More users than ever are accessing applications remotely, so limiting access for remote employees, partners and customers is critical. A static single sign-on (SSO) or multi-factor authentication (MFA) product isn’t going to cut it at the enterprise level, where the cost of a breach is high. Those costs can include lost data, stolen intellectual property, damaged customer trust and reputation, incident response costs, downtime, and steep fines from compliance regulations like GDPR and CCPA if personally identifiable information (PII) is involved.
With all that at stake, a good IAM product is an essential security tool, especially one with advanced features like continuous, adaptive monitoring that can spot suspicious activity and shut it down or alert security staff. We’ll highlight the best IAM products based on our analysis of product features, user feedback, and other data sources.
Standard features of a good IAM product include adaptive and contextual authentication, SSO, MFA, access policy management and enforcement, session management, logging and reporting, and integration with applications and with security products like CASBs, endpoint security tools and web application firewalls. Gartner notes that support for identity protocols like SAML, OAuth and OIDC is also essential, as is standards-based federation instead of password vaulting wherever possible: a vaulted password still exists and can be replayed or stolen, whereas a federated login hands the application a signed assertion or token and the user's credential never leaves the identity provider.
Cloud-based SaaS products are becoming an increasingly important part of the IAM market. Some cloud-based tools have been custom-built for the cloud and some share DNA with on-premises tools. In a few cases, cloud IAM tools from a vendor may not have all the functionality of the vendor’s on-premises offerings, so check the roadmap to make sure feature parity is part of the plan.
Visibility is also important: the ability to see, across the entire IT infrastructure including the cloud, who has access to what, what they can do with that access, whether it is appropriate to their relationship with the organization, and where security and compliance risks related to user access exist.
IAM also provides a way to automate the onboarding and offboarding of users and their access to systems and applications as relationships change over time. Done correctly, it dispenses with commonplace problems such as inadequate or missing audit logs, privilege creep, privilege escalation attacks, and general identity and password chaos.
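The joiner/mover/leaver reconciliation that the previous paragraph describes is the core of automated onboarding and offboarding. The following is an added example, not code from any vendor covered in this article: it compares a constructed HR feed (the source of truth for who still has a relationship with the organization and in what role) against a constructed export of the entitlements accounts actually hold, and produces disable, revoke and grant actions plus an audit trail. The role-to-entitlement map is hypothetical.

```python
from dataclasses import dataclass, field

# Constructed HR feed (source of truth). 'bob' moved from engineering to
# finance, 'carol' left, and 'erin' joined this week.
HR_RECORDS = {
    "alice": {"status": "active", "role": "engineer"},
    "bob":   {"status": "active", "role": "finance"},
    "carol": {"status": "terminated", "role": "engineer"},
    "erin":  {"status": "active", "role": "engineer"},
}

# Hypothetical role model: what each role is supposed to hold.
ROLE_ENTITLEMENTS = {
    "engineer": {"git:read", "git:write", "ci:run"},
    "finance":  {"erp:read", "erp:post"},
}

# Constructed export of what accounts actually hold across applications.
ACTUAL_ENTITLEMENTS = {
    "alice": {"git:read", "git:write", "ci:run"},
    "bob":   {"erp:read", "erp:post", "git:write"},  # privilege creep from the old role
    "carol": {"git:read"},                           # leaver whose account was never disabled
    "dave":  {"ci:run"},                             # orphan: no HR record at all
}


@dataclass
class Reconciliation:
    disable: set = field(default_factory=set)    # accounts with no active HR relationship
    revoke: dict = field(default_factory=dict)   # user -> entitlements beyond the role
    grant: dict = field(default_factory=dict)    # user -> entitlements the role requires
    audit_log: list = field(default_factory=list)


def reconcile(hr, roles, actual):
    """Compute the actions needed to bring actual access in line with HR + role model."""
    result = Reconciliation()
    for user in sorted(set(hr) | set(actual)):
        record = hr.get(user)
        held = actual.get(user, set())
        if record is None or record["status"] != "active":
            # Leaver or orphan: no active HR relationship means no access at all.
            if user in actual:
                result.disable.add(user)
                reason = "no HR record" if record is None else "status=" + record["status"]
                result.audit_log.append(("disable", user, reason))
            continue
        # Unknown role -> empty expected set, so everything held is revoked (fail closed).
        expected = roles.get(record["role"], set())
        extra = held - expected      # privilege creep, typically left over from a move
        missing = expected - held    # joiner or incomplete provisioning
        if extra:
            result.revoke[user] = extra
            result.audit_log.append(("revoke", user, sorted(extra)))
        if missing:
            result.grant[user] = missing
            result.audit_log.append(("grant", user, sorted(missing)))
    return result


if __name__ == "__main__":
    r = reconcile(HR_RECORDS, ROLE_ENTITLEMENTS, ACTUAL_ENTITLEMENTS)
    for entry in r.audit_log:
        print(entry)
```

Run on the constructed data it disables carol and dave, strips bob's leftover `git:write`, and provisions erin's engineer entitlements; alice, whose access matches her role, generates no action. In practice the HR feed and entitlement exports would be pulled from the real sources on a schedule and the audit log written to an immutable store.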
The rise of zero trust security products
One trend to watch is the rise of zero trust security products. These new access control tools restrict access to just the data and applications users need rather than granting them access to the entire network, reducing the risk of lateral movement within the network. The market is still new, but Gartner expects sales of these products to begin to gain traction in 2021. IAM vendors are already developing their own approaches to zero trust and will continue to.
There are many challenges to overcome in setting up an identity and access management system. One of the principal ones is gaining control over islands of identity. In a typical organization, it’s tough to know where all the identity repositories exist due to shadow IT, consumerization of IT and more SaaS applications steadily coming into the fold. Organizations have to gain visibility into all parts of the IAM puzzle. Once you have visibility, you can effectively manage identity from a centralized view that helps minimize risk.
Another challenge concerns the assignment of risk to users, applications and systems. That demands prioritization of people and data according to sensitivity and importance in order to focus on protecting what matters most, first.
Additionally, management can be slow to provide the input needed to define roles and map them to organizational systems, applications and the central identity repository. Privileged access management (PAM) can help with the most sensitive accounts.
How to set up an IAM system for your network
The setup of IAM security is project-specific. But here are a few guidelines to follow for successful implementation.
- Assess the current IT architecture and future requirements
- List standard versus in-house applications, with version details, that have to integrate with IAM
- Ensure compatibility between the current OS, third-party applications, web servers, and identity and access management tools
- Integrate access control devices (including card readers and other access hardware) with IAM solutions
- Clearly designate user roles and define each individual’s or group’s access privileges and restrictions
- Assess the required level of customization so IAM fits the enterprise
- Verify that the system complies with any laws or regulatory requirements from local or national governments
Top IAM products
Cisco Duo
Key takeaway: Duo is one part of Cisco’s zero trust approach, and the IAM tool boasts some of the happiest users.
- Simple secondary authentication method is easy to use and effective
- Cisco is an early leader in zero trust, giving customers room to grow with a single vendor
- Perhaps best for Cisco shops, but those willing to learn will be rewarded
Cisco’s acquisition of Duo Security in 2018 gave the networking giant a strong presence in both IAM and zero trust. With its Tetration microsegmentation technology, SD-Access fabric and Identity Services Engine (ISE) NAC solution, Cisco may be the only vendor to span IAM, zero trust, microsegmentation and network access control. The company’s broad portfolio makes it uniquely positioned to be a player in the evolving access management and zero trust market if its combined Zero Trust Security platform catches on.
Duo may be a smaller IAM player, but its users are among the happiest, giving the product high marks for product capabilities, management, support and value, and it’s easy for end users too. It operates as a second factor on top of an existing primary login, so it does not store users’ primary credentials. Duo offers identity verification, device visibility and posture assessment regardless of where users and applications are located.
Idaptive (CyberArk)
Key takeaway: Behavior analytics and adaptive access set this market-leading IAM product apart.
- Behavior analytics and adaptive access management
- CyberArk merger could make it a zero trust player
- Fine-grained authentication and API protection could be better
Idaptive was acquired by CyberArk in May 2020, creating a very interesting marriage between a top IAM vendor and a top privileged access management (PAM) company (a rather strange twist as Centrify, another PAM leader, spun off Idaptive in 2018). CyberArk is positioning the products for the emerging zero trust market too.
Idaptive offers SSO, MFA, and identity lifecycle management across workforce, third-party, endpoints, mobile devices and consumer users. Behavior analytics set a baseline for users and can trigger alerts and access changes when anomalous behavior is detected. Idaptive gets solid marks for capabilities, value, ease of deployment, and support. It’s one of the best products on the market for adaptive access control. Not much in the way of quibbles, but fine-grained authentication and API protection could be areas for improvement.
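The adaptive and contextual authentication listed among standard IAM features above, and the behavioral baseline described for Idaptive in this paragraph, both come down to the same mechanism: score each login against what the user normally does and let the score decide between allow, step-up MFA and deny. The following is an added example of that mechanism, not Idaptive's or any vendor's logic. The login history is constructed, and the signal weights, thresholds, minimum history length and the /24 notion of "same network" are all hypothetical tuning choices.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_network
from statistics import mean, pstdev

MIN_EVENTS = 3  # hypothetical: below this a baseline is not trusted (cold start)
WEIGHTS = {"new_device": 30, "new_network": 25, "unusual_hour": 20, "unmanaged_device": 25}
# sensitivity -> (allow if risk below, deny if risk at or above); in between -> step-up MFA
THRESHOLDS = {"low": (40, 80), "high": (20, 60)}


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    ip: str
    device_id: str
    managed: bool  # device passed posture assessment


def _net(ip):
    # Hypothetical choice: treat the /24 as the "network" a user logs in from.
    return ip_network(f"{ip}/24", strict=False)


# Constructed history: alice logs in on weekday mornings (UTC) from the corp
# range on her managed laptop.
HISTORY = [
    LoginEvent("alice", datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc), "10.0.1.10", "lap-1", True),
    LoginEvent("alice", datetime(2024, 1, 9, 10, 0, tzinfo=timezone.utc), "10.0.1.22", "lap-1", True),
    LoginEvent("alice", datetime(2024, 1, 10, 8, 0, tzinfo=timezone.utc), "10.0.1.10", "lap-1", True),
    LoginEvent("alice", datetime(2024, 1, 11, 11, 0, tzinfo=timezone.utc), "10.0.1.31", "lap-1", True),
    LoginEvent("alice", datetime(2024, 1, 12, 9, 0, tzinfo=timezone.utc), "10.0.1.10", "lap-1", True),
]


def build_baselines(events):
    """Per-user baseline: known devices, known networks, and typical login hour."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    baselines = {}
    for user, evs in by_user.items():
        if len(evs) < MIN_EVENTS:
            continue  # not enough history; the user stays without a trusted baseline
        hours = [e.ts.hour for e in evs]
        baselines[user] = {
            "devices": {e.device_id for e in evs},
            "networks": {_net(e.ip) for e in evs},
            "hour_mean": mean(hours),
            "hour_sd": max(pstdev(hours), 1.0),  # floor so a rigid schedule is not over-sensitive
        }
    return baselines


def score(event, baseline):
    """Additive risk score with the reasons that contributed to it."""
    risk, reasons = 0, []
    if event.device_id not in baseline["devices"]:
        risk += WEIGHTS["new_device"]; reasons.append("new device")
    if _net(event.ip) not in baseline["networks"]:
        risk += WEIGHTS["new_network"]; reasons.append("new network")
    diff = abs(event.ts.hour - baseline["hour_mean"])
    diff = min(diff, 24 - diff)  # hours wrap around midnight
    if diff / baseline["hour_sd"] > 2.0:
        risk += WEIGHTS["unusual_hour"]; reasons.append("unusual hour")
    if not event.managed:
        risk += WEIGHTS["unmanaged_device"]; reasons.append("unmanaged device")
    return risk, reasons


def decide(risk, sensitivity):
    allow_below, deny_at = THRESHOLDS[sensitivity]
    if risk < allow_below:
        return "allow"
    if risk < deny_at:
        return "step_up_mfa"
    return "deny"


def evaluate(event, baselines, sensitivity="low"):
    baseline = baselines.get(event.user)
    if baseline is None:
        # Cold start: no trusted baseline, so never silently allow.
        risk, reasons = 50, ["no trusted baseline for user"]
    else:
        risk, reasons = score(event, baseline)
    return {"decision": decide(risk, sensitivity), "risk": risk, "reasons": reasons}


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    odd = LoginEvent("alice", datetime(2024, 1, 15, 3, 0, tzinfo=timezone.utc), "203.0.113.5", "phone-9", False)
    print(evaluate(odd, baselines, "high"))
```

The same login can yield different decisions for different resources: a new but managed laptop on the corporate network is allowed through to a low-sensitivity application but triggers step-up MFA for a high-sensitivity one, while a 03:00 login from an unknown, unmanaged device on a new network is denied outright. A real deployment would feed in many more signals (impossible travel, failed-attempt bursts, threat intelligence on the source IP) and would keep the reasons list for the alert that goes to security staff.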
Oracle
Key takeaway: A full-featured access management suite that gets high marks from users.
- Ease of deployment, SSO, and authentication and access management are standout features
- A good value
- Behavioral features aren’t as robust as other leading solutions
Oracle has put together a strong identity and access management product suite spanning the cloud and on-premises: the Oracle Identity Cloud Service, the Oracle Cloud Infrastructure Identity and Access Management Service, Oracle Access Management (SSO), Oracle Identity Governance, and Oracle Directory Services. The context-aware access products integrate with a wide range of applications, servers and systems, including custom applications. It gets high marks for ease of deployment, authentication and access management, single sign-on and support, and user perceptions of value are above average. Behavioral features are one area where Oracle could catch up to other market leaders.
Okta
Key takeaway: An access management leader with an early stake in zero trust too.
- An easy and simple way to get into IAM and zero trust
- Multiple authentication options
- Behavioral tracking
- Not the cheapest or most sophisticated product on the market
Okta has long been a leader in access management, authentication and single sign-on. The company is also becoming an early leader in zero trust security, which gives Okta customers a path forward as access technology changes. With a simple and easy-to-manage SaaS-based approach, Okta offers users a way to implement IAM and zero trust without a lot of complexity. Behavioral tracking is a plus, and the product offers a number of authentication options, including multi-factor, single sign-on and biometric. Some users would like better reporting and more advanced functionality, but Okta is a good choice for SMBs in particular. Support is about average.
IBM Security Verify Access
Key takeaway: High marks from users and better than average pricing may make any complexity worth it.
- Advanced features and value
- Some complexity in management and deployment
IBM Security Verify Access users are generally a happy lot. They praise the product’s advanced features, while complexity has been one area they’d like to see improved. The software product generally offers greater functionality than the SaaS product, but IBM gets solid marks across the board from users, even on price, where it ranks in the top half of IAM products. Deployment times can take longer than average, but all in all, a strong IAM offering with a solid roadmap.
Ping Identity
Key takeaway: A range of offerings make Ping an option for just about anyone.
- Wide range of offerings
- Strong product development efforts
- Deployment times can be above-average
- Some management complexity and reporting limitations
Ping Identity offers a range of access management solutions: software, cloud-based, hybrid, enterprise-grade and passwordless are among the options. Deployment, management and reporting could be improved, but otherwise the Ping lineup gets solid marks just about everywhere, and the company’s continuous development efforts ensure that it will be a contender for a long time. Ping has an option for just about everyone.
OneLogin
Key takeaway: Strong product capabilities and ease of deployment and use are standout features for OneLogin.
- Solid, well balanced product
- Ease of deployment and use
- Reporting could be improved
OneLogin is a remarkably well balanced product, with ease of use and deployment and capabilities all strong. Onboarding and offboarding are quick, and the IAM product boasts more than 6,000 application integrations and endpoint functionality too. The product offers a solid value, with some users reporting flexibility in pricing. Reporting is one of the few weak areas noted by users.
Broadcom Symantec
Key takeaway: The only vendor on our list that is a leader in PAM and zero trust too.
- Broad access management offerings
- Good reporting
- Adaptive access and policy management could be a little better
Broadcom’s Symantec is the only vendor on our list that’s a leader in privileged access management and zero trust too, giving customers a breadth of offerings now and some future protection too. IAM is part of the broader Identity Security suite, which includes the SaaS-based VIP and Advanced Authentication solutions. VIP Access Manager gets strong grades from users, and it’s one of the few solutions that gets reporting right. Adaptive access and policy management could be improved, but we’re quibbling.
The access management market is a competitive one, so other vendors may also offer products that fit your needs. Here are a few other noteworthy IAM vendors:
- Micro Focus
- Microsoft Azure Active Directory
- Thales SafeNet