If you are reading this article, it is because you are wondering about reconciling your users and their accounts.
The problem is simple: on one side, we have the users (natural persons, permanent or fixed-term employees, contractors, temporary staff, etc.) and on the other, an astronomical number of accounts on the company's various applications.
These two lists are very difficult to "reconcile" because they are updated daily.
One solution is to use Excel to identify users and their accounts to check that everything is consistent, but if you try to do it regularly, you quickly realize that the task is tedious, very time-consuming and that you are constantly behind on the actual status of authorizations.
User management is a relatively recent problem for IT departments, which until now have been organized around account management.
When we talk about user management, here are the issues:
- User identification
- User authentication
- Access rights or authorizations
- The use and allocation of licenses
- Activating and deactivating access accounts
We then turn to solutions such as implementing an SSO (Single Sign-On) system such as Okta or Azure AD, in order to reduce the risks associated with multiple, poorly secured passwords and to improve the user experience.
All these tools help strengthen your security, your employer brand and how employees feel, but they will not help you synchronize HR and IT information in order to know who has left, who has changed jobs, or which authorizations each person needs.

Initially, you will certainly be tempted to try to develop an internal tool or even scripts to address this problem of user and account management, but you will face classic difficulties:
- Skills are required to define the specifications and design an IAM tool.
- Development resources are required to code such a tool.
- It is difficult to maintain this type of in-house development because new applications are implemented regularly, so the connections with these applications must be updated.
- Unless you invest a huge amount of energy and man-hours, it is very difficult to obtain new functionalities on an internally developed tool, which will therefore be quite static and probably eventually abandoned by users.
If you choose to turn to identity and access management solutions on the market, there is a pitfall to be aware of: most of these solutions are extremely complex to handle, requiring expert consultants for implementation and administration. But first of all, if you are not familiar with the IAM concept, please read this article.
1. A “SaaS” or “On-premise” tool?

When choosing IAM software, you will have to decide between two types of solutions: 'SaaS', which is a hosted mode, 100% maintained by the vendor with a monthly or annual subscription, or 'On-premise' mode, which requires the use of part of your server infrastructure to operate.
SaaS
With a SaaS solution, i.e. one hosted by the publisher, you don't have to manage the hosting or all the security and maintenance that goes with it. This avoids adding yet another piece of software to deploy on your infrastructure. So ask the provider what measures are taken to secure its platform, and whether it complies with the GDPR. Generally speaking, as the provider specializes in this type of hosting, it will have put in place a number of measures to ensure maximum security, such as strong two-factor authentication (2FA), the implementation of a web application firewall (WAF), etc.
Another major point of a SaaS IAM solution is the maintenance of the solution. This will always be up to date without any action on your part. The solution publisher will make improvements, strengthen security and apply all this to all its customers' instances without impacting your business.
A SaaS solution also requires less human investment to maintain and manage it.
The SaaS solution has the great advantage of not having to be installed: it is generally operational in a few minutes.
Finally, even if you choose a "SaaS" solution, you can connect it to your legacy "on-premise" software (Active Directory, Microsoft Exchange, proprietary CRM, etc.) because some platforms like Youzer allow interconnections between SaaS and On-Premise.
On-premise
If you choose "on-premise" software, you host the software yourself within your infrastructure. However, the implementation is much longer: it is necessary to have a list of prerequisites for the infrastructure to be prepared (number of servers, CPU, RAM, disk space, etc.), and to acquire this infrastructure.
The integration of proprietary on-premise software is also often an argument for moving to an on-premise solution.
On-premise software can address a problem of confidentiality and trust for companies that are sometimes reluctant to outsource certain data to a third-party company. However, today, new laws such as the GDPR or security certifications make it possible to be confident about the use of SaaS solutions.
Key takeaway ▶
SaaS offerings that were not mature a few years ago are now much more attractive than traditional software. The TCO (Total Cost of Ownership) is more attractive in SaaS mode than in "on-premise" mode, and this becomes more evident as the technologies and functionalities of the various software products evolve ever more rapidly.

2. Implementation
This is one of the main advantages of a SaaS IAM solution: the implementation is done remotely, the publisher's teams guide you through the steps of the initial configurations. It is also possible to start in complete autonomy if the IAM software allows it. In a few minutes, your instance is created on the platform and you can start managing your users and their entitlements.
On the other hand, if you choose an on-premise solution, you are generally supported by a team of consultants who intervene for the implementation of the software on your site. The configuration is lengthy, and the overall familiarization can take several months.
Key takeaway ▶
Setting up an IAM solution in SaaS mode is very quick and responsiveness is key, unlike IAM software that has to be installed on-site. Setting up a POC is generally easier in SaaS.
3. Support on the solution
Support for the solution is a very important step. Whether the solution is SaaS or on-premise, there will always be a learning and adaptation period that varies in length.
You need to learn how to install and configure the first connectors (which will interact with the company's various applications to import and manage entitlements), how to configure the solution for your company, and how to understand the main features.
Upstream, it will be very important to identify the people who will be the main users / administrators of this solution. For example, you will need to involve people from IT as well as the HR department so that the IAM solution is adopted and used by everyone. If you want managers to use it (which is a success factor for the IAM project), you should also consider inviting someone who will be in charge of training the managers. This could be someone from HR, IT, or a manager referent within your company.
Support for getting started with IAM is not always included in the pricing. Many providers offer support and training as an add-on. It will also be important at this point to ask how this training is conducted. Does it take place all at once or in several sessions? It may be beneficial to have support in several small sequences to properly assimilate the product. Indeed, we have all noticed that a lot of information is difficult to retain at once. Support over a month allows you to use the solution and have regular check-ins to understand elements that seemed logical but that you can't seem to replicate.
Key takeaway ▶
Always opt for guidance when taking your first steps with your IAM solution. Clearly define the main initial users so they can familiarize themselves with it and receive support.
4. Ease of use
It is really very important that the first impression that the IAM solution leaves on you during a demo is simplicity and accessibility for all. Indeed, this tool must be used by IT teams but also by HR and managers. Ask yourself if all these players are ready to join the project. Imagine that an IT person does a demo but even they say to themselves, 'I'm lost'... How can you promote this tool internally? Of course, everyone will not have the same use of the platform; IT will be in a more technical part of the tool, HR in a workflow process, and managers in a team management approach.
It will be tempting for some IT experts to want to configure the solution in a very technical way. Remember, however, that this product should save you time, that it should be intuitive and easy to use (a bit like the 'no-code' tools that are starting to become fashionable). It is therefore really important that it is visually and interactively simple and pleasant, otherwise you will not get buy-in to the project. Multiple menus, a technical interface and a raw look will put off a good number of users and the solution may quickly lose interest.
Just because it is an IAM solution does not mean that it needs to be ultra-technical; on the contrary, you and your users are entitled to expect the same quality criteria from your solution as from a consumer tool, with a graphical interface that makes the user experience enjoyable!
The simplicity index correlates with the adoption rate.
Key takeaway ▶
Above all, choose a solution to save you time. It must be clear, intuitive, configurable and effective.

5. Connector/integration addition
What is a connector? A connector allows your IAM solution to import accounts from, or perform actions on the accounts of, each of the business tools or applications that your teams use daily. You will therefore have an Active Directory connector, a connector for your CRM, a connector for your messaging system (Exchange, Office 365, GSuite...), and so on.
SaaS connectors are easy to integrate with a SaaS solution because they are designed to connect easily with other solutions. For this, we use an API key, a token or a login and password to connect. The IAM solution will then launch the automatic imports or creations of accounts on the software concerned.
In general, IAM solutions integrate well with similar types of platforms: SaaS IAM solutions will easily connect to SaaS software (Office 365, GSuite, etc.) but will have difficulty connecting to on-premise systems (Active Directory, proprietary CRM, etc.). The opposite is true for on-premise IAM solutions.
Pay attention to your proprietary applications: it would be dangerous not to include them in the integrations with your IAM solution under the pretext that they are proprietary. That's why at Youzer we have developed a 'universal' connector that allows you to connect to any on-premise business applications.
Each IAM provider will display (or not) a more or less exhaustive list of connectors that are already present in its catalog.
Then each has its own way of operating:
- Some will charge for adding a new connector.
- Others consider that it completes their catalog and will add it for free.
Also inquire about this point before choosing an IAM solution.

Key takeaway ▶
Connectors in SaaS are quite easy to integrate. On the other hand, on-premise and/or proprietary applications can be complicated to integrate for some IAM solutions.
6. Autonomy
Once you have chosen and implemented your IAM software, don't stop there! It is important to be autonomous in your use of the product: do you need to call on your service provider to perform regular operations?
Do you need to call on the publisher or integrator to add new connectors?
You should be as independent as possible with your tool; it should save you time, so your actions should be carried out as simply as possible. You should only call on your service provider in the event of very specific operations and perhaps a very particular request.
The solution you have chosen is certainly very good at a given moment, but the needs (your needs) evolve. Is the product constantly evolving, or is the product 'finished'? A good IAM tool is never 'finished'; your needs evolve, your expectations are high and different from one company to another. Your service provider must be able to meet these new expectations. The tool must constantly evolve, and new functionalities must be accessible to everyone so that it is beneficial and without additional financial burden.
Even if autonomy is encouraged, do you have someone available to respond quickly if you get stuck?
The customer service must be easily reachable and responsive. Do you have direct access to an online chat tool on your IAM tool, a telephone number, or even an email for your exchanges or to contact support?
Key takeaway ▶
You must be autonomous in your use of the tool but also be able to request responsive customer support. The IAM application must also evolve regularly to keep up with technological developments.
7. HRIS connection
This is also a very important point: Your IAM tool must be able to connect to your HRIS to build your exhaustive list of users (internal employees, service providers, etc.). Your provider must be able to connect to the main HRIS on the market and even to your HRIS that you have developed internally (Lucca, ADP RH, Cegid RH, Eurecia, Nibellis, etc.).
This connection to your HRIS enables the HR/IT alignment for your employees and their accounts.
In addition, it is important that your software can also be fed from sources other than your HRIS, such as the list of temporary workers, service providers, etc., who are required to have authorizations on your IS.
Key takeaway ▶
Your IAM solution must be able to connect to any HRIS in order to automatically link your employees to their accounts, reconcile the two and report errors.
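
To make the reconciliation concrete, here is an added example (not Youzer's code or any vendor's connector) that merges an HRIS export with a contractor list and flags enabled application accounts that no current person justifies. The CSV layouts, column names and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HRIS export plus a contractor list (the second
# identity source), and one combined account export from two applications.
HRIS_CSV = """email,name,end_date
alice@example.com,Alice Martin,
bob@example.com,Bob Durand,2024-03-31
"""
CONTRACTORS_CSV = """email,name,end_date
carol@partner.example,Carol Petit,2024-12-31
"""
ACCOUNTS_CSV = """app,login,enabled
ActiveDirectory,Alice@Example.com,true
ActiveDirectory,bob@example.com,true
CRM,bob@example.com,false
CRM,carol@partner.example,true
CRM,svc-backup@example.com,true
"""

def load_people(*sources):
    """Merge identity sources into {normalized email: end date or None}."""
    people = {}
    for text in sources:
        for row in csv.DictReader(io.StringIO(text)):
            end = date.fromisoformat(row["end_date"]) if row["end_date"] else None
            people[row["email"].strip().lower()] = end
    return people

def reconcile(people, accounts_csv, today):
    """Return enabled accounts that no current person justifies."""
    findings = {"orphan": [], "leaver_still_enabled": []}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts grant no access
        login = row["login"].strip().lower()
        if login not in people:
            findings["orphan"].append((row["app"], login))
        elif people[login] is not None and people[login] < today:
            findings["leaver_still_enabled"].append((row["app"], login))
    return findings

if __name__ == "__main__":
    people = load_people(HRIS_CSV, CONTRACTORS_CSV)
    for kind, hits in reconcile(people, ACCOUNTS_CSV, date(2024, 6, 1)).items():
        for app, login in hits:
            print(f"{kind}: {login} on {app}")
```

Orphan findings are often service or shared accounts; they still need a named owner in one of the identity sources, otherwise nobody is notified when they should be disabled.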

While not having IAM software is unthinkable today, making a choice is difficult because you have to find the perfect solution: it must be compatible with all your tools, collaborative, and allow you to have total application supervision, plus the various elements that are important to you.
[Spoiler alert] Unfortunately, this perfect solution does not exist, and you will have to define your priorities, needs, and budget.
The easiest way is to test the different solutions on the market that you like.
We have a 30-day free trial without requiring a credit card 😉.
If you would like to compare and test Youzer, please contact us for a demonstration of our platform.





