What to look for in an IAM solution

Posted by Edward Killeen on Fri, Aug 10, 2012

Now you've done it: you have decided to look into an Identity & Access Management (IAM) solution.  There aren't a lot of these IAM solutions out there, so it's pretty easy to narrow down the list of IAM vendors.  But now you have to think: what am I looking for?  What am I trying to solve?

Gartner says that, "IAM ensures the right people get the right access to the right resources at the right time, enabling the right business outcomes."  I trust Gartner so you want to be sure that your IAM solution is doing those things.  Let's break it down:

  • The right people: to know the right people you have to have access to all of the identity repositories in your network (HRIS, Active Directory, ERP, line of business apps, etc.).  You need to know everything about these users and have a way to "join" the disparate user accounts.  You need to synchronize attributes and provision/deprovision.  You need to constantly inventory all of these systems so that any change is picked up immediately.  An enterprise directory, or metadirectory, that joins these users and creates what we call a "person object" that links all user accounts gets you to the "right people."
  • The right access to the right resources: you could call this identity and access governance or role-based access control or even attribute-based access control.  We call it all three.  This is the tricky part of all IAM, which is why we built our role engine into everything we do.  Role-based provisioning gives that "right person" the right user accounts.  Hybrid RBAC & ABAC allows you to get to an even finer level of granularity by looking not only at the user's role but also at attributes to define it further.  Role mapping ensures that your IAM roles match your application roles (and you only have to manage them in one place).  Polyarchical role structures let you mix and match business and system roles for finer granularity.
  • At the right time: On average, 20% of your users change jobs every year; that's called internal turnover.  You need to have all of your roles, provisioning jobs, synchronization jobs, and group memberships be dynamic.  This means that they are constantly inventorying every system for changes and kicking off a workflow to make changes to everything to ensure that the "right person" has "the right access to the right resource" right then and there.  It has to be dynamic; all of it has to be dynamic.  Think of it this way: automate, automate, automate!
  • The right business outcomes: this is all about workflow.  Your IAM processes should map into your business; you shouldn't have to map your business process to your IAM solution.  A visual workflow designer that easily (this means without an army of consultants) creates business policy approvals, user approvals, and rights-based approvals makes all of these IAM changes map to what you need.  Think of it this way: when you are designing your business process, you draw it on a whiteboard.  Shouldn't your IAM process match that and not be lines of code?  Visual IAM workflow.
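To make the first three bullets concrete, here is an added sketch (not EmpowerID code) that joins accounts from several repositories into person objects, applies a hybrid role-plus-attribute policy, and plans the provisioning changes. The field names, the `employee_id` join key, the policy rules and the sample inventory are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory from three repositories; field names are assumptions.
ACCOUNTS = [
    {"system": "HRIS", "employee_id": "1001", "login": "a.ruiz", "dept": "Finance", "status": "active"},
    {"system": "AD", "employee_id": "1001", "login": "aruiz"},
    {"system": "HRIS", "employee_id": "1002", "login": "b.chen", "dept": "Sales", "status": "terminated"},
    {"system": "AD", "employee_id": "1002", "login": "bchen"},
    {"system": "HRIS", "employee_id": "1003", "login": "c.okoye", "dept": "Sales", "status": "active"},
    {"system": "AD", "employee_id": "1003", "login": "cokoye"},
    {"system": "ERP", "employee_id": "1003", "login": "COKOYE"},  # left over from a Finance job
    {"system": "ERP", "employee_id": None, "login": "svc_old"},   # cannot be joined to anyone
]

# Hypothetical policy: a role grants systems (RBAC) only if its attribute test passes (ABAC).
ROLE_RULES = [
    {"role": "employee", "when": lambda p: p["status"] == "active", "grants": {"AD"}},
    {"role": "finance-user",
     "when": lambda p: p["status"] == "active" and p["dept"] == "Finance",
     "grants": {"ERP"}},
]

def join_accounts(accounts):
    """Link accounts that share an employee_id into person objects; return orphans too."""
    people = defaultdict(lambda: {"accounts": {}, "dept": None, "status": None})
    orphans = []
    for acct in accounts:
        if acct["employee_id"] is None:
            orphans.append((acct["system"], acct["login"]))
            continue
        person = people[acct["employee_id"]]
        person["accounts"][acct["system"]] = acct["login"]
        if acct["system"] == "HRIS":  # assumption: HRIS is authoritative for attributes
            person["dept"], person["status"] = acct["dept"], acct["status"]
    return dict(people), orphans

def plan_changes(people):
    """Diff the systems each person is entitled to against the accounts they hold."""
    actions = []
    for emp_id, person in sorted(people.items()):
        entitled = set()
        for rule in ROLE_RULES:
            if rule["when"](person):
                entitled |= rule["grants"]
        held = set(person["accounts"]) - {"HRIS"}
        actions += [("provision", emp_id, s) for s in sorted(entitled - held)]
        actions += [("deprovision", emp_id, s) for s in sorted(held - entitled)]
    return actions
```

Run against each fresh inventory, the plan picks up the terminated user's live AD account and the ERP access that outlived a job change, while the orphan list surfaces accounts that belong to no person object.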

When you are looking for your IAM solution, this is what you want to look for.  EmpowerID has a pretty amazing solution to all of this and the track record to back it up.  Tell us what you want out of Identity and Access Management and we'll show you how to map it and get all of those bullet points right!
