenges. The IAM suite offers both
on-premises and cloud deployment options and offers an integrated modular system which includes:
• Authentication Manager
• Enterprise SSO
• Web Access Manager
• Analytics and Intelligence
• Identity Governance and Administration

Authentication Manager
The Evidian Authentication Manager module of their IAM suite covers multiple assurance levels of
authentication. At the most basic and lowest assurance level, username & passwords are supported as
well as knowledge-based questions and answers authentication.
Evidian also offers a self-service password reset tool called QRentry, which can be downloaded onto a
smartphone and used when a user loses their password or smart card for example. This allows them to
unlock their PC by scanning a QR Code at login using the QRentry mobile application which generates a
one-time passcode.
Beyond username/password authentication, Evidian offers authentication at higher levels of assurance
by providing a range of strong Multi-Factor Authentication (MFA) methods, which include:
● Smart Card (with or without certificate)
● Secure USB (with or without certificate)
● RFID Badge & PIN (also NFC compliant)
● OTP (SMS, E-mail, or Push Notification)
● QRentry
● Finger Vein
● Finger Print
● Wearable Devices (RFID, Bluetooth)

For smart cards, the Authentication Manager can manage the entire card life cycle including card assignment,
replacement, blacklist, data, and certificates. Other MFA management options support the management
of centralized access policies, group-based authentication profiles, and centralized auditing of user
access attempts.

In addition to their MFA options, Evidian Authentication Manager also provides Fast User Switching
capabilities that provide a personalized session in shared workstation environments (e.g. public
workstations at hospitals, manufacturing plants, etc.) and, conversely, centralized authentication
across several workstations used by the same user (e.g. traders).

Enterprise SSO

Evidian’s Enterprise Single Sign-On (SSO) module of their IAM suite provides secure access to
applications from desktops and mobile devices. Their SSO capability allows the user to conduct a single
authentication to access applications that are either internal or external to the organization. The
authentication methods are the same as listed above in the Authentication Manager section of this
report, such as password, smartcard, or biometrics.
The Enterprise SSO can also be extended to provide SSO capabilities to both Android and iOS mobile
devices, Mac OS workstations and Windows for workstations/servers.
The mobile SSO features include automatic password entry for user applications as well as their eWallet
that can store a user’s confidential data.
Account delegation is also supported, which allows users to delegate their access to each other within
the boundaries of the organization’s security policies.
IT can also benefit from the combination of the Authentication Manager and the Enterprise SSO
components to perform automation of password management tasks.
Web Access Manager
Evidian’s Web Access Manager (WAM) module gives Identity Federation and policy-based authorization
capabilities to the IAM suite offering.
Evidian WAM can allow for the use of multiple user directories simultaneously and supports LDAP,
Active Directory, and ADLDS directories.
Identity federation protocols such as SAML (v1 & v2) as well as OpenID Connect can be used for Web or
Cloud SaaS applications. Federated connections to other WAM systems via SAML, WS-Federation, OIDC,
and OAuth are also possible.
Evidian WAM is also capable of performing OAuth/OpenID Connect based API authentications. It
also supports mixed SAML and OpenID Connect use cases, where a user is primarily authenticated
with SAML and then given access to the target API using an OAuth token.
The WAM authentication methods include basic HTTP auth, X509v3 certificates, Kerberos, RADIUS in
addition to the other authentication methods outlined earlier in this report, as well as support for social
logins such as Facebook, LinkedIn, Twitter, and FranceConnect.
Their WAM component includes Context-Aware Authentication. Their Adaptive Authentication can
evaluate common risk factors, such as device fingerprint, time of day/week, IP address, geo-location,
geo-velocity, as well as user attributes.
An interesting capability is support for dynamic authorization management. The IAM suite contains an
XACML based authorization server as a Policy Decision Point (PDP) and a centralized policy repository
that provides fine-grained access control, to which their WAM can be connected. The PDP is fully
SAML 2 and XACML 2 compliant and provides a RESTful Java API to allow Policy Enforcement Point (PEP)
integrations. Evidian also supports the more traditional role-based access control model.

Analytics and Intelligence
Evidian Analytics and Intelligence (A&I) module is integrated with the rest of its IAM suite (IGA,
Enterprise SSO, Authentication Manager and Web Access Manager) and uses analytics to track trends in
user access and entitlements, giving an overall view of risks and suspicious events. Evidian A&I collects
data from the components of the IAM suite to provide actionable information to support compliance (e.g.,
GDPR), security policies and to meet an organization's risk management objective. A web dashboard is
provided that can give an overall or ad-hoc view of the analyzed data. Audit analysis capabilities are also
available through the use of the audit database. Reports can be generated in formats such as PDF,
CSV, XLS, XLSX, DOCX, RTF, HTML, ODT, ODS.

Identity Governance and Administration


Evidian’s Identity Governance and Administration (IGA) capabilities cover the areas of IAM identity,
access, policies, and processes. Earlier versions of their IGA provided the ability to conduct access
certification campaigns by user & organization, organization lifecycle management, and business
context inheritance. More recently IGA has extended its capability by adding the ability to direct access
certification campaigns by user application and permissions as well, providing an additional set of
governance reports, and organization-based life cycle process parametrization (mutualization). Their
access analytics and intelligence have also become more integrated with their IGA capability. Evidian
IGA also provides ready-to-use workflows, AD provisioning, and an Office 365 connector, among others.
Integration with customer environments is possible with ITSSM Integration Toolkit, as well as
provisioning connectors to CyberArk and Wallix PAM tools.

3 Strengths and Challenges

Evidian has a comprehensive portfolio in the area of Identity & Access Management.
The Evidian Authentication Manager module of their IAM suite provides a good list of authentication
MFA methods as well as a more unique, yet useful QRentry tool for self-service password resets.
Evidian’s Enterprise SSO gives users access to their applications using consistent authentication methods
provided by their Authentication Manager module, which demonstrates good integration between most
of the components in their IAM suite. User account delegation and possible automation of account
management tasks are also provided as well as the extension of SSO to mobile devices with features like
their eWallet data vault.
The Evidian Web Access Manager component offers a mature Adaptive Authentication capability with
its risk engine able to evaluate common risk factors, although more advanced user behavioral analysis is
currently unavailable. Evidian WAM can act either as a federation IdP or as a reverse proxy.
The use of analytics and intelligence is an expected extended capability in modern IAM solutions.
Evidian provides an integrated analytics and intelligence capability with the other modules in their IAM
suite. It provides a user-friendly web interface, reporting, and auditing.

Identity Governance and Administration (IGA) is another capability that is becoming core to IAM.
Evidian’s IGA is continuing to evolve by providing more capabilities and integration with their access
analytics and intelligence.
Evidian has a significant number of system integration partners within Europe, but few in other regions.
Overall, Evidian delivers a well-rounded offering and has kept current with the evolving IAM capabilities
organizations expect today.

Strengths

● Good MFA options
● Support for social logins
● Supports dynamic authorization
● Good SSO features for both desktop, mobile and Cloud
● Access analytics and intelligence
● Comprehensive IGA capabilities
● Modular architecture with strong integration between components (e.g. Auth Mgr., SSO, WAM, IGA, A&I)

Challenges

● FIDO support not currently available but planned
● Cyber threat intelligence integration is currently unavailable but is on their roadmap
● Limited presence and partner ecosystem outside Europe

4 Copyright

© 2018 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden unless
prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole’s initial
view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to
refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of
this information. Even if KuppingerCole research documents may discuss legal issues related to information security and
technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such.
KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion
expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks
of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

The Future of Information Security – Today

KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in
relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand
vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions
essential to your business.

KuppingerCole, founded in 2004, is a global Analyst Company headquartered in Europe focusing on
Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise,
thought leadership, outstanding practical relevance, and a vendor-neutral view on the information
security market segments, covering all relevant aspects like: Identity and Access Management (IAM),
Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well
as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting,
Governance, and Organization & Policies.

For further information, please contact clients@kuppingercole.com

KuppingerCole Analysts AG
Wilhelmstraße 20-22
65185 Wiesbaden | Germany
Phone +49 (211) 23 70 77 – 0
Fax +49 (211) 23 70 77 – 11
www.kuppingercole.com
