9 top identity and access management tools

Identity and access management (IAM) has long been a key proving ground of security leaders’ careers, with many a make-or-break decision made over identity technology deployments. Assuring secure access and managing identities is at the very foundation of cybersecurity postures. At the same time, the ways people, applications and systems log in and integrate with one another are also visible touchpoints for the business stakeholders. Security pros walk a tightrope of usability and security.

Weak IAM controls and authentication mechanisms put the company at risk of attack, account compromise, and limited security visibility. At the same time, strict ones disrupt the flow of business.

How IAM tools have changed

The good news/bad news scenario for organizations shopping around for IAM technology is that the space has grown significantly more nuanced and capable, especially over the last half-decade. The tools have made it much easier to manage identity in hybrid and multi-cloud environments, get a handle on privileged accounts, gain greater visibility into login patterns, authenticate based on risk factors and automate provisioning and other user lifecycle elements.

“We’ve seen compelling market segmentation among IAM solutions. Whether solutions can streamline user experience via AI, integrate with cloud service providers for improved workload management, or offer better insights into IAM operations via advanced analytics, there are just so many more functionalities available today than ever before for organizations to leverage to build strong programs,” says Naresh Persaud, a managing director in Cyber Identity Services, Deloitte Risk and Financial Advisory.

At the same time, as the market has seen an explosion in new capabilities, it’s created a dizzying number of submarkets, with features that are sometimes standalone products and sometimes part of a broader platform. The latter becomes increasingly more likely as vendors rapidly converge within this space, creating a high degree of cross-pollination of submarkets and crossover functionality. In short, there are tons of options that can lead to IAM analysis paralysis.

“Many product companies focus entirely on identity governance and administration (IGA), while others focus on privileged access management (PAM), both of which are two critical elements of an effective Identity program. Authentication is probably the area with the greatest distribution of products, with many players in the industry providing multi-factor authentication (MFA) technologies,” explains JR Cunningham, CSO at managed service provider Nuspire. “It’s important for an organization to define their current capabilities and requirements to ensure they choose the products that meet their needs.”

Building an identity program

Cunningham explains that building an identity program and choosing a platform is a series of platform decisions, one that generally sees greatest success if an organization takes them in the right order. Organizations that don’t have strong basic authentication capabilities—such as multi-factor authentication (MFA) and single sign-on (SSO) capabilities—will struggle with PAM, for example.

“Likewise, an organization that doesn’t have those two components, as well as good employee identity management processes defined, is not going to get the full value from an Identity Governance and Administration platform,” says Cunningham. “Successful organizations go ‘in order:’ Authentication, PAM/PIM, IGA.”

As organizations evaluate authentication technologies, Persaud also recommends considering the issue of scaling deployments across an organization’s application portfolio, lines of business and user bases. “One of the biggest challenges when deploying an IAM platform is doing so at scale. While IAM tools can absolutely provide more value when integrated and connected to more applications, such value is tough to achieve unless the organization takes a predictable, repeatable approach to scale operations,” he says. “In particular, it helps when they use a service-oriented operating model to scale IAM platform use so that application owners, stakeholders and line of business leaders are all supported as they work to scale IAM use and realize its value.”

What are the top IAM tools?

The following vendors are some of the top contenders from across the identity maturity range for CISOs to evaluate as they take their IAM game to the next level.

Avatier

With a long history in the IT service management (ITSM) and help-desk world, Avatier leans on its strong roots in automated user provisioning and password management to deliver its IGA platform. Of late, the company has invested heavily in modernization efforts that have built out its Identity Anywhere platform as a containerized solution that can be cloud-hosted or non-hosted. Its most recent update added passwordless SSO support and a universal user experience across mobile, cloud, and collaboration platforms that include Slack, Teams and ServiceNow. It supports connectors to more than 90 enterprise and 5,000 cloud applications and platforms, as well as a generic low code/no code connector for customized integrations. This is a platform that often flies under the analyst radars, billing itself as a more affordable solution to the market leaders in matrices like Forrester Wave or Gartner’s Magic Quadrant.  

BeyondTrust

A mainstay in the PAM niche, BeyondTrust has continued to bolster its capabilities for managing privileged accounts, cloud entitlements, and IT secrets with added functionality via strong M&A action and internal innovation. In addition to PAM, the company’s platform provides central management for remote access, endpoint privilege management across Windows and Mac, as well as Unix and Linux via its Active Directory Bridge Technology.

It’s also now a player in the cloud infrastructure entitlement management (CIEM) field—a natural offshoot of PAM—through its newer Cloud Privilege Broker technology, which manages entitlements across multi-cloud environments. This is a vendor with a strong tie to the compliance and audit world and one of its differentiators is in its reporting and visualization capabilities, according to Gartner analysts; customers can layer in advanced analytics via the company’s BeyondInsight analytics package. One place where the analysts do caution customers is in the company’s weakness in integrations, both externally and even within some of its overlapping product functionality.

CyberArk

The largest PAM vendor by revenue according to Forrester Research, CyberArk marries PAM with identity-as-a-service (IDaaS) delivery. It bolstered its SaaS street cred in 2020 with the acquisition of Idaptive, which led to the rollout of workforce SSO and endpoint MFA, customer identity management features, passwordless options and self-service capabilities for account management. Gartner analysts note that pricing can be well above average for some workforce use cases. It has strong analytics capabilities to feed into more mature security metrics programs. It also offers risk-based authentication (RBA) that administrators can fine-tune for high-medium-low risk tolerances.

CyberArk also provides mature CIEM functionality, including risk scoring of permissions exposure, via its Cloud Entitlements Manager, suited for large-scale and multi-cloud environments. On the IDaaS front, Forrester says CyberArk is a serious contender for those that want to “apply a risk-based approach to IDaaS” and sync that up with the privileged identity management capabilities. On the other hand, its analysts warn that ‘performance can be an issue,’ citing recent service degradation events and the “lack of a proven track record for product scalability.”

ForgeRock

A poster child for the value of converged identity products, ForgeRock brings together access management for workforce, customers, and IoT device identities in a product set that can be bundled or decoupled via its identity platform as a service (IDPaaS) delivery model. The platform includes strong identity governance components for those seeking IGA capabilities such as identity lifecycle management. It’s a particular favorite among the forward-thinking developer and DevOps crowd not only for its cloud-first mentality but also its strong REST API framework, developer tools, community and API access control. Gartner analysts lately dinged Forgerock for its below-average analytics capabilities compared to the rest of the access management crowd, largely due to its inability so far to serve up the User and Entity Behavior Analytics (UEBA) capabilities that have been promised on its roadmap since 2020.

Microsoft Azure Active Directory

According to Forrester analysts, Microsoft is quickly coming into its own in the IAM contender list with its Microsoft Azure Active Directory product, which sports the largest IDaaS install base at over 300,000 paying customers. Gartner chalks up Azure AD’s rapid growth on this front to its bundling with Microsoft 365 and Microsoft Enterprise Mobility and Security (EMS) in 2020, which it says doubled the product’s install base. Its bread and butter is in workforce IAM, most obviously within Microsoft-dominant IT environments. It’s also rapidly coming up to speed with PAM and IGA capabilities through internal innovation—both of which the company rolled out late last year and CIEM capabilities that they picked up through the acquisition of CloudKnox Security that summer. One weak spot that Gartner analysts note is in customer IAM, for which it says Azure AD’s capabilities still lag the other leaders in the access management crop.

Okta

Despite the recent black eye suffered by Okta in its public data breach disclosed last month, the company remains one of the gold-plated Cadillac options in the IAM world. Okta has been a cloud-centric company since its founding in 2009—back when cloud deployments were still edge cases at many enterprises. Its SaaS platform provides a full range of bundled or standalone features that work across hybrid and complex multi-cloud environments, including SSO, MFA, API access management, lifecycle and user management, and identity automation and workflow orchestration. It has one of the most robust API and connector ecosystems on the market, and its acquisition of Auth0 last year put it firmly on the map in the customer IAM space. It also crossed over into the PAM world with its release of Okta Privileged Access last year. Customers pay dearly for all that market-leading innovation, with Gartner noting that its clients “consistently mentioned the high cost of Okta’s solution.”

One Identity

Before it acquired OneLogin last year, One Identity was a PAM and IGA vendor with a rich feature set of enterprise-friendly functions but a heavy rooting in the on-premises IAM world.

Meantime, OneLogin was one of the leading lightweight, pure-play IDaaS choices for price-sensitive small- to mid-size organizations that didn’t require a lot of administrative or governance functionality.

According to a Forrester take on the deal, bringing OneLogin into the fold gives One Identity the chance to jump into the IDaaS fray and differentiate itself from vendors that don’t have native PAM or IGA capabilities. They say the combo will most closely resemble what CyberArk did with its Idaptive acquisition. It’s still early days of the marriage, though, so it remains to be seen how well the company can integrate OneLogin technology and cross pollinate each side’s feature strengths, nor is it clear what the merger will mean for OneLogin pricing and focus on smaller organizations.

Ping Identity

Aimed squarely at enterprises with complex hybrid environments, Ping Identity straddles the world between SaaS and on-premises IAM with the combination of Ping One (IdaaS platform) and PingFederate (federated SSO). On top of standard workforce and customer IAM features like SSO, MFA, and cloud identity capabilities, PingOne recently layered in decentralized identity features through a spate of acquisitions over the last two years. Ping has also most recently developed a low-code flow designer and strengthened RBA, as well as more robust analytics including API visibility and intelligence. It isn’t a complete IAM one-stop platform—as Gartner explains, Ping is light on identity administration features, making it less useful for smaller organizations or those seeking embedded IGA or PAM capabilities.

SailPoint

A powerhouse of the IGA market, SailPoint is purpose-built for distributed enterprises with complex environments that need sophisticated automation and integration capabilities to help take identity program maturity to the next level with improved provisioning, analytics, and risk-based governance of identity portfolios. Forrester says the SailPoint platform performs best in user lifecycle management, compliance management, strong integration with applications and support for IAM systems. It’s pushed to build out its SaaS offering to keep aligned with shifting customer needs, and its customer ratings are high—it was voted as one of the top IGA vendors in the Gartner Peer Insights Customers’ Choice 2021 ratings.