The days of perimeter security acting as the core of cybersecurity defenses are long gone. No organization would be caught without firewalls and antivirus scanners to catch low-sophistication attacks, but the real battle to protect the network has moved to the realm of identity and access management (IAM).
Perimeter security has lost importance because organizations no longer have much of a hardware perimeter. Most have moved to the cloud and are rapidly adding apps and services as needed to support their employees and customers in the new world of always on, always available connectivity. While this situation has made most organizations more agile and efficient, it has also exposed them to considerable risk.
Without tight IAM controls, it’s easy to lose track of the thousands of identities operating within a modern company’s network. Each user can have multiple identities, and non-human entities like apps and programs also hold various identities and permissions. According to one study, most organizations oversee an average of 40,000 permissions spread out across the four major cloud platforms: Amazon Web Services, Google Cloud Platform (GCP), Microsoft Azure and VMware. Many of those accounts are over-permissioned, requiring only about 10% of the permissions they currently hold. Other identities may not be in use at all because they belong to employees who have left the organization or applications that are no longer used.
Attackers have taken notice, with most advanced attacks now actively trying to compromise unused or over-permissioned accounts to circumvent security. In fact, Verizon’s 2020 Data Breach Investigations Report found that more than 80% of hacking-related breaches that year involved the use of lost or stolen credentials. Many of the most recent high-profile breaches, like the SolarWinds attack, used compromised identities and elevated privileges to bypass cybersecurity defenses.
How IAM tools work
IAM tools identify and authenticate users, applications and devices, then grant them the appropriate authorities and permissions. They form the backbone of modern cybersecurity, especially in the cloud. Advanced IAM tools analyze the privileges used to provision or orchestrate cloud-based and network-based capabilities. They also establish and enforce policies and procedures for user groups, covering roles, responsibilities, and the details of their access attempts.
In fact, IAM is the key to zero-trust networking, where users and devices are not trusted by default. Zero trust can’t function without solid identity and access management. Identity has become a new kind of perimeter security, because no matter where an asset exists, accessing it requires an identity with the correct permissions. Locking that down with solid IAM tools can keep assets safe regardless of how many clouds make up an organization’s network or how many identities it manages.
The IAM field is changing rapidly. Companies want to implement IAM but are looking for solutions that are compatible with their existing assets, including legacy systems alongside modern cloud deployments. They also want all the IAM features in one place, able to be managed from a so-called single pane of glass.
This has led to lots of consolidation in the market, with Okta buying Auth0 and SailPoint purchasing ERP Maestro. So, either by further developing their platforms or acquiring features from former competitors, most IAM packages offer more robust features today than they did just a few years ago.
The following are some of the top companies working in the IAM field, the special features of their IAM tools and platforms, and why organizations rely on them to protect their sprawling, cloud-based networks and the massive number of identities and permissions those networks require.
8 top IAM tools
- CloudKnox Permissions Management Platform
- CyberArk
- ForgeRock
- Microsoft Azure Active Directory
- Okta
- OneLogin Trusted Experience Platform
- Ping Identity Intelligent Identity Platform
- SailPoint
CloudKnox Permissions Management Platform
The CloudKnox Permissions Management Platform was built to manage identities within clouds. At the core of the platform is the Activity-based Authorization engine that uses machine learning to collect and analyze the activity of both users and non-human entities in real time across all cloud platforms.
In addition to looking for anomalous activity that might indicate a threat or compromise, all that data is also fed into the platform’s Privilege Creep Index. The index collects information about identities across an entire enterprise and scores them based on how many permissions they have versus how many they need to perform their jobs or functions. This makes it easy to identify risky identities and take action to trim their permissions before they can be exploited.
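The over-permissioning problem described at the top of the article (identities holding far more permissions than they use, or no longer used at all) and the scoring idea behind a privilege-creep index can be illustrated with a small review script. The following is an added example, not CloudKnox's code or algorithm: it compares the permissions granted to each identity against the permissions actually exercised in a review window and ranks the identities a reviewer should look at first. The identities, permission names and activity records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: permissions granted to each identity, human and non-human.
GRANTED = {
    "alice": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
              "iam:PassRole", "ec2:TerminateInstances"},
    "ci-deployer": {"s3:PutObject", "lambda:UpdateFunctionCode", "iam:CreateUser"},
    "bob-contractor": {"s3:GetObject", "ec2:DescribeInstances"},
}

# Constructed activity records: (ISO timestamp, identity, permission exercised).
ACTIVITY = [
    ("2024-03-01T09:00:00", "alice", "s3:GetObject"),
    ("2024-03-02T10:15:00", "alice", "s3:PutObject"),
    ("2024-03-03T11:30:00", "ci-deployer", "s3:PutObject"),
    ("2024-03-03T11:31:00", "ci-deployer", "lambda:UpdateFunctionCode"),
    ("2023-11-20T08:00:00", "bob-contractor", "s3:GetObject"),  # older than the window
]


def privilege_creep_report(granted, activity, now, window_days=90):
    """Score each identity by the share of its granted permissions it did not use
    within the review window. 0.0 means every permission was exercised; 1.0 means
    none were, i.e. the identity is effectively inactive."""
    now_dt = datetime.fromisoformat(now)
    cutoff = now_dt - timedelta(days=window_days)
    used = defaultdict(set)
    for ts, identity, perm in activity:
        if datetime.fromisoformat(ts) >= cutoff:
            used[identity].add(perm)

    report = {}
    for identity, perms in granted.items():
        exercised = used[identity] & perms
        unused = perms - exercised
        report[identity] = {
            "granted": len(perms),
            "used": len(exercised),
            "unused": sorted(unused),
            "creep_index": round(len(unused) / len(perms), 2) if perms else 0.0,
            "inactive": not exercised,
        }
    return report


def riskiest(report, top_n=3):
    """Identities ordered for review: inactive ones first, then by creep index."""
    ranked = sorted(report.items(),
                    key=lambda kv: (kv[1]["inactive"], kv[1]["creep_index"]),
                    reverse=True)
    return [name for name, _ in ranked[:top_n]]


if __name__ == "__main__":
    rep = privilege_creep_report(GRANTED, ACTIVITY, "2024-03-15T00:00:00")
    for name in riskiest(rep):
        r = rep[name]
        print(f"{name}: creep={r['creep_index']} inactive={r['inactive']} unused={r['unused']}")
```

The "unused" list is the set a reviewer would trim; an identity flagged inactive with a full creep index is the departed-employee or abandoned-application case, where the right action is usually to disable the identity rather than prune it.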
CyberArk
CyberArk has quickly become a leader in the IAM field. It breaks down the identity management and access management sides of IAM into multiple offerings so that customers can deploy exactly what kind of IAM they need without having to install and maintain anything that is not useful for their organization. For example, identity and privilege management is offered through Privileged Access Manager, Vendor Access Manager, Cloud Entitlements Manager and the Endpoint Privilege Manager products. Access control is offered through the Workforce Identity Platform to manage internal employees and the Customer Identity Platform for organizations with external users or those running something like an ecommerce site.
In addition to tailored IAM platforms for production environments, CyberArk also brings that protection to DevSecOps. Tools like Conjur Secrets Manager Enterprise, Conjur Secrets Manager Open Source and Credential Providers enable organizations to control how identities will access applications and company databases while the code is still being written. That way, by the time applications are released into a production environment, they are already protected from exploitation through IAM vulnerabilities.
ForgeRock
While ForgeRock offers traditional IAM deployments, it was also one of the first companies to provide full identity management as a service through its Identity Cloud Platform. The service works in any hybrid or cloud environment. While the platform is designed to work in the cloud, ForgeRock also makes it easy to extend the same protection to physical assets, or to assets that exist in many different places. The platform can be used to protect assets like internet of things (IoT) devices, APIs and other services.
The platform can also check for compliance issues within various industries: identities are not only fully secured but also checked to ensure regulatory compliance. It offers additional security options for users through a single sign-on program or by adding multifactor authentication.
Microsoft Azure Active Directory
A core of Microsoft’s offering in the IAM field is Azure Active Directory (Azure AD), which works in the cloud and can be extended to physical devices. It’s also designed to be deployed across an entire data center if necessary. According to Microsoft, more than 200,000 customers are using Azure AD to protect 425 million users. The platform processes an average of 30 billion authentications every day, making it one of the largest in the world. Microsoft has created many templates of popular use cases for the tool so that most organizations can drag and drop an existing IAM configuration into place and be ready to go with only minor customizations.
Azure AD automates workflows and can provide authenticated users access to the data and applications they use from anywhere in the world, regardless of what device they are using. It also supports single sign-on (SSO), conditional access and just-in-time access as the basis for zero-trust networking.
Okta
Okta recently purchased its key rival in the IAM space, Auth0, for a reported $6.5 billion, so it’s safe to say that they are serious about improving their platform. Okta divides up its IAM tools into a lot of different offerings that can come together under a single platform customized to customer needs. Individual products include Single Sign-On, Authentication, User Management, B2B Integration, Advanced Server Access, API Access Management, Universal Directory and Lifecycle Management.
The Okta IAM platform is known as one of the best at taming the identities of companies acquired through mergers and acquisitions. When one company buys out another, they inherit all the over-permissions, inactive users, and legacy IAM tools of the other organization. The Okta tools can consolidate and centralize directories, automate IT processes, and quickly secure identities at recently acquired companies so that no critical vulnerabilities tag along as part of the sale.
OneLogin Trusted Experience Platform
The Trusted Experience Platform from OneLogin is designed to provide IAM to companies or organizations as inexpensively as possible. Even though they are self-billed as the budget option within IAM, the tools they offer, including the ability to manage internal, partner, and customer identities, have been tested and proven in evaluations by third-party research firms like Gartner.
One key to the success of the platform is that its functionality is separated so that customers can add whatever components of IAM they need, in exactly the numbers they require, using à la carte pricing. This makes IAM accessible to, for example, small firms with just a few employees that need to protect their data internally. They can then grow over time as they add new employees, customers, technology, and partners.
Ping Identity Intelligent Identity Platform
The Ping Intelligent Identity Platform is designed to move organizations toward a more secure environment all the way up to true zero-trust networking. The platform consists of a bundle of both generalized tools like SSO or multifactor authentication (MFA) as well as highly specialized ones that perform tasks like improving the security of the Zoom, Slack, and Concur platforms.
One of the most innovative aspects of the Ping Identity Platform is Ping Zero, which is designed to help eliminate most passwords from an organization without compromising security. Ping Zero can evaluate risk policies, biometrics, device settings, and other factors to determine if a user is who they claim to be, whether they are an internal employee, a partner or a potential customer. Based on the generated risk score and what the user is attempting to do, they can be challenged to further prove their identity, allowed access, or even kicked out if Ping Zero determines that they are invalid.
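The three outcomes described above (allow, challenge for further proof, or refuse) are what a risk-based access policy produces from the signals collected at login. The following added example, which is not Ping Identity's code and does not reproduce how Ping Zero computes its score, shows a minimal policy engine of that shape: it combines a few constructed signals (device familiarity, location, recent failures, sensitivity of the requested action) into a score and maps the score to a decision. The weights and thresholds are hypothetical values chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class AccessContext:
    """Signals gathered for one access attempt (all values are constructed samples)."""
    user: str
    known_device: bool              # device previously enrolled by this user
    ip_country: str                 # country of the request's source address
    home_country: str               # country the user normally works from
    failed_attempts_last_hour: int  # recent failed attempts for this user
    action_sensitivity: str         # "low", "medium" or "high"
    mfa_passed: bool = False        # strong second factor already satisfied this session


# Hypothetical weights; a real deployment would tune these from observed data.
SENSITIVITY_WEIGHT = {"low": 0, "medium": 10, "high": 20}
UNKNOWN_DEVICE = 30
FOREIGN_COUNTRY = 25
PER_FAILED_ATTEMPT = 10
MAX_COUNTED_FAILURES = 5


def risk_score(ctx: AccessContext) -> int:
    """Additive risk score: each unfamiliar or suspicious signal raises it."""
    score = 0
    if not ctx.known_device:
        score += UNKNOWN_DEVICE
    if ctx.ip_country != ctx.home_country:
        score += FOREIGN_COUNTRY
    score += min(ctx.failed_attempts_last_hour, MAX_COUNTED_FAILURES) * PER_FAILED_ATTEMPT
    score += SENSITIVITY_WEIGHT[ctx.action_sensitivity]
    return score


def decide(ctx: AccessContext, challenge_at: int = 30, deny_at: int = 80):
    """Return (decision, score): allow silently, demand step-up, or refuse outright.
    A satisfied second factor clears a 'challenge' but never overrides a 'deny'."""
    score = risk_score(ctx)
    if score >= deny_at:
        return "deny", score
    if score >= challenge_at and not ctx.mfa_passed:
        return "challenge", score
    return "allow", score


if __name__ == "__main__":
    samples = [
        AccessContext("employee", True, "US", "US", 0, "low"),
        AccessContext("partner", False, "DE", "US", 0, "medium"),
        AccessContext("partner", False, "DE", "US", 0, "medium", mfa_passed=True),
        AccessContext("unknown", False, "DE", "US", 3, "high"),
    ]
    for ctx in samples:
        print(ctx.user, decide(ctx))
```

Keeping the decision in a separate function from the score is deliberate: the thresholds are a policy choice that security teams revisit, while the scoring inputs change only when a new signal becomes available.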
SailPoint
SailPoint takes a business- and enterprise-centric approach to all its IAM offerings. Programs like its SailPoint Predictive Identity Platform combine tools such as access management, identity governance, SSO and privileged access management (PAM) under a single umbrella. Another part of its IAM offering includes making sure that access management policies for its business customers also comply with relevant regulatory statutes like the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR).
As a major differentiator from many of its competitors, SailPoint also applies IAM to advanced business needs such as segregation of duties (SoD) requirements. Many businesses require more than one person to approve changes to certain programs, like those involved with enterprise resource planning or financial platforms. Many IAM platforms don’t consider this. SailPoint’s solution checks every access request to critical systems for SoD violations. In fact, SailPoint recently acquired ERP Maestro to further its capabilities in this area.
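An SoD check of the kind described above is, at its core, a test of whether a user's entitlements after a proposed grant would contain a "toxic combination" defined by policy. The following added example is not SailPoint's code; it models roles, the entitlements they carry and a couple of constructed SoD rules for a hypothetical ERP system, then evaluates access requests against them and audits existing assignments for combinations that already violate policy (the situation a company inherits in an acquisition). All role names, entitlement names and users are constructed.

```python
# Constructed role model for a hypothetical ERP system.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:create_vendor", "erp:enter_invoice"},
    "ap_manager": {"erp:approve_payment"},
    "gl_accountant": {"erp:post_journal"},
    "auditor": {"erp:view_ledger"},
}

# Constructed SoD rules: each set of entitlements must never be held by one person.
SOD_RULES = [
    ({"erp:create_vendor", "erp:approve_payment"}, "vendor creation with payment approval"),
    ({"erp:enter_invoice", "erp:approve_payment"}, "invoice entry with payment approval"),
]

# Constructed current role assignments; "erin" already holds a toxic combination.
ASSIGNMENTS = {
    "carol": {"ap_clerk"},
    "dave": {"ap_manager"},
    "erin": {"ap_clerk", "ap_manager"},
}


def effective_entitlements(roles):
    """Union of the entitlements carried by a set of roles."""
    ents = set()
    for role in roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def sod_violations(entitlements):
    """Descriptions of every SoD rule fully contained in the given entitlements."""
    return [desc for toxic, desc in SOD_RULES if toxic <= entitlements]


def evaluate_request(user, requested_role, assignments=ASSIGNMENTS):
    """Approve a role request only if the user's combined entitlements
    after the grant break no SoD rule; otherwise reject with the reasons."""
    current = assignments.get(user, set())
    proposed = effective_entitlements(current | {requested_role})
    violations = sod_violations(proposed)
    return ("reject" if violations else "approve", violations)


def audit_existing(assignments=ASSIGNMENTS):
    """Users who already hold a toxic combination, mapped to the rules they break."""
    findings = {}
    for user, roles in assignments.items():
        violations = sod_violations(effective_entitlements(roles))
        if violations:
            findings[user] = violations
    return findings


if __name__ == "__main__":
    print(evaluate_request("carol", "ap_manager"))
    print(evaluate_request("dave", "gl_accountant"))
    print(audit_existing())
```

Evaluating the request on the proposed entitlement set, rather than on the requested role alone, is what catches the case where each role is harmless in isolation but their combination is not; the audit function applies the same check to what is already assigned, which is where inherited violations surface.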