With record numbers working remotely during the COVID-19 crisis, CIOs and CISOs must look at how to maintain identity and access securely across a dispersed network
The coronavirus pandemic has overturned normal ways of working. Many office workers will be based at home for the coming weeks, if not months, and are already having to reassess how they accomplish their daily tasks. While staying connected to colleagues is now easier than ever, remote working brings more challenges than just bored children and over-excited pets - especially when it comes to cybersecurity.
We are long past the days when an office was the extent of a secure network. Today, security experts agree that identity management is the true digital perimeter, ensuring that only trusted parties can enter the corporate network.
Identity and access management (IAM) tools tend to be embedded in a business, and changing them is not as easy as switching between Skype and Zoom as a preferred platform. However, making sure you have the right solution for your needs is critical, and there has never been a more appropriate time to reassess your existing supplier.
In this article we cover some of the most popular IAM tools in the UK today. They cover a variety of areas and while most have the same basic functionality, many will specialise in a certain area or be more suitable to a certain type of business.
We will assume that your company has already laid the groundwork for remote working, with policies to support the practice and an analysis of expected traffic and risks - such as freezing password expiry limits and establishing a VPN if needed.
After getting the basics in place, it is time to look at IAM tools themselves. Requirements will vary depending on factors like company size, and others like solution price and vendor support will also come into play. Here are some of the elements to consider when looking for a new IAM solution.
Features to consider
Product features: multi-factor authentication (MFA), single sign-on (SSO), role-based access control, etc.
Ease of use
Compatibility with existing IT
Management of on- and off-boarding
Deployment options - on-prem, cloud, hybrid, hosted
Data migration ability
Identity data consolidation from multiple sources
Protection of identity data (and, related, the end-to-end security of the solution)
Supported standards/membership of standards bodies
Integration with third-party applications
Extensibility and scalability
Microsoft's Active Directory (AD) is widely adopted for IAM, even though it is not a traditional IAM tool; rather, it is a collection of services that help administrators manage users and devices on a network.
Azure AD's application gallery offers pre-built integrations with nearly 3,000 business apps, including Salesforce, Box, Workday and Office 365. Customers can run AD on-prem, use Azure AD in the cloud, or combine the two in a hybrid deployment.
Azure AD is a separate cloud identity service rather than a hosted copy of on-premises AD: it has no Group Policy or DNS, and it authenticates applications with web protocols (SAML, OAuth 2.0 and OpenID Connect) instead of Kerberos and NTLM. Customers often run the two together, synchronising on-premises accounts into Azure AD (typically with Azure AD Connect) to extend their directory to the cloud.
AD's directory, the data store, holds objects such as user accounts, groups, computers and servers. It authenticates logons (by default with Kerberos) and applies access control lists to those objects to manage security. On that foundation AD provides single sign-on across domain resources; the multi-factor authentication, privileged access management, identity governance and external-user (B2B guest) capabilities Microsoft lists are delivered through Azure AD rather than by the on-premises product alone.
As well as the data store, AD includes many more ways to work with objects in the directory, including rules to define their classes and attributes; a catalogue of information; and a replication service to distribute data across a network.
Microsoft splits Azure AD into four pricing tiers: free, Office 365 Apps edition, Premium P1 and Premium P2. The Office Apps edition is bundled into O365 E1, E3, E5 and F1 licences, explaining AD's massive user base. Price for the Premium editions starts at £4.47 per user per month; Conditional Access arrives with P1, while Privileged Identity Management and Identity Protection require P2.
Delta respondents said that AD had many areas of strength, especially its password and employee lifecycle management. They praised its integration into existing infrastructure, and added, "Seamless user experiences are key, and Microsoft does this so well at present." They also felt that Microsoft's resources would enable further development. However, costs were a weak point and said to add up "very quickly." Microsoft shows little flexibility in this area.
Google's Cloud Identity and Access Management (Cloud IAM) enables users to create and manage permissions. It is designed specifically to work in Google's own environment, controlling granular access to Google Cloud Platform (GCP) resources with a zero-trust, role-based approach.
Cloud IAM's access management relies on three elements: policies, roles and members. A policy is attached to a resource and consists of bindings, each tying one role to a list of members; policies set at organisation or folder level are inherited by every project and resource beneath them. Cloud IAM evaluates the effective policy every time an authenticated member attempts to access the resource. A ‘member' can be a Google account, service account, Google group, G Suite domain or Cloud Identity domain.
Administrators can define custom roles, bundling only the permissions a job needs, and grant them alongside Google's predefined roles. Roles are granted to members rather than configured per person: the usual pattern is to bind a role to a group, so that every developer, every member of the sales team, every analyst and so on receives the same access and changes are made in one place.
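To make the policy structure concrete, here is an added example (not code from the article or from Google) that parses a Cloud IAM policy in the JSON shape `gcloud projects get-iam-policy` returns, flattens the bindings into member/role pairs, and flags the two things a reviewer looks for first: bindings to the public members `allUsers` and `allAuthenticatedUsers`, and basic roles (owner, editor, viewer) granted to individual user accounts instead of groups. The policy document, project name and members are constructed for illustration.

```python
"""Inspect a Google Cloud IAM policy for risky bindings.

Added example, not taken from the article or from Google. The policy document
below is constructed for illustration; the project, members and custom role
are invented.
"""
import json

# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
        {"role": "roles/viewer",
         "members": ["group:analysts@example.com", "allAuthenticatedUsers"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        {"role": "projects/demo-proj/roles/customDeployer",
         "members": ["serviceAccount:deployer@demo-proj.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXyzExample",
    "version": 1,
})

# Special members that open a binding to the whole internet / any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Basic (formerly "primitive") roles: very broad, should not sit on individual users.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def parse_bindings(policy_json):
    """Flatten the policy into (member, role) pairs; one binding per role holds many members."""
    policy = json.loads(policy_json)
    pairs = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            pairs.append((member, binding["role"]))
    return pairs


def member_type(member):
    """Member prefix: user, serviceAccount, group, domain; the two public names map to 'public'."""
    if member in PUBLIC_MEMBERS:
        return "public"
    return member.split(":", 1)[0]


def roles_for(policy_json, member):
    """All roles a single member holds on this resource."""
    return sorted(role for m, role in parse_bindings(policy_json) if m == member)


def find_risky_bindings(policy_json):
    """Return (finding, member, role) triples for public principals and basic roles on users."""
    findings = []
    for member, role in parse_bindings(policy_json):
        kind = member_type(member)
        if kind == "public":
            findings.append(("public-principal", member, role))
        elif kind == "user" and role in BASIC_ROLES:
            findings.append(("basic-role-on-user", member, role))
    return findings


if __name__ == "__main__":
    for finding in find_risky_bindings(SAMPLE_POLICY):
        print(*finding)
```

Run against a real export, the same function works unchanged; the sample deliberately mixes a group binding (fine), a service account on a custom role (fine) and three bindings that should be questioned.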
Cloud IAM is free to all GCP users and it is popular among SMEs. A user said, "Google does work well for small businesses. I find…if you've only got ten people in your business or something, invariably I will be like, ‘OK, let's do Google. Let's move everything across to there, everyone can log in and do that', and the whole system can run from it."
Delta respondents, however, said that Cloud IAM is more geared towards consumer users than businesses, with one saying, "You can use Google if you're prepared to be a bit more consumerist about your business IT." They also criticised its licensing models and integrations with third party systems.
AWS Identity and Access Management (AWS IAM) is a pure cloud offering, which administrators can use to control access to AWS services and resources. They are also able to create and manage users and groups, as well as assign permissions.
Admins can then give each user security credentials, a console password and/or long-term access keys, and can require AWS MFA on top. Permissions are attached to users directly or, more commonly, inherited from the groups they belong to. Alternatively, users can be issued temporary credentials with a defined expiry.
An IAM role is similar to a user, but instead of belonging to one individual it can be assumed by any principal its trust policy allows. Roles have no long-term credentials; a caller who assumes a role receives temporary credentials from AWS STS that are valid for that session only. This makes roles the right way to grant access to users from other accounts, to federated identities, and to applications and services that cannot otherwise use your AWS resources.
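The two policy documents a role carries, the trust policy (who may assume it) and the permissions policy (what it may do), are where most AWS IAM mistakes live. The following is an added example, not code from the article or from AWS: it builds a trust policy that only admits callers who authenticated with MFA within the last hour, checks that a trust policy actually carries that condition on every Allow statement, and lints a permissions policy for the two wildcard patterns that turn a role into an administrator. The account ID, bucket and policy documents are constructed for illustration.

```python
"""Build an MFA-gated IAM role trust policy and lint a permissions policy.

Added example, not from the article or from AWS. The account ID, bucket and
policy documents are constructed for illustration.
"""
import json

SAMPLE_ACCOUNT = "123456789012"  # constructed account ID


def as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_mfa_trust_policy(trusting_account_id, max_mfa_age_seconds=3600):
    """Trust policy letting principals in trusting_account_id call sts:AssumeRole
    only when they authenticated with MFA within the last max_mfa_age_seconds."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusting_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "NumericLessThan": {"aws:MultiFactorAuthAge": str(max_mfa_age_seconds)},
            },
        }],
    }


def trust_policy_requires_mfa(policy):
    """True only if every Allow statement for sts:AssumeRole carries the MFA condition."""
    allows = [s for s in policy.get("Statement", [])
              if s.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(s.get("Action"))]
    if not allows:
        return False
    return all(s.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
               for s in allows)


def lint_permissions_policy(policy):
    """Flag Allow statements granting '*' on '*' (admin) or a whole service ('s3:*')."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append((idx, "admin-wildcard"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((idx, "service-wildcard"))
    return findings


# Constructed over-broad policy: statement 0 is full admin, statement 1 is all of S3.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::demo-bucket/*"},
    ],
}

# Constructed least-privilege policy: read objects from one bucket only.
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::demo-bucket/*"},
    ],
}


if __name__ == "__main__":
    print(json.dumps(build_mfa_trust_policy(SAMPLE_ACCOUNT), indent=2))
    print("broad:", lint_permissions_policy(BROAD_POLICY))
    print("tight:", lint_permissions_policy(TIGHT_POLICY))
```

Trusting the account `root` ARN delegates the decision about which users may assume the role to that account's own IAM policies; the MFA condition then applies regardless of which user is chosen. Pair the trust policy with a `MaxSessionDuration` on the role so that the temporary credentials STS issues expire on the schedule you intend.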
Admins have a variety of ways to access IAM, including the Management Console, Command Line Tools, SDKs and an API.
AWS IAM is included by default and for free on an AWS account; charges only apply to the use of other AWS services.
Amazon's major strength, like Microsoft, is in its resources and investment in its IAM tool. The solution has a clear roadmap and provides a full IAM technology stack. Its cloud-based ecosystem makes it highly scalable, although this may also be a weakness as IAM normally operates in the same environment as the resources it is protecting - making AWS IAM difficult to use for companies with on-prem or hybrid infrastructure.
A Delta user said, "You can't manage your cloud resources without a cloud-based identity management system or capability, and equally your on-prem resources will need an on-prem."
Based in Bedford, MA, USA, RSA is one of the most mature vendors in IAM: established in 1982 and a long-term supplier of a token-based multi-factor authentication system. It is best-known for its SecurID Suite, which includes SecurID Access and Identity Governance & Lifecycle.
SecurID Access builds on RSA's background, providing MFA for various network resources. These can be on-prem or in the cloud, and the tokens used can be physical, software or mobile (i.e. a smartphone app). The product is available on a variety of operating systems, including Windows, Mac OS X, Android and iOS, and has out-of-the-box integration with around 500 applications.
Identity Governance & Lifecycle is an identity management solution. It provides access visibility for every user, application and entitlement in a firm, as well as analytics for teams to combine identity data with business context to spot anomalies.
RSA breaks pricing down into three tiers, on a per-user, per-month basis, varying based on the number of users covered. The Base Edition ($1 - $3) covers on-prem and cloud apps and can be deployed on-prem, in the cloud (via AWS), in hybrid or hosted environments. The Enterprise Edition ($1 - $5) adds more scalability, as well as bulk provisioning and self-enrollment. The Premium Edition ($1 - $5) adds features such as advanced risk analytics and machine learning. Local pricing is only available from resellers.
RSA is a mature vendor with a solid base in the market, although perceived to lack innovation. Its technical support and training are well-liked, as is its platform-agnostic approach. However, agile competitors making use of technologies like NFC and mobile apps are threatening RSA's position in the market.
Software giant Oracle's Oracle Identity Management (OIM) covers the full IAM technology stack, including single sign-on, multi-factor authentication and role-based access control. These are handled through a variety of modules, such as Identity Federation, Single Sign-On Suite and Privileged Account Manager. (Oracle also uses the OIM acronym for the suite's core component, Oracle Identity Manager.)
The core of the suite of tools is Oracle Identity Manager: a governance platform to manage identities and access privileges across a variety of enterprise applications, on-premise and in the cloud. Administrators can synchronise identities and access privileges from a variety of trusted sources, including HR applications.
An uncommon feature of OIM is its Segregation of Duties facility, which helps to avoid compliance violations. OIM can detect and remediate violations once SoD policies are in place.
Oracle publishes some pricing information, but in a form so detailed and conditional that it clarifies little. What is clear is that prices are higher than those for competing products. This contributes to the widespread negative feeling towards Oracle in the IAM industry: customers picked out hidden costs, commercial flexibility, initial/ongoing costs and licensing models as some of Oracle's weakest areas. They also said that the product itself was "overly complex" and that people were increasingly moving to other options.
Okta is an IAM specialist, producing a full end-to-end modular suite of products under the name Workforce Identity. The company is based in San Francisco, with European offices in London, Amsterdam, Paris and Stockholm.
Many of IAM's most common features, such as single sign-on, multi-factor authentication and automated employee lifecycle management, are enabled through modules. They plug into the Universal Directory management console, which can store data from a variety of sources - including Active Directory and HR systems.
Because Okta is modular, customers can adjust prices based on what they need: a major strength, although Workforce Identity does have a $1,500 annual contract minimum. Volume discounts are available for customers with 5,000+ users.
Okta is an independent vendor so does not lock customers in to a specific cloud, and boasts of its integrations with multiple systems. One user said, "Everything they do works on other peoples' stuff, so they have to get it right because they don't have any of their own [cloud] products" - meaning no cloud platform of Okta's own, like AWS or Microsoft Azure. Customers also praised the company's consulting and sales staff, but rated technical support and training as areas of weakness.
Auth0 is an identity-as-a-service provider headquartered in Seattle, USA, with an office in London.
The company produces an authentication and authorisation platform for web, mobile and legacy applications. Auth0 features single sign-on (orchestrated through universal login to skip subsequent logins to linked apps), MFA, breached password detection and a user management console.
Auth0 provides developer pricing, focusing on the ability to build apps with integrated IAM. However, it does not provide public list prices for non-developer customers.
Published prices start at $23 per month for the basic developer edition with 1,000 external active users, scaling to $1,700 per month for 7,000 external active users and 100,000 machine-to-machine credits. There's also a limited free tier. Other pricing is available on request.
Delta respondents favoured the comprehensive documentation and out-of-the-box usability of the Auth0 product from a developer point of view. However, the UX and pricing structure for large businesses came in for some criticism.
San Francisco-based ForgeRock has European offices in the UK, France, Germany and Norway.
The various modules that make up the ForgeRock Identity Platform are based on open standards: Access Management is based on the OpenAM project and Identity Management on the OpenIDM project, with Directory Services and Identity Gateway modules based on the OpenDJ and OpenIG projects, respectively. Delta respondents said this open-source, modular format makes deployment especially simple.
The developers designed the platform to connect to any digital service, including IoT devices. One of the modules, Edge Security, is specifically designed to close the IoT security gap.
Delta respondents praised the technical support, training and integrations with third-party products. However, the modules were said not to all have the same level of sophistication.
Pricing is available on request.
IBM follows a ‘silent security' approach for its IAM products, working with business operations to hide access management from the everyday user. The firm produces several IAM solutions: Cloud Identity, Security Access Manager and Security Identity Governance & Intelligence (SIGI).
Cloud Identity delivers SSO, MFA and identity governance through the IBM cloud, and features connectors to popular enterprise applications. It is available as a free edition, with paid versions starting at £2 per user per month.
Users can deploy Security Access Manager on-premise, in a virtual or hardware appliance or in a Docker container. As well as SSO and MFA through IBM Verify, it features risk-based access, integrated access management control and identity federation. Pricing is on request.
SIGI is an end-to-end lifecycle manager, enabling Segregation of Duties (SoD) controls and data governance. It enables the collection and analysis of identity data to support compliance and supports the automation of manual tasks, including access certifications, access requests, password management and provisioning. Pricing is on request.
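Oracle's Segregation of Duties facility above and IBM SIGI's SoD controls address the same problem: one person accumulating, through several legitimate-looking roles, a combination of entitlements that lets them both commit and conceal an abuse. The following is an added example, not code from the article, Oracle or IBM, showing both halves of such a control: a detective sweep over existing assignments that names the roles that jointly trip each rule, and a preventive check run at request time that reports only the rules a new role would newly violate. The entitlements, roles, users and conflict rules are constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over role assignments.

Added example, not from the article, Oracle or IBM. The entitlements, roles,
users and conflict rules below are constructed for illustration.
"""

# Constructed SoD policy: each pair of entitlements must not be held by one person.
SOD_RULES = {
    "vendor-fraud": frozenset({"ap.create_vendor", "ap.approve_payment"}),
    "ghost-employee": frozenset({"hr.create_employee", "payroll.run"}),
    "cover-tracks": frozenset({"iam.grant_role", "audit.delete_log"}),
}

# Constructed role -> entitlement mapping, as a provisioning system would export it.
ROLE_ENTITLEMENTS = {
    "AP_Clerk": {"ap.create_vendor", "ap.view_invoice"},
    "AP_Manager": {"ap.approve_payment", "ap.view_invoice"},
    "HR_Admin": {"hr.create_employee"},
    "Payroll_Op": {"payroll.run"},
    "IAM_Admin": {"iam.grant_role"},
    "Log_Admin": {"audit.delete_log", "audit.read_log"},
}

# Constructed current assignments.
ASSIGNMENTS = {
    "alice": {"AP_Clerk", "AP_Manager"},
    "bob": {"HR_Admin"},
    "carol": {"IAM_Admin", "Log_Admin"},
    "dave": {"AP_Clerk"},
}


def effective_entitlements(roles):
    """Union of everything the given roles grant."""
    ents = set()
    for role in roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def find_violations(assignments, rules=SOD_RULES):
    """Detective control: {user: [(rule, [roles that together trip it])]} over existing access."""
    violations = {}
    for user, roles in assignments.items():
        ents = effective_entitlements(roles)
        for rule, pair in rules.items():
            if pair <= ents:
                offending = sorted(r for r in roles if ROLE_ENTITLEMENTS.get(r, set()) & pair)
                violations.setdefault(user, []).append((rule, offending))
    return violations


def would_violate(current_roles, new_role, rules=SOD_RULES):
    """Preventive control: rules a pending role request would newly trip, so the request
    can be rejected or routed for exception approval before anything is provisioned."""
    before = effective_entitlements(current_roles)
    after = effective_entitlements(set(current_roles) | {new_role})
    return sorted(rule for rule, pair in rules.items() if pair <= after and not pair <= before)


if __name__ == "__main__":
    for user, hits in find_violations(ASSIGNMENTS).items():
        for rule, roles in hits:
            print(f"{user}: {rule} via {', '.join(roles)}")
    print("bob + Payroll_Op ->", would_violate(ASSIGNMENTS["bob"], "Payroll_Op"))
```

The rules are written over entitlements rather than role names on purpose: two roles that look unrelated can still combine into a conflict, and a role renamed or re-cut in the HR system does not silently defeat the check.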
Among Delta respondents, IBM's IAM products are considered robust with good costing models. However, for admins usability and documentation is sometimes lacking.
OneLogin develops a cloud-based IAM platform aimed at enterprise-level firms called Trusted Experience Platform (TEP). The core of the platform is the cloud directory: a single source of truth for access management, which can integrate with existing directories such as Active Directory and LDAP.
TEP includes standard IAM functionality such as SSO, various authentication methods (MFA, biometrics, etc) and lifecycle management. Authentication can also cover endpoints. An AI system called Vigilance analyses traffic from endpoints, the OneLogin portal and other sources to build a profile of typical user behaviour in order to identify threats.
Online list pricing is only available in Euros. Prices start at €2 per user per month, with a minimum of 25 users. This Starter Plan features the cloud directory, SSO and single directory integration. The Enterprise Plan costs €4 per user per month and requires a minimum of 10 users; it adds integration for multiple directories, SIEM integrations, custom reports and MFA. The Unlimited Plan (€8 per user per month, five minimum users) extends functionality to user provisioning, HR provisioning and more.
Delta respondents spoke highly of OneLogin's cost and flexibility but described the firm as poor at customer communications.
Ping Identity is a US company with European offices in London, Paris and Switzerland. It provides federated and self-hosted IAM solutions, enabling single sign-on across a variety of web identities using the SAML 2.0 and OpenID Connect protocols.
The company has several tools under the Ping Intelligent Identity Platform umbrella. It is designed for hybrid environments and can be used in the cloud or on-premises, and provides typical IAM features like MFA, SSO and data governance. Admins can link the authentication to mobile, web or on-prem apps, as well as SaaS services using APIs and integration kits.
Ping's use in and integrations with apps like Salesforce and Oracle CRM On Demand are its major strength. Delta respondents cited its links with major technology vendors as a reason for its adoption. On the negative side, high costs and a lack of innovation were seen as a reason not to adopt. One former customer said that their firm had abandoned the platform due to licensing costs.
Sailpoint's Predictive Identity platform promises to use machine learning to automate role-based identity activities. It is an identity-as-a-service platform, delivered through the cloud as multi-tenant SaaS with microservices. Areas covered are access certification, access insights, access modelling, access requests, cloud governance, password management, provisioning, recommendations and separation-of-duties.
In March 2020, SailPoint announced a collaboration with RPA firm Blue Prism to extend identity management in Predictive Identity to software robots. The companies say this is because robots routinely request access and manage identities, sensitive business data and applications, just like their human counterparts.
IdentityIQ provides the full IAM technology stack for on-premise deployment, and Delta respondents described it as a leader in attestations, authorisations and governance. They named SailPoint's experience in the market and customer support as areas of strength. Users can also integrate Predictive Identity features with IdentityIQ.
Pricing is not publicly available, but third-party listings put the starting price for IdentityIQ at between $50,000 and $100,000.
Delta respondents were enthusiastic about SailPoint's offerings, particularly for their integrations with a large number of applications and ease of deployment. On the negative side, SailPoint's product roadmap was deemed to lack clarity.
US-based Thycotic Software specialises in password management and privileged account management.
The company's main product is Secret Server, a cloud or on-prem solution to manage privileged access. Credentials are stored in an encrypted, centralised vault, with full account visibility and management.
Related privileged access and password management products are: Account Lifecycle Manager for controlling and governing service (non-human) privileged accounts that access services, applications, data and network resources; Privileged Behaviour Analytics to spot anomalies in privileged account usage; Password Reset Server for password enforcement and user self-service for Office 365 and Active Directory; DevOps Secrets Vault; and Connection Manager for managing multiple remote sessions from a single screen.
There are also two tools in the least privilege & application control area: Privilege Manager and Unix Protection.
Thycotic provides free trials for Secret Server, Account Lifecycle Manager, Privileged Behaviour Analytics, Password Reset Server and Privilege Manager. Pricing is on request.
Some Delta respondents felt the solutions were overly complex, with a complicated deployment model. On the other hand, they also said that the company had a "comprehensive" solution and a "clear focus on access management."
Ubisecure Identity Platform
Ubisecure is a European IAM provider, previously owned by GlobalSign but independent since 2016. Its Identity Platform connects digital identities to customer-facing SaaS and enterprise applications as-a-service, in the cloud or on-premise, using middleware and APIs. The company is a member of and contributor to the industry bodies and working groups behind a range of identity standards, including OAuth 2.0, Token Binding, OpenID Connect, SAML, WS-Federation, Mobile Connect, CIBA and FAPI, FIDO, WebAuthn and the CISWG Consent Receipt specification.
Ubisecure provides three main products in this space:
Managed Identity-as-a-Service (IdaaS) is a managed cloud-based service designed to enable the easy addition of SSO, MFA and Identity Provider connections for customers, partners and suppliers. It is aimed at enterprises and SMEs that lack the capability to deploy, configure and maintain the solution, or who simply need to roll out something fast. Prices are not published.
Identity Server is the on-premises version of the same software. It is deployed by a certified reseller.
Identity Cloud is the hosted Identity Platform deployment. Certified partners host the solution and provide service SLAs.
Ubisecure deploys large-scale Identity Cloud and Identity Server solutions through its certified partners.
A range of options are available, including subscription licensing. Pricing is on a per quote basis.
Much of the above information comes via Delta: Computing's market intelligence tool that covers enterprise IT in all its forms. We have just launched a discounted business continuity package to aid companies struggling to deal with the effects of the coronavirus pandemic; get in touch to find out more.