4 Questions to Consider Before Selecting an Identity and Access Management (IAM) Solution

As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Joseph Carson, the Chief Security Scientist and Advisory CISO at Delinea, explains why companies should ask the following four questions before purchasing an Identity and Access Management (IAM) solution.

In many IT environments—even relatively mature ones—once an admin has logged onto a system or application, they’re given complete authority. And that’s a significant problem and risk. Attacks frequently start with one “low-value” endpoint or user account, with the attacker’s end goal being exfiltrating data, holding it to ransom, or data poisoning. And it all starts when a user’s identity has been compromised.

In simple terms, Identity and Access Management (IAM) ensures that the right people and machines are correctly identified, verified, and given access to specific resources that they require for a given length of time. IAM predominately refers to managing human users’ identities—typically customers or employees accessing a company’s infrastructure and services online. 

IAM solutions equip admins with the tools and technologies needed to manage a user’s role, track user activity, generate reports, and enforce company policies. IAM solutions focus on administering proper and secure user access across the entire enterprise while enforcing compliance with corporate policies and government regulations. 

Users need to understand that while IAM tools can help regulate access for users, they can also leave significant gaps that expose vulnerabilities to cyber-attacks if not used in conjunction with Privileged Access Management (PAM) solutions. PAM solutions assist in locking down and monitoring all types of privileged access automatically, enabling users to implement a proper “Continuous Verification,” which is the foundation of Zero Trust and the Principle of Least Privilege strategies. IAM is designed for every user account within an organization, whereas PAM can be directed to secure critical business and technical system access.  

Like most other segments in the technology industry, identity and access management software has evolved over the past few years. Cloud-based services dominate today’s world, which has rendered traditional IAM approaches that revolved around a username and digital identifiers less effective. Cloud and mobile computing have dissolved the traditional boundaries of the cybersecurity perimeter, and any organization taking the journey with IAM should do so in conjunction with a PAM strategy. 

An effective IAM solution can help reduce risk, cut costs, and save time, but choosing the right solution for your organization requires careful consideration. Here are some top questions to ask before selecting an IAM solution.

What Are Your Identity and Access Management (IAM) Goals?  

This may seem like an obvious question, but what do you want to achieve by implementing an IAM solution? The answer to this will vary, depending on many factors from company size to industry and location. But ultimately, the answer to this will determine whether you opt for a point solution or a full-service platform. Point solutions help address fundamental and current IAM needs.

Often, buyers focus on addressing their immediate needs first and ignore the long-term security strategy and goals. As a result, companies are left trying to manage and use several single-point solutions (e.g., EMM, MFA, SSO), causing a wave of complexities, including too many logins and integrations. The advantages of having an integrated platform should not be overlooked. Organizations should work with an IDaaS provider that offers integrated technologies and the ability to provide secure access for all users and solve actual problems, not just provide more tools.

Is the Solution Hybrid?  

Before researching the functions and features of any IAM solution, it is critical to determine whether a prospective vendor can provide a truly hybrid solution with control and access across both on-premise environments and SaaS-based applications. Undoubtedly, SaaS-based applications are valuable, but large enterprises will require more mature solutions to handle the complex challenges of hybrid domains, legacy systems, and on-premise apps.

In the absence of on-premise IAM capabilities, companies will be forced to deal with disparate solutions. At the very least, a solution should provide a single identity to access all apps and from all end-user platforms (i.e., desktops, laptops, and mobile devices). Meanwhile, a Privileged Access solution should ensure the proper security controls are applied, and authorization is verified, which will help reduce risks. 

How Vigorous Are The Access Controls?  

In today’s complex and highly interchangeable threat landscape, passwords alone cannot be trusted to protect, secure, and identify users. A prospective IAM solution must incorporate strong multi-factor authentication (MFA) and a common multi-factor experience across SaaS, cloud, mobile, and on-premise applications. Prospective IAM vendors should be asked if they can support various authentication methods, such as password or mobile device authentication. Using IAM combined with a PAM strategy will help move passwords into the background and enhance automated security controls that help employees do their job without creating friction.

How Easy is Remote Access to the Hybrid Cloud?  

Today, cloud and working remotely go hand in hand, and identity must be about the user and the verification. Secure access must revolve around contextual trust and security—is your device known, managed, and secured? If your organization has opted for a Bring Your Own Device (BYOD) policy or even a bring your own office (BYOO), does the IAM solution presented support hybrid working environments? Prospective buyers should look for vendors that can provide means to ensure that access is verified and secure. 

Selecting the right IDaaS platform is no easy feat, but asking yourself these basic questions can help you understand your specific requirements. Once you have identified a solution that you think can address your particular IAM and PAM needs and many pain points, ensure that vendor claims and solution capabilities are thoroughly investigated and validated. You can accomplish this by looking through independent review websites, listening to customer videos, and reading case studies.


Joseph Carson