With remote work becoming so commonplace, Identity and Access Management software has grown in importance in recent years. Solutions need to be able to function on-premise, in the cloud and in hybrid environments. Here is our list of the best IAM solutions.
According to the Identity Defined Security Alliance, 84% of organizations experienced an identity-related security breach during 2021-2022, and 96% said they believe those breaches were preventable with correctly implemented identity-related security measures. That’s why the global cloud IAM market is projected to reach $13.42 Billion by 2027 and grow at an annual rate of 22.71%, according to a report from Research and Markets.
What is an IAM tool?
Identity and Access Management software and solutions are used to verify identities and only permit authorized users to access organizational resources. Such tools typically reside between systems and target resources. They establish a framework of security policies and technologies to prevent unauthorized access. They form the backbone of user authentication and access and are used in both local and remote scenarios.
With remote work becoming so commonplace, IAM has grown in importance in recent years. Solutions need to be able to function on-prem, in the cloud and in hybrid environments.
According to the Identity Defined Security Alliance, 84% of organizations experienced an identity-related security breach during 2021-2022) and 96% believe those breaches were preventable with correctly implemented identity-related security measures. That’s why the global cloud IAM market is projected to reach $13.42 Billion by 2027 and grow at an annual rate of 22.71%. While
Top IAM software comparison
There are many features in common among top IAM solutions and some others that differentiate the different players. Almost all now include multi-factor authentication and zero trust. But privileged access management and workflows are not offered by some vendors.
|Pricing||Offers multi-factor authentication||Offers privileged access management||Provides workflows||Provides zero trust|
|Microsoft||$6-$9 per user, per month||Yes||Yes||Yes||Yes|
|JumpCloud||$15-$29 per user, per month||Yes||Yes||Yes||Yes|
|CyberArk||$2-$5 per user, per month, plus various add-on fees||Yes||Yes||Yes||Yes|
|OneLogin||$2-$8 per user, per month||Yes||Yes||Yes||Yes|
|Ping Identity||Essential plan $20k per year; Plus plan $40k per year; Premium plan – contact sales||Yes||Yes||Yes||Yes|
|Oracle||Contact sales for pricing||Yes||Yes||Yes||Yes|
|Okta||$15 per server, per month||Yes||Yes||Yes||Yes|
|ManageEngine||Contact for IAM pricing||Yes||Yes||Yes||Yes|
SEE: What is cloud security?
Microsoft: Best for Windows-based Enterprises
If the business runs almost exclusively on Microsoft tools and Windows operating systems, Active Directory is a no-brainer. It stands as the foundation for Windows-based identity management. To extend its reach beyond local networks, Microsoft Entra tools are needed for multi-cloud and multi-network needs running Microsoft Azure.
- Active Directory is included as part of many Microsoft subscriptions.
- Azure AD and Entra pricing starts at $6 per user per month with premium versions costing $9.
- Azure AD includes centralized, cloud-based IAM and governance
- Options for SSO, MFA, passwordless, and conditional access
- Privileged access management
- Continuous permissions monitoring
- Mature product that has been decades in development and broad use.
- Entra Verified ID treats apps and workloads as users to be verified
- Basic identity management is included with many Microsoft subscriptions
- Manages over a billion identities
- Microsoft AD alone does not reach outside of local networks.
- Multiple tools needed to achieve basic IAM in the cloud.
- The full Entra suite of tools may be needed by many users
- Can be complex to use and difficult to troubleshoot
JumpCloud: Best for SMBs
JumpCloud’s zero trust approach to identity offers granular policies to manage identities, devices and locations suites. Its vendor-independent approach is enhanced by its comfort with multiple protocols. It is used by large and small organizations alike, but is particularly user friendly for small businesses that don’t have a strong grounding in IT.
- JumpCloud is complex as there are so many ways to bundle services and so many add-ons.
- It is free for up to 10 users and 10 devices.
- Paid versions are in the $15 to $20 range per user per month with extra fees for parts of the suite, depending on what the user needs.
- Active Directory, Google and Microsoft productivity suite integration
- Device and patch management tools are available as part of a larger toolset.
- Zero-trust policy implementation options.
- Centralized identity control and lifecycle management through its Cloud Directory tool
- Cloud-based LDAP and RADIUS services
- MFA, SSO, conditional access, and password management
- API services for workflow customization
- Mobile device management and patch management for Windows, macOS and Linux endpoints.
- Pricing is complex and difficult to gauge.
- Users may think they are getting IAM for one price when they actually need to pay more for tools like Cloud Directory and other services.
- Some users complain of occasional customer support response times delays.
SEE: JumpCloud vs Okta review
CyberArk: Best for IDaaS
Identity-as-a-Service is a way to take the effort out of IAM. CyberArk is one of several vendors offering IDaaS. The company is also big in the privileged identity management (PAM) market. It has steadily added to its initial PAM offerings with IAM, IDaaS and analytics capabilities.
- Pricing for individual products appears to range between $2 to $5 per user but it is unclear which elements a user must purchase and what other fees are included.
- The company offers a wide-ranging portfolio covering IAM, PAM, secrets management, endpoint security, cloud privilege, and workforce/customer access.
- Marries PAM with IDaaS.
- Comes with SSO and endpoint MFA
- Includes passwordless and self-service options.
- Strong analytics capabilities can be integrated with overall security analytics and metrics programs.
- Risk-based authentication helps administrators determine IAM risk tolerances.
- Can cope with multi-cloud environments.
- Pricing is above average for some use cases.
- Some users note occasional performance issues.
- Confusing price structure that isn’t openly available.
- Those only needing IAM may end up buying far more than they need.
SEE: CyberArk vs BeyondTrust review
OneLogin: Best for Social Media
Those organizations that are social media centric will appreciate how OneLogin’s IAM product integrates with social media logins as well as regular enterprise logins for endpoints. It takes a narrower focus than others. But those wanting a good IAM tool should consider OneLogin.
- Like many vendors in IAM, pricing gets a little complex based on the version and features.
- Different versions and capabilities vary from around $2 to $8 per user per month.
- Some are bundled with a collection of offerings, others enable you to pay for specific features only.
- Offers a dedicated identity and access management solution for workforce and customers.
- Some versions include single sign-on, advanced directory and multi-factor authentication and others add identity lifecycle management and HR identity features.
- Centralized management.
- OneLogin has a narrower IAM focus than competitive offerings so is a good option for those that don’t need PAM and other related capabilities.
- Support for developers integrating IAM into applications.
- Social media login support.
- Doesn’t venture into PAM.
- Users with multiple roles may end up with too many logins.
- Opaque pricing with multiple options that can soon add up.
SEE: OneLogin vs Okta review
Ping Identity: Best for Financial Services
Ping Identity is another largely pure-play IAM vendor. But within that, it delivers a range of identity and access solutions that can be bought together or separately. It has traditionally had a strong user base among financial services companies though doesn’t specialize only in that market.
- Ping is one of the few companies directly citing numbers on its website such as a starting price of $20,000 for its Essential package (includes identity orchestration engine, SSO,
- authentication policies, and more) and $40,000 for the Plus package (adds features like adaptive MFA, embedded MFA for mobile apps, device management, API management, LDAP and
- passwordless authentication).
- Highly scalable IAM
- SSOs, MFA and dynamic authorization
- Monitors risk and API traffic
- No-code, drag & drop workflows and pre-built templates for ease of use.
- Many pre-built integrations
- Detection of anomalous behavior
- Hosted, container, on-premises and private cloud versions available.
- Some complexity apparent in role management and entitlement creation
- Multiple licenses required for IAM.
- Pricing structure means it may be too expensive for SMBs.
SEE: Ping vs Okta review
SEE: Okta vs Duo review
Oracle: Best for Multi-Cloud Environments
Oracle offers a range of cloud infrastructure identity and access management and access governance tools to help manage identity and access in cloud and on-premises. These can either be self-managed or managed by Oracle. Oracle’s enterprise cloud experience and capabilities make it a good choice for those with multi-cloud environments
- Oracle posts pricing on its website, but there are so many products, tools and options that it is difficult to follow.
- Approximate pricing is a cent or two per user for IAM but it isn’t clear what else has to be purchased such as Oracle Cloud Infrastructure services and governance capabilities for additional fees.
- Cloud-native access management that supports hybrid and multi-cloud needs
- Strong governance features
- Oracle owned a network of dozens of data centers around the world for ease of scalability and low latency.
- Embedded IAM for Oracle Fusion Application Cloud users which simplifies provisioning and role management.
- Strong automation capabilities
- Delegation of provisioning to user segments to lessen the IT workload.
- Zero Trust
- OCI customers will find this add-on easy to implement with attractive pricing bundles available.
- SMBs may find it too much and too complex
- Steep learning curve.
- Integration is focused across Oracle tools and platforms and is spotty elsewhere.
Okta: Best for Ease of Management
Okta’s single pane of glass approach helps to simplify deployment,management and administration. They are also made easier as Okta integrates with thousands of applications. It comes. Okta integrates well, too, with Microsoft products, making it a good choice for Office 365, Azure Active Directory, Sharepoint, Intune and Windows-based access.
- Pricing goes from a couple of dollars a month per user for one feature to $15 or so per server per month.
- But there is a long list of options and capabilities and the total soon adds up.
- There are also plans for large organizations that bundle capabilities together. These tend to favor larger deployments in terms of cost per user.
- Automated provisioning and deprovisioning.
- Password-less authentication
- PAM options are available
- No-code and low-code options
- Massive library of pre-set integrations available
- Centralizes all administration
- One directory manages all users, groups, apps, devices, and policies
- SSO and MFA
- SaaS platform
- Limited customization
- No direct on-premises option
- Complex licensing and pricing to achieve full IAM capabilities
- May be expensive for SMBs
ManageEngine: Best for in-house IAM
Several of the products included here can be run in-house. But ManageEngine is probably the best – and it can also run in the cloud. The company offers a set of tools that once assembled provided comprehensive IAM.
- Standard and professional tiers start at around $3000 and $5000 respectively, based on domains, number of help desk users, domain controllers, file servers, workstations and users.
- It gets a little complex and is quite different in terms of structure to other vendors so apples to apples comparisons are impossible.
- Automated IAM
- Includes MFA and SSO
- Threat protection
- Behavioral analytics are available to spot IAM-related anomalies.
- On-premises capabilities keep local administrators in control of access.
- Fast installation and relatively smooth implementation.
- Also offers PAM active directory management and key management.
- Occasional performance and uptime issues commented on by some users.
- Demands in-house experienced administration.
- Several tool installations are required to provide complete IAM capabilities.
Key features of IAM software
Those interested in Identify and Access Management should expect to see features such as multi-factor authentication, zero trust and workflows integrated into the products they deploy. Privileged access management, though, may be needed by some and not by others. But if you need it, make sure to select an IAM package that includes integrated PAM.
Multi-factor authentication is now becoming so commonplace that IAM vendors typically provide it. MFA greatly reduces the risk inherent in using only a single password or passcode for access. Users must use at least two methods to authenticate their identity.
Privileged Access Management is another capability that is often integrated with IAM. PAM deals with who should be granted what access privileges such as admin privileges or the right to review certain types of organizational information. In its simplest form, it enables a manager to access the files and systems of those under his or her care, but prevents them from viewing the data and systems of their superiors.
Identity and access management workflows control the actions that can be done by authenticated users. It is based on pre-set IAM policies and templates that lay out approval processes for access, restrictions of certain assets, onboarding, offboarding, alerting and more.
Zero Trust is a security philosophy that eliminates the principle of implicit trust, thereby minimizing the possibility of a cyber-attack. Rather than being a product or tool, zero trust is a framework that is applied across the entire range of cybersecurity. It plays a key role in enhancing IAM effectiveness.
How do I choose the best IAM software for my business?
There are a great many choices out there for IAM. Those listed above are among the strongest candidates. But the selection process must be done independently by every organization to ensure the toolset chosen is the right fit for the organizational culture, IT capabilities, infrastructure and user base. There are many different approaches to account verification, role and privilege assignment and access control. Some are more stringent than others, some have better governance and reporting, others are easy to implement or aimed at large or small businesses, or are better in the cloud or on-premises.
Thus, there are many factors to consider. For some businesses integration may be key. IAM must be able to comfortably fit into the existing infrastructure, interact seamlessly with related security tools and business applications, and should align with platform preferences. If the organization is an AWS or Microsoft Azure shop, this helps to narrow down the IAM options by selecting a tool that is designed for those environments.
For others, the user experience will be front and center. They either want an approach to IAM that does not place a severe authentication burden on users and places undue delays on their actions. But on the other side of the coin, some will demand the tightest security with multiple authentication and verification steps.
To create the pool of candidates for this year’s top IAM solutions, we reviewed a variety of analyst sites, user review compilations and vendor websites. Each one chosen was able to deliver enterprise-class capabilities for identity management as well as access management. We looked at each solutions’ approach to account verification, role and privilege assignment and access control. We also considered how each fit into an organization’s existing infrastructure, and if they can integrate with existing business tools and applications. Finally, we looked to see if each solution offers a comprehensive user experience and interface as well as whether they offered reporting, threat detection and any automation including installation and provisioning.
SEE: Checklist: Network and systems security (TechRepublic Premium)
This post originally appeared on TechToday.