Identity & Access Management (IAM) Product Evaluation and Dilemma


Selecting an IAM product has always caused confusion for organisations globally. This is because many organizations fail to realize what they need in an IAM product and whom to reach out to for the right insight.

The standard approach for many organizations is to involve their IT team to go through white papers, reach out to top product companies or get information from the web/public domains, and then finally form an opinion on choosing their product. Based on my varied industry experience, this approach has caused many implementation issues, and hence I am sharing my observations here for a better evaluation.

To narrow down the need, let us quiz ourselves:

• Is IAM understood as a product, project & process in your organization?
  ✓ Why is it important to know - IAM implementation is a complex process involving extensive due diligence to gather the relevant requirements.

• Who are the stakeholders (internal/external)?
  ✓ How does that matter - Whether you have existing expertise to handle the requirements created; if so, are they adaptable enough to changing environments.

• What is the budget & how are we going about it?
  ✓ How important is the budget - Fixing the right budget, one that is flexible enough to accommodate the right product, so that there is no compromise on function and quality.

Once that is clear, there is obviously a go-ahead for implementation.

Based on 13 plus years of learning & experience in the IAM domain, I thought of sharing some key points that will help organizations to evaluate and select an IAM product.

To start with, we need to understand that IAM products are available as licensed and open source. In addition, IAM solutions are categorized into on-premises and SaaS (IDaaS) IAM.

The parameters that help an organization in Product Evaluation are as follows:

  

Clarity on requirement gathering 
IAM requirement gathering covers both technical and functional requirements. This includes understanding what type of applications need to be integrated (whether they are standard, customized or legacy applications), the number of applications and the number of end users that are going to use it. These will clarify whether to go for an on-premises or SaaS implementation.

Scalability
Whether a start-up or a big business house, every entity will have an expansion plan. So, the IAM solution should be capable of accommodating an increase in users and the addition of new applications.

Connectivity
Most IAM products can connect with primary and critical applications such as SAP HR, Workday, Active Directory, ticketing systems, etc.; however, there is a need to evaluate whether this can be done seamlessly.

Database licensing
Most IAM products rely on a third-party database, such as Oracle Database, to store PII. Many times the database license cost is not discussed, so getting clarity on this is very important: organizations can end up with lifetime-free IAM licensing only to find that the database licensing costs a fortune.

Available IAM features
IAM products have various sets of features. Evaluators should validate whether these features match their requirements, what each comprises and how the features are bundled as a package. Also, validate whether there are any hidden costs.

ROI & Total cost of ownership
This is critical and needs to be approached sensibly, with the pointers below:
  • Is there an immediate need for an IAM product?
  • Whether to opt for an open source or licensed IAM
  • Whether to opt for IDaaS or on-premises IAM implementation
  • Whether to opt for implementation with an IAM product company or an IT service company
  • Maintenance and support costs

Customisation & its Support
Every organization will look for customisation capability in IAM so that it can meet 100 percent of its requirements. IAM functions best with less customization, considering its limitations, and therefore getting any support for customization is a challenge.

Choice of product
The choice of product should be based on the need, and the budget should be flexible enough to accommodate it, as the ROI is huge. In short, choose an IAM product because it meets your requirements, not because it is economical.

Compliance requirements
It is incumbent on evaluators to involve the Information Security audit team in the evaluation process, as they will be verifying the products against compliance standards.

Use Cases
Use cases help to analyse and evaluate the promised IAM product features and confirm the product's capabilities.

User experience
A good user experience provided by the IAM product will help make the implementation and usage of the IAM solution effective.

The above recommendations are based on my experience in working with IAM. Organizations planning to implement or upgrade their current IAM environment can benefit from these insights and work towards a more efficient IAM implementation journey.












