A lot has changed in the two years since we last examined the identity and access management (IAM) market. Some vendors have disappeared. New ones have emerged. The once-great security giant Symantec is now a division of Broadcom. Idaptive, too, is gone, acquired by CyberArk.
The big trends, though, remain the incorporation of behavior analytics and zero trust. These technologies have become an increasingly important part of access management products. And of course, the work-from-home (WFH) movement has put even greater pressure on access security. We’ll discuss the top solutions in depth, along with important trends in identity management and features to look for in IAM products.
Top Identity and Access Management (IAM) Software
Twingate helps fast-growing companies easily implement a Zero Trust secure access solution without compromising security, usability, or performance. We believe that “Work from Anywhere” should just work. Twingate’s secure access platform replaces legacy VPNs with a modern Identity-First Networking solution that combines enterprise-grade security with a consumer-grade user experience. It can be set up in less than 15 minutes and integrates with all major cloud providers and identity providers.
A PAM solution that gives system administrators complete visibility into each endpoint’s access privileges. With this convenient setup, admins are able to view user requests, check request history, block elevations, and approve or decline escalation requests on the go from either the dashboard or mobile app. Enable Zero-trust execution or revoke local admin rights with a simple click. This effectively stops malicious insider threats from taking over your network and boosts your security.
For security teams charged with defending hybrid and multi-cloud environments, Semperis ensures integrity and availability of critical enterprise directory services at every step in the cyber kill chain and cuts recovery time by 90%. Purpose-built for securing hybrid Active Directory environments, Semperis’ patented technology protects over 50 million identities from cyberattacks, data breaches, and operational errors. Expose blind spots. Paralyze attackers. Minimize downtime. Semperis.com
ADManager Plus is a unified AD, Exchange, Teams, Google Workspace, and Microsoft 365 management solution that simplifies tasks such as provisioning users, cleaning up stale accounts, and managing NTFS and share permissions. It offers 200 built-in reports, including reports on inactive user accounts, Microsoft 365 licenses, and users' last logon times. You can build custom workflows for ticketing and compliance, delegate tasks to technicians, and automate AD tasks such as backing up and restoring AD objects.
IAM Evolves with Zero Trust
With more users than ever accessing applications remotely, limiting access for remote employees, partners, and customers has become as complicated as it is critical. A static single sign-on (SSO) or multi-factor authentication (MFA) product isn’t going to cut it at the enterprise level, where the cost of a breach is high. Those costs can include lost data, stolen intellectual property, damaged customer trust and reputation, incident response costs, downtime, and steep fines from compliance regulations like GDPR and CCPA if personally identifiable information (PII) is involved.
The best IAM solutions incorporate the concept of zero trust, giving users only the access they really need, and use artificial intelligence to identify anomalous behavior that could indicate a breach or stolen credentials.
What are the Key Features of Identity and Access Management (IAM) Software?
Most IAM products offer the following features:
- Creation, management, and deletion of identities
- Control of permissions for who can access what information, typically on a least-privilege and zero-trust basis
- Personalized, role-based access and services for users
- Identity federation that authenticates users across compatible applications within and outside the organization
In most cases, the identity and access functions are combined into one application. The identity management side is all about the creation, administration, and deployment of identifiers, credentials, and attributes. Access management, on the other hand, focuses on the control of permissions assigned to users and evaluating those permissions against identity whenever information access is requested.
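To make the identity/access split above concrete, here is a small added example (not code from this article or from any vendor it covers): an identity store handles creation and offboarding of identities with roles and attributes, an access-management function evaluates a deny-by-default, role-based permission table against the requesting identity, and a simple behavioral baseline triggers step-up MFA when a login comes from a never-seen country/device pair or targets a sensitive action, the zero-trust pattern described earlier. The role table, user names, countries and device names are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Identity:
    """An identity record: the identity-management side of IAM."""
    user_id: str
    roles: set
    active: bool = True
    attributes: dict = field(default_factory=dict)


# Constructed sample policy: role -> permitted (resource, action) pairs.
# Anything not listed is denied (least privilege, deny by default).
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "finance": {("reports", "read"), ("invoices", "read"), ("invoices", "approve")},
    "admin": {("users", "create"), ("users", "delete")},
}

# Constructed list of actions that always require a fresh MFA factor.
SENSITIVE_ACTIONS = {"approve", "delete"}


class IdentityStore:
    """Creation, update and deactivation of identities."""

    def __init__(self):
        self._users = {}

    def create(self, user_id, roles, **attributes):
        self._users[user_id] = Identity(user_id, set(roles), True, attributes)
        return self._users[user_id]

    def deactivate(self, user_id):
        # Offboarding: keep the record for audit, but it can no longer be used.
        self._users[user_id].active = False

    def get(self, user_id):
        return self._users.get(user_id)


class BehaviorBaseline:
    """Remembers the (country, device) pairs each identity has used before.
    A login from a never-seen pair is treated as anomalous."""

    def __init__(self):
        self._seen = {}

    def record(self, user_id, country, device):
        self._seen.setdefault(user_id, set()).add((country, device))

    def is_anomalous(self, user_id, country, device):
        known = self._seen.get(user_id)
        # No history means nothing to compare against: require step-up.
        if not known:
            return True
        return (country, device) not in known


def has_permission(identity, resource, action):
    """Access management: evaluate role permissions against the identity."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in identity.roles)


def evaluate_request(store, baseline, user_id, resource, action,
                     country, device, mfa_verified=False):
    """Return 'allow', 'step-up-mfa', or 'deny:<reason>'.
    Order: identity checks, then permission, then risk signals."""
    identity = store.get(user_id)
    if identity is None:
        return "deny:unknown-identity"
    if not identity.active:
        return "deny:inactive-identity"
    if not has_permission(identity, resource, action):
        return "deny:no-permission"
    risky = baseline.is_anomalous(user_id, country, device) or action in SENSITIVE_ACTIONS
    if risky and not mfa_verified:
        return "step-up-mfa"
    # A successful, verified access refines the baseline for this identity.
    baseline.record(user_id, country, device)
    return "allow"


def demo():
    """Walk through the lifecycle with constructed data; returns the decisions."""
    store, baseline = IdentityStore(), BehaviorBaseline()
    store.create("alice", ["finance"], department="accounting")
    store.create("bob", ["analyst"])
    baseline.record("alice", "DE", "laptop-a1")  # constructed prior history
    decisions = [
        evaluate_request(store, baseline, "alice", "invoices", "read", "DE", "laptop-a1"),
        evaluate_request(store, baseline, "alice", "invoices", "read", "BR", "phone-x9"),
        evaluate_request(store, baseline, "alice", "invoices", "read", "BR", "phone-x9", mfa_verified=True),
        evaluate_request(store, baseline, "alice", "invoices", "approve", "DE", "laptop-a1"),
        evaluate_request(store, baseline, "bob", "invoices", "read", "DE", "laptop-b2", mfa_verified=True),
        evaluate_request(store, baseline, "mallory", "reports", "read", "DE", "laptop-m3"),
    ]
    store.deactivate("bob")
    decisions.append(evaluate_request(store, baseline, "bob", "reports", "read",
                                      "DE", "laptop-b2", mfa_verified=True))
    return decisions


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The ordering of checks matters: a deactivated or unknown identity is rejected before any permission or risk evaluation runs, and a missing permission is a hard deny rather than a step-up prompt, so MFA never becomes a way to "earn" access the role does not grant.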
The Future of IAM: Decentralized Identity
Gartner sees the IAM market eventually becoming about decentralized identity. Instead of a user-focused system of identity and verification, an “identity trust fabric” will provide a layer of security between users and applications. That evolution will take time, however, as it is based on Blockchain technology and tied to the emerging concept of the cybersecurity mesh, itself an evolving strategy that attempts to tie together the vast distributed networks and resources of enterprises into a centralized policy management and orchestration layer. For more on these concepts, see Cybersecurity Mesh, Decentralized Identity Lead Emerging Security Technology.
For now, identity is already being tied into more advanced cybersecurity strategies like zero trust, microsegmentation and behavioral analytics. Identity is no longer a static concept, and IT buyers should look for IAM solutions that reflect that complexity and offer a roadmap to the future.
Comparison of the Top 10 Identity and Access Management (IAM) Tools
1. CyberArk
With its 2020 acquisition of Idaptive, CyberArk offers SSO, MFA, and identity lifecycle management across workforce, third-party, endpoint, mobile device and consumer users. Behavior analytics set a baseline for users and can trigger alerts and access changes when anomalous behavior is detected. The IAM solution gets solid marks for capabilities, value, ease of deployment, and support. It’s one of the best products on the market for adaptive access control.
CyberArk features
- Lets users in while using artificial intelligence (AI) to help keep threats out
- Protects against compromised identities and credentials
- Continuously monitors behavioral signals to make sure users are who they say they are
- Single sign-on and multi-factor authentication
- Consolidate key security technologies and simplify policy enforcement
- A privilege-centric approach to securing identities
2. Twingate
Twingate helps fast-growing companies easily implement a zero trust secure access solution without compromising security, usability, or performance, saying that “Work from anywhere should just work.” Twingate says its secure access platform replaces legacy VPNs with a modern Identity-First Networking solution that combines enterprise-grade security with a consumer-grade user experience. It can be set up in less than 15 minutes and integrates with all major cloud providers and identity providers.
Twingate features
- Rapidly implement a modern zero trust network that is more secure and maintainable than VPNs
- Delivered as a cloud-based service
- Set up a software defined perimeter without changing infrastructure
- Centrally manage user access to internal apps, whether they are on-premises or in the cloud
- The network is invisible to the internet
- Scale from 10 to 10,000 resources
- Resource-level control means hackers don’t gain access to the entire network when one user is compromised
3. Cisco
Cisco’s acquisition of Duo Security in 2018 gave the networking giant a strong presence in both IAM and zero trust. With its Tetration microsegmentation technology, SD-Access fabric and Identity Services Engine NAC solution, Cisco may be the only vendor to span IAM, zero trust, microsegmentation and network access control. The company’s broad portfolio makes it uniquely positioned to be a leader in the evolving access management and zero trust market.
Cisco IAM features
- Cisco Identity Services Engine (ISE) enables a dynamic and automated approach to policy enforcement
- Simplifies the delivery of secure network access control
- Empowers software-defined access
- Automates network segmentation within IT and OT environments
4. Semperis
For security teams charged with defending hybrid and multi-cloud environments, Semperis ensures integrity and availability of critical enterprise directory services at every step in the cyber kill chain and cuts recovery time by 90%. Purpose-built for securing hybrid Active Directory environments, Semperis’ patented technology protects over 50 million identities from cyberattacks, data breaches, and operational errors while exposing blind spots.
Semperis features
- Semperis Directory Services Protector (DSP) continuously monitors Active Directory and Azure Active Directory for indicators of exposure and provides a single view of activities on-prem and in the cloud
- Discover vulnerabilities and risky configurations in Active Directory and Azure Active Directory before attackers do
- Get prioritized guidance from a community of security threat researchers
- Reduce the attack surface and stay ahead of the ever-evolving threat landscape
- Shine a spotlight on attackers moving laterally through your network unchecked
- Use multiple data sources, including the AD replication stream, to gain uninterrupted visibility into advanced attacks that bypass agent-based or log-based detection
5. Oracle
Oracle has put together a strong identity and access management product suite spanning the cloud and on-premises. The context-aware access products integrate with a wide range of applications, servers and systems, including custom applications. It gets high marks for ease of deployment, authentication and access management, single sign-on and support, and user perceptions of value are above average.
Oracle IAM features
- IAM services can be self-managed, co-managed in the cloud, or fully managed via SaaS
- The Oracle OCI Identity and Access Management solution is a cloud-native approach to enterprise access management that supports heterogeneous and multi-cloud needs
- Oracle also offers the Oracle IAM Suite 12c (Access and Governance), which manages on-premises and cloud-resident identities and can be deployed either as self-managed software or as microservices
- 33 global data centers provide the capability, scalability, and flexibility to manage access and governance needs
- Oracle embeds OCI IAM capabilities into its Fusion Application Cloud services to simplify the provisioning and role management
- Blends with existing cloud frameworks from Azure, AWS, GCP and others
6. Okta
Okta has long been a leader in access management, authentication and single sign-on. With a simple and easy-to-manage SaaS-based approach, Okta offers users a way to implement IAM and zero trust without a lot of complexity. Behavioral tracking is a plus, and the product offers a number of authentication options, including multi-factor, single sign-on and biometric. Okta is one of the easiest paths to zero trust and advanced identity management.
Okta features
- Tailor Okta using no-code, low-code, or pro-code options
- Connect to third-party apps and systems to enhance security and user experience
- Directories securely store users and attributes at scale
- Okta Insights aggregates, analyzes, and disseminates data from the IAM tool
- Identity Engine offers customization of authorization, authentication, and registration
7. IBM
IBM Security Verify Access users are generally happy with the solution’s capabilities. The software product generally offers greater functionality than the SaaS product, but IBM gets solid marks across the board from users, even on price, where it ranks in the top half of IAM products. Its advanced features are also highly regarded by users.
IBM Security Verify Access features
- Ensures that the right people have the right access
- Discreetly verifies user identities when they log in and throughout the session
- Uses AI to uncover outliers and toxic combinations of entitlements
- Enables access to resources and applications, whether in the cloud, on-premises, or in a hybrid cloud
- Centrally manages access certifications, on- and off-boarding, and separation of duties violations
- Makes logging in easier for users and secure with single sign-on and risk-based multifactor authentication
- Protects and manages access to privileged accounts with enterprise-grade password security and privileged access management
- Discovers, secures and manages privileged account passwords to protect from abuse and misuse
- Admins can securely grant access rights and entitlements
- Provision, audit and report on user access and activity
8. Ping Identity
Another perennial on our list, Ping Identity offers a range of access management solutions: software, cloud-based, hybrid, enterprise-grade and passwordless are among the options. The Ping lineup gets solid marks just about everywhere, and the company’s continuous development efforts ensure that it will be a contender for a long time. Ping has an option for just about everyone.
Ping Identity features
- The PingOne Cloud Platform makes it easy to administer IAM across any cloud or user
- Confirm the identity of users
- Deliver consistent sign-ons and multi-factor authentication
- Protect access to resources, data and sensitive actions
- Continuously monitor risk signals and API traffic
9. OneLogin
OneLogin is a remarkably well-balanced product, with ease of use, ease of deployment and capabilities all strong. Onboarding and offboarding are quick, and the IAM product boasts more than 6,000 application integrations and endpoint functionality too. The product offers solid value, with some users reporting flexibility in pricing.
OneLogin features
- OneLogin Access extends the reach of the OneLogin Trusted Experience Platform to applications hosted on-premises and in public or private clouds
- Eliminates aging Access Management tools that are disconnected from SaaS environments
- Consistent experience with single-click access to SaaS and on-premises applications from any device
- Manage access for all your apps from a centralized platform with a single UI
- Offers Federation, single sign-on, and OneLogin SmartFactor Authentication
- Eliminates the need to recall dozens of passwords to individual apps
- Balances usability and security with adaptive authentication for dynamic, multi-factor authentication (MFA)
10. Micro Focus
CyberRes, a Micro Focus line of business, provides NetIQ Identity and Access management. Its adaptive identity-centric approach offers an integrated platform for identity, access, and privilege management.
Micro Focus features
- The NetIQ Risk Service consumes contextual and behavior risk metrics to adapt the user authentication experience while tuning their session’s authorization levels as needed to protect sensitive resources
- Provides visibility and control of privileged user activities to deliver actionable security intelligence to address evolving threats
- Allows you to manage and enforce configuration policies across critical systems on-premises and in the cloud across Unix, Linux, Windows, Azure, O365, and non-domain joined services
- Edit, test, review and compare changes before implementing environmental changes to prevent security gaps
- With NetIQ Identity Governance and Administration, you can automate and streamline access requests, access certification, identity lifecycle management, provisioning, and compliance reporting
eSecurity Planet Editor Paul Shread contributed to this report