This article is courtesy of TechRepublic Premium. For more content like this, as well as a full library of ebooks and whitepapers, sign up for Premium today. Read more about it here.
Cyber risk, compliance, and IoT have lit a fire under identity and access management. Here are 10 questions to consider and five vendor profiles to help you zero in on the best solution.
At first glance, identity and access management (IAM) might seem like a rather dull IT administrative function. But within the current disruptive tech environment, and due to the justified concern over network security, both interest and activity in the IAM space are growing.
According to CrunchBase data, IAM startups raised $350 million in venture capital in 2014, compared to $178 million in 2013 — close to a 97% increase. Q2 2014 saw some major deals, including Okta and Centrify, whose solutions are profiled below.
CrunchBase also conducted a recent poll about market predictions and asked, "In which of these markets (Wearables, Cannabis, Drones, Identify Management) do you expect to see the greatest growth in 2015?" The overwhelming winner was identity management, with 68% of the vote.
Gartner's definition of IAM encompasses its security role and compliance ramifications:
"Identity and access management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements. This security practice is a crucial undertaking for any enterprise. It is increasingly business-aligned, and it requires business skills, not just technical expertise."
Enjoying this article?
Download this article and thousands of whitepapers and ebooks from our Premium library. Enjoy expert IT analyst briefings and access to the top IT professionals, all in an ad-free experience.Join Premium Today
Let's not forget what I have called the "800-pound gorilla" of tech disruption: the Internet of Things. Last August, Ben Kepes wrote in Forbes that:
"...the growth of the 'Internet of Things' with a massive amount of sensors and other devices connected to the internet also add to the things that identity management solutions need to wrangle. Add to that the fact that much of this is being done in the cloud and you have a changing face of IM generally."
With IAM solutions taking on critical importance in such a rapidly changing environment, IT decision makers need answers. This Tech Pro Research article seeks to provide some, along with useful questions to ask your own enterprise and potential vendors.
Caveat emptor: let the IAM buyer beware (and ask questions)
The Solutions Review website has a page dedicated to identity management. Its current Buyer's Guide offers a review of IAM solutions and a well-designed list of 10 questions — five that the enterprise should ask of itself and five that it should pose to a potential solution provider. Let's look at the first set.
Five questions an organization should ask itself
1: On-premise or cloud-based? On-prem offers greater perceived control and security; cloud solutions offer cost savings and faster implementation. Nor are the two mutually exclusive. Hybrid solutions are available and for some could be a better choice.
2: What apps does the IAM solution need to integrate with or support? SaaS applications have become a part of the enterprise IT fabric. They also make it more complicated. Firms planning to implement an IAM solution need to determine what apps they want their staff to have access to and then ask what apps the IAM provider supports.
3: Point solution or full platform? Point solutions provide SMEs with the IAM essentials and can be integrated with existing systems more easily. Full platforms offer more robust functionality and deeper integration but are more expensive and have higher switching costs.
4: What trends are we facing now — and how will it look in five years? The arrival of BYOD in the workplace has had a dramatic effect on the IAM space. Dramatic changes and innovations are going to continue. What will an enterprise need in an IAM solution down the road? Is it easy to implement? Is it modular and scalable with regular updates? Is it cost-effective and developer-friendly?
5: What size company should we work with? As with all enterprise solutions these days, providers range from large established companies to startups. There can be quite a different dynamic and approach between these two categories. Will the provider you choose today still be around in a few short years? Will it be able to innovate effectively?
Five questions an organization should ask IAM providers
1: What authentication types does your solution support? Those authentication types can include password, soft-token, hard-token, biometric, adaptive, certificate, and out-of-band. Different providers do it differently; ask potential IAM partners to clearly explain their approach.
2: How does your solution handle or improve single sign-on (SSO)? The benefits of SSO are reduced "password fatigue" among staff members, time savings for entering passwords, and IT cost savings due to less required support.
3: How does identity federation fit into your solution? The need for federated IAM solutions derives from third parties having to securely access internal applications and from employees accessing external systems, such as an HR solution. An enterprise may not need this right away, but will a provider be able to deliver it?
4: How do you handle mobile access and what operating systems do you support? If a company is committed to permitting mobile access for its employees, customers, and vendors, it has to understand what an IAM provider can and can't support regarding mobility. Relevant operating systems include iOS, Android, Blackberry, and Windows.
5: How do your price your solution? Solutions Review quotes Forrester Research on this: "IAM solution pricing has traditionally been more complex than other middleware pricing." It recommends gathering all the line item costs and information from potential providers to produce an apples-to-apples monthly cost model.
Profiles: Top five IAM solutions
Last year, Gartner published its 2014 Magic Quadrant for Identity and Access Management solutions, naming 13 companies to the list (Figure A). For this review I profile the top five firms: the three in the Leaders Quadrant, Okta, Ping Identity, and Covisint, and the next two, CA Technologies and Centrify.
Description: "Okta is an integrated identity and mobility management service. Built from the ground up in the cloud, Okta securely and simply connects people to their applications from any device, anywhere, at anytime. Okta integrates with existing directories and identity systems, as well as thousands of on-premises, cloud and mobile applications, and runs on a secure, reliable and extensively audited cloud-based platform. The thousands of enterprises and cloud vendors, as well as the millions of people using Okta, are the foundation of the industry's fastest growing IT network for the cloud and mobile world."
- Application network: "Connect all your apps in days, not months, with instant access to thousands of pre-built integrations. Integrations support authentication and provisioning, and are easy to set up, constantly monitored and proactively repaired."
- Universal directory: "Extensible user profiles, app-specific profiles and custom mapping of attributes between profiles to support provisioning. Secure and instantly scalable. Store employee or partner profiles, transform data or store users for your own online product."
- Directory integration: "The easiest way today to authenticate and manage users in the cloud, based on AD. Centrally configured with automatic failover and no firewall changes."
- Single sign-on: "All your apps in the cloud or on-prem, from any device. The Okta Application Network works behind the scenes so your users can always get into their apps."
- Federation: "Secure authentication using federation standards such as SAML, WS-Federation and WS-Trust. Easily set up Okta to be a federation identity provider (IdP) or service provider (SP)."
- Provisioning: "Automatically provision and deprovision users based on changes in AD. Create custom data transformations with an easy to use rules engine."
- Multifactor authentication: "Enable a mobile workforce and protect company data without a complete lockdown of your employee's lives. Deploy and secure native mobile apps, streamline native app authentication and enforce device PIN policy."
Product: Next Gen Identity Platform
Description: "Ping Identity believes secure professional and personal identities underlie human progress in a connected world. Our identity and access management platform gives enterprise customers and employees one-click access to any application from any device. Over 900 companies, including 45 of the Fortune 100, rely on our award-winning products to make the digital world a better experience for hundreds of millions of people."
- Federated architecture: "Federation is necessary to connect disparate identity stores."
- Web, mobile, API security: "Companies can now create a path from their legacy web access management solutions to their next-generation mobile and API needs."
- Unified management: "Reduce the complexity and risk associated with managing public and private cloud environments."
- Cloud centric: "The need for private and public cloud interoperability is a business requirement."
- Self service: "IT organizations benefit from a self-service model as they add new applications and integrate with legacy and cloud environments."
Product: B2B Cloud Platform
Description: "For most organizations, enabling secure anytime, anywhere access across any device is not a core competency. And, for those who have tried to establish security protocols and procedures in-house, it is a time-consuming, expensive proposition that takes your IT personnel away from focusing on core business initiatives. Covisint's B2B Cloud Platform insulates you from the cost and complexity of the do-it-yourself approach to security. We centralize and automate the process of securing and managing digital identities inside and outside your organization. This enables you to manage and control access to internal and cloud applications and information for your network of business partners and customers, as well as your own enterprise."
- Provisioning: "Powerful identity lifecycle and access management capabilities for partners, suppliers, contractors and employees that isn't just synching data from your HR system."
- Mobile identity: "Manage any mobile device access to your data whether personal, corporate, tablet or smartphones."
- Identity analytics: "Enterprises can ensure compliance with regulatory requirements via the built in attestation and audit capability—extends visibility into portfolio of managed applications and systems by providing utilization for both provisioning and usage information."
- AppCloud: "Integrate your back-office or third party business applications as a secure, integrated and personalized web experience."
Product: CA Identity Manager
Description: "Managing the identities and access of users to on-premise apps and in the cloud is a critical function for today's IT organizations that are under increased pressure to improve operational efficiencies while still remaining compliant. CA Identity Manager delivers a unified solution for user provisioning and user management that manages users' identities throughout their entire lifecycle, providing them with timely, appropriate access to applications and data. The user provisioning and identity management solutions that we offer can give users access to what they want when they need it."
- User provisioning and deprovisioning: "Automates account provisioning and removal throughout the user's entire lifecycle."
- Customizable approval workflow: "Flexible workflow for provisioning activities can support the unique way each organization approves, alerts, and schedules identity-related activities."
- User self-service: "Enables users to manage their own identities, reset passwords and request access to resources, easing the IT and help desk burden."
- Mobile app: "Native mobile application that enables business users perform common identity tasks such as e workflow approvals requests and password self-service operations from convenience of a smart phone."
- Customization without custom code: "Powerful features such as ConfigXpress, PolicyXpress, and ConnectorXpress let you customize your identity management infrastructure without custom code."
- Broad application support: "For on-premise apps and cloud services."
Product: Centrify Server Suite
Description: "Centrify Server Suite secures the industry's broadest range of mission-critical servers from identity-related insider risks and outsider attacks, making security and regulatory compliance repeatable and sustainable. The solution leverages existing Active Directory infrastructure to centrally manage authentication, access controls, privileged identities, policy enforcement and compliance for on-premises and cloud resources."
- Privileged user sessions: "Centrify captures and stores a detailed recording of privileged user sessions on Windows, UNIX and Linux systems. Unique audit policies can easily be configured with options to leverage video capture only on the most critical systems, or for users in a specific role, and to audit Centrify administration activity such as the management of Centrify Zones."
- Visual replay with indexed search: "You can see what happened in a specific session at a high level by viewing a command/event summary, or you can replay the video to see every action taken by a user and every system response. This unique playback feature gives IT... the ability to proactively identify insider threats, and perform forensic investigation into which privileged user did what after an incident occurs."
- Queries and reporting: "Out-of-the-box queries and compliance reports provide information on both active and historical sessions. The flexible query builder supports the creation of customized reports based on search options including by user, computers, time period, type of event, and role."
- Third-party reporting: "User session metadata is captured to enable integration with reporting tools. Centrify stores audit information in an SQL database, which enables robust querying by log management tools, and an event serialization service enables integration with SIEM and alerting tools."