Disclaimer: Although I am clearly the most good looking of my colleagues, I might not be the most knowledgeable in the company regarding some particular technologies mentioned in this article. My analysis is also not comprehensive; IAM solutions such as One Identity, OneLogin, NetIQ IDM, BeyondTrust, Thycotic and SAP's IAM (which will be featured in a future blog post) are not mentioned. The opinions laid forth in this article are solely my own. Don't go around making billion dollar business decisions based on what I wrote here; consult with us first. Here's a link to the contact form.
This post will provide you with a very high-level overview of the landscape of what falls under the label "Identity and Access Management" (IAM). More concretely, we'll be looking at IAM from a business perspective:
- Why IAM?
- What are the key differentiators of existing IAM solutions?
- Concrete Solutions
  - Amazon Cognito
  - Microsoft Azure AD
  - Ping Identity
  - SAP Customer Data Cloud
- Open Source & Do it yourself solutions
- Building your own solution
- Blockchain, Distributed Ledger Technologies and self sovereign Identity
- What solution is right for you?
When the Web was young, IAM was restricted to Active Directory or LDAP domains on the employee side and simple user databases for the users/customers of the website. Single Sign-On (SSO) was provided by AD using Kerberos (Kerberos still does that job inside a domain today; it is AD's older NTLM protocol that is considered legacy). AD to this day dominates the market for on-premise "IAM". However, with increasingly heterogeneous cloud app landscapes and software-as-a-service solutions, the utility of modern Identity & Access Management is skyrocketing. Whatever you, your employees or your customers do, it requires their identity. All the different SaaS applications you may be using (Box, AWS, Workzone, Salesforce, SAP) require seamless authentication and authorization, and you do not want the IAM part to be the bottleneck, unless you want to burn in unproductivity hell. The industry has developed several standards to tame this complexity: SAML 2.0 and OpenID Connect for federated authentication, OAuth 2.0 for delegated authorization, and FIDO2 for phishing-resistant, hardware-backed login. Modern IAM may itself be a cloud SaaS app, but it is the gateway to all the others. The IAM part of your architecture is where you can generate the biggest value per dollar spent: seamless IAM makes your employees more productive and your customers more willing to buy, all while closing one of the attack paths used most often against companies, weak or stolen credentials.
What are the key differentiators of existing IAM solutions?
In practice, the most important differentiator is whether the IAM System is focused on Customers or Employees/Partners. This is also how the IAM solution marketplace and products are structured. Customer and workforce IAM requirements obviously differ quite starkly. Here are some key differences:
- Employees access a lot of different software, much of it from companies other than yours, during their working hours, whereas your customers need seamless access to your software, services and shop
- GDPR applies to both, but the situation differs: processing employee data usually rests on the employment contract and is narrowly scoped, whereas customer data often depends on consent, purpose limitation and retention rules that are easy to get wrong. This makes customer data "toxic" in a business sense if improper methods are used to take care of it
- Employee identities carry software licenses that have to be assigned on joining and reclaimed on leaving
- Employees need different lifecycle management (promotions, changing departments, termination of contract)
- There might be special regulations in your industry regarding what a single employee should be able to do, e.g. Segregation-of-Duty (SoD) requirements
- Customers' identities and preferences are not fully known but are highly valuable to know. You don't want to kill your conversion rate by trying to figure out these preferences via a giant contact form. A modern IAM solution can help you build profiles of your customers progressively over multiple interactions (progressive profiling). This will be the topic of an upcoming blog post.
- Multi-factor Authentication (MFA) is useful for both employees and customers. Adaptive or risk-based authentication balances the trade-off between user experience and security by requiring a second factor only if there is some particular risk (e.g. the login takes place from a new location or device, or the resource to be accessed is especially sensitive). Modern MFA solutions support a whole range of second factors, such as
- Hardware OTP tokens (e.g. RSA SecurID) that display a changing number which has to be entered to authenticate
- Authenticator apps such as Google Authenticator, which display the same kind of time-based one-time code (TOTP) that has to be entered to authenticate
- Hardware security keys such as the YubiKey (FIDO2/U2F) that you plug into or tap against your device; they sign a challenge bound to the site's origin, so there is no code to type and nothing a phishing page could relay
- "Magic" email links
- Biometrics such as Windows Hello and other face and fingerprint recognition
Many enterprises already have some kind of historically grown legacy IAM or other architectural lock-in. This can make a particular solution the sensible choice even if it would not win a "greenfield" comparison, simply because the switching costs to the best solution are high. But if you are in the luxurious position of being able to choose a completely new IAM system, here is how I would tend to rank them:
The size of the logos makes some of the differences more pronounced than I would like them to be. I left it like this for aesthetic reasons and in order to stress the “roughness” of the evaluation. Here’s some extra info about the technologies in this graph:
Auth0 is a pure Customer IAM solution that focuses on a frictionless login experience that can sustain heavy loads. Its SDKs are very developer-friendly and the implementation is comparatively easy. But the implementation is still done through writing actual code and not some kind of UI. This is both a blessing and a curse. The upside is that it provides tremendous versatility; anything that can be expressed in code is possible. The downside is that the devs need to spend their time on this. However, this time investment and the total cost of ownership is still way lower if you use Auth0 instead of building your own solution.
Auth0 is probably the best solution if authenticating customers is literally all you need.
Cognito is a CIAM solution by Amazon which integrates quite well with the rest of the AWS suite; it does, however, lack features and is rather cumbersome and programming-heavy to implement. It is definitely better than a DIY solution but is still quite bare-bones. Being backed by AWS, one could claim that its strength lies in its great scalability. This is quite a weak differentiator, as most of the other cloud IAM solutions mentioned in this blog post are also built on top of hyperscalers such as AWS and Azure.
Microsoft Azure AD
Azure AD focuses mainly on Workforce Identity. License costs look cheap, but that is mainly because a lot of the interesting features are sold in more expensive bundles. Integrations with other Microsoft products are excellent and out of the box. However, it seems like Microsoft is making the integrations with non-Microsoft systems a little bit cumbersome in order to facilitate vendor lock-in. Customer identity is currently not the focus of Azure AD; it shines at workforce identity. Furthermore, some interesting B2B scenarios (letting your partners log in to your platform) are made possible conveniently. More on this in an upcoming blog post.
CyberArk is very different from the other workforce IAM solutions presented in this article, to the point that it's like comparing apples and oranges. Still, it's useful to know what is an apple and what is an orange, so here we go: CyberArk is dedicated to Privileged Access Management (PAM), i.e. the question of how to specifically deal with the few highly privileged accounts inside your organization (domain admins, root, service accounts) that, if compromised, might deal exorbitant damage. Its raison d'être is the cybersecurity challenge that such privileged accounts present. It does not offer identity governance per se, but you can get the best of both worlds by using the CyberArk integrations that other IAM solutions offer.
ForgeRock was founded by ex-Sun Microsystems employees (the company that developed the Java programming language and was later acquired by Oracle). ForgeRock started as a fork of Sun's open source IAM stack (OpenSSO, continued as OpenAM) and is sold under a commercial license. Its features are very comprehensive and a lot is possible. The drawback is that it feels fairly dated: a lot of the codebase goes back to the Sun days, and much has changed in the IAM space since then. It focuses on Workforce IAM and is primarily an on-premise solution, but has recently started to put forward a cloud offering.
Okta currently dominates the IAM market; their cloud based IAM is excellent both for workforce and customer use cases.
They feature out-of-the-box Single Sign-On and provisioning integrations with an absolutely huge number of applications. What I personally value most in Okta is its excellent administrator experience: managing identities, connecting Active Directory, and onboarding new applications, whether in the cloud or on premises, can be done in no time. No coding necessary. They also have some interesting features such as "Advanced Server Access" (which basically acts as a secure and user-friendly authentication mechanism for your infrastructure on AWS, Google Cloud etc.). They also have a solution for managing identity and access for APIs, both the ones that you consume and those that you expose yourself.
The biggest drawback of Okta is its premium price compared to other solutions; the features and technology stack makes it more than worth it though. As you can tell, I am an Okta fan.
They are fairly new in the European Market and looking to establish themselves there.
Omada is very much focused on employee identities (of natural persons, i.e. no technical accounts). Privileged access management is also one of its specialties. If you work in a sector with significant regulations regarding what a single employee should be able to do (such as SOX for US-listed companies), then Omada will really help you in the audit process. It only makes sense with more than 500 employees, however.
Omada is quite useful when implementing Segregation-of-Duty (SoD) policies, which are a very common audit requirement. SoD policies ensure that no single employee holds a "toxic" combination of capabilities, e.g. creating purchase orders and also approving the payments for them, in order to prevent fraud and satisfy compliance requirements.
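As an added illustration of how such a check is evaluated (example code written for this post, not from the article or from Omada), here is a small SoD checker in Python. The roles, entitlements and policy names are constructed sample data; the point it makes is that the check has to run on the entitlements a user effectively holds, not on role names, because one role can bundle a toxic pair and a pair can be spread across several harmless-looking roles.

```python
from typing import Dict, Iterable, List, Set

# Constructed sample data (hypothetical): roles bundle fine-grained entitlements,
# and it is the entitlements that matter for SoD.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "purchaser":       {"po.create", "po.edit"},
    "ap_clerk":        {"payment.prepare"},
    "ap_approver":     {"payment.approve"},
    "vendor_admin":    {"vendor.create", "vendor.edit_bank_details"},
    "finance_manager": {"po.create", "payment.approve"},   # toxic on its own
}

# Hypothetical policy set: each rule names a combination no single person may hold.
SOD_POLICIES: Dict[str, Set[str]] = {
    "SOD-01 create purchase order and approve its payment": {"po.create", "payment.approve"},
    "SOD-02 create vendor and approve payments":            {"vendor.create", "payment.approve"},
    "SOD-03 prepare and approve payments":                  {"payment.prepare", "payment.approve"},
}


def effective_entitlements(roles: Iterable[str],
                           role_map: Dict[str, Set[str]] = ROLE_ENTITLEMENTS) -> Set[str]:
    """Flatten a user's roles into the entitlements they actually grant."""
    ents: Set[str] = set()
    for role in roles:
        ents |= role_map.get(role, set())   # unknown roles grant nothing
    return ents


def sod_violations(roles: Iterable[str],
                   policies: Dict[str, Set[str]] = SOD_POLICIES,
                   role_map: Dict[str, Set[str]] = ROLE_ENTITLEMENTS) -> List[str]:
    """Names of the policies whose whole toxic set is covered by the user's effective
    entitlements. Working at entitlement level catches both a single bundling role and
    a combination spread across several roles."""
    ents = effective_entitlements(roles, role_map)
    return sorted(name for name, toxic in policies.items() if toxic <= ents)


def audit(assignments: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Run the check over all users; return only those with findings, for the report."""
    findings: Dict[str, List[str]] = {}
    for user, roles in assignments.items():
        violations = sod_violations(roles)
        if violations:
            findings[user] = violations
    return findings
```

In a real IGA deployment the same evaluation runs twice: preventively, when a role is requested (block or route to an approver), and detectively, as a periodic recertification over all assignments, which is the report auditors ask for.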
Oracle IAM’s biggest benefit is that it integrates quite well with the Oracle ecosystem and might be the best choice if you are a large enterprise whose IT is heavily Oracle based. It’s complex, cumbersome, bloated and feels dated.
Ping Identity is a great IAM solution that tackles both the customer and workforce use cases in large enterprises. The CIAM part is similar to Auth0 but with a steeper learning curve. The workforce IAM part is quite comprehensive but going completely cloud-based with Ping requires significant involvement by your IT side.
SailPoint is specialized in the governance side of Workforce IAM. Its strengths lie less in authenticating users or granting access in a frictionless way and more in controlling, monitoring and designing said access.
SAP Customer Data Cloud
SAP Customer Data Cloud resulted from SAP's acquisition of the Israeli company Gigya in 2017. It is part of the C/4HANA suite, focuses on effective customer data management and includes features such as progressive profiling. It integrates excellently with other SAP systems such as SAP Commerce Cloud / SAP Hybris.
The workforce identity management offering by SAP will be discussed in a further blog post.
Open Source & Do it yourself solutions
Keycloak is the most advanced open source solution in the IAM space. It supports SSO with SAML 2.0 and OpenID Connect flows and is focused on workforce identity. The catch is that it's rather difficult to set up and run securely; it requires significant developer effort.
Building your own solution
It might be tempting to roll your own solution for IAM. This might make sense for the workforce IAM use case, as the utility of such a system rises with the number of employees. So if you're a small company with fewer than 50 employees that does not use SaaS solutions running in the cloud, then you might do very well with your own solution (e.g. a good old Excel spreadsheet or the functionality offered by your HR solution). This, however, is certainly not the case for the CIAM use case.
Even if you are a small startup, it makes no business sense to roll your own CIAM solution.
If you're a technology company, then the success of your company depends on how you use the time of your most precious resource, your developers. Burdening them with the plentiful pitfalls involved in the development of a seamless Identity and Access Management system instead of using a tried and true solution might very well make Total Cost of Ownership (TCO) go through the roof! CIAMs provide you with ready-made login/registration flows that can be easily added to your code. Social sign-in (Google, Facebook etc.) can be added in no time. From a UX perspective, ready-made CIAM solutions are optimised for fast loading times and the best conceivable UX, presenting flows that users understand immediately. Furthermore, the security properties of those CIAM solutions get far more scrutiny than an in-house implementation usually does, so that you don't end up making headlines in the next data-leak scandal. Dealing with phishing, man-in-the-middle attacks and passwords (hashing/salting/storing/resetting) is a big hassle where you don't want to start from scratch. Why reinvent the wheel?
To recap: a CIAM allows you to focus on your core competencies, speeds up development as well as prototyping, helps you comply with data privacy regulations and delivers the best UX to your users, maximizing conversion rates.
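To show what "hashing/salting/storing/resetting" involves once you do it yourself, here is an added Python example (written for this post, not code from the article or from any CIAM vendor) that places the common mistake beside the hardened form, and adds the reset-token handling that usually goes wrong next. The scrypt cost parameters and the 15-minute token lifetime are assumptions to tune for your environment.

```python
import base64
import hashlib
import hmac
import os
import secrets

# --- The pitfall: a fast, unsalted hash. Every user with the same password gets the same
# hash, a leaked table can be attacked with precomputed tables, and a GPU tries billions
# of SHA-256 guesses per second. Shown only as the "before".
def weak_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# --- Hardened form: random per-user salt and a memory-hard KDF (scrypt, in the stdlib),
# with the cost parameters stored next to the hash so they can be raised later without
# invalidating existing records. Values are an assumption; tune them on your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # roughly 16 MiB of memory per guess


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
        dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False   # malformed record: fail closed
    return hmac.compare_digest(dk, expected)   # constant-time comparison


# --- Password reset: the e-mail link carries a random single-use token. Store only its
# hash (plain SHA-256 is fine here because the token has 256 bits of entropy, unlike a
# password), give it a short lifetime and compare in constant time.
RESET_TTL_SECONDS = 15 * 60   # assumption


def issue_reset_token(user_id: str, now: float):
    token = secrets.token_urlsafe(32)
    record = {"user_id": user_id,
              "token_hash": hashlib.sha256(token.encode("ascii")).hexdigest(),
              "expires_at": now + RESET_TTL_SECONDS,
              "used": False}
    return token, record   # e-mail the token; persist only the record


def redeem_reset_token(record: dict, presented: str, now: float) -> bool:
    if record["used"] or now > record["expires_at"]:
        return False
    presented_hash = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(record["token_hash"], presented_hash):
        return False
    record["used"] = True   # single use, even inside the lifetime
    return True
```

Two design points worth noting: the stored string carries its own parameters, so a future cost increase only affects new or re-hashed records, and the reset record never contains the token itself, so a leaked database does not let an attacker reset anyone's password. This is the kind of detail a CIAM vendor has already handled for you.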
Blockchain, Distributed Ledger Technologies and self sovereign Identity
The hype around blockchain technology, which is a subset of Distributed Ledger Technologies (DLT), has been quite enormous these past few years. Nevertheless, no DLT has managed to achieve significant market penetration in the IAM space yet. By applying DLT to your IAM, you can make IAM events more auditable: records added to the ledger cannot be altered afterwards (the data can be fake in the first place though; nothing prevents the addition of false data to the DLT). This lets you prove, after the fact, that a record existed at a given point and has not been tampered with since.
The main benefit of applying DLT in your business at this point in time mostly amounts to marketing purposes ("Hey, look at us, we're so innovative using this fancy new tech"). Nevertheless, there might be certain use cases where a DLT-based approach is already warranted. So-called permissioned DLTs (e.g. Hyperledger, hosted by the Linux Foundation with IBM as a major contributor) are not completely open to the public; they operate with a set of trusted nodes and are already employed by some companies in the financial sector.
Nevertheless, the potential of DLT in the IAM space is huge. The idea of so-called "Self-Sovereign" Identity (SSI), which is typically anchored in a DLT, is the most important trend in the IAM space as it represents a complete paradigm shift: instead of storing identities and user credentials at a centralized identity provider, like all solutions described in this blog post do, SSI lets users hold their identity and credentials in their own digital wallet and present them directly to the parties that need to verify them. This is only now becoming possible through advances in DLT and cryptography. SSI is difficult to wrap one's head around but I personally think that it's the future of identity, although it feels more like science fiction right now. SSI will be discussed in more detail in an upcoming blog post.
What solution is right for you?
Companies of all sizes turn to amiconsult GmbH in order to leverage the quick wins that a streamlined Identity & Access Management architecture offers. Our customers value that we pave the way for achieving IAM excellence at ALL stages of the process: planning, implementation and maintenance while being independent of particular IAM vendors; the selection of the IAM technology is tailored to your particular needs. Do not hesitate to contact us to discuss what solution is the right one for your company.