What are IAM tools?
Identity and access management tools are security software that permit access to networks, servers, services and other business-related resources employees need to perform their work. These IAM tools, which reside between systems and target resources, are the backbone of user authentication and access and are used in local and remote scenarios. Because remote work has gained popularity due to the pandemic, comprehensive and reliable IAM software has become especially critical to ensure successful and secure business operations.
How does IAM software work?
IAM software works by using a set of tools to facilitate, control and monitor authentication mechanisms. This covers account and password use and role-based access, delivered through single sign-on, multi-factor authentication (most commonly a password combined with a hard or soft token that generates a rotating PIN used for authentication) or integration with large-scale directories such as Active Directory for ease of implementation and administration.
IAM solutions are implemented on both the source – such as client workstations, mobile devices and local servers – and target systems – such as company VPNs and networks, local or remote servers and applications, and network devices – so that access is based on a sort of “handshake” linking the two via permitted access. A common method to deploy IAM tools is to set up company-based access to the appropriate apps in the iOS App Store or Google Play Store, then instruct users on how to download and configure these apps.
Monitoring, logging and alerting features enable company staff to keep track of user access, identify access history and trends, and take action when critical events occur to maintain secure operations.
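The mechanisms the three paragraphs above describe (a password plus a rotating-PIN soft token, role-based access, and monitored access events) can be shown in working code. The Python below is an added example written for this section, not code from the article or from any of the vendors reviewed; the users, salts, TOTP secret, roles and permission names are constructed for the demo, and the audit trail is an in-memory list standing in for a real logging backend.

```python
"""Added example, not from the article or any vendor it reviews: password check
plus a rotating-PIN second factor (TOTP, RFC 6238), a least-privilege role check
and an access-event log that flags repeated failures. All data is constructed."""
import base64
import hashlib
import hmac
import struct
import time
from collections import defaultdict
from typing import Optional

STEP = 30  # TOTP time step in seconds


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the directory stores only this hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo directory (stand-in for an AD/LDAP-backed user store).
_ALICE_SALT = b"constructed-salt-1"
USERS = {
    "alice": {
        "salt": _ALICE_SALT,
        "pw_hash": hash_password("correct horse battery staple", _ALICE_SALT),
        "totp_secret": base64.b32decode("JBSWY3DPEHPK3PXP"),  # demo base32 secret
        "roles": {"helpdesk"},
    },
}

# Least-privilege role definitions: a role lists only the permissions it needs.
ROLES = {
    "helpdesk": {"ticket:read", "ticket:write", "user:password-reset"},
    "admin": {"ticket:read", "ticket:write", "user:password-reset", "user:delete"},
}


def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", timestamp // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(secret, timestamp + STEP * w), code)
        for w in range(-window, window + 1)
    )


AUDIT_LOG: list = []  # in-memory stand-in for the IAM audit trail
ALERT_THRESHOLD = 3  # consecutive failures that set the alert flag
_failures: dict = defaultdict(int)


def audit(event: str, user: str, ts: int, **fields) -> dict:
    entry = {"ts": ts, "event": event, "user": user, **fields}
    AUDIT_LOG.append(entry)
    return entry


def authenticate(user: str, password: str, code: str, now: int) -> bool:
    """Password + TOTP. Unknown users still cost a hash computation so response
    timing does not reveal whether the account exists."""
    rec = USERS.get(user)
    salt = rec["salt"] if rec else b"constructed-dummy-salt"
    candidate = hash_password(password, salt)
    pw_ok = rec is not None and hmac.compare_digest(rec["pw_hash"], candidate)
    mfa_ok = pw_ok and verify_totp(rec["totp_secret"], code, now)
    if pw_ok and mfa_ok:
        _failures[user] = 0
        audit("login.success", user, now)
        return True
    _failures[user] += 1
    audit("login.failure", user, now, password_ok=pw_ok,
          alert=_failures[user] >= ALERT_THRESHOLD)
    return False


def authorize(user: str, permission: str, now: Optional[int] = None) -> bool:
    """Role-based check: allowed only if one of the user's roles grants it."""
    now = int(time.time()) if now is None else now
    rec = USERS.get(user)
    granted = rec is not None and any(permission in ROLES[r] for r in rec["roles"])
    audit("authz.allow" if granted else "authz.deny", user, now, permission=permission)
    return granted


if __name__ == "__main__":
    t = int(time.time())
    pin = totp(USERS["alice"]["totp_secret"], t)  # what the soft token displays
    print("login:", authenticate("alice", "correct horse battery staple", pin, t))
    print("reset password:", authorize("alice", "user:password-reset", t))
    print("delete user:", authorize("alice", "user:delete", t))
    for entry in AUDIT_LOG:
        print(entry)
```

Running the file prints a successful login, one allowed and one denied authorization, and the audit entries. The `alert` field on a failure entry is the hook a monitoring feature would act on; a real deployment would persist the log, key failure counts on source address as well as username, and feed the entries to whatever alerting pipeline the organization uses.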
Top IAM tools and software
SolarWinds Access Rights Manager
The SolarWinds Access Rights Manager relies on Microsoft Active Directory. While this IAM tool runs on Windows and integrates closely with SharePoint, Exchange and OneDrive, it can also safeguard access to other server and client operating systems joined to the domain and accessed through means such as secure LDAP. That’s common across all the IAM solutions featured here – “platform” doesn’t just refer to what type of operating systems can be protected but rather to where the software resides.
ARM doesn’t just control access. It can also identify vulnerable accounts and detect changes and anomalous activity. It’s easy to see who has access to what at a glance through automatic mapping and visualization tools.
ARM is strong with reporting capabilities and compliance requirements, adhering to standards such as GDPR, HIPAA and PCI DSS.
Price: The product is licensed based on active user accounts in Active Directory, and subscription and perpetual licensing options are available. SolarWinds states ARM starts at $1,838 but recommends requesting a quote.
Auth0
Platform: Cloud servers
Auth0 is a cloud authentication provider that handles web application authentication.
The Basic version provides access for up to 7,000 users and permits 1,000 machine-to-machine authentications, two social media connections and an Auth0 database connection for authentication.
The Essential version, described as “best for simple projects or applications,” includes the free features, providing access to 10,000 users and unlimited social media connections.
The Professional version, described as “best for teams and projects that need added security,” includes the Essential features and expands machine-to-machine authentications to 500 connections and adds external database and cross-app single sign-on features.
The Enterprise version, described as “best for production applications that need to scale,” includes the Professional features and allows unlimited user access, enterprise connections, unlimited organizations, home realm discovery and long-lived sessions. Curiously, this version only permits 1,000 machine-to-machine authentications, likely because this is more of a user-access-based product.
Price: The Basic version is free, the Essential version costs $23/month per user, and the Professional version costs $240/month per user. Auth0 recommends requesting a quote for Enterprise version pricing.
Okta
Platform: AWS cloud servers
Okta’s strength lies in its ability to be a single pane of administration to connect any person with any application on any device. Any number of target resources can be configured for access. Okta is credited with being able to integrate with over 4,000 applications.
Okta includes single sign-on, multi-factor authentication, identity lifecycle management, API access management and advanced server access management. You can utilize an access gateway for hybrid cloud environments, rely on B2B integration and utilize workflows for automation and orchestration methodologies.
Okta is tied closely into Microsoft products, making it a good choice for Office 365, Azure Active Directory, SharePoint, Intune and Windows-based access.
Price: Pricing varies based on the service involved.
Duo
Platform: Cisco cloud servers
Duo adheres to the “zero trust” concept, focused on establishing user and device trust, then invoking adaptive policies to provide access on a “least privileges needed” principle.
The free version is largely mobile-based, providing multi-factor authentication for iOS and Android for up to 10 users via the Duo Push application, utilizing security keys, U2F, OTP, phone callback, SMS and hardware tokens. Unlimited application integrations are allowed.
The MFA version is the next step up, offering the same options as the free version and adding passwordless authentication to SSO applications, 100 telephony credits per user per year, user self-enrollment and self-management, and a Duo Central dashboard of all devices.
The Access version includes all the options in the MFA version along with device monitoring, security health checks, risky access analysis, location-based user policies, the ability to block Tor and anonymous networks and device trust policies based on security health checks.
The Beyond version provides all the features of the Access version and adds the ability to distinguish between corporate and private devices, identify third-party agents, limit device access to applications based on their enrollment in endpoint management systems and provide secure access via the Duo Network Gateway to internal company web applications, SSH servers and cloud applications.
Price: $3/month per user for MFA, $6/month per user for Access and $9/month per user for Beyond.
JumpCloud
Platform: Cloud servers
Like Duo, JumpCloud also follows the “zero trust” model. Its focus is on identity, device and location policies for granular access with or without Active Directory integration. It integrates well with Google and Microsoft productivity suites and utilizes a multi-protocol, vendor-independent approach.
JumpCloud seeks to eliminate shadow IT, recognizing the risk such workarounds entail and ensuring users have access to the tools they need.
Price: Pricing varies based on the service involved.
OneLogin
Platform: Cloud servers
OneLogin is widely touted for its focus on workflows to keep authentication setup and functionality as simple as possible based on a foundation of single sign-on, though it lacks robust auditing and monitoring features.
OneLogin features two versions: Advanced and Professional. The Advanced version includes single sign-on, advanced directory and multi-factor authentication. The Professional version includes the Advanced features and adds identity lifecycle management and HR-driven identity features. OneLogin has a narrower focus than some of its competitors but does its job well.
Price: Pricing varies based on service.
ForgeRock
Platform: Cloud and on-premises servers
ForgeRock is one of the more comprehensive and feature-driven products in this roundup, with a heavy focus on enterprise integration and management. Its AI-driven platform is intended to be a comprehensive solution for all types of identities, access needs and use cases across industries.
I’ve worked with ForgeRock to integrate authentication with Java applications and found it worked seamlessly in my environment. The implementation effort was steep, but once I configured it to my role as a system administrator, the app took over and never needed anything further from me. ForgeRock is one of the most developer-oriented products showcased here, featuring numerous APIs and SDKs for ease of use.
Price: ForgeRock recommends requesting a quote for pricing.
CyberArk
CyberArk’s primary focus is on single sign-on, adaptive multi-factor authentication and user provisioning across a variety of services such as their privileged access manager, vendor privileged access manager, cloud entitlements manager, endpoint privilege manager, workforce identity and customer identity. All of these products perform the functions for which they are named, and you can pick and choose which solutions are the right ones for your business.
Price: CyberArk recommends requesting a quote for pricing.
IBM Security Verify
Platform: All major operating systems
IBM Security Verify is an AI-based SaaS offering that provides in-depth user authentication, access policy management, granular authorization control, single sign-on, passwordless access, session management, security token services, and access event logging and reporting. It supports over 5,000 applications and more than 600 federated client companies and their related workforces.
Price: IBM recommends requesting a pricing estimate.
Ping Identity
Platform: Cloud servers
Ping Identity connects any user to any app on any device. No-code automated workflows help orchestrate the authentication setup process, and they unify remote access based on identity intelligence, passwordless sign-on and centralized authentication. Ping is a good option for financial institutions due to the large number of accounts supported.
There are three versions: Essential, Plus and Premium. Essential offers the basics of a no-code identity orchestration engine, single sign-on and authentication policies, customizable registration and sign-on experiences, a unified customer profile, self-service preference management, secure user management, the ability to connect to any app with open standards, a unified administration portal and RESTful APIs.
Plus offers the features of Essential and adds adaptive multi-factor authentication which can be embedded in mobile apps, customer device management, passwordless authentication, LDAP access and transaction approvals.
Premium contains everything found in Plus and adds scalability, support for extreme demand traffic spikes, connections to multiple data stores, compliance with strict security policies and advanced authentication capabilities.
Price: Ping Identity cites a starting price of $20,000/year for the Essential version and $40,000/year for Plus. Pricing for Premium is not listed, but you can request a custom quote.
How to pick the IAM software that’s right for you
Company and user needs, as well as regulatory requirements, will always be the key foundation of the decision-making process for selecting the right IAM product. However, your primary focus should be on the product that can best satisfy the requirements of account verification, role and privilege assignment from a least-privilege-needed perspective, and monitoring of access in order to reduce risk.
Make sure your chosen product can support any governance requirements your business is subject to. You should also ensure that the IAM tools you choose enable the application, network and resource authentication your business needs, using policy-based controls that can interface with all systems the business relies upon and handle all of the accounts needed for access. Active Directory and LDAP are two common authentication mechanisms, so ensure that your access methodology is supported by whatever IAM toolset you decide upon.
It’s worth noting that while all the products reviewed here have a rich purpose and good user satisfaction, CyberArk, ForgeRock, IBM, Okta, Auth0, OneLogin and Ping Identity appeared in Gartner’s Magic Quadrant for Access Management in 2021. That doesn’t mean SolarWinds or Duo are necessarily inferior products — just that they’re not on the wide-scale radar map the others appear on.
While Auth0 is mainly a web authentication product, and therefore best suited for organizations with this singular requirement, the other products would work well across all business sizes and industries. However, I myself would consider ForgeRock and IBM more geared toward large-scale global enterprises with a diverse set of IAM needs.