How do I select an identity management solution for my business?
According to a recent survey, the pandemic-driven shift to remote work has significantly changed how companies are investing in identity and access management capabilities and zero trust security.
A large number of companies will continue to have a majority of their workforce working remotely, prompting an increase in IT and information security investments in the form of staff and technology.
To select a suitable identity management solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.
Larry Chinski, VP of Global IAM Strategy, One Identity
IAM projects continuously evolve and span multiple departments in an organization. Therefore, before technology is selected, it is important to have executive buy-in, a solid programme management team in place and a clearly defined plan of what the programme aims to solve within the organization.
This means identifying the highest priorities: whether it is Lifecycle Management, which gives an understanding of and secures who has access to what systems and corporate resources; password management, provisioning and deprovisioning; protecting administrative accounts with privileged access management; or governing access to comply with SOX, HIPAA, or PCI regulations.
Once priorities are determined, organizations should consider their cloud strategies. Many will have a “cloud first” approach, while others may be wary of the cloud and want to maintain these important security functions on-prem, and others will take a hybrid approach. Whatever is chosen, ensure the deployment model gives full functionality and addresses the full scope of the business, now and into the near future, for each IAM technology component.
Finally, prepare for change – if the past year has taught us anything, it’s that change is inevitable. Choose an IAM solution that is flexible, robust and stable enough to continue to provide value when the inevitable, unforeseen change happens – whether that’s a pandemic, natural disaster, mergers and acquisitions, or ideally, rapid growth and embracing new technologies.
Nelson Cicchitto, CEO, Avatier
With the pandemic, identity management has become a weak point in enterprise security. There will be a new focus on making identity management simpler, giving users more control to improve security and productivity.
Work-at-home employees need fast, secure access to the cloud and enterprise access wherever they are to maintain productivity. At the same time, IT and infosec managers have less control over remote users. Your best strategy is to simplify identity management for users and give them more control while making them less susceptible to phishing and spoofing attacks.
The best approach will be to secure remote enterprise access through an identity-centric, standardized framework. Expect to see identity management move out of the data center to better support remote employees. Workers will be able to manage their own credentials, such as password resets, without assistance from the help desk.
You also can expect to see IAM deployed as part of the same collaboration platform remote workers are already using, such as Outlook, ServiceNow, or Teams.
To reduce demands on IT you also can expect to see user-initiated workflows to manage access requests. Department managers will assume more responsibility for granting access to enterprise assets using IT service management (ITSM) tools, although auditing and governance will remain in IT control.
Leigh Dastey, CTO, My1Login
An identity management solution should be easy to deploy, easy to use, and should scale, but what key characteristics should you evaluate when selecting an IAM solution?
Comprehensive integration: It should integrate with all applications (e.g. web apps, legacy desktop apps, token based) and work across your existing IT landscape whether you have physical devices, on-prem VDI infrastructure or a cloud-based Windows desktop experience. It also needs to integrate with other key operational solutions (e.g. SIEM).
Passwordless experience: The IAM solution should enable the move to passwordless authentication, replacing passwords (e.g. using SAML, OIDC) where supported by the service provider, and automating password authentication where third-party apps aren’t yet ready to support passwordless.
Encryption security for protecting user credentials: Many enterprise IAM solutions encrypt user credentials on their servers, using keys that they have access to, creating a fundamental security vulnerability. Select a vendor that utilises client-side encryption, where the vendor has no access to the keys that protect your data – these vendors are often suppliers to security and defence industries.
Zero user interface: Solve the competing needs of improving security without impacting user experience by seeking out a solution which is not user intrusive and can be deployed without the need to change user behaviour or require training.
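The client-side encryption point above (the vendor stores credentials but never holds the keys) is easiest to see in code. The following is an added illustration, not My1Login's implementation: the client derives its keys from a passphrase that never leaves the device, and the server only ever stores the opaque record. It is stdlib-only, so the cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC, standing in for an AEAD such as AES-GCM that a real vault would use; the scrypt cost parameters and the 32-byte key split are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example: a credential vault where the client, not the vendor, holds the key.
KDF_PARAMS = dict(n=2**14, r=8, p=1)  # assumed scrypt cost; tune for your hardware


@dataclass(frozen=True)
class StoredRecord:
    """Everything the vendor's server stores. Nothing here lets the server decrypt."""
    salt: bytes
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def _derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    # 64 bytes from scrypt: first half encrypts, second half authenticates.
    km = hashlib.scrypt(passphrase.encode(), salt=salt, dklen=64, **KDF_PARAMS)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode. Illustrative stand-in for a real
    # AEAD; the nonce is random per record so the keystream is never reused.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def client_encrypt(passphrase: str, plaintext: bytes) -> StoredRecord:
    """Runs on the user's device; the passphrase is never transmitted."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    # Encrypt-then-MAC over every field the server could alter.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return StoredRecord(salt, nonce, ciphertext, tag)


def client_decrypt(passphrase: str, rec: StoredRecord) -> Optional[bytes]:
    """Returns the plaintext, or None if the passphrase is wrong or the record was altered."""
    enc_key, mac_key = _derive_keys(passphrase, rec.salt)
    expected = hmac.new(mac_key, rec.salt + rec.nonce + rec.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec.tag):
        return None  # constant-time check; no plaintext is released on failure
    ks = _keystream(enc_key, rec.nonce, len(rec.ciphertext))
    return bytes(a ^ b for a, b in zip(rec.ciphertext, ks))


def tampered(rec: StoredRecord) -> StoredRecord:
    """Model a server-side modification (or corruption) of the stored ciphertext."""
    first = bytes([rec.ciphertext[0] ^ 0x01]) + rec.ciphertext[1:]
    return StoredRecord(rec.salt, rec.nonce, first, rec.tag)


if __name__ == "__main__":
    rec = client_encrypt("correct horse battery", b"legacy-app-password")  # constructed values
    print(client_decrypt("correct horse battery", rec))
    print(client_decrypt("wrong passphrase", rec), client_decrypt("correct horse battery", tampered(rec)))
```

The evaluation question this answers is "what does the vendor hold?": a salt, a nonce, ciphertext and a tag, none of which yields a key without the passphrase. A wrong passphrase and a modified record both fail the tag check before any decryption happens.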
David Higgins, Technical Director, CyberArk
The last 12 months have put into sharp relief the fact that someone, somewhere, is accessing your organization’s sensitive assets – without ever crossing the traditional network boundary – at any given moment. Identity security tools that secure and control this access are, consequently, critical to enterprise cybersecurity policies. There are three key considerations when determining what the right approach is for your business.
The first is how identity security tools handle access to privileged data and assets. Most IAM tools already include MFA, identity lifecycle management and basic access governance capabilities. But the most effective platforms extend their reach with a privilege-centric approach to securing identities, embedding verification and authentication of users for privileged account access via single sign-on (SSO) and MFA from AM tools, session isolation, and control of endpoint privileges.
Second, consider the process of authentication. Enterprise access requirements have radically evolved, but many authentication processes still rely on password-based controls. AI comes into its own here, gathering and analysing intelligence on user behaviour to visualize and contextualise risk. An example: the ability to create policies that prevent high-risk users from launching applications with customer data without further measures to validate their identity.
Finally, look for a cloud-native solution. These are scalable, robust, and deploy easily, giving users the one-click SSO access to all the apps they need.
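The policy Higgins describes (a high-risk user is not allowed into an application holding customer data without further validation of their identity) is a small decision function once the risk signals are explicit. The block below is an added example, not CyberArk's product logic: it keeps a per-user baseline of seen devices and countries, scores a request from how far it departs from that baseline, and returns ALLOW, STEP_UP or DENY. The signal weights, thresholds, working-hours range and the set of sensitive apps are assumptions.

```python
from dataclasses import dataclass, field
from typing import Set

# Constructed example: behavioural baseline plus a risk-based access policy.


@dataclass
class Baseline:
    """What is 'normal' for one user, learned only from verified logins."""
    devices: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    work_hours: range = range(7, 20)  # assumed local working hours

    def learn(self, device: str, country: str) -> None:
        self.devices.add(device)
        self.countries.add(country)


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    device: str
    country: str
    hour: int              # local hour of day, 0-23
    recent_failures: int   # failed logins in the recent window
    mfa_satisfied: bool    # a second factor has already been passed this session


SENSITIVE_APPS = {"crm", "billing"}  # constructed: apps that hold customer data

# Assumed weights; in practice these come from tuning against real login data.
W_NEW_DEVICE, W_NEW_COUNTRY, W_OFF_HOURS, W_PER_FAILURE = 30, 40, 10, 10
DENY_AT, STEP_UP_AT, SENSITIVE_STEP_UP_AT = 80, 50, 30


def risk_score(req: Request, base: Baseline) -> int:
    """Additive score from context signals; higher means riskier."""
    score = 0
    if req.device not in base.devices:
        score += W_NEW_DEVICE
    if req.country not in base.countries:
        score += W_NEW_COUNTRY
    if req.hour not in base.work_hours:
        score += W_OFF_HOURS
    score += min(req.recent_failures, 5) * W_PER_FAILURE  # cap so brute force can't overflow the scale
    return score


def decide(req: Request, base: Baseline) -> str:
    """Returns ALLOW, STEP_UP (require another factor) or DENY."""
    score = risk_score(req, base)
    if score >= DENY_AT:
        return "DENY"
    # Lower bar for apps with customer data: moderate risk already needs a second factor.
    if req.app in SENSITIVE_APPS and score >= SENSITIVE_STEP_UP_AT and not req.mfa_satisfied:
        return "STEP_UP"
    if score >= STEP_UP_AT and not req.mfa_satisfied:
        return "STEP_UP"
    return "ALLOW"


def record_verified_login(req: Request, base: Baseline) -> None:
    """Call after ALLOW or a successful step-up so the baseline tracks the user's real normal."""
    base.learn(req.device, req.country)


if __name__ == "__main__":
    base = Baseline()
    base.learn("laptop-1", "DE")  # constructed history
    print(decide(Request("alice", "wiki", "laptop-1", "DE", 10, 0, False), base))
    print(decide(Request("alice", "crm", "phone-new", "DE", 10, 0, False), base))
```

A new user has an empty baseline, so every first login scores as unseen device plus unseen country and is stepped up; only after a verified login does the context become part of that user's normal. Deny is reserved for combinations that are implausible as a whole, not for any single signal.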
Greg Jensen, Sr. Principal Director of Cloud Security, Oracle
As organizations shift to distributed computing environments with hybrid cloud architectures, so have we seen a shift to the new “perimeter” – the user. Identity management is critical in placing controls around not only the user, but the applications, infrastructure and devices through which they access.
A recent report found that the single greatest challenge CISOs are facing with their IAM strategy is managing multiple identity repositories and no central approach to managing them across cloud and on-premises. With nearly half of CISOs indicating they have been compromised by misuse or stolen privileged credentials, organizations are looking to reduce the management aspect of identity and consolidate into a unified platform across the organization.
As few organizations are 100% cloud supported and often have a mix of on-premises and as many as 1,000 cloud services in use, it is imperative to look at flexible identity solutions that can manage the complete lifecycle of the identity and ensure rapid provisioning and deprovisioning of access and services.
Vendor options are important to ensure your IAM provider can meet you where you are today, and support you as you continue to expand your needs into the cloud, while ensuring one unified identity and one unified identity framework across your IT footprint.
Ben King, CSO EMEA, Okta
In today’s fragmented work environment, success depends on an organization’s ability to securely connect its people and technology. This makes choosing the right identity management solution paramount, now more so than ever.
To protect employees, particularly while we’re seeing heightened cyber risks due to remote work, leaders should aim for an identity provider that has a security stack that focuses on the end user, not the network, VPN or firewall, which are now redundant to protect in a perimeter-free world. It needs to be flexible, work for every device, and in every location. And it needs to do so without adversely affecting the end user experience.
The best options will preserve choice and flexibility, enabling the business to choose the technology that works best for them and not their identity provider. Without being tethered to the success of proprietary applications, business leaders can future-proof by keeping their stack dynamic.
As new and better tools come onto the market, you want your identity solution to support them. Business leaders should also aim for a solution that has the capabilities to support millions of employees, contractors, partners and customers, and automate how all users access the tools that make them most productive, regardless of who they are or where they work. For this, leaders should opt for a single, centralised identity solution.
Debbie Maiorani, IAM Technical Manager, Micro Focus
In a connected, digitally transformed world, managing enterprise risk through identity is essential to a balanced security plan. If identity management is done correctly, business value is the result. Some of the bases you want covered to establish a strong identity-centric ecosystem are:
- Centrally managed identities to provide a single view
- Multiple delivery models (on-prem, SaaS, hybrid)
- Clear roles and relationships modelled
- Unified identity and social registration
- Risk based adaptive security
- Clear consistent governance, privacy controls and privilege management
Keep some other things in mind. Aside from the basic provisioning (adding/moving/disabling) capabilities that are handled by traditional identity management solutions, some additional aspects you also want to consider are:
- Facilitate self-service: Make everyone’s life easier with self-service functionality that includes flexible options for end users to choose their own policy-approved authentication method combos like username/pw and OTP, SMS, etc. You get the enhanced identity assurance and your users feel empowered.
- Manage privileged access: A robust privileged access management solution can greatly reduce the likelihood of bad actors doing bad things to your data and causing great harm to your business.
- Address emerging privacy concerns around data subject privacy/transparency, informed consent, right to be forgotten.
Greg Pearson, Director of Solutions Engineering, Identity Automation
When selecting an identity management solution, ensure you select a vendor that is a trusted advisor and has the interest of your organization in the forefront of the solution. When researching a vendor, verify that they will evaluate your existing processes to understand how your organization operates.
Furthermore, confirm that their solution is flexible enough to implement the logic your organization’s business processes require. This will allow the vendor to map their products to your processes, rather than requiring you to change your organization’s processes due to the limitations of the solution. While a slight process modification may be required, organizations should not have to completely change their business logic to conform to an identity management solution.
In addition, implementing an integrated identity management framework or platform as opposed to multiple point solutions will help ensure long term success. While specific identity management point solutions may address certain needs now, such as for single sign-on (SSO) or password management, these solutions likely will not scale to meet the needs of tomorrow.
Leveraging a complete platform that enables the integration of multiple identity management components provides the flexibility to build a framework that will scale to your needs as they continue to grow and evolve.
Yash Prakash, Chief Strategy Officer, Saviynt
We see enterprises centering their identity management solution decision-making on three key drivers.
The first is future-proofing their identity deployments as they continue to move more of their business-critical operations to the cloud. This means moving towards a cloud-native identity platform from on-premises environments in order to ensure business agility.
Second, we see enterprises going all-in on zero trust, which has put identity governance center stage. Enterprises are moving away from standing access and “super users” and replacing it with zero standing privilege and just-in-time provisioning. Companies are seeking identity solutions that automate the reduction of “always-on” privileges and ensure right-sized access for all human and machine identities.
Finally, the industry is increasingly turning to AI/ML technologies to improve risk awareness and decision-making for identity-related business processes. Specifically, they want to take advantage of intelligent risk scoring based on usage data and peer group analysis to optimize access certification, requests, role management, and other access governance processes.
Identity management solutions that dynamically share this information with other security solutions – and across an ecosystem of devices, cloud workloads, and user types – are critical for enterprises so that every decision made is intelligent and contextual.
Mark Ruchie, CISO, Entrust
Protecting employee identities is key to preventing uncontrolled access and data breaches. That’s why it’s crucial for businesses to pick an identity management system that secures digital identities and corporate assets, while also improving workforce productivity and reducing friction for end users.
An identity management solution for a business should be dynamic, but also easy to issue, revoke, and manage. A dynamic identity can be revoked and replaced, reducing inconvenience or effort on the part of the business. It’s also critical for organizations to look for cloud-based solutions that can be quickly scaled up or down, ensuring IT teams can pivot based on business needs.
Lastly, a best practice in enterprise security is to use more than one factor to verify a user’s identity. Identity factors are not reliant on data like an address, telephone number, or Social Security number – these are static pieces of information that are easy for a hacker to discover. Instead, a business should look into more sophisticated factors like fingerprints and facial recognition.
Behavioral attributes and verifications via mobile device are also in wide use. Ultimately, individuals should have the ability to select which and how many factors to use, giving them control over how they secure and manage their identity.
Morten Boel Sigurdsson, President of North America, Omada
As more businesses leverage hybrid IT environments in their digital transformation journey, many are confronting challenges with managing identities and access across multiple applications, clouds, networks and servers.
Managing identities has become even more difficult with a remote workforce; the top contributing factor was the need to support access to a range of applications. With increased complexity comes an accelerated need to put strong identity management and governance in place.
To ensure quick implementation, many organizations are looking at full-featured, cloud-based identity governance and administration (IGA) solutions.
Scalability is essential. If a solution can’t expand and meet the future needs of the business, it will end up being more of a problem than an answer. Be sure to pick a solution that doesn’t hamper agility and growth.
Another critical factor is time to value. For an enterprise cloud deployment, your chosen IGA solution should deliver value in under 12 weeks.
Complexity is only increasing in our digitized world. Cybercrime is too, with identity theft a perennial favorite. Modern solutions today offer full-featured IGA that is cloud native, enterprise-ready and can be deployed rapidly.
Dave Taku, Director of Product Management, RSA
Identity has always been the cornerstone of information security. And now that we’re entering a work-from-anywhere chapter, it’s critical that organizations employ identity management solutions that can evolve with the needs of the business.
You shouldn’t have to choose between security, convenience, and cost. Securing access without impeding user productivity—that’s the foundation for a thriving mobile workforce. Users need the right level of access to the right resources at the right time, regardless of the user’s device or location.
At minimum, identity management should answer the five W’s of identity: who is the user, what can they access, why do they have those entitlements, and when and where are they using them? But that’s just a starting point.
Organizations should move on to creating frictionless experiences by eliminating passwords and using the authenticators their users already have: their mobile phones. Businesses should also emphasize least privilege: it’s not enough to just enforce security – you need the right tools to govern compliance and intelligently identify violations and risks.
Finally, with a dynamic remote workforce, our assumptions about what constitutes typical user behavior have ceased to exist now that we’ve all become “a branch office of one.” Identity management needs to adapt dynamically to learn each user’s “normal” in a way that ensures security without interfering with legitimate requests.
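Two of the points above translate directly into a data model: Prakash's zero standing privilege with just-in-time provisioning (every entitlement is a time-boxed grant with a stated reason, and "always-on" access is something to find and retire), and Taku's five W's (who, what, why, when, where). The block below is an added example, not Saviynt's or RSA's product code: a broker that issues expiring grants, evaluates access against them, reports any grant with no expiry, and answers the five W's from its own audit trail. The four-hour ceiling and the one-hour default duration are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed example: zero-standing-privilege access broker with a five W's audit view.
MAX_GRANT = timedelta(hours=4)  # assumed policy ceiling for any JIT grant


@dataclass
class Grant:
    identity: str                # who
    resource: str                # what
    justification: str           # why
    issued: datetime             # when (start)
    expires: Optional[datetime]  # None means standing privilege, which ZSP aims to remove


@dataclass
class AccessEvent:
    identity: str
    resource: str
    at: datetime
    source: str      # where: device, network or location label
    allowed: bool
    reason: str      # the grant's justification, or why access was refused


class JitAccessBroker:
    def __init__(self) -> None:
        self.grants: List[Grant] = []
        self.events: List[AccessEvent] = []

    def request(self, identity: str, resource: str, justification: str,
                now: datetime, duration: timedelta = timedelta(hours=1)) -> Grant:
        """Issue a time-boxed grant; a reason is mandatory and the duration is capped."""
        if not justification.strip():
            raise ValueError("a justification is required for every grant")
        grant = Grant(identity, resource, justification, now, now + min(duration, MAX_GRANT))
        self.grants.append(grant)
        return grant

    def import_standing(self, identity: str, resource: str, justification: str = "legacy role") -> Grant:
        """Model a pre-existing always-on entitlement so that reports can surface it."""
        grant = Grant(identity, resource, justification, datetime.min.replace(tzinfo=timezone.utc), None)
        self.grants.append(grant)
        return grant

    def check(self, identity: str, resource: str, now: datetime, source: str) -> bool:
        """Allow only if a grant is live right now; every decision is recorded."""
        live = [g for g in self.grants
                if g.identity == identity and g.resource == resource
                and g.issued <= now and (g.expires is None or now < g.expires)]
        allowed = bool(live)
        reason = live[0].justification if live else "no live grant"
        self.events.append(AccessEvent(identity, resource, now, source, allowed, reason))
        return allowed

    def standing_privileges(self) -> List[Grant]:
        """Grants with no expiry: the always-on access a ZSP programme works to eliminate."""
        return [g for g in self.grants if g.expires is None]

    def five_ws(self, identity: str) -> List[dict]:
        """Who accessed what, why they were entitled, and when and from where."""
        return [dict(who=e.identity, what=e.resource, why=e.reason,
                     when=e.at.isoformat(), where=e.source, allowed=e.allowed)
                for e in self.events if e.identity == identity]


if __name__ == "__main__":
    t0 = datetime(2021, 5, 3, 9, 0, tzinfo=timezone.utc)  # constructed timeline
    broker = JitAccessBroker()
    broker.request("alice", "prod-db-admin", "ticket INC-0001: restore backup", t0, timedelta(hours=2))
    print(broker.check("alice", "prod-db-admin", t0 + timedelta(minutes=30), "vpn-de"))
    print(broker.check("alice", "prod-db-admin", t0 + timedelta(hours=3), "vpn-de"))
    broker.import_standing("svc-backup", "prod-db-admin")
    print([g.identity for g in broker.standing_privileges()])
```

The standing-privilege report is the useful output for a zero trust programme: anything it lists is access that exists without a reason or an end date, and the migration path is to replace each such entry with grants issued through `request`.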
Nadav Well, Sr Director of Go To Market, PlainID
When considering an IAM solution, usually the focus narrows down to security features alone. But an often overlooked aspect is how to evaluate an IAM solution from a business perspective.
An IAM solution needs to be a business facilitator and enable users to be productive by making sure they have access to what they need, and when they need it.
Different identities require different management processes:
- Workforce – Identities of individuals that are part of your company
- Customers – End users with access to your digital assets
- Partners – Users that belong to another organization that is engaged in your business activities (resellers, distributors, dealers, agencies…)
Define the outcome that the IAM solution should achieve. For example, an IAM solution for partners’ identities needs to support quick onboarding of new partners and give them a great user experience (they might simply not use it, or work with your competitor instead…).
Map out the end-to-end process that is involved in managing the different identity types. Different types of identities require different processes for various management steps. For example, onboarding of a partner to your system is different from onboarding an internal employee. Or, maybe you might want to give an organization delegated admin abilities to manage their own partners who are onboarding to your applications.