Identity and access management (IAM) is quickly becoming one of the foremost focal points for security teams. Network boundaries are shifting or disappearing while services become more interconnected than ever, and the industry discussion around zero trust reflects that trend.
Permissions govern access to data and resources. Permissions are attached to an identity, whether human or machine. A number of solutions can help security teams improve their IAM posture. This article explores the questions security teams should ask themselves when evaluating IAM tools.
Are the Devices We Use Supported by IAM?
We’re a Windows shop. We’re a Mac shop. We’re all developers and use Linux. Some organizations run a BYOD model. Some use mobile devices as part of their standard operations. Some issue rigorously managed system images across the whole user base.
An IAM solution that integrates with device management opens up new kinds of security policy, such as “user X can only log into service Y if they are using a managed device.” Such a policy is only as strong as the device signal behind it: the IAM system needs a verifiable claim from the device-management integration (for example a device certificate or attestation), not a self-reported client property that an attacker can simply spoof.
How Does the Cost Scale Over Time?
The pricing model of each solution will differ. You might find pricing by feature tier, by the number of active users, or by the number of integrations. The most important thing to consider is how your organization looks today and how it will grow over the coming 3-5 years.
If you sign up for a per-user pricing model, weigh it alongside every other product you already pay for per seat. The cost for each employee or contractor can creep steadily upward on a monthly or annual basis if you are not mindful.
Does IAM Support Adaptive Authorization Decisions?
With adaptive authorization, what a user is allowed to do changes with the conditions of their session. Traditionally, authorization and permissions have been very static: a user is placed in a group and, from there, has access to certain things until they are no longer in that group. If a user logs in from a new device or from a notably different location, you may not want them accessing everything they normally can, at least not without proving more about who they are.
Zero trust frameworks often describe a policy or risk engine that decides whether a user should get access to a particular resource based on a number of such factors. Some solutions have productized these capabilities; others should at least be flexible enough to feed signals into, or accept decisions from, a broader IAM tool ecosystem.
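To make the “managed device only” policy from the device section and the policy/risk engine described here concrete, below is a small engine that evaluates an access request against a static policy (group membership, device requirement, MFA floor) and then adjusts the outcome by a risk score built from session signals. This is an added illustration written for this article, not the engine of any particular IAM product; the signals, weights, thresholds, the `USUAL_COUNTRIES` baseline and the sample sessions are all constructed assumptions.

```python
"""Toy adaptive-authorization engine (illustrative; not any vendor's logic)."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Assumed ordering of factor strength for this example only.
MFA_STRENGTH = {"none": 0, "push": 1, "fido": 2}


@dataclass(frozen=True)
class Session:
    user: str
    groups: FrozenSet[str]
    device_managed: bool      # verified claim from the device-management integration
    device_seen_before: bool  # has this user authenticated from this device before
    country: str              # example signal, e.g. from IP geolocation
    mfa: str                  # strongest factor completed in this session


@dataclass(frozen=True)
class Policy:
    resource: str
    required_group: str
    require_managed_device: bool = False
    min_mfa: str = "none"      # floor the resource always requires
    step_up_mfa: str = "fido"  # factor demanded when the session looks risky
    deny_risk: int = 4         # at or above this score, deny outright


# Constructed baseline: where each user normally logs in from.
USUAL_COUNTRIES = {"alice": frozenset({"US"}), "bob": frozenset({"DE", "AT"})}


def risk_score(session: Session) -> int:
    """Additive score from dynamic signals; weights are assumptions."""
    score = 0
    if not session.device_seen_before:
        score += 2
    if session.country not in USUAL_COUNTRIES.get(session.user, frozenset()):
        score += 2
    if not session.device_managed:
        score += 1
    return score


def decide(session: Session, policy: Policy) -> Tuple[str, str]:
    """Return (decision, reason) where decision is allow, step_up or deny."""
    # Static part: the classic group check plus hard device requirement.
    if policy.required_group not in session.groups:
        return "deny", "user not in required group"
    if policy.require_managed_device and not session.device_managed:
        return "deny", "resource requires a managed device"
    have = MFA_STRENGTH[session.mfa]
    if have < MFA_STRENGTH[policy.min_mfa]:
        return "step_up", f"resource requires at least {policy.min_mfa}"
    # Dynamic part: raise the bar, or refuse, when the session looks unusual.
    score = risk_score(session)
    if score >= policy.deny_risk:
        return "deny", f"risk score {score} >= {policy.deny_risk}"
    if score > 0 and have < MFA_STRENGTH[policy.step_up_mfa]:
        return "step_up", f"risk score {score}; require {policy.step_up_mfa}"
    return "allow", f"risk score {score}"


# Constructed policies: payroll is sensitive, the wiki is tolerant.
PAYROLL = Policy("payroll", "finance", require_managed_device=True, min_mfa="push")
WIKI = Policy("wiki", "staff", deny_risk=6)

# Constructed sessions for the same user under different conditions.
FINANCE = frozenset({"staff", "finance"})
alice_office = Session("alice", FINANCE, True, True, "US", "push")
alice_travel = Session("alice", FINANCE, True, False, "FR", "push")
alice_byod = Session("alice", FINANCE, False, True, "US", "fido")
bob_office = Session("bob", frozenset({"staff"}), True, True, "DE", "push")

if __name__ == "__main__":
    for s in (alice_office, alice_travel, alice_byod, bob_office):
        for p in (PAYROLL, WIKI):
            print(f"{s.user:5} {s.country} {p.resource:7} -> {decide(s, p)}")
```

The point of the split between `Policy` and `risk_score` is that the static rules stay auditable (who is in which group, which resources demand a managed device) while the dynamic signals only move a request between allow, step-up and deny; a real engine would take the device and MFA claims from the identity provider rather than trusting fields supplied by the client.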
What Kind of Authentication Options Are Available?
Solutions should be capable of moving beyond username and password. This is especially true given the wide range of multi-factor authentication (MFA) methods available, from FIDO authenticators to push-based apps. Not all factors are equal, though: FIDO/WebAuthn credentials are bound to the site’s origin and are therefore phishing-resistant, whereas one-time codes and push approvals can be relayed by a phishing page or worn down by repeated prompts, so the evaluation should look at which factors a solution supports and whether it lets you require the stronger ones for sensitive resources.
There is a very positive trend toward making security easier for end users, so that the secure way to do something is also the easy way. IAM solutions should be ready to support this trend with options such as passwordless authentication and FIDO-based MFA.
What’s the Availability of the Service Like?
An IAM service with availability problems can cripple an organization where people need to sign in to do their work. Seek out solutions with a solid track record of availability, checking the published SLA and the vendor’s status-page history rather than relying on marketing claims. But outages can and do happen, especially when one of the vendor’s own upstream suppliers fails, so you also need to consider your contingency plan.
For some organizations, brief outages may be acceptable and normal. For others, they may be extremely damaging. Can you switch to an alternative means of access in an emergency, such as break-glass accounts that do not depend on the IAM provider? How long could you, or would you want to, sustain that?