How Do I Select an IAM Solution?
For many reasons, it may be necessary to select a new Identity and Access Management (IAM) solution. Startups often want to set up account and access management professionally from day one, while many existing organizations are looking to replace their now-outdated "IAM system." Such a system is often a limited on-premises solution and sometimes partly custom-built because the options available at the time were limited. By now, such a system is expensive to maintain, far from user-friendly, and not future-proof. This is especially true because ongoing digitization and the importance of information security have increased the requirements. Earlier IAM solutions were often developed primarily to improve user management efficiency. Today, IAM also plays a key role in information security and compliance with laws and regulations. What should you look for when selecting a modern IAM solution? In the blog below, we compile ten points to consider.
IAM, On-Premises or as a Cloud Service?
Like other IT systems, many IAM systems are now available as a cloud solution. Many customers prefer a cloud approach, especially when migrating the rest of their IT landscape. It is important to verify how the cloud solution was created. Solutions in which an existing on-premises system is rehosted to a cloud platform often do not deliver a structurally better solution. Look for an IAM solution that is cloud-native and fully aligned with cloud technology principles. You often see this reflected in the IAM solution's delivery model. Does it only offer a single-tenant option, or does it provide a true multi-tenant Identity-as-a-Service (IDaaS) solution?

In a single-tenant solution, an independent platform is assembled and hosted for each customer with its own data and integrations to other systems. This gives you significant control over platform settings, administration, updates, and product development. The drawback is the relatively high management complexity and associated costs. For large enterprises, there may still be a viable business case, but for mid-sized and smaller customers, it is more sensible to adopt a multi-tenant environment.
A multi-tenant platform such as HelloID is built to maximize the advantages of the cloud. In a cloud-native solution, customers share a single IAM platform that is centrally managed and continuously improved. On that platform, every tenant has the same standard functionality and immediate access to the latest updates and new features. The service provider handles capacity planning, performance management, and redundancy so that functionality is always available to all customers. The architecture and extensive security measures ensure that each customer only has access to their own data and settings.
Functionality and Flexibility of the IAM Solution
It is also important to evaluate the available functionality critically. In some IAM software, the focus is still primarily on authentication features. Authentication plays a significant role in Identity and Access Management, especially as Multifactor Authentication (MFA) and access innovations such as biometrics gain greater importance. However, it is not the only important IAM component.

Access Management for Single Sign-On and Multifactor Authentication
We see that many organizations increasingly place the authentication component with third-party Identity Providers (IdPs) such as Microsoft Azure Active Directory or Google Workspace, or at least route primary authentication through these platforms. Even then, it is important to consider the needs and requirements of the entire user population. We often see that special user groups, such as guests or clients, are not included in the regular IdP, and including them there is also undesirable because of the high costs. An access management solution with a cloud directory and extensive MFA capabilities can provide a secure authentication path for these user groups. After primary authentication, Single Sign-On offers a user-friendly way to grant access to applications. A clear application dashboard, optional integration within your existing portals, and support for your application landscape are therefore crucial.
Provisioning for Automated User and Authorization Management
Many organizations want to fully automate the issuance and management of user accounts and associated access rights. With an advanced provisioning module, nearly all user tasks can be streamlined, from account creation during onboarding of new employees to automatic rights adjustments when people move to other roles. User provisioning can also ensure correct processing when employees leave, so that costly licenses do not remain active unnecessarily and data leaks do not occur through forgotten accounts. The IAM environment must include an authorization model, such as Role-Based Access Control (RBAC) and/or Attribute-Based Access Control (ABAC), so that a person’s rights remain automatically aligned with their current role and situation.
Service Automation for Self-Service to Handle Exceptions
With the provisioning and RBAC/ABAC functionality above, you enforce and automate your organization’s account and access policies. At the same time, an IAM solution must provide sufficient room for exceptions. If someone temporarily needs a Visio license during a project, this must be easy to arrange. A modern IAM solution must therefore offer extensive options for additional process automation and self-service. Beyond basics such as password resets, which the IdP often handles, this includes name changes, online requests for temporary application licenses, and automated workflows to request approval from the relevant managers. In modern IAM solutions, it is about much more than access management; it also includes managing the full account and access rights lifecycle, from onboarding through departure from the organization. This applies not only to employees, but also to contractors, clients, patients, students, and partners.
Flexibility to Adapt the IAM Solution to Your IT Environment
Pay close attention to the platform's flexibility. Even in a multi-tenant platform based on a standard application, there must be sufficient configuration options, choices, and APIs to fine-tune IAM to your circumstances and requirements. You do not want to end up in a black box where you must adapt your environment to the IAM solution instead of configuring the IAM solution to your environment. We deliberately design HelloID with this in mind. Despite the focus on standardization and graphical interfaces, we retain the option to use well-known scripting languages such as JavaScript and PowerShell. This provides a fallback for specific customer requirements. There are many similarities between organizations, but we must not ignore the differences.
Integration Capabilities with Both On-Premises and Cloud Applications
Today, an IAM solution must integrate with many third-party systems. In addition to integrations with HR and other source systems, the IAM solution must also work with target applications where users and access will be managed. Even if you select a cloud-based IAM solution, it is still important to connect with on-premises systems. Network systems and physical security systems, such as key cabinets, often still run locally. In these cases, you do not want to deploy two separate IAM solutions. If the IAM solution supports both, it can be a valuable tool during your organization’s transition to the cloud. Integrations are also needed with service management, security, and reporting applications. If you choose a separate access management solution, integration with the customer’s own user portal or intranet must be a given.

The selected IAM solution must therefore offer extensive options for implementing these integrations without requiring changes to the surrounding IT landscape. Support must go beyond open standards such as SCIM, which are still applied only in a limited way. Specific product integrations must be available or be developed quickly. A broad set of existing and, where possible, certified connectors is important for connecting reliably, easily, and quickly to widely used applications. An open architecture and the agility to add new integrations yourself are also essential. This prevents reliance on your IAM vendor and avoids limitations when connecting to custom-built applications or niche systems.
A solution like HelloID offers a comprehensive connector catalog that lets you easily integrate with hundreds of common applications. When a connector is not yet available, Tools4ever develops it at no cost. Each customer can also develop connectors, optionally using template examples. This can be based on a wide variety of technologies, such as SCIM, REST/JSON, SOAP/XML, ODBC, SQL, CSV, and XML.
Strong User Experience for Users and Support Staff
Employees today often access dozens of applications on their computers, tablets, and smartphones. Customers, partners, and external staff also often access applications and data directly. The benefits of digitization and hybrid work are clear, but they underscore the importance of your IAM system. Access security must be airtight, and the IAM solution must be fully intuitive and user-friendly at the same time. This applies to routine authentication and access verification, including SSO and MFA, as well as requesting additional applications or resetting a password. At no point should the IAM software disrupt the user journey.

This requirement goes beyond end users. Some software is very user-friendly for end users, while administrators must make do with text screens, scripts, and custom code. This is often a critical consideration in an IAM selection. Administration teams also work with a more powerful IAM platform that offers many management options, settings, and extensions. Only an intuitive, graphical administration interface enables administrators to leverage these capabilities. When you do not understand something, it is important to consult the documentation. It is therefore important to verify that documentation is available and sufficiently up to date.
It is also important to remember that IAM is more than a technical solution. IAM reaches beyond IT and affects core business processes. To get the most from an IAM solution, there must be sufficient training that covers not only the software but also the business side. Tools4ever provides certification programs for software modules and business-impact or business-consulting training, completely free of charge. Many software companies deliver training fully through an online platform. We choose to deliver our monthly free training through experienced business and implementation consultants. This allows us to tailor each session to the participants’ knowledge levels and provide room for personal interaction.
An IAM Solution That Is Easy to Manage
It is often a requirement that the core platform requires little maintenance and that updates are applied automatically and seamlessly. You also want the ability to manage your own settings and data easily, and to configure and activate optional features and integrations yourself. Does the vendor facilitate this with accessible and clear documentation and training? Do they enable customers to exchange knowledge and experiences? If you cannot resolve an issue, is there a support team that can step in and provide on-site assistance when needed? As a customer, you want control and the assurance of a fallback when necessary.

It must also be possible to outsource administration to a system integrator or managed service provider, including integrations between the IAM platform and that service provider’s management systems. This again reduces reliance on a single vendor. It also keeps you free to make future and unforeseen decisions to outsource. On our partner page, you will find dozens of Dutch managed service providers certified in the design, implementation, and administration of the HelloID IAM solution.
Reliability, Performance, and Scalability
An IAM solution sits at the center of your IT landscape and plays a role in nearly all IT processes. The IAM functionality must therefore always operate optimally, without delays, and with sufficient capacity to absorb peak loads. In a cloud solution, responsibility for this lies fully with the IDaaS provider. Ensure the provider offers clear guarantees. Planned maintenance must also be communicated clearly and must not cause unexpected or prolonged interruptions. The solution must scale up or down automatically in response to changes in usage and/or user counts.

At Tools4ever, we use reliable infrastructure such as Microsoft Azure and Google Cloud. This enables us to provide a 99.9% uptime guarantee. The HelloID status page shows the current uptime and status of the HelloID services transparently. We also follow a clear monthly release process in which all customers are informed in time of upcoming changes, we publish videos and organize webinars about new capabilities, and we roll out releases without disrupting production.
Manageable and Transparent Cost Structure
If an IAM solution can scale seamlessly with usage and user counts, you want to see that reflected in the cost structure. A cloud-based multi-tenant approach often offers a transparent Pay-per-Use or Pay-as-You-Go model without large upfront investments or long-term financial commitments. If you have insight into the current costs of your IAM platform and the time spent on manual activities, you can establish a clear IAM business case.

HelloID has a modular design, so you only pay for the modules you use. HelloID calculates the number of active licenses per module daily. These are then invoiced monthly with a clear breakdown. Through the HelloID portal, you can easily track the number of licenses in use. Because we strive for full transparency, you can easily calculate current license costs through our HelloID pricing calculator.
Security and Compliance
IAM is one of the pillars of your information security. It is the central point for creating and managing user accounts, associated rights, and authentication methods. This means the platform’s development and operations teams must implement all required security measures and identify and mitigate all security risks. This includes access security and data encryption. In a cloud solution, it must also be clear, for example, whether data is stored within the EU. Beyond technical design guidelines, product development and service delivery must be ISO 27001 certified and compliant with GDPR requirements. You also want the solution to help meet sector-specific standards, such as the Baseline Informatiebeveiliging Overheid (BIO) and NEN 7510 for information security in healthcare. It is important that the IAM solution automatically logs all actions and is auditable so that you can generate reports easily.

Tools4ever is fully ISO 27001 certified as an organization, which means our processes are in order. We also believe in a multiple-eyes principle. Deloitte Risk Services periodically audits the HelloID software through penetration testing. This ensures that we do not miss potential security risks and that our customer data remains secure. Want to learn everything about security measures in HelloID? Or how HelloID supports compliance with information security frameworks such as ISO 27001, BIO, or NEN 7510? Read one of our whitepapers, where we explain both HelloID security and the contribution to each certification in detail.
Deployment and Migration Support
IAM is a central platform with integrations to sometimes dozens of systems. Even a greenfield introduction then requires a solid deployment plan. Migrating from an existing IAM to a new solution is even more impactful. Even with a standard multi-tenant solution where the customer’s own IT team can perform much of the configuration, sufficient migration aids must be available, including step-by-step plans, blueprints, and migration tools. Check whether a service provider is prepared for this. Avoid unexpected costs by accounting for extra support needed during deployment and migration.

At Tools4ever, we have carried out thousands of IAM implementations and developed a clear implementation approach based on this experience. This allows us to estimate the duration of our implementation projects with high precision. As a customer, you also know what to expect in advance. This blueprint summarizes the key steps and considerations.
Last But Not Least: A Customer-Driven Roadmap
The points above help you select an IAM solution that meets your needs from day one. Is the solution also future-proof? Does the platform evolve with your changing customer requirements? Does the vendor listen to customer and user input, and does it provide a transparent roadmap? Is the vendor truly focused on identity management, or does it have a broad portfolio with multiple product lines? Discuss this with your vendor and review other customers’ experiences. You are not only looking for a strong IAM solution; you are ultimately looking for an IAM partner.

Want to learn more about the roadmap for our HelloID IAM solution? Do you have requirements or ideas for further development of our IAM solutions? Visit our roadmap and the accompanying feedback portal.
What are the benefits of a cloud-native IAM solution compared to an on-premises solution?
A cloud-native IAM solution is designed to take full advantage of the cloud. This means it is flexible, scalable, and always accessible. In addition, updates and new features are available to all users immediately. This contrasts with on-premises solutions, which are often expensive to maintain and not always future-proof.
What are the key considerations when selecting a new IAM solution?
When selecting a new IAM solution, you must consider several factors. These include your organization’s needs, the usability of the solution, the costs, and how well it fits within your existing IT infrastructure. It is also important to assess how the solution can support regulatory compliance.
How can an IAM solution make user management more efficient?
An IAM solution can make user management more efficient by automating processes such as account creation, access assignment, and password management. This can help reduce IT team workload and increase productivity.