Identity and access management (IAM) systems allow organizations to manage identities and access rights for different systems and programs through one central platform. The two most dominant product categories of IAM software are data governance solutions and more complex enterprise IAM solutions.
In this article, we are going to compare both options and examine which IAM system is best suited to which business type. Read on to learn which IAM tool is the right fit for your organization.
The term “IAM software” does not refer to a specific product or a specific set of features. While most IAM solutions cover a similar set of core functions, different products will offer a slightly different set of features, plugins and tools.
What all Identity Access Management tools have in common, however, is that they help companies manage users and privileges efficiently. In many cases, this applies not only to internal privileges, but also to external ones (partner, supplier, client privileges).
IAM software is built on digital user identities. Its main focus is authenticating and authorizing users in the local network (and in the cloud) and managing the privileges associated with these users both in the company network and in external applications.
All IAM tools strive to provide one thing: security. By offering a central platform for managing access rights in all systems, they help you eliminate security risks posed by unnecessary permissions, while also freeing you from the workload involved with tracking and changing privileges for each individual application.
IAM Software and Active Directory Integration
As 99.9 percent of IT departments currently run on Microsoft® Windows, it is absolutely essential that your IAM software integrates smoothly with the Microsoft infrastructure. A connection with the Active Directory is necessary, as otherwise you will not be able to standardize and automate frequently used functions and processes.
Without an interface between your IAM software and Active Directory and other on-prem services, such as Exchange and SharePoint, your IAM product will not be able to adequately model any joiner-mover-leaver processes. Integration with Microsoft’s infrastructure is also necessary to guarantee optimal user lifecycle management.
IAM Software Must Be Cloud-Compatible
Microsoft’s cloud-only or cloud-first approach has once again raised the bar for IAM systems. Whereas in the past all services ran on premises and “only” had to protect data within the corporate network, most companies today rely on various cloud services.
To ensure users are able to continue accessing data and programs as they work from home, many companies have chosen to either move their infrastructures to the cloud entirely or have at least expanded their use of cloud applications. Modern Identity Management systems now have to cope with these new and considerably more complex IT structures:
Hybrid environments: IAM software must support hybrid environments that use both on-premise systems and SaaS applications.
Internal and external access management: IAM software must enable organizations to manage not only their internal users’ permissions, but also those of employees working from home and various freelancers and external contractors who need access to company files.
Operating systems: IAM software must facilitate centralized access management for IT architectures where different operating systems and/or end devices are in use (e.g., UNIX, Windows, iOS, Android, Apple devices).
Azure AD Integration
A modern IAM system must guarantee automated and policy-compliant management of privileges, both within your corporate network and in the cloud. With this in mind, you must understand that the connection between your chosen IAM software and your on-premises AD is just as important as a connection to Azure AD.
Azure AD is Microsoft’s cloud-based directory service in which you can manage the permissions and identities of your Microsoft services as well as external SaaS (Software as a Service) applications. However, to be able to do this, you usually need the Azure Portal or PowerShell. Unless…
…you have an IAM solution with an interface to Azure AD and other cloud services such as Exchange Online and Sharepoint Online. This will save you from having to take the detour via the Azure Portal or PowerShell.
What ultimately sets apart different IAM solutions is their unique feature set. The range of different tools and functions that IAM products provide is vast: The sky really is the limit here. However, while certain sparkly and shiny features might sound good on paper, it is important to ask yourself which of these options you actually need. Quite often, the features provided are simply not applicable or necessary at all.
To give you an idea of the core features most IAM solutions will provide, this list will give you a brief summary of each individual function:
Feature | What It Does
Authentication | The user must be able to prove their identity. This can be achieved using a combination of username and password (e.g. during login), biometric data (e.g. fingerprints), keycards or tokens. The latter three are mostly used by larger enterprise solutions. A combination of password/PIN and a physical object such as a keycard is known as two-factor or multi-factor authentication (MFA).
Authorization | After successful authentication, the user is granted certain rights as part of the authorization process. Authorization determines which resources users will have access to in the network. This applies to systems, applications, data, shared elements, etc. The rights themselves are assigned as part of the provisioning process.
Provisioning | Provisioning takes place on the basis of workflows and policies and is the process in which resources, such as user accounts and privileges, are created and/or assigned to users automatically.
Single Sign-On (SSO) | SSO means users only have to authenticate themselves once. This one-time authentication is then valid for a variety of systems. Users do not have to sign in to every application or system individually.
Identity Federation | Identity federation ensures that identity information can be exchanged between parties across technical boundaries (e.g., between PCs and the cloud). To do this, both sides must be able to explicitly identify the user in question, even if the username used on either side is different.
Self-Service | Users can submit requests for resources and services themselves via a self-service portal. Such requests may include privileges, changes to user data or password resets.
Data Ownership | Data ownership offers the option of appointing managers/admins, also referred to as data owners, who are in charge of certain resources and have the authority to decide who should get access to these resources and who should not. Any changes to access privileges are to be implemented via approval workflows.
Workflows | In IAM software products, workflows control processes. Generally, there are two types of workflows: approval workflows and provisioning workflows. The former is the process in which the person responsible for a resource (data owner) must decide whether access to this resource shall be granted or rejected. Provisioning workflows, on the other hand, set technical processes in motion which provide access to the resource once the data owner has approved it.
Role-Based Access Control (RBAC) | Role-based access control ensures users are automatically given the privileges they require for their position. Roles also ensure these privileges are automatically removed once they are no longer needed. Roles are determined and used on the basis of an organization’s structure.
User Lifecycle Management | The term user lifecycle management means that permissions are monitored and managed automatically for the entire duration of a given user’s employment (i.e. from joining to leaving date).
IAM Software and Compliance
Cybersecurity and the protection of sensitive data is governed by increasingly strict regulations, from industry-specific security standards like TPISR and TISAX to national and international legislation like HIPAA, the SOX Act or the GDPR.
Many of these compliance regulations require companies to actively manage user privileges and ensure that access to critical data is granted based on the Principle of Least Privilege. Additionally, businesses are required to regularly review existing permissions and document all relevant changes. These records are used to show compliance during audits.
Even in mid-sized companies, manually tracking and managing all the permissions needed for daily operations is a time-consuming and error-prone process. An IAM solution helps you achieve your compliance goals by automating many of the tasks involved through full documentation or notifications for user access reviews.
IAM Software Solutions Compared
The market for identity and access management software solutions is rapidly expanding. However, overall there are basically two product categories of IAM software, each of which is aimed at different target audiences:
Simple data governance solutions
Advanced enterprise solutions/IAM suites targeted at large corporations
Data Governance Software
The main focus of data governance solutions is managing unorganized data. Data governance solutions bring temporary order to your file servers and help automate certain operations. However, when it comes to standardizing and automating workflows, you quickly reach their limits.
The better option here would be a solution with a connection to the HR database. Creating a new user would then automatically trigger joiner-mover-leaver processes in all connected systems.
Why Is User Lifecycle Management Important?
As the name indicates, ULM is about managing user lifecycles, from start to finish (i.e. joining to leaving date). ULM ensures that users are equipped with the accounts and permissions they need at any given stage during their time at the company.
ULM also ensures that users never have more permissions than they need to perform their jobs. This approach is known as the need-to-know principle or Principle of Least Privilege (POLP). ULM further ensures that:
user identities are created.
privileges are assigned and revoked.
user accounts are deactivated.
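To make the joiner-mover-leaver cycle and the least-privilege rule above concrete, here is an added example (not tenfold's code and not tied to any real IAM product) that reconciles a user's effective privileges against their roles at each lifecycle stage and records every grant and revocation for audit. The role model, privilege names and approved individual grants are constructed sample data; the point it shows is that a mover does not keep the privileges of the old position unless reconciliation revokes them.

```python
from dataclasses import dataclass, field

# Constructed sample role model (an assumption, not taken from the article):
# each role lists the privileges that position needs, nothing more.
ROLES = {
    "all_staff": {"mail", "intranet"},
    "sales": {"crm_read", "crm_write", "share_sales"},
    "finance": {"erp_read", "share_finance"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    exceptions: set = field(default_factory=set)  # individual grants approved by a data owner
    privileges: set = field(default_factory=set)  # what the user effectively holds
    active: bool = True
    audit: list = field(default_factory=list)     # change log for access reviews


def desired_privileges(user: User) -> set:
    """Least privilege: roles plus explicitly approved exceptions; nothing for a leaver."""
    if not user.active:
        return set()
    wanted = set(user.exceptions)
    for role in user.roles:
        wanted |= ROLES[role]
    return wanted


def reconcile(user: User) -> set:
    """Provisioning workflow: grant what is missing, revoke what is no longer justified."""
    wanted = desired_privileges(user)
    for priv in sorted(wanted - user.privileges):
        user.audit.append(f"grant {priv} to {user.name}")
    for priv in sorted(user.privileges - wanted):
        user.audit.append(f"revoke {priv} from {user.name}")
    user.privileges = wanted
    return user.privileges


def joiner(name: str, roles) -> User:
    user = User(name, set(roles) | {"all_staff"})
    user.audit.append(f"create identity {name}")
    reconcile(user)
    return user


def mover(user: User, new_roles) -> set:
    """Position change: old role privileges are revoked, new ones granted."""
    user.roles = set(new_roles) | {"all_staff"}
    user.audit.append(f"move {user.name} to roles {sorted(user.roles)}")
    return reconcile(user)


def approve_exception(user: User, priv: str) -> set:
    """Data-owner approval of one individual privilege alongside the role model."""
    user.exceptions.add(priv)
    user.audit.append(f"data owner approved {priv} for {user.name}")
    return reconcile(user)


def leaver(user: User) -> set:
    user.active = False
    user.audit.append(f"deactivate {user.name}")
    return reconcile(user)
```

Run the audit list through your review process: every revoke entry on a mover is exactly the permission creep that manual, decentralized management tends to leave behind.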
Enterprise Solutions/IAM Suites
Enterprise solutions or IAM suites are highly complex. However, this should not be perceived as a negative attribute! Identity Access Management suites at this level are designed to meet the demands of large corporations with highly complex structures. Theoretically, enterprise solutions are able to model any number of processes and complicated functions. For a more detailed overview of what can be done with IAM solutions in enterprise environments, read this article.
Look out though! While the prospect of having access to an unlimited palette of functions and features may make your eyes water with excitement, you should keep your hat on for now. Just because you have all the features does not mean you will actually be able to put them to good use. Read on to learn why.
Companies Just Don’t Know What They Need
For a long time, Identity Management tools were eyed with great suspicion by the IT world. The reason being that there were numerous horror stories circulating – of companies who had invested great deals of time and money into implementing an IAM product that they were then unable to use productively.
But don’t let these ghost stories get the better of you. We now know that the main reason why projects fail is that businesses are unaware of what they actually need and end up choosing the wrong product. And by wrong, we mean software not suited to the company’s structure and scale.
Medium-sized companies especially should carefully examine the functional scope of their preferred IAM solution and check whether the product can be integrated into their existing infrastructure and made ready for use within a reasonable time (and financial) frame.
Let’s assume a mid-market company opts for a data governance solution because it wants to solve issues it has been having with permissions on their file servers. The software swiftly goes about bringing order to the file servers. However, this newfound peace doesn’t last very long because all the software has done is address the symptoms of the problem and not its root cause: decentralized access management.
Data governance solutions are simply not complex enough for midsize companies. They are unable to model processes, policies and roles in such a way that it would lead to real and lasting improvement.
Enterprise IAM: Too Complex
Sophisticated IAM suites, on the other hand, have the opposite problem. These products are not designed to be deployed quickly and in adherence with best practices.
Enterprise access management suites often consist of several individual products, the implementation of which usually exceeds the administrative and financial resources available to IT departments of mid-sized companies. And that is not to mention the time it takes to implement these solutions, which can be months or even years.
When midsize organizations make the mistake of selecting an oversized IAM tool, they often end up with only a fraction of the functionalities they had planned to implement, because there simply aren’t enough resources (and time, and money) available to complete the implementation.
As you can see, the efforts and finances invested into continuous support and maintenance of such grand solutions bear absolutely no relation to the actual benefits you get from them. You’re basically paying for a tool you cannot use properly or effectively.
Customized Programming: Yay or Nay?
Many vendors of enterprise IAM software products focus on individualized programming. This sounds great at first. In practice, you quickly run into problems with this approach. First of all, implementing even just the standard interfaces you need to ensure processes run smoothly (e.g. your interface to the AD) consumes an enormous amount of time.
Secondly, the level of customization necessary in order to meet individual customer demands is exorbitant, which in turn drives up the costs for ongoing maintenance. Specialized IAM projects thus often stagnate and end up not fulfilling the expectations and hopes of their clients in terms of functionality.
How Do I Choose the Right IAM Software Product?
Don’t be blinded by a fancy name! You should select your identity and access management software according to whether it suits your company, and not because of the name behind it. The functionalities and features it should cover depend entirely on the goals you want to achieve and what your existing IT infrastructure looks like.
IAM Software for Large Corporations
Most large enterprises are structurally complex and therefore require an equally complex IAM system. Unlike small and midsize organizations, big corporations often employ complex, special processes.
The ability to model such individual processes is not an out-of-the-box feature, but requires individual programming, tailored to the customer. Therefore, big corporations need enterprise IAM solutions that are able to model any process (at least in theory).
IAM Software for Medium-Sized Businesses
Unlike in large corporations, 90 percent of processes in most midsize companies can be standardized and thus modeled automatically via an appropriate IAM solution. Special processes, which cannot easily be standardized, only account for about 10 percent of operations at a typical midsize company.
The conclusion of this simple calculation is that it makes no sense for midsize companies to invest in complex enterprise IAM solutions. Due to the low rate of special processes that need modeling, it is simply not economical to spend large amounts of money on these rare edge cases.
What midsize companies need is software that is able to implement standard processes quickly and out of the box, while offering extensions for the few special processes you’ll come across every now and then. This approach is referred to as bottom-up vs. top-down.
Bottom-Up vs. Top-Down
Identity and access management software for small and medium-sized businesses should work bottom-up. This means that the standard set of functionalities should initially cover the most important and most frequently used processes (the 90 percent rule).
Once the standard toolset has been exhausted and there are still important workflows the software is unable to model, it should provide means of extension to cover these special cases: from the bottom up.
Roles? Yes, Please! But Within Reason
Roles are an essential component of IAM solutions. However, you need to make sure they don’t get out of hand. If your Identity Management solution does not allow you to assign and manage individual privileges alongside the predefined roles, you will soon have more roles than users. And if that happens, it means your role concept has missed the mark.
IAM software must be user-friendly to succeed. If your employees, regardless of their department and level of tech skill, are unable to use the tool, they will not accept it and the entire project is doomed to fail. A key factor of usability is its configuration. Configuration must be kept as simple as possible and should be accessible to users via the user interface.
IAM Software Compared – Conclusion
By now we have learned that data governance solutions help reorganize unorganized data on file servers. The downside, however, is that they do not come with features that bring long-lasting improvements to structures and processes. Thus, chaos will soon reign again.
Large-scale IAM solutions, on the other hand, are too flexible. They are so complex in terms of structure that it can take years to implement them. Maintaining these systems is time-consuming, difficult and pricey. Every little change or adjustment to settings requires outside expertise (and, of course, time and money).
So, what is the solution then? The answer is: a product that can be implemented quickly, much like data governance solutions, but which is also flexible enough to provide the functionalities required by each individual organization and structure. This solution is tenfold.
tenfold – An All-In-One Solution
Many software resellers using the term “IAM software” are actually selling a collection of several individual products to cover all the features required. tenfold offers all of these functions in ONE product. The advantages of this approach include:
Users require training for one application only.
No data synchronization between different products required, which in turn eliminates several sources of errors.
Data is kept up-to-date and accessible.
The user interface and all terminology are consistent.
You are only required to provide the infrastructure for an application server.
tenfold – Pioneers in the Midmarket Segment
tenfold is the next generation of access management. It is designed to meet the demands of midmarket organizations who are looking for more and better features and flexibility than data governance solutions can provide, yet for whom sophisticated IAM suites are too much to tackle.
tenfold takes a pragmatic approach that translates complexity into usability. We want all users, from IT to HR staff, to be able to use our product easily and effectively.
With its wide range of features and competitive price point, tenfold is the best IAM solution for midmarket organizations.