Learn More About Identity and Access Management (IAM) Software
What is Identity and Access Management (IAM) Software?
Companies use identity and access management (IAM) software both to enforce their security controls over who has access to corporate assets and to promote worker productivity by giving users easy access to the tools they need to do their jobs. IAM software achieves this by allowing only authorized and authenticated users, such as employees, contractors, and devices, to access corporate resources at their appropriate permission level, based on predetermined policy-based controls.
Using IAM software, company administrators can quickly provision, deprovision, or change user identities and access rights to corporate assets at scale. Each user is granted the right level of access permissions based on their user or group membership type. This makes it easier for security teams to manage who has access to what accounts at scale, and for end users to quickly gain access to the tools they need to do their jobs instead of waiting for their individual accounts to be provisioned one by one. For example, a newly promoted departmental leader at a company may need permissions to fully access the proprietary data stored within an application. This can easily be granted to them through their management group membership, while a junior-level employee would not need that kind of access, so they would only be permitted to view non-sensitive data stored within the application. IAM software also tracks user activity, enabling administrators to confirm that users are accessing corporate assets in compliance with company policies.
By using IAM software with policy-based controls to enforce least-privilege strategies, companies can protect against unauthorized access from both external actors, like hackers, and non-permissioned internal users (insider threats) who have insufficient access level permissions. IAM software is an important component of a company’s zero-trust, least-privilege security model, where all users’ identities are verified prior to granting access to corporate resources. This differs from prior security models that enforced perimeter security, where once a user is inside the corporate network, they are granted free access and movement across the network and are not required to authenticate again to use other applications.
What Does IAM Stand For?
IAM, sometimes also listed as IdAM, stands for identity and access management. IAM software is sometimes also referred to as workforce identity or employee identity management. Other acronyms related to IAM include CIAM, for customer identity and access management software, which is used for customer-related identity management. Similarly, for government-related identity products, the acronym ICAM stands for identity, credential, and access management. Another acronym, IDaaS, stands for identity as a service.
What are the Common Features of Identity and Access Management (IAM) Software?
The following are some core features within IAM software:
Authentication: IAM providers offer multi-factor authentication (MFA) methods for users to prove their identity prior to being granted access to corporate resources. MFA requires more than a single authentication factor, such as a username and password alone. Authentication factors can include one-time passcodes (OTPs), software tokens, mobile push, hardware tokens, and more. More advanced authentication methods include biometric authentication and passwordless authentication.
More recently, IAM providers have been utilizing risk-based authentication (RBA) methods, also known as contextual authentication, intelligent MFA, or adaptive MFA, which analyze real-time information about users, such as their IP addresses, devices, and behaviors, to continually verify their identity.
Identity lifecycle management or user provisioning and deprovisioning: IAM software providers offer administrators the ability to manage the lifecycle of an identity, from quick provisioning to deprovisioning, along with user changes including attributes, roles, permissions, and other entitlements. Some IAM providers also offer a universal directory.
Directory: IAM providers will either integrate with existing directory providers or offer a universal directory service.
Single sign-on (SSO): IAM software provides SSO functionality to enable end users to access their business applications all in one place while requiring them to authenticate only once.
User activity monitoring: IAM software enables administrators to track user activity, including anomalous activity. This kind of auditing is intended to ensure compliance with secure access control policies. IAM solutions often provide standard reports for this.
What are the Benefits of Identity and Access Management (IAM) Software?
Security: The main benefit of implementing identity and access management software is improved security. IAM software manages access governance, allowing only verified, authorized, and permissioned users to access company assets. This helps mitigate risks from external hackers or insider threats.
Productivity or enabling the workforce: In addition to improved security, companies that deploy IAM software to streamline the login experience may see productivity gains among users. A simple-to-use security product with SSO that requires only one login and also organizes the user’s corporate applications and accounts all in one place can save the user time and frustration.
Regulatory compliance: Many global governmental or industry regulations require companies to have security controls in place. Identity management is a major component of a well-rounded information security program.
Who Uses Identity and Access Management (IAM) Software?
Information security (infosec) professionals: Infosec professionals use IAM software as a foundational component of their security program.
IT Administrators: IT admins may be responsible for managing IAM software, especially as it relates to provisioning and deprovisioning users.
End users and devices: End users such as employees or contractors use IAM software in their day-to-day work activities to access corporate assets needed to do their jobs. Devices such as internet of things (IoT) devices must have their identity validated in order to access corporate resources, including other IoT devices.
What are the Alternatives to Identity and Access Management (IAM) Software?
Alternatives to IAM solutions that can replace this type of software, either partially or completely, include:
Single sign-on (SSO) software: SSO software, which is a component of a complete IAM software solution, is an authentication tool that allows users to sign into multiple applications or databases with a single set of credentials. SSO software will not have identity governance and user lifecycle management features that an IAM solution would provide.
Multi-factor authentication (MFA) software: MFA, which is a component of a complete IAM software solution, is used to have users prove their identity in two or more ways before granting them access privileges to corporate accounts. There are many types of authentication factors beyond the standard single factor of login credentials like usernames and passwords, including something the user has, like a mobile device or security token; something the user is, such as a scan of their faceprint or fingerprint; or somewhere the user is, like their geographical location and IP address. Newer forms of MFA include risk-based authentication and passwordless authentication.
Password manager software: Password manager software, or password management software, stores a user's individual passwords through either an encrypted vault downloaded to a user’s computer or mobile device, or digitally through browser plugins or extensions. The passwords stored in this software are managed by the user, not by a corporate administrator.
Software Related to Identity and Access Management (IAM) Software
Related solutions that can be used together with IAM software include many types of identity management software:
Customer identity and access management (CIAM) software: CIAM software is similar to IAM software, but used for customer identities instead of workforce identities like employees, contractors, and corporate devices.
Privileged access management (PAM) software: PAM software helps companies protect their most critical IT resources by ensuring the credentials of their privileged accounts, such as admin accounts, are only accessed by those with proper permissions to do so. When users access these privileged accounts, they must check in and check out and are often monitored during the time they are using the privileged account. PAM solutions are used in conjunction with IAM software, which provides authentication of general user identities; PAM software, however, provides more granular control and visibility of administrative or privileged user identities.
User provisioning and governance tools: User provisioning and governance tools enable companies to manage user account identities throughout their lifecycle, including provisioning and deprovisioning. These solutions are often deployed on-premises, but many tools are offering cloud-based solutions, as well.
Cloud directory services software: Similar to user provisioning and governance tools, cloud directory services software enables companies to manage user identities throughout their lifecycle, including provisioning and deprovisioning, in a cloud-deployed manner. Companies use these tools as they transition away from traditional on-premises or locally operating identity management software to cloud services and SaaS applications.
Challenges with Identity and Access Management (IAM) Software
Identity management solutions and IAM systems can come with their own set of challenges.
Policy and group management: Managing corporate access policies and groups is a company policy-related issue, not necessarily a technical one. It can get overwhelming for IAM administrators when companies have undefined or even conflicting policies as to which users have access to what resources. Administrators may be asked by leadership to provide users with much higher levels of access than their policy or group access control would normally allow, thus introducing risks into the environment.
Identity for cloud vs. on-premises applications: Depending on the company’s technology stack, businesses may have a mix of both on-premises and cloud-based applications and resources. Companies must ensure that their IAM solution has connectors to the types of systems they need support for, especially for hybrid IT environments.
Insufficient MFA methods: It is important that the MFA component of the identity program is strong to prevent unauthorized use, which can lead to data breaches. Many IAM providers are moving away from less secure MFA methods, such as email one-time passcodes, to stronger authentication methods like risk-based authentication or contextual authentication.
How to Buy Identity and Access Management (IAM) Software
Requirements Gathering (RFI/RFP) for Identity and Access Management (IAM) Software
When gathering and prioritizing the company's requirements, it is important to consider the following factors.
Ease for end users: In order for IAM software to be effective, end users have to actually use it. The IAM solution must be easy to use by the end user and become part of their everyday routine.
Authentication methods: Are there limitations on the types of authentication factors that the company’s employees, contractors, and devices can use? For example, employees may be able to use authentication methods such as hardware tokens and biometrics, while temporary contractors might rely on in-app mobile pushes or OTPs sent via email, SMS, or phone. Additionally, if employees in a manufacturing facility or healthcare unit cannot carry a mobile phone with them, authentication factors requiring a mobile device may not be suitable.
Regional considerations: Is the company global? Does the IAM solution need to support multiple languages, use cases, and adhere to local data protection regulations? Businesses must ensure the IAM provider can accommodate the company’s geographic and regional-based needs.
Integrations: Companies should determine which integrations are important to them. The most critical integration would likely be the user directory solution, such as an HR system, if a directory is not provided by or being used within the IAM solution.
Timeline: The company must decide how quickly they need to implement the solution.
Level of support: Buyers should know if they require high-quality support or if they prefer implementing the solution in-house.
Compare Identity and Access Management (IAM) Software Products
Create a long list
There are many providers of IAM software. The best way to begin narrowing the search for products that would work well for the company would be to start by company segment size, such as small, medium, or enterprise-size businesses. By visiting the Identity and Access Management (IAM) software page on G2.com, buyers can filter solutions by market segment using the left-hand filter radio buttons.
Create a short list
After looking through IAM solutions for a particular company size, buyers should ensure they meet the company’s authentication and regional needs. If a specific language is a requirement, buyers can filter solutions by language by visiting the Identity and Access Management (IAM) software page on G2.com. For other requirements, such as how easy it is to use, the “Easiest to use” section of the Identity and Access Management (IAM) software page on G2 helps compare options. Users can further narrow the selection by reading user reviews, checking the product’s ranking on the G2 Grid® report for the Identity and Access Management (IAM) software category, and reading other IAM-related resources.
Conduct demos
At each demo, buyers must be sure to ask the same questions and present the same use case scenarios to best evaluate each product. Potential buyers can contact many vendors directly on G2.com to request demos by selecting the “Get a quote” button.
Selection of Identity and Access Management (IAM) Software
Choose a selection team
The selection team should include the day-to-day administrator of this product, who is likely an information security or related cybersecurity professional or an IT administrator. Companies may also consider having someone from HR join the selection committee to provide context regarding new hire onboarding and employee offboarding, as it relates to the user provisioning or deprovisioning aspect of IAM software. Lastly, it is important to include a typical day-to-day end user to ensure that the product is easy to use and can be widely adopted by the workforce.
Negotiation
When negotiating the contract, buyers must consider pricing, implementation, and support. Typically, longer contracts and larger license counts can improve price discounting.
Final decision
The final decision maker should likely be the day-to-day administrator of the solution, likely an information security professional or an IT administrator, with input from other stakeholders on the selection team. Prior to purchasing an IAM solution, buyers should check if they can get a trial period to test with a small number of users before going all in on the product. If the tool is well received by end users and administrators, businesses can feel more confident in their purchase.