Choosing the right identity and access management (IAM) solution is an important task. Organizations need to properly manage user accounts and other identities and ensure they have exactly the appropriate access to data, applications and other resources. After all, if users do not have all the rights they need, they cannot do their jobs and business processes suffer. And if accounts have too many permissions, they can be misused, either by their owners or by adversaries who compromise them, leading to security breaches and compliance violations.
Since manual processes are highly prone to errors and simply cannot scale to meet the needs of modern organizations, organizations need a purpose-built IAM solution. This article details the key identity access management questions to ask when you evaluate candidate IAM tools.
What to Look for When Choosing an IAM Solution
To choose the most suitable IAM solution for your organization, be sure to assess the following key aspects of each prospective tool:
- Deployment model
- User onboarding, offboarding, and reprovisioning
- Role-based access control
- Automated workflows
- Support for Zero Trust
- Password management, including self-service
- Broad application support plus APIs
- Authentication methods, including passwordless authentication
- Support for single sign-on (SSO)
- Bring-your-own-device (BYOD) support
- Impact on the user experience
- Availability and reliability
- Monitoring, auditing and reporting
- Adherence to compliance mandates and industry standards
- Ability to meet future needs
- Pricing model
Deployment Model
One of the first IAM questions to consider is the deployment model: Is the solution on-premises, cloud or hybrid? Each approach has its pros and cons.
On-prem versus cloud
Here are some of the key differences between on-premises and cloud IAM deployment models:
| On-Premises | Cloud | |
| Capital expenditure | You need to supply the server, hardware, and software needed to host the solution. | None |
| Maintenance | You need to manage solution updates, server hardware and software, storage, and data backups. | The vendor maintains the IAM solution and underlying infrastructure. |
| Control | The IAM solution and underlying infrastructure are entirely under your control. On-premises security software gives organizations complete control over their security infrastructure. They can customize configurations, policies, and settings according to their specific needs and requirements without relying on a third-party provider. | The vendor determines when to roll out updates and modify the infrastructure. |
| Access | You access the solution locally, with no internet required. | You can access the solution anytime through a web browser, so a reliable internet connection is needed. |
| Deployment time | Deployment is slower since you need to prepare one or more servers and install the solution. However, the time varies dramatically by vendor. | Deployment is much faster but still requires feature enablement and configuration. |
| Customization | On-prem solutions are highly customizable. | Cloud solutions are less customizable. |
| Data Sovereignty | Organizations have full control over their data and where it resides. This is particularly important for businesses operating in industries with strict regulatory compliance requirements or concerns about data privacy and sovereignty. | Data is kept in the cloud and it may be stored in multiple locations around the world, depending on the provider’s infrastructure. This can raise concerns about compliance with data sovereignty laws and regulations, as data might cross international borders. |
| Security Compliance | On-premises solutions may offer easier compliance with industry regulations and standards because organizations have direct oversight and control over their security measures. This can simplify the audit process and provide assurance to stakeholders. | Organizations are responsible for ensuring that their use of cloud services complies with industry and regulatory standards. |
| Network Performance | On-premises security solutions can offer faster network performance since they operate within the organization’s local network infrastructure. This can be advantageous for latency-sensitive applications or environments where network bandwidth is a concern. | Cloud-based solutions might introduce latency compared to on-premises solutions, especially if the cloud services are hosted in distant data centers. |
| Data Isolation | On-premises solutions keep data within the organization’s physical boundaries, reducing the risk of data exposure or unauthorized access that may be associated with transmitting data over the internet to a cloud service provider. | It depends on the cloud provider’s ability to safeguard the data from external and internal threats. |
Hybrid
Hybrid IAM solutions combine aspects of both on-premises and cloud-based IAM approaches to meet the needs of modern organizations. They facilitate directory synchronization between on-premises identity stores (like Active Directory) and cloud-based identity repositories (such as Azure AD and AWS Directory Service), and offer centralized user lifecycle management for both on-premises and cloud environments. This option helps minimize costs while preserving local control of regulated or otherwise sensitive data.
User Onboarding, Offboarding and Reprovisioning
A primary function of any IAM system is to ensure that each user has appropriate access to resources so they can perform their job while minimizing security risks. Accordingly, assess whether a candidate solution enables efficient and accurate onboarding of new users and prompt removal of access rights when users leave the organization by removing or disabling their accounts or by revoking access permissions for applications, file shares, databases, and other resources.
In addition, check whether the solution facilitates adjusting access rights as users change roles or new technologies are adopted. Also, look for an attestation process in which appropriate parties can easily review and modify access rights to the resources they own in order to ensure ongoing compliance with security policies and regulations.
Role-Based Access Control
Be sure to check whether a prospective IAM solution offers role-based access control (RBAC). RBAC is a widely used strategy that makes provisioning much simpler and far more accurate. With RBAC, you do not assign access rights directly to users, which is complex and often leads to excessive permissions. Instead, you create a set of roles that represent job functions, responsibilities, or groups of users with similar access needs. Examples of roles include Admins, Helpdesk Technicians, and Managers. Each role is assigned a set of permissions; for example, the Helpdesk Technician’s role might be empowered to read and modify certain data, reset user passwords, and so on.
With that framework in place, granting rights to users is as simple as assigning them the appropriate roles. As a result, new users can swiftly be given exactly the access they need to do their jobs. Similarly, when a user changes job functions within the organization, reprovisioning requires simply changing their role assignments. And when a new application or data store is added or an old one is removed, updating the permissions for the relevant roles ensures that access is updated for all the right users.
Automated Workflows
Workflows are valuable in an IAM system because they automate processes like user provisioning and deprovisioning, access request and approval, and access reviews. Look for a tool that offers predefined templates or customizable prebuilt workflows for tasks that you need. For example, an access request and approval workflow might enable users to submit access requests through a self-service portal or ticketing system and provide customizable request forms with required fields for specifying access requirements, justification, and duration.
More broadly, ensure that your administrators can define workflow steps, conditions, decision points, and actions without coding. Also, make sure they can integrate workflows with HR, ticketing, and other systems to automate cross-functional processes.
Support for Zero Trust
Zero Trust is a modern security model that requires users to re-authenticate regularly instead of only upon initial access. Accordingly, look for an IAM system that incorporates adaptive authentication mechanisms and facilitates federated identity management. In addition, be sure it offers privileged access management (PAM) capabilities to provide extra management and monitoring of accounts with elevated access rights, such as administrators and system accounts.
Password Management, including Self Service
IAM solutions need robust password management features. Key capabilities to assess include:
- Ability to enforce strong password policies, including complexity and disallowance of common, easily guessable, or compromised passwords
- Ability to maintain exclusion lists for prohibited passwords
- Self-service capabilities that allow users to reset forgotten passwords, change passwords, and unlock accounts
- Support for helpdesk-assisted password resets in cases where self-service options are not feasible
- Integration with MFA solutions to enforce multi-factor authentication for password resets, changes, or recoveries
- Ability to set thresholds for failed login attempts that trigger notifications to enable quick response to brute-force attacks
Broad Application Support Plus APIs
Before investing in an IAM solution, make sure it supports all the applications that your various teams use, both on-premises and cloud-based. In particular, ensure compatibility with:
- Directory services such as Active Directory, LDAP or Azure AD for user authentication
- Business productivity tools
- CRM systems
- Collaboration platforms
- Custom applications
- Cloud services such as AWS, Entra, and Google Cloud Platform
- SaaS applications like Salesforce, Office 365, and G Suite
Also, be sure the IAM solution offers APIs that adhere to REST principles to enable easy integration and interoperability with other systems and services. It should support industry-standard protocols and formats such as OAuth, OpenID Connect, SAML, JSON Web Tokens (JWT), and SCIM.
Authentication Methods, including Passwordless Authentication
Look for a solution that is not limited to simple username + password authentication. Some IAM solutions offer 10 or more different MFA methods, such as authentication apps and biometrics like fingerprints, facial recognition, and retina scans. Check for options that are easy and convenient for your users. Ideally, MFA should be adaptive, challenging users for additional authentication only when contextual factors indicate increased risk.
Adversaries often gain their initial foothold in a network using compromised credentials, so some organizations are looking to eliminate passwords altogether. Some IAM solutions now offer passwordless authentication, which authenticates users based on MFA factors like biometrics along with contextual details like physical location, device information, and IP address.
Support for Single Sign-On (SSO)
Choosing an IAM solution that supports SSO will enable your users to use one set of login credentials to access multiple systems. This feature streamlines business processes and relieves users from the burden of remembering multiple passwords.
However, since SSO increases the risk of improper access, be sure it can be combined with an adaptive approach to MFA.
BYOD Support
Many organizations today have a bring-your-own-device (BYOD) policy that allows employees to use their own devices for work. If you have a BYOD policy or might adopt one, make sure that the IAM solution supports a wide range of operating systems, including iOS, Android, and Windows.
Impact on the User Experience
Most people today expect quick and hassle-free results from technology. To speed user adoption, look for an IAM solution that delivers a seamless experience for users. In particular, check for self-service options that allow users to update their personal information, reset their own passwords, unlock their accounts, and so on. This functionality not only enhances business productivity but also reduces helpdesk workload.
Availability and Reliability
If your IAM solution has availability issues, users won’t be able to log on and access the network resources they need to do their jobs, disrupting vital business projects. To avoid problems, look at the following:
- Support for redundant components and failover mechanisms to ensure continuous availability
- Integration with load balancers to distribute incoming traffic across multiple IAM servers or instances, optimizing resource utilization and mitigating performance bottlenecks
- Support for containerized deployment of IAM components using container orchestration platforms, such as Kubernetes or Docker, to enhance agility and resource utilization
- Capability to perform regular backups of IAM configuration data, user profiles, and access policies, as well as restore functionality in the event of data loss or system failure
Ask the provider for a free trial of the product and test it thoroughly to be sure it meets your reliability and availability requirements.
Monitoring, Alerting, and Reporting
Make sure the IAM solution provides real-time monitoring of activity along with anomaly detection techniques that reliably identify suspicious actions or patterns, such as multiple failed login attempts or access from unusual locations or devices. Check that you can set up alerts on potential security incidents or policy violations. Ensure that the logs capture important details such as user identifiers, timestamps, IP addresses, and actions performed
Look for the ability to easily generate reports on user entitlements, permissions, and role assignments, as well as interactive analytics dashboards and visualization tools that make it easy to quickly understand important information.
Adherence to Compliance Mandates and Industry Requirements
Ensure that the IAM solution complies with all regulatory frameworks your organization is subject to, such as GDPR, HIPPA, PCI DSS, SOX, FERPA, and CCPA. Common requirements include protection of personal data (including user credentials) both in transit and at rest, and protection of the confidentiality, integrity and availability of sensitive data in the IAM system. In addition, the solution should securely manage access to data through strong authentication, access controls, and encryption. It must maintain a comprehensive history of IAM policies, procedures, configurations, and security controls to support compliance reporting and regulatory inquiries.
Ability to Meet Future Needs
When you adopt a core solution like IAM software, you want to be sure it will continue to deliver value even as your IT environment, security needs, and the threat landscape evolve. Here are some key questions to ask when evaluating a solution:
- Is the vendor stable and trustworthy?
- Do they have the requisite technical capabilities?
- Can more servers or nodes be added to easily scale to handle increasing loads and user volumes?
- Is the vendor prepared to offer excellent support throughout the product’s lifecycle?
- Will the solution receive regular patches and enhancements?
- Will it be cost-effective over the years?
Pricing Model
IAM solutions have different pricing structures. Two common models are:
- Per-user licensing fee — You pay only for the number of users actually working for your organization, so as your user base grows or shrinks, so does your cost. However, keep in mind that some solutions have a minimum number of users.
- Predefined packages — You pay for a particular number of users. In this case, consider keeping a margin for new employees because upgrading to a different package can take time.
How Netwrix Can Help
Netwrix GroupID is a leading identity and access management solution that offers a wealth of valuable functionality.
Here are some features that make Netwrix GroupID stand out from the crowd:
- Seamless user onboarding — Netwrix GroupID can automatically provision new users in your directory in minutes from your HR database or other source, with the utmost reliability and accuracy.
- Immediate user offboarding — When a user leaves the organization, you can quickly suspend all their access to data, applications, and other IT resources.
- Smart authentication and SSO — Netwrix GroupID offers strong authentication and supports single sign-on.
- Self-service — A self-service portal enables business users to keep their profiles up to date, reset their passwords, unlock their accounts, and more without the hassle of contacting the helpdesk.
- Automatic disabling of inactive accounts — You can require users to validate their profiles at regular intervals; if they fail to do so, Netwrix GroupID will automatically disable and lock their accounts.
- Password complexity options — Netwrix GroupID allows you to set password complexity requirements at the level that works for your organization, from easy to remember to nearly impossible to recall.
- Detailed reports — Netwrix GroupID includes more than 100 reports on users, groups, and computers, along with many more reports on user activity.
- BYOD support — Users can perform common tasks on their devices, including Android and iOS devices: validate profiles, manage accounts, approve workflow requests and more.
- Streamlined user experience — A self-service portal enables business users to keep their profiles up to date, reset their passwords, unlock their accounts and more, without the hassle of contacting the helpdesk.
- High availability and reliability — See for yourself with a free trial.
- Ability to meet future needs — Netwrix is a top vendor with a long track record of keeping solutions updated to meet evolving business needs and emerging threats.
To learn more or start your free trial, please visit https://www.netwrix.com/group_and_user_management_software.html.
