8 things to consider when acquiring an IAM solution
A dynamic work day with home offices, cloud services and staying compliant with regulatory requirements, increase the company's need for a solid tool to provide, secure and manage access to their IT systems. In other words, they need an Identity and Access Management solution (IAM). Before starting the procurement process, you should be familiar with the various areas within IAM, and also identify important issues that should be addressed.
Alexander Friedensburg
19. August 2021
1. Is the target group externals, employees or both?
Prior to the acquisition, one should review who is the target group for the platform. If you have external users, such as B2C or B2B customers, you should consider purchasing a Customer IAM solution (CIAM), with features particularly suitable for self-service user registration, obtaining consent and user-friendly login features.
On the other hand, if you need a solution for employees, you are often more concerned with integration capabilities with the company's HR system, productivity and professional systems. As well as the possibility of self-service ordering and authorization when more access is needed.
An increasing trend is that companies want to combine access control for both external and internal users in the same platform. This is first and foremost cost effective - one platform is cheaper than two after all. It simplifies application management, and is basically a given if both user groups are to have access to the same application.
2. Purely cloud, a little cloud or on-premise?
With this question, we aim at the delivery model. IAM services are provided as public cloud services based on a microservice architecture (Public cloud / Software as a Service). But also as privately available cloud services (Private cloud) based on a monolithic architecture. Both are often referred to as "cloud services", but it is good to be aware of the differences.
A public cloud service is often cheaper to operate and renews more frequently (without downtime), while a private cloud service can be adapted to a greater extent. The latter is based on on-premise solutions, which have so far been the most common delivery model for the most feature-rich and flexible solutions.
It should be said that as container technology has also become relevant for IAM platforms, this is expected to combine the benefits of the aforementioned cloud variants. What ultimately is the best choice for your company depends entirely on the requirements for functionality, the need for adaptation, as well as the preferred management model.
3. Secure login, identity management or both?
In order to be able to choose a suitable solution, one should be familiar with the different functional areas the solutions cover. For example, if you want to simplify and secure login to cloud services, then you are looking for a different basic functionality than that for handling ordering, authorization and revision of application access.
All suppliers in this industry have "Identity" in their product description. This can be confusing, as the term covers a large subject area and few of the solutions cover everything.
If it is desirable that the solution offers Single Sign-On, then you are probably looking for an IAM, IAMaaS or simply an AM solution. The A in these abbreviations stand for Access as in Access Management, ie. access control.
On the other hand, the A in the abbreviation IGA stands for «Administration» as in Identity Governance and Administration. An IGA solution does not offer functions such as Single Sign-On or multifactor authentication, but has its strengths in identity management, and especially Identity Governance. It may be confusing, but it’s important to be aware of, so that you know exactly what you are looking for.
4. Login with BankID, Vipps or Meta?
When customers, partners or suppliers are to log on to the company's services, this should be taken into account in the requirements specification. Through integration with external identity services such as BankID, Vipps and Meta, the login is simplified. Some identity services are also well suited for verifying the identity of new users.
Recently, we have seen a significant increase in the demand for such solutions in both B2C and B2B, but also for businesses themselves.
5. Automating manual processes
All IAM solutions offer automation, although to different extents. In their simplest form, they provide for the automatic creation and removal of user accounts. However, sometimes this may not be sufficient. Perhaps you want the access to be created on an employee's first day or 24 hours in advance, and not the same day the employee was registered in the HR system.
There are many other examples where automation saves time. For example, it may be appropriate to automate the license assignment in MS Office 365 or save licensing costs by removing access to applications for users who have not logged in within the last 180 days.
The need for logical operations and manipulation of identity attributes, such as name, position or username in associated applications, is another important area that is often overlooked. An IAM solution moves identity information between different systems and then sooner or later the need arises to adapt information along the way.
Support for automation varies greatly between IAM solutions. Some offer great freedom, some offer a "no-code" interface, meanwhile others are limited to built-in automation features.
6. Integrations
An IAM solution is integrated with a company's applications. Implementation and management are simplified if necessary integrations accompany the solution, but often they do not cover all the company's systems. Then it is important that the solution supports expansions with third parties or in-house developed integrations.
One piece of advice in this context is to prioritize which applications should be integrated, as it is rarely appropriate to connect to absolutely all applications. Here one should weigh the gain against the effort, and consider dropping applications that are only used by a few.
It is also important to be aware of the need for integration depth: Should the IAM platform only create user accounts, or should it also assign and reconcile rights in the associated application? The requirements specification should therefore at least include an overview of the company's relevant applications, preferably also the functionality expected of the integration.
7. Create an identity strategy
Identity projects may have quite different levels of ambition. Introducing Single Sign-On to a pair of cloud applications is a far simpler initiative than a program for introducing role-based access control, self-service application ordering and access audits. The initiatives can range from relatively simple to more demanding IT projects, some also with elements of organizational change projects.
The possibilities are many and therefore the best recommendation is to prepare an identity strategy in advance of the acquisition. The strategy is made based on the company's needs, framework conditions and priorities. It can also include an "Identity Roadmap" if there is a need to spread the Identity initiatives over time. The process helps the company to define a realistic level of ambition and thus the requirements for the IAM solution.
8. Access to professional consultants
An IAM product is a tool, and the success of an Identity initiative depends on the proper use of this tool. All IAM solutions must be adapted, both to the organization, processes and the company's other systems. It is as important that this work is done correctly, as that you choose the right tool for the job.
In many cases, an IAM solution will also have to be adapted, and probably also expanded during the platform's life cycle. Most companies' application portfolio is more or less in constant change, and organizational structures and work tasks change from time to time.
When choosing an IAM solution, one should therefore consider the availability of professional and product competence in various integrators in the market, since it is very likely that one will need it sooner or later. Whether or not it is desirable that this expertise is available locally, it can in principle be delivered from anywhere, and is governed by the company's preferences and guidelines.
Proof of Value: How much does your business save by investing in an IAM solution?
An IAM solution streamlines and secures the organization, but how big are the actual savings?With this is quantified, your company can decide whether an investment is appropriate and whether it should be prioritized.
