Identity Management solutions have evolved dramatically over the last 10 years, with numerous new entrants into the marketplace. The good news is that cost conscious and proprietary-wary companies have several mature and emerging choices available both via the Cloud and Open Source solutions. With these newer options, the question becomes a bit larger than just picking a platform; it also is a decision about operations, support, control, and security. The bad news is, when organizations invest to change and/or standardize IAM platforms, the size and cost of the effort will impose some level of lock in for the next 3-5 years.
These decisions should not be made lightly.
As competition increases in the Identity Management space there are, perhaps, too many vendors. Established IAM platforms such as Oracle, CA, and NetIQ find themselves surrounded by maturing solutions and a bevy of niche products. The question is, are the established players just dinosaurs watching the first mammals scurrying around, unaware that these niche entrants will unseat them as new IT realities unfold and organizations move to the Cloud? At this point, it’s too soon to know with any certainty. The exploding number of entrants in this market has been creating confusion among architects and buyers alike. In such a muddled market, executives are hard-pressed to sort out reality from vendor hype, and resort to product bake-offs: comparing products against long lists of features, requirements, and specifications.
As a result, IAM offerings are difficult to evaluate, expand in scope rapidly and, increasingly, fail to deliver business value on reasonable time lines and within budget. IT leaders must change their evaluation criteria to focus on well-defined use cases, producing measurable business value or significantly improving provisioning processes, otherwise IAM projects will fail to meet business objectives. An additional challenge is that there is a growing tendency to cobble together a patchwork of technologies that don’t work well together; leaving IT administrators with a set of automated reports to reconcile the differences between products. Needless to say, this is less than ideal.
5 Challenges to Selecting an Identity & Access Management Vendor
1. Magnitude of financial investment and the cost of making a wrong selection
2. Discomfort with vendors
3. Lack of consistency & consensus within the organization
- Internal business challenges/ Lack of consensus between business and IT
- Buy-in from organizational stakeholders (HR, CISO, CIO, Operations)
- Which requirements are top priority/most impactful?
4. State of commercial technology vs. emerging architectural trends (Cloud and Open Source)
5. Changing needs
- Regulatory/Compliance requirements
- Move to Cloud
- Growing scope of identities that need to be managed
So how can you do a better job picking the right IAM solution for your organization? Stay tuned for our next blog: A Better Process for IAM Vendor Evaluation.
Signup to receive our biweekly Identity Management & Cybersecurity newsletter.
Photo credit: IBM Research
3 thoughts on “Mastering Identity Management: Challenges in Selecting an IAM Solution”
Excellent article I must say! Identity management provides the tools for auditing and the privacy required by information security. Managing customer identities helps businesses to understand their customer base and provide personalized experience to audience thereby resulting in more profit.
This has an all to familiar ring to it. I have been helping Organisations select the right Vendor for their environment for many years now and it is not an easy task. Most Companies do not have a clear vision of where they want to take their expensive IAM solution after the first phase. As we all know, these projects are not a big bang solution, you need to understand the various stations along your journey and what they have to offer (it is so important to get the stakeholders to buy a ticket to the end of the line so they get back on the train to enjoy what the next station has to offer). However, knowing what each point of interest has for the stakeholder is the fruit of good consultancy. I have come across so many Companies which have endured the initial pain of Vendor Selection of tight scoped blinkered first phase only to end up with provisioning 1 account (most likely AD) and then stagnating as they did not have a well defined plan to take them forward. IAM and in particular Provisioning is no longer an automated administration tool but a significant part of anyone’s Cyber Security solution. You should be able to go into the dashboard of a Provisioning Solution, put in an Identity and see what they access to across the estate (in seconds) and this information should tie in with any SIEM products being used. I hope your series will cover the need for a 5 year plan for those embarking on this journey or just simply trying to rekindle their investment in IAM.
Regards Jeff Davis, CISSP
Jeff, having a IAM Roadmap/Plan is a key component of developing and delivering a successful IAM implementation. It’s not possible to understand the dependencies between workstreams, the downstream trade-offs between projects, or ‘what it will take’ to actually build capabilities for provisioning, access, security, and workflows/processes. I’m glad that you enjoyed our post and hope you continue to contribute your thoughts on our blogs. -Hanno