In looking at the current state of IAM, older identity and access management (IAM) solutions continue to be a viable for enterprises, however, a shift to the cloud is a time for mature organizations to evaluate new IAM solutions. Leading providers in
the space have advanced and broad capabilities that may offer better mid- to long-term options for organizations considering a new approach.
Changes in the IAM Landscape
We see some definitive shifts in IAM occurring in the marketplace. In the past, IAM encompassed centralized authentication, single sign-on (SSO), session management and authorization enforcement for target applications (often tied to some role/privilege
management).
While this has not changed, modern IAM solutions also include adaptive and contextual authentication (which allows context, such as a user’s specific mobile device or location, to dynamically update authentication options or requirements) and support
for modern identity federation/integration protocols such as SAML, OAuth2 and OpenID Connect (OIDC). All these features are important for improving federation and cloud service integration, as well as reducing the risk of attacks with an increasingly
mobile workforce.
With the shift to hybrid cloud and widely expanded types of end-user access models, IAM solutions increasingly also encompass:
- Basic user self-service identity administration, such as self-service registration and profile management.
- API authentication and authorization (using OAuth and OIDC primarily).
- Password management.
- Basic identity and directory synchronization.
- Social ID integration (less common).
READ: Centralized IAM Best Practices
IAM Provider Options
Several IAM providers could be serviceable for a mature organization that needs a broad suite of IAM capabilities, relative ease of use and deep integration with both on-premises and cloud-based systems and services. Highly regulated organizations can also consider:
Okta: Okta provides a software-as-a-service (SaaS)-delivered IAM solution that includes deep authentication and adaptive authentication capabilities, as well as SSO, directory services, multifactor authentication (MFA) and broad API support. Okta also provides threat intelligence and much-improved session management, along with a relatively recent reverse proxy solution for integrating legacy and non-standard applications.
Microsoft: Azure Active Directory (AD) is highly capable within Microsoft and more support for third-party applications and services is emerging all the time. Licensing can also be somewhat complex, but the pace of updates and new capabilities, particularly in Azure AD adaptive and contextual authentication through
conditional access rules, is good.
Ping Identity: Ping is considered among one of the most complete solutions available today, however, depending on your business' needs you might have to buy numerous packages to get there. Ping also offers threat intelligence and robust directory services
Other service providers also offer relatively complete IAM portfolios, including IBM and Oracle, with other options in the form of solutions from ForgeRock and OneLogin.
READ: How to Create an Effective IAM Program
Moving to a New IAM Solution
When considering a move to a new IAM solution, organizations should be careful to thoroughly evaluate all the different use cases currently in place for application and user access and authorization. Federation, SSO and application integration to cloud
services are now priorities, and flexible options with MFA and mobile access are also key considerations. We suggest taking the following into account:
- Identifying all end-user and enterprise use cases: Enterprises often have a wide variety of legacy and newer IAM scenarios to consider, so be thorough.
- Considering feature maturity: IAM is a large, complex area, and most providers are better at some things than others. Carefully evaluate how well each provider can handle the myriad requirements of a comprehensive IAM platform.
- Comparing on-prem to SaaS: In short, many SaaS (IDaaS) options aren’t up to par with the on-prem alternatives offered by providers with traditional on-premise solutions.
Looking at both financial and operational costs for each solution. Be sure to ask providers what the expected deployment and maintenance overhead will be because these can be significant.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.