10 Best Identity and Access Management (IAM) Solutions

Identity and Access Management (IAM) once helped IT departments in large enterprises to manage employees in Active Directory. In a modern IT environment IAM plays a far more critical role in authorizing geographically dispersed workforces as they connect to internal resources, cloud resources, and especially software-as-a-service (SaaS) applications.

IT teams can no longer easily manage individual user rights and permissions with the rapid increase in SaaS applications and remote work. IAM offloads the burden of individual access management and automates the onboarding and offboarding processes as well.

To pick the best software for IAM needs becomes complicated as corporate needs surpass the traditional workforce requirements to encompass developers, customers, and even access from other applications.  Many more IAM providers exist than can be covered in this article, but we will highlight key providers, their features, pros, cons, and pricing (when available):

After covering individual tools, this article will cover IAM Service Providers, How the Top IAM Solutions Were Selected as well as an Overview of IAM Trends.

Best Dedicated Identity and Access (IAM) Software

Organizations can deploy different options to encompass the capabilities of identity and access management, but sometimes the best option is to acquire a dedicated solution — such as the five IAM-centric tools in this section. These dedicated identity and access management tools integrate with human resources software and connect to an organization’s critical assets and applications on-prem, in the cloud, and SaaS tools.

CyberArk – Security-Focused IAM

CyberArk looks at identity as the basis for a security strategy and offers a portfolio of tools for identity management, privileged access, secrets management, endpoint privilege security, cloud privilege security, and both workforce and customer access. Behavior analytics set a baseline for users and can trigger alerts and access changes when anomalous behavior is detected.

CyberArk IAM interface

Features

  • Lets users in while using artificial intelligence (AI) to help keep threats out
  • Continuously monitors behavioral signals to make sure users are who they say they are
  • Single sign-on and multi-factor authentication
  • Consolidate key security technologies and simplify policy enforcement
  • A privilege-centric approach to securing identities
  • Option for password management

Pros

  • Great tool for those that want to easily add privileged and secrets management
  • Self-hosting options for tools

Cons

  • Opaque pricing and licensing makes it unclear what licenses may be required to match the capabilities of other IAM products or other pricing details (Per user or per app? Monthly or annual billing? etc.)
  • Organizations that need only IAM features may not benefit from additional security features and options

Price

Cyberark does not list pricing on their website. Instead, the site encourages interested parties to start a free trial, contact the company for a quote, or reach out to resale partners for more information.

JumpCloud – Small Business Friendly IAM

The cloud-native JumpCloud provides IAM and options for device and patch management. The tool has options to implement zero-trust policies, use Cloud LDAP to manage users, and to deploy Cloud RADIUS to issue certificates to devices as one form of multi-factor authentication.

JumpCloud IAM interface

Features

  • Centralized identity control and lifecycle management through the Cloud Directory tool
  • Cloud-based LDAP and RADIUS services
  • MFA, SSO, conditional access, and password management
  • HR system integration
  • API services for custom workflow development
  • Incorporates mobile device management (MDM) and management for Windows, macOS, and linux endpoints.
  • Provides Patch Management and device intelligence

Pros

  • Simplified trouble-shooting and compliance monitoring of user activity
  • Pre-built application catalog

Cons

  • Changes can be easy to make incorrectly or recklessly without training
  • Incorrect connections can overwrite user passwords
  • Strictly a cloud-based tool
  • Requires powershell module to make bulk changes

Price

JumpCloud offers a free version for up to 10 users and 10 devices. Paid versions require the Cloud Directory tool and are priced per user per month. Monthly billing is available but a discount is applied for annual billing.

Service Annual Price Monthly Price
Cloud Directory base $3 $2
Cloud Directory a la carte options
MFA, SSO, user lifecycle management, etc. $3 $4
Device management $5 $6
24×7 support $2 $3
SSO package that bundles MFA, SSO, user lifecycle management $7 $8.50
SSO package a la carte options
Device management $3 $5
Password manager or cloud insights (AWS users) $4 $4
24×7 support $2 $3
Core Directory Package that adds Cloud LDAP, RADIUS and Directory insights $11 $13
Core Directory Package a la carte options
Password manager or cloud insights (AWS users) $4 $4
24×7 support $2 $3
JumpCloud Platform bundle that adds device management $15 $17
JumpCloud Platform a la carte options
Patch management, password manager, or cloud insights (AWS users) $4 $4
24×7 support $2 $3
PlatformPlus that adds support and zero trust options (conditional access policies, device trust, and network trust) $18 $20
PlatformPlus a la carte options
24×7 support $2 $3
Patch management, password manager, or cloud insights (AWS users) $4 $4

JumpCloud offers professional services to help with implementation, migration or technical account management. JumpCloud also offers special pricing and discounts for MSP partners, educational institutions, and Non-profit organizations.

Okta & Auth0 – IAM Category Leader

Okta has long been a leader in access management, authentication and single sign-on. With a simple and easy-to-manage SaaS-based approach, Okta offers IAM solutions that enable zero trust principles with reduced complexity.

Okta recently acquired Auth0 to cement their position as the category leader and offer developers coded IAM solutions for customer IAM and applications. Okta is also an IAM specialist, independent of other major technology companies and publicly traded on the NASDAQ.

Okta IAM interface

Features

  • Securely manage identity for apps and multi-cloud environments
  • Automated lifecycle management for user provisioning and deprovisioning.
  • Secure password-less authentication options
  • Options for multi-factor authentication (MFA) and single-sign-on (SSO)
  • Privileged access management features
  • Tailor Okta using no-code, low-code, or pro-code options
  • Connect to third-party apps and systems to enhance security and user experience
  • Directories securely store users and attributes at scale
  • Okta Insights aggregates, analyzes, and disseminates data from the IAM tool
  • Identity Engine offers customization of authorization, authentication, and registration

Pros

  • More than 7,000 established integrations
  • Options for managing identities for the workforce or customers
  • Developers can use the established Auth0 IAM solution
  • Recognized as a market leader by Gartner, Forrester, and G2
  • 99.99% availability; built with self-healing nodes for greater stability
  • Centralized admin and a single directory to manage users, groups, apps, devices, and policies
  • Unified IAM and governance solution
  • Advanced adaptive SSO and MFA capabilities for enhanced security
  • Auth0 offers 14 pre-built software design kits (SDKs) with language-specific libraries

Cons

  • SaaS app is not very customizable
  • Cloud-based application, no on-premises option (other than agents for integration and connections)
  • Requires multiple tools to be licensed for full identity and access management capabilities
  • Contract minimums will be unsuitable for the smallest organizations

Price

The pricing for Okta can be complex because of the many options Okta offers.

Workforce IAM Options require a minimum $1,500 annual contract and offer volume discounts for enterprise customers with more than 5,000 users. Okta offers various tiers based upon the desired features and are priced per user per month.

Price (USD) Option
$2 Single-sign-on (SSO)
$5 Adaptive SSO
$3 MFA
$6 Adaptive MFA
$2 Universal Directory
$4 Lifecycle management
$2 API Access management
$15 per server per month Advanced server access
$3 Access gateway
Workflows
no cost Up to 5 flows
$4 Light – up to 50 flows
$5 Medium up to 150 flows
$6 Unlimited flows
Identity Governance
$9 Light – up to 50 flows
$10 Medium – up to 150 flows
$11 Unlimited flows

Customer IAM Options support and secure customer interactions are acquired through the Auth0 app for developers.  Auth0 is free for up to 7,000 users with unlimited logins. Paid categories depend upon the use case and the number of active users. Custom quotes for complex use cases and discounts for non-profit organizations are also available.

Customer IAM Plan Price Note
B2B Essential $130 / month Up to 50 organizations
B2B Professional $800 / month Up to 100 organizations
B2C Essentials $23 / month
B2C Professional $240 / month Adds MFA, external database support, admin roles, and consolidated user stores

Customized enterprise plans also are available with custom connections and user tiers, advanced deployment options, enterprise add-ons, and no admin or action limits.

OneLogin – Education Friendly IAM

OneLogin, a division of One Identity which is owned by Quest Software, provides a dedicated identity and access management solution for both the workforce and customers. OneLogin also provides support to developers that want to integrate IAM capabilities into their own applications.

OneLogin offers an unusual option to place an application on the desktop of an endpoint computer. This desktop app launches with the login password and enables a completely controlled environment for all connected applications and users and may not need to use any other passwords.

OneIdentity OneLogin IAM interface

Features

  • Consistent experience with single-click access to SaaS and on-premises applications from any device
  • Manage access for all your apps from a centralized platform with a single UI
  • Offers Federation, single sign-on, and integrates with OneLogin SmartFactor Authentication
  • Balances usability and security with adaptive authentication for dynamic, multi-factor authentication (MFA)
  • Advanced directory synchronizes users across multiple directories such as Workday, Active Directory, G Suite, LDAP, etc.
  • Can control HR data and streamline on- and off-boarding of employees through automation
  • Options to unify and secure remote access through on-prem windows servers and desktops
  • Option for a OneLogin desktop environment where the device login acts as the credentials for all apps
  • OneLogin offers a sandbox feature to test configurations

Pros

  • More than 6,000 integrations
  • Customer IAM can integrate with social media logins
  • Effective alerts and reports of unauthorized login attempts
  • Integrates with Student Information System (SIS) platforms popular for organizations in the education market

Cons

  • Adding users to multiple roles can lead to multiple logins for the same app through each role
  • Prices can add up with multiple a-la-carte options

Price

OneLogin offers a flexible array of offerings for their IAM products, but does not publish their pricing for Customer IAM or Developer licensing. OneLogin offers a self-service portal for technically savvy Small Businesses of less than 50 users, or provides references to certified MSP partners that can assist with deployment, provide day-to-day management, and offer volume pricing discounts.

  • Workforce IAM Bundle Prices / user / month
    • $4 Advanced bundle provides SSO, advanced directory, MFA, and policy-driven security
    • $8 Professional bundle adds identity lifecycle management, and HR-Driven identity.
  • Workforce IAM a-la-carte pricing / user / month
    • $2 SSO
    • $2 Advanced Direcotry
    • $2 MFA
    • $5 SmartFactor Authentication
    • $4 Desktop
    • $4 Identity Lifecycle Management
    • $2 HR-Driven Identity
    • $4 RADIUS
    • $2 Workflows

Ping Identity – IAM Category Challenger

Another publicly traded IAM pure-play on the NASDAQ, Ping Identity offers a range of identity and access management solutions that may be purchased separately.  Ping offers IAM to cover both the workforce and the customers of clients as well as support for developers to add IAM features to websites and applications. Ping Identity lags behind Okta in revenue, but as of 2018, all 12 of the largest banks in the US used the Ping Intelligent Identity Platform.

Ping Identity IAM interface

Features

  • Administer IAM across any cloud or user to manage IAM at scale.
  • Integrate throughout a hybrid IT environment
  • Confirm the identity of users and detect potential fraud
  • Deliver consistent single sign-ons (SSOs) and multi-factor authentication (MFA) with options for dynamic authorization
  • Protect access to resources, data and sensitive actions
  • Continuously monitor risk signals and API traffic
  • No-code drag & drop workflows, pre-built templates, and easy A/B tests to test identity orchestration for different workflows

Pros

  • 99.99% uptime
  • 100+ pre-built integrations
  • Detects threats and anomalous or risky behavior
  • Also available as a
    • Dedicated tenant option managed and hosted by Ping for customers that require data isolation
    • Cloud-ready containers for on-premise or private cloud deployment of some capabilities

Cons

  • Some customers complain of complex role management and entitlement creation
  • Requires multiple tools to be licensed for full identity and access management capabilities
  • Contract minimums will be unsuitable for smaller organizations

Price

Ping offers a free 30-day trial of their product and prices their PingOne Workforce solution based on users per month based on an annual contract with a minimum of 5,000 users.

  • $3 Essential includes identity orchestration engine, SSO, directory, employee dock
  • $6 Plus adds adaptive MFA, integration with Microsoft, passwordless authentication, inbound provisioning, and LDAP
  • Premium requires a custom quote but adds advanced authentication, access security, delegated administration, VPN and remote access integration, API access control, and more.

PingOne for Customers is priced annually in three tiers:

  • $20k Essential includes identity orchestration engine, SSO,authentication policies, customizable registration/sign-on, unified customer profile, self-service preference management, secure user management, connections to apps with open standards, RESTful APIs, and a unified administration portal
  • $40k Plus adds adaptive MFA, embedded MFA for mobile apps, customer device management, transaction approvals, API access management, LDAP, and passwordless authentication

Premium requires a custom quote but adds support for extreme demand spikes, connections to multiple data stores, and more customization.

Best IAM Tools in a Portfolio

Sometimes, identity and access management is only one of the problems an IT team needs to solve. In these cases, working with a vendor with a broader variety of tools can be advantageous because the IAM tool should automatically integrate with the other tools needed by the organization. The five vendors in this category offer a much broader suite of tools that an organization will include in its evaluation of the suitability of the IAM solution.

CyberRes NetIQ – For In-House IAM Installations

CyberRes, by Micro Focus, provides a suite of NetIQ tools for Identity and Access management. Its adaptive identity-centric approach offers an integrated platform for identity, access, and privilege management that integrates with other security and privacy tools in the collection.

MicroFocus CyberRes NetIQ IAM interface

Features

  • The NetIQ Risk Service consumes contextual and behavior risk metrics to adapt the user authentication experience
  • Tunes session authorization levels as needed to protect sensitive resources
  • Provides visibility and control of privileged user activities to deliver actionable security intelligence to address evolving threats
  • Allows configuration policy management and enforcement across critical systems on-premises and in the cloud across Unix, Linux, Windows, Azure, O365, and non-domain joined services
  • Edit, test, review and compare changes before implementing environmental changes to prevent security gaps
  • Automate and streamline access requests, access certification, identity lifecycle management, provisioning, and compliance reporting
  • Policy-based remediation to automatically secure locations or lock down locations
  • Installs within the organization’s architecture (local data centers or private cloud)

Pros

  • Easy, centralized management of self-service access requests and approvals
  • Continuous governance to detect high-risk changes
  • Local installations provide full control to the organization

Cons

  • Performance and uptime depends upon the organization’s infrastructure and resources
  • Requires more management, support, and infrastructure costs than hosted solutions.

Price

MicroFocus offers free trials of their software but neither publishes prices on their website nor notes the nature of the licenses (perpetual, annual, etc.).

IBM – Subtle IAM Security

IBM Security Verify provides identity and access management solutions as part of a broader portfolio of security products. IBM’s IAM portfolio also extends into the related technology categories of governance and privileged access management (PAM).

IBM designs Security Verify to be invisible to users and operate in the background. This approach provides IAM and security with reduced user disruption.

IBM Security Verify IAM interface

Features

  • Discreetly verifies user identities when they log in and throughout the session
  • Uses AI to uncover outliers and dangerous combinations of entitlements
  • Enables access to resources and applications, whether in the cloud, on-premises, or in a hybrid cloud
  • Centrally manages and automates access certifications, on- and off-boarding, and separation of duties violation detection
  • Provides single sign-on and risk-based multifactor authentication
  • Admins can securely grant access rights and entitlements
  • Provision, audit and report on user access and activity
  • Allows self-service options for access request and password reset

Pros

  • Both cloud-based and on-prem solutions available
  • Heavy emphasis on security and governance reporting
  • Integrates tightly into the IBM ecosystem
  • Role-based IAM
  • Can connect with local applications and services such as virtual private network (VPN)
  • Detects and monitors the passwords for high-access accounts

Cons

  • Best suited for high-volume enterprise customers
  • Small businesses will not need many features and tools
  • Not known for a large number of app integrations
  • On-prem management requires much more IT labor than SaaS solutions
  • Customers complain that the interface does not work as well on mobile

Price

IBM offers Security Verify for both workforce IAM and customer IAM (CIAM) with both solutions also available as turnkey consulting and managed services. IBM sells through business partners and also quotes prices through their internal representatives.

IBM provides a cost calculator on their website and sells licenses in one, two, and three-year durations. Costs will vary depending upon the modules licensed. Published examples of pricing include:

  • IBM Website: Example costs for 5,000 users (workforce license)
    • $1.71 / user / month SSO
    • $1.71 / user / month MFA
    • $1.71 / user / month adaptive access
    • $2.01 / user / month lifecycle and provisioning
    • $2.13 / user / month identity analytics
  • AWS Marketplace: Example 12 month contract
    • $15,000 / year / 100 users for Verify Workforce
    • $12,000 / year / 10k consumer users for Verify Consumer

Prices for turnkey consulting and managed services are not published.

ManageEngine AD360 – In-House IAM + PAM

ManageEngine’s portfolio of tools includes several related to identity and access management, but the key tool is ManageEngine AD360. Other tools can add capabilities for privileged management, auditing, active directory management, and key management.

ManageEngine AD360 IAM interface

Features

  • Automated identity lifecycle management
  • Adaptive MFA and secure SSO
  • Approval-based workflows
  • Identity threat protection
  • AI-powered behavior analytics

Pros

  • Local installations provide full control to the organization
  • Quick and easy to install and implement
  • Bundled pricing includes many different capabilities beyond IAM

Cons

  • Performance and uptime depends upon the organization’s infrastructure and resources
  • Requires more management, support, and infrastructure costs than hosted solutions.
  • Requires multiple tool installations to match capabilities of IAM-dedicated tools
  • Companies may not need the non-IAM capabilities that come with the AD360 bundle.

Price

ManageEngine provides a 60-day free trial for AD360 and a price calculator to estimate the licensing costs. Customers can choose between the standard or the professional edition and prices include annual maintenance and support fees.

Minimum prices are $2,870 for Standard and $5,020 for Professional and covers licenses for:

  • ADManager Plus – 1 domain, 2 help desk technicians
  • ADAudit Plus – 2 domain controllers, 2 file servers, 5 member servers, up to 100 workstations
  • ADSelfService Plus – Up to 500 users

Other add ons, onboarding, implementation, and training are also available.

Microsoft – Broadest IAM Coverage

Microsoft’s Active Directory provides the foundation for identity management for many organizations around the world, but does not reach outside of local networks. To embrace the expanded needs for modern IAM, Microsoft offers a collection of tools, called Microsoft Entra, that can be used to implement identity and access management for multi-cloud and multi-network needs.

Launched in May, 2022, the Entra suite of tools now also encompasses Azure Active Directory so that it covers the broadest range of IAM needs when used together. However, some tools only currently exist in preview mode and have not been released commercially.

Microsoft Azure Active Directory IAM interface

Features

  • Azure Active Directory
    • Centralized, cloud-based, unified identity management
    • Simplified identity governance for users and admins
    • Fast, easy sign-in experience across a multicloud environment
    • Secure access through strong authentication policies and risk-based adaptive access policies.
    • Options for SSO, MFA, passwordless, and conditional access
    • Incorporates external identities
    • Automates and simplifies access lifecycle (on- and off-boarding)
    • Embedded privileged access management
  • Entra Identity Governance:
    • Govern access between resources, users, and apps
    • Set up requirements for recurring reviews of users, group membership, and access
    • Automate employee, supplier, or partner access to apps and services both in the cloud and on-prem.
    • Can delegate day-to-day resource access requests to business groups
  • Entra Permissions Management:
    • Unified cloud access policies and infrastructure entitlement management
    • Discovers identities accessing cloud platforms
    • Automates the principle of least privilege
    • Continuous permissions monitoring
  • Entra Verified ID:
    • Verifies and validates identity information and credentials
    • Self-service account recovery
    • Provides digital integration of background checks
  • Entra Workload Identities:
    • Secures identities for apps and workloads for zero-trust
    • Detects compromised workload identities
    • Simplified workload lifecycle management

Pros

  • From one of the most trusted brands in IT and security – Microsoft
  • The broadest perspective on what IAM should encompass to encompass human identity verification (Entra Verified ID) and treating apps and workloads as users to be verified (Entra Workload Identities)
  • Basic identity management is included with other Microsoft subscriptions
  • AAD already manages over 1 billion identities

Cons

  • Requires multiple tools to achieve basic IAM
  • The full suite of tools will be unnecessary for many users
  • Too new to know how well it works compared to competition
  • May be overwhelming for inexperienced IAM professionals
  • Integrations may require significant trouble-shooting

Price

Pricing is not yet available for all tools in the suite, but some are also included with other Microsoft Office 365 subscriptions. Prices are quoted on a per month basis.

  • Azure Active Directory (AAD) – Free version is bundled with the commercial online service such as Azure, Dynamics 365, etc.
    • Includes cloud authentication, AD federated services, SSO, MFA, role based access control, user/group management, directory synchronization, passwordless access, automated user provisioning to apps, and limited end-user self-service.
  • AAD Free with a customizable user sign-in page comes free with some Office 365 subscription levels.
  • $6 / user AAD Premium P1 is included Microsoft 365 E3 or for purchase
    • Adds group assignments to applications, cloud app discovery, application proxies, conditional access, SharePoint limited access, session lifetime management, custom security attributes, advanced group management, global password protection and management, Microsoft Identity Manager client access license, automated group provisioning to apps, and more.
  • $9 / user AAD Premium P2 is included with Microsoft 365 E5 or for purchase
    • Adds identity protection, access certifications, entitlement management, privileged identity management, and more
  • $10.40 / resource for Entra Permissions Management
  • $3 / workload for Entra Workload Identities Premium

Oracle – For Enterprise Multi-Cloud IAM

Oracle’s Cloud Infrastructure Identity and Access Management and Access Governance tools manage identity and access across a variety of cloud and on-premise applications and devices. The context-aware access products integrate with a wide range of applications, servers and systems, including custom applications.

Oracle IAM interface

Features

  • IAM services can be self-managed, co-managed in the cloud, or fully managed via SaaS
  • Cloud-native enterprise access management that supports heterogeneous and multi-cloud needs
  • Governance features provide both a software delivered/self-managed model for managing on-premises and cloud resident identities, as well as running as microservices
  • 33 global data centers provide the capability, scalability, and flexibility to manage access and governance needs
  • Oracle embeds OCI IAM capabilities into its Fusion Application Cloud services to simplify the provisioning and role management
  • Blends with existing cloud frameworks from Azure, AWS, Google and others
  • Automates user lifecycle management across all resources

Pros

  • Admins assign apps to groups and users to groups so that users can easily self-provision available apps without an IT burden
  • Enables an identity-based perimeter for Zero Trust
  • Can provide customer-oriented IAM
  • Integrates with social media platforms
  • Customizable user interfaces
  • Best for large enterprise customers

Cons

  • The complex architecture can be very difficult to learn
  • Does not support many third-party integration tools
  • Pricing can be complex and confusing because it is unclear which licenses grant which capabilities or if multiple licenses may be needed

Price

Oracle posts basic pricing on their website, but customers can also consider going through partner resellers for possible discounts. Pricing is listed per user per month with possible charges for tokens and SMS texts when used in high volume.

  • Identity and Access Management
    • $0.016 per external user (customers, vendors, etc.)
    • $0.25 Oracle Apps Premium
    • $3.20 Identity and Access Management Premium
  • Access Governance
    • $0.69 for first 10k users
    • $0.63 for > 10k to < 50k users
    • $0.54 for 50k users and more

Identity and Access Management (IAM) Service Providers

The hidden assumption in selecting a software solution, even SaaS, is that an organization has access to the time and expertise needed to install, configure, and use the tool. For resource constrained organizations that require IAM, sometimes the best option will be to outsource IAM to a service provider.

For better or worse, the number of service providers greatly exceeds the number of potential IAM tool vendors, so it isn’t possible to create a reasonable list of the ‘best’ 5 vendors without the context of an organization’s needs. Instead, we’ll focus on the type of vendors and what they may offer.

IT Consultants

Many consultant companies offer technology services as part of their service portfolio.  The largest global enterprises may look for global names to provide their IAM services such as KPMG or EY. However, there are consultants of all sizes and an organization with a high comfort level with their local consulting team may be quite satisfied with expanding their services to cover IAM.

IT and Security Specialists

Some organizations prefer to keep their IT and security services with managed IT service providers (MSPs) and managed IT security provider (MSSP) specialists. A wide variety of big and small vendors provide IAM services to an equally broad variety of customers.  Each vendor will have their favorite IAM tools and techniques, so organizations will need to verify that the provider can meet their specific needs and integrate with their critical applications.

Organizations seeking IAM services can start by talking to their current IT and security vendors to explore options. For competing quotes, a quick internet search will unveil IAM service providers such as:

Another good resource is to examine the websites of tools that the organization might consider for their IAM needs. For example, IBM offers managed IAM services and most vendors, such as OneLogin, will list sales and technology partners that can help outsource some or all of the IAM needs.

How the Top IAM Solutions Were Selected

To create the pool of candidates for this year’s top IAM solutions, we consulted a variety of internet sources such as Gartner’s Magic Quadrant for Access Management, the Forrester Wave for Identity as a Service (IDaas), the Identity Management Institute, and customer reviews on websites such as G2. We also checked the vendor websites and examined their capabilities and features.

To remain under consideration, the tool needed to deliver robust capabilities for both identity management as well as access management.  Some otherwise capable tools did not make the cut because they might only deliver some of those capabilities.

Identity management requires the creation, administration, and deployment of identifiers, credentials, and attributes. Access management requires focus on the control of permissions assigned to users and evaluating those permissions against identity whenever information or asset access is requested.

Some tools might deliver the equivalent benefits of IAM, but using other technologies such as controlling remote access. Our assumption is that organizations searching for IAM are looking specifically for IAM solutions so those tools were not included.

Examples of tools that were excluded from this article include:

  • Cisco / Duo – Cisco deploys an impressive array of access control tools from Duo’s MFA, to robust network access control. However, their lack of features for identity management on their website and light documentation of those capabilities meant they did not make the cut.
  • Prove – Prove uses phone numbers to help prove identities and provide robust identity confirmation. However, the tool does not provide access management or true identity management features such as groups.
  • Semperis – Sempris offers very important security tools to protect Active Directory, but while this is identity management adjacent, it does not qualify as IAM.
  • Twingate – Twingate provides the equivalent of IAM for cloud applications by offering a web-based alternative to VPN, however, it does not explicitly offer IAM capabilities.

The remaining tools were compared for capability and we picked the most notable 5 dedicated IAM solutions and most interesting 5 IAM solutions that are part of larger tool sets for this article. Given the number of quality vendors and fast pace of change in this space, we can expect this list to change over time.

Why IAM?

Identity and access management tools become important once an organization has multiple locations, remote workers, and the need to control access to cloud-based resources or SaaS applications. Smaller organizations often manually control access to each resource, but once the cloud resources reach a certain value or the organization reaches a certain size, then delays in lifecycle management become more costly.

Organizations that delay access to applications for new employees wind up wasting time and money. Organizations that delay removing access to employees leaving the organization risk data theft or sabotage. IAM can also provide the basis for implementing other security initiatives such as zero trust or secure access service edge (SASE).

How to Select an IAM Solution

Once an organization recognizes the need, they need to find a suitable solution. The key factors in the decision will likely revolve around:

Integration Capabilities: If you have a critical app a superior application that does not integrate with or support that critical app will be useless. Actual usability is more important than potential capabilities.

User Experience: How much hassle is introduced or reduced by implementing IAM? Many tools introduce self-service application requests, automated approvals, and single sign-on (SSO) capabilities that reduce friction for users to obtain and use internet-based resources. Organizations with heavy mobile users will also need to ensure their solution delivers a smooth mobile experience for their users.

Security Needs: Organizations with advanced security requirements will need to deploy MFA options, execute granular control over access, as well as track and report on access by asset or by user.

Resources Needed: Some tools will be resource-light SaaS solutions and others will require local system deployments. The cost of the required resources to run the tool will also need to be added to the potential personnel costs for installation, configuration, maintenance, and use.

Delivered Value: Ideally, tools don’t just deliver features, they should deliver benefits. The value of additional security and control may be difficult to quantify, but time savings compared to manual execution of IAM tasks has led to Return on Investment (ROI) estimates between 482% and 548%.

Each organization will need to verify that the capabilities of the tools meet their needs and estimate their accompanying resources and ROI. Many tools provide trial periods for testing, but keep in mind that integrations can be time consuming and should be reserved for finalists.

Overview of Identity Access Management Trends

Identity and Access Management and  ID-as-a-Service does not provide a miracle cure for security risk as Okta customers discovered last year. However, IAM done well can reduce the risk of human error and contain the impact of mistakes.

As more organizations evolve, their need to control workforce and consumer access to their applications, identity and access management naturally increases in importance and adoption rate. As adoption of IAM increases, the capabilities and uses of IAM also continue to increase. The big trends in IAM consist of increasing scope, incorporation of artificial intelligence, and enabling new standards for secure access.

Expanding Scope of IAM

Organizations used to only worry about verifying the identity of employees and granting them access to internal resources such as shared servers and network devices (printers, workstations, etc.). However, as IT explodes in scope, the definition of IAM also evolves in definition.

We still secure the workforce, but now IAM can expand the scope of users to incorporate customers and even applications that need to access corporate resources. We still secure servers and network devices, but we also expand IAM to control access to containerized cloud resources and internet based SaaS apps.

AI-Powered IAM

As artificial intelligence improves, more vendors incorporate AI and machine learning to develop behavior analytics modules that detect and warn against anomalous user behavior. These tools improve the overall security for the organization without adding significant requirements for security personnel or other security tools.

IAM: Enabling New Secure Access Standards for Zero Trust and SASE

With more users than ever accessing applications remotely, limiting access for remote employees, partners, and customers has become as complicated as it is critical. A static single sign-on (SSO) or multi-factor authentication (MFA) product isn’t going to cut it at the enterprise level, where the cost of a breach is high.

Breach costs can include lost data, stolen intellectual property, damaged customer trust and reputation, incident response costs, and downtime. Steep fines may even be incurred stemming from breached compliance regulations like HIPAA, GDPR and CCPA if medical or personally identifiable information (PII) is involved.

To reduce risk and secure assets outside of the local network, many organizations turn to secure access service edge (SASE) and zero trust principles. IAM helps to fulfill the requirements of these principles by verifying user identities, managing the principle of least privilege, defining access policies for assets, and complying with the access requirements (MFA, etc.) defined by the policies.

The Future of IAM: Decentralized Identity

Gartner sees the IAM market eventually delivering decentralized identity. Instead of a user-focused system of identity and verification, an “identity trust fabric” will provide a layer of security between users and applications.

However, the current concept of decentralized identity relies upon blockchain technology and is also tied to the still-emerging concept of the cybersecurity mesh that will unify the vast distributed enterprise networks and resources into a centralized policy management and orchestration layer.

Bottom Line: Developing the IAM Ecosystem

The selection of an identity and access management solution can dramatically increase security and control over SaaS and cloud resources. For organizations seeking to further improve security, there are many adjacent technologies that compliment and strengthen an IAM solution.

For example, Privileged Access Management (PAM) provides specialized tools to manage administrator and other elevated and dangerous access levels. Active Directory security, machine identity security, password managers, and encryption key management also address key factors of identity and permissions security that could pose enormous risk to a breached organization.

Although it might seem that there will always be another tool needed to fully secure an organization, implementing broad, fundamental security layers will always be the first important steps to take. For today’s dispersed IT environment, adopting an effective IAM tool should be one of those effective first steps.

Chad Kime
Chad Kime
eSecurity Planet Lead Writer Chad Kime combines his Electrical Engineering and MBA degrees to translate between technical language and common English. After managing over 200 foreign language eDiscovery projects, Chad values practicality over idealism. He has written on cybersecurity, risk, compliance, network security hardware, endpoint monitoring software, anime DVDs, industrial hard drive equipment, and legal forensic services.

Latest articles

Top Cybersecurity Companies

Related articles