3 Factors to consider while selecting the right Identity & Access Management (IAM) tool for your business
Selecting the right IAM tool for your business can be a confusing and cumbersome process, especially if you are doing it for the first time. With the recent surge of IAM products in the market, organizations have more choices than ever, which makes it difficult to choose the right vendor. As a result, organizations usually take the ‘product feature comparison’ route to arrive at the right IAM tool for their businesses.
However, the catch here is that 90% of the IAM products/solutions have the same features, more or less. While tool features are definitely an important part of your evaluation process, focusing only on features or the product brand is not the best approach for evaluating IAM tools.
So the question naturally arises: what is the correct approach to selecting the right IAM vendor for your business?
Ideally, your business should be the starting point of your evaluation process. Depending on your business needs, put down your requirements. Using these requirements, you should create a framework; not necessarily something complex like the Zachman Framework. A simple framework mapping your IAM needs would suffice. I have found it useful to keep the following 3 factors in mind while creating this framework:
1. Portfolio: This refers to the portfolio of applications and users that compose your IT ecosystem. IAM requirements will differ depending on whether you are using customized applications or off-the-shelf proprietary applications from SAP, Microsoft, etc. They will be completely different if you are using a mix of native applications and customized desktop applications. Similarly, you must also consider the users of these applications. Do you want to cover both employees and partners under IAM? What about consumers? IAM needs for customers differ from those of employees and are covered under Customer Identity Access Management (CIAM). Cognizance of your organization's portfolio should be the starting point for jotting down your IAM requirements.
2. Application parameters: This covers the various modules or methodologies that you require in your IAM setup and includes parameters such as the Single Sign-On (SSO) requirement, authentication workflows, etc. To give an example, most companies erroneously assume that their Active Directory (AD) functions as SSO. But AD is a directory service, while SSO is an authentication methodology which includes various capabilities such as multi-factor authentication (MFA), taking automated actions based on abnormal entity behavior, etc. If ease of login is your primary objective, AD is sufficient and you don’t need SSO. Thus, simply noting that you need SSO is not enough. You must also highlight your requirements under SSO.
3. Objectives: What are your IAM objectives? Do you need it for governance, to share with governing bodies for regulatory compliance? Or are you expecting to create an identity store of your users to automate onboarding and off-boarding of employees? Or do you want to provide easy access to applications for your remote workforce without compromising on security?
There are various pitfalls you must avoid in your IAM tool selection journey: using a generic feature list from Google, evaluating vendors based on how big or small they are, or even choosing ‘super’ products that cover all solutions under IAM but are limited in capabilities. Setting up your IAM ecosystem is a labor-intensive process, and discovering 6 months after deployment that the product doesn’t fit your organization can be a nasty shock. Hence it is important that you create a framework derived from your application and user portfolio, which clearly calls out the ‘what and why’ of your requirements and highlights your objectives. Armed with this framework, you will be better prepared to understand what the various products offer and which one of them will be the best fit for your organization.