Selecting the right IAM solution


By: Arnout van der Vorst

There are numerous reasons why you might be in the market for a new Identity & Access Management (IAM) solution. Start-ups often aim to have professional account and access management in place from the get-go, whereas many established organisations are looking to replace their now outdated “IAM system”. These systems are frequently constrained on-premise solutions, sometimes partly developed in-house due to the limited options available at the time. Today, these systems are not only expensive to maintain but also lack user-friendliness and future-proofing. This is particularly critical as the digital landscape evolves and the demands for information security intensify. Previously, IAM solutions were primarily focused on streamlining user management. Nowadays, IAM is pivotal in ensuring information security and adhering to regulatory compliance. What considerations should guide your selection of a modern IAM solution? In this blog post, we highlight 10 crucial considerations.

IAM on-premise or as a cloud-based service?

As with other IT systems, many IAM systems today offer cloud-based solutions. This cloud-based approach is becoming increasingly popular, especially for those transitioning their wider IT infrastructure to the cloud. However, it is crucial to scrutinise how these cloud-based solutions are developed. Solutions that merely transplant an existing on-premise system onto a cloud platform, through methods like re-hosting, often fail to deliver a genuinely improved solution. Make sure to select an IAM solution that is ‘cloud-native’, meaning it is designed from the ground up to leverage the full potential of cloud technology. This intention is often evident in the solution’s ‘delivery model’. Does it only offer a single-tenant solution, or does it offer a true multi-tenant Identity-as-a-Service (IDaaS) solution?


A single-tenant solution provides each customer with their own dedicated, independent platform, containing their own customer data and integrations with other systems. This setup gives customers significant control over platform configuration, management, updates and product development. The downside, however, is the relatively high management complexity and associated costs. While there may still be a solid business case here for large enterprise organisations, it seems more sensible for medium-sized and smaller clients to opt for a multi-tenant environment right from the start.

Functionality and flexibility of the IAM solution

It is crucial to also take a close look at the functionality offered by IAM solutions. While many place a strong emphasis on authentication functionality – indeed, authentication plays a key role within Identity and Access Management, especially with the growing significance of Multi-Factor Authentication (MFA) and innovations like biometric access – authentication is far from being the only key feature of an IAM system.


Access management for single sign-on and multi-factor authentication

We notice that many organisations now outsource the authentication element to third-party Identity Providers (IDPs) like Microsoft (Azure) Active Directory or Google Workspace, or at least route primary authentication through these platforms. However, it is important to keep the needs and requirements of the entire user population in mind. Special user groups, such as guests or clients, are often not included in the standard IDP, and due to high costs, it might not be desirable to add them. In these instances, an access management solution with a cloud directory and extensive MFA capabilities can provide a secure authentication process for these user groups. After primary authentication, single sign-on offers a user-friendly way for users to access their applications. To this end, an easy-to-navigate application dashboard, potential integration with your existing portals and comprehensive support for your application ecosystem are essential.

Provisioning for automated user and authorisation management

Many organisations aim to fully automate the issuance and management of user accounts and associated access rights. Nearly all user tasks can be streamlined with an advanced provisioning module, from account issuance upon the onboarding of new employees to automatic rights adjustments as people transition to different roles. The user provisioning functionality also ensures proper handling when employees leave, preventing issues such as costly licenses unnecessarily remaining active or data breaches due to ‘forgotten’ user accounts. It is vital that the IAM environment incorporates an authorisation model like Role Based Access Control (RBAC) and/or Attribute Based Access Control (ABAC) to automatically keep someone’s rights aligned with their current situation and role.

Service automation for self-service in exception cases

With the above provisioning and RBAC/ABAC functionality, you enforce and automate your organisation’s account and access policy. At the same time, an IAM solution must offer sufficient flexibility for exceptions. For example, if someone temporarily needs a Visio license for the duration of a project, this should be easy to arrange. A modern IAM solution should therefore provide extensive capabilities for further process automation and self-service. In addition to basic matters such as password resets (often handled via the IDP), this also includes name changes and the online application for (temporary) application licenses, with an automated workflow that asks the responsible managers for approval. Hence, modern IAM solutions are about much more than just Access Management; they also manage the complete account and rights lifecycle, from onboarding all the way through to departure from the organisation. And this applies not only to in-house staff but also to, for example, temporary workers, clients, patients, students and partners.
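As an added example (not HelloID or Tools4ever code), the policy described in this and the previous section in working form: standing rights derived from roles (RBAC) and attributes (ABAC), an approved, time-bound exception such as a temporary Visio licence, and a leaver whose access is revoked in full. All role names, rules, people and dates are constructed.

```javascript
// Added example (not HelloID or Tools4ever code): entitlement reconciliation that
// combines RBAC, ABAC and approved time-bound exceptions, and revokes everything
// for leavers. All role names, rules, people and dates below are constructed.

// RBAC: job title -> standing entitlements.
const ROLE_ENTITLEMENTS = {
  "Project Manager": ["m365-e3", "project-tool"],
  "Engineer": ["m365-e3", "git-server"],
};

// ABAC: an entitlement is held for as long as the predicate holds for the person.
const ATTRIBUTE_RULES = [
  { entitlement: "finance-erp", when: (p) => p.department === "Finance" },
  { entitlement: "vpn", when: (p) => p.location === "Remote" },
];

// Returns Map<entitlement, reason> describing what `person` should hold on `today`
// (ISO yyyy-mm-dd strings, so plain string comparison orders dates correctly).
function targetEntitlements(person, exceptions, today) {
  const target = new Map();
  // Leaver: nothing is retained, so licences stop and no 'forgotten' account survives.
  if (person.endDate && person.endDate <= today) return target;
  for (const e of ROLE_ENTITLEMENTS[person.title] ?? []) target.set(e, `role:${person.title}`);
  for (const r of ATTRIBUTE_RULES) if (r.when(person)) target.set(r.entitlement, "attribute-rule");
  // Self-service exceptions only count once approved and while inside their validity window.
  for (const ex of exceptions) {
    const live = ex.personId === person.id && ex.approvedBy &&
      ex.validFrom <= today && today <= ex.validUntil;
    if (live) target.set(ex.entitlement, `exception approved by ${ex.approvedBy} until ${ex.validUntil}`);
  }
  return target;
}

// Diffs current access against the target and returns the actions a provisioning
// connector would execute, each carrying its reason so the run is auditable.
function reconcile(person, current, exceptions, today) {
  const target = targetEntitlements(person, exceptions, today);
  const actions = [];
  for (const [e, reason] of target) {
    if (!current.includes(e)) actions.push({ action: "grant", entitlement: e, reason });
  }
  for (const e of current) {
    if (!target.has(e)) {
      const left = person.endDate && person.endDate <= today;
      actions.push({ action: "revoke", entitlement: e, reason: left ? "left organisation" : "no longer entitled" });
    }
  }
  return actions;
}

// Constructed sample: Bob needs Visio for a project; Carol left at the end of March.
const bob = { id: "u1", title: "Project Manager", department: "Sales", location: "Remote" };
const carol = { id: "u2", title: "Engineer", department: "Finance", location: "Office", endDate: "2024-03-31" };
const exceptions = [
  { personId: "u1", entitlement: "visio", approvedBy: "mgr-7", validFrom: "2024-03-01", validUntil: "2024-06-30" },
];

// Runs the reconciliation for both people on a given date and returns the action lists.
function demo(today) {
  return {
    bob: reconcile(bob, ["m365-e3", "project-tool", "visio"], exceptions, today),
    carol: reconcile(carol, ["m365-e3", "git-server", "finance-erp"], exceptions, today),
  };
}

console.log(JSON.stringify(demo("2024-04-15"), null, 2)); // Bob gains vpn; Carol loses everything
console.log(JSON.stringify(demo("2024-07-01"), null, 2)); // Bob's expired Visio exception is revoked
```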

Flexibility to adapt the IAM solution to your IT environment

Pay close attention to the flexibility of the platform. Even with a multi-tenant platform based on a standard application, there should be sufficient possibilities to fine-tune the IAM to your specific circumstances and desires through configuration scenarios, options and APIs. You do not want to end up in a situation where you have to adapt your environment to fit the IAM solution rather than configuring the IAM solution to suit your environment. In developing HelloID, this is why we consciously consider where we need to maintain the possibility of using commonly known scripting languages like JavaScript and PowerShell, despite our focus on standardisation and graphical interfaces. This ensures there is always a fall-back for specific customer desires. Although there are many similarities between organisations, the differences must not be overlooked.

Integration capabilities with both on-premise and cloud-based applications

These days, an IAM solution must also be linked to a variety of third-party systems. Besides connections with HRM and other source systems, the IAM solution must also work with the target applications within which the IAM will manage users and rights. And even if you opt for a cloud-based IAM solution, it is still important to be able to connect with on-premise systems. In particular, network systems and physical security systems (such as key safes) often still run locally. In these cases, you want to avoid having to use two separate IAM solutions. Especially if the IAM solution supports both, it can be a valuable tool during your organisation’s transition to the cloud. Additionally, connections with service management, security and reporting applications are needed. And if you choose a separate access management solution, integration with the customer’s own user portal or intranet should be a given.


The selected IAM solution must therefore have extensive capabilities to make these connections without having to adjust the surrounding IT landscape. It must support more than just the open standards like SCIM (the application of which is still very limited). Also, any specific product connections must be available or capable of being quickly developed. A wide set of existing and, where possible, certified connectors is important to establish reliable, simple and fast connections with commonly used applications. In addition, an open architecture and the necessary agility to add new connections are essential. This prevents dependency on your IAM provider on the one hand, and on the other hand, it also ensures you are not limited in connecting with, for example, self-developed applications or exotic systems.

A solution like HelloID offers an extensive connector catalogue through which hundreds of common applications can be easily connected. If a connector is not yet available, Tools4ever develops it free of charge. But also, each customer has the opportunity to develop connectors (possibly using example templates). This can be done using a wide variety of technologies like SCIM, REST/JSON, SOAP/XML, ODBC, SQL, CSV, XML, etc.

Good user experience for both users and support staff

In today’s world, employees often have access to dozens of applications, on their computers as well as on tablets and smartphones. Customers, partners and external staff often also have direct access to applications and data. The benefits of this digitalisation and hybrid working are evident, but they make the role of your IAM system even more important. Not only must access security be watertight, but the IAM solution must also be completely intuitive and user-friendly. This applies not only to regular authentication and access verification (including SSO and MFA) but also to requesting additional applications or resetting a password. The IAM software should allow for a frictionless user journey at every turn.


This requirement goes beyond the experience for end-users. Sometimes software is very user-friendly for end-users, while administrators are still stuck working with text screens, scripts and custom code. This is often a key point of attention when selecting an IAM system. Administrators also work with a far more powerful side of the IAM platform, with numerous management options, settings and expansion possibilities. Only an intuitive, graphical management interface allows administrators to truly utilise these possibilities. In case of questions, it is important to be able to refer back to documentation. To this end, it is crucial to check that said documentation is indeed available and sufficiently up-to-date for any IAM system you consider.

Moreover, it is important to keep in mind that IAM is more than just a technical solution. IAM extends beyond your IT department alone and impacts key processes throughout the organisation. To really get the most out of an IAM solution, it is therefore important that there are sufficient training opportunities that cover not only the software but also the business side. At Tools4ever, we offer both certification courses for the software modules and so-called business impact (or business consultancy) training courses, completely free of charge. Many software companies offering training do so exclusively through an online platform. We choose to have our monthly free training sessions conducted by experienced business and implementation consultants. This approach allows us to tailor each training session to the knowledge level of the participants and provides ample space for personal interaction.

An easily managed IAM solution

A common requirement is that the core platform requires little maintenance and that updates are carried out automatically and smoothly. Moreover, as a customer, you will want to be able to easily manage your own settings and data, but also to configure and activate optional features and connections yourself. Does the provider facilitate this through accessible and clear documentation and training? Do they ensure that customers can exchange knowledge and experiences among themselves? And if a customer is unable to resolve an issue, is there a support team that can step in and possibly also provide onsite support? As a customer, you want to have control, but also the reassurance that there is a fall-back if needed.


Additionally, as a customer you should also have the option to outsource the management to a system integrator or managed service provider, including connections between the IAM platform and the service provider’s management systems. This again reduces dependency on any one specific vendor. Moreover, it does not limit you in potential future and unforeseen choices regarding outsourcing. On our partner page, you will find dozens of service providers who are certified in the design, implementation and management of the IAM solution HelloID.

Reliability, performance and scalability

An IAM solution acts like a hub in the web of your IT landscape and plays a role in virtually all IT processes. Therefore, the IAM functionality must always function and perform optimally, without delays and with sufficient capacity to seamlessly handle peak moments. In the case of a cloud-based solution, the responsibility for this lies entirely with the IDaaS service provider. Ensure that the service provider offers clear guarantees in this regard. Planned maintenance must also be clearly communicated and cannot result in unexpected or prolonged interruptions. Naturally, the solution must be able to automatically scale up or down with changes in usage and/or user numbers.


At Tools4ever, we utilise reliable infrastructure such as Microsoft Azure and Google Cloud. This enables us to offer an uptime guarantee of 99.9%. The current uptime and status of the HelloID services can be transparently viewed on the HelloID status page. Additionally, we follow a clear monthly release process through which all customers are informed in good time about upcoming changes, we publish videos and organise webinars about the new functionalities, and the releases are rolled out without disrupting production.

Manageable and transparent cost structure

If an IAM solution can scale smoothly alongside usage and user numbers, you naturally want this to be reflected in the cost structure. The advantage of a cloud-based multi-tenant approach is that it often offers a transparent ‘Pay per Use’ or ‘Pay as You Go’ model without significant investments and without long-term financial commitments. If you as a customer have clarity on the current costs of your IAM platform and the time spent on manual activities, you are in a position to establish a strong IAM business case.


HelloID has a modular setup where you only pay for the modules you use. Every day, HelloID calculates the number of licenses in use per module. These are then billed monthly, with a clear overview provided. Through the HelloID portal, you can also easily keep track of the number of licenses used. As we aim for complete transparency, the current license costs can be calculated easily using our HelloID price calculator.

Security and compliance

IAM is one of the pillars of your information security. It is the central point for issuing and managing user accounts, associated rights and authentication systems. Naturally, this means that all necessary security measures must be implemented in the development and management of the platform used, and any and all security risks must be identified and mitigated. This includes, of course, topics such as access security and data encryption. But for a cloud-based solution, it should also be clear whether the data is stored within the EU, for example. Apart from technical design guidelines, product development and further service provision must be ISO 27001 certified and compliant with GDPR guidelines. Additionally, you want the solution to contribute to meeting sector-specific standards like the Baseline Information Security Government (BIO) and NEN 7510 (information security within healthcare). To that end, it is important that the IAM solution automatically records all actions and is auditable, enabling you to easily generate reports.


Tools4ever is fully ISO 27001 certified as an organisation, meaning we have our processes well managed. Nevertheless, we also believe in the principle of multiple eyes. This means that Deloitte Risk Services periodically audits the HelloID software through penetration testing. This ensures that we do not miss any potential security risks and our customer data is safe. Want to learn everything about the security measures within HelloID? Or how HelloID contributes to compliance with information security guidelines such as ISO 27001, BIO or NEN 7510? Then read one of our whitepapers, in which we extensively discuss both the security of HelloID and its contribution to each certification.

Rollout and migration support

IAM is a central platform with connections to sometimes dozens of systems. As a result, even a greenfield introduction requires good rollout planning. The migration from an existing IAM to a new solution is naturally even more significant. Even with a standard multi-tenant solution where the customer’s own IT team can perform a lot of the configuration work, it is important that sufficient migration support is available in the form of step-by-step plans, blueprints and migration tools. Always check whether a service provider is prepared for this. This helps avoid an additional cost item afterwards, caused by lots of additional support being needed during the rollout and migration.


At Tools4ever, we have carried out thousands of IAM implementations and have developed a clear implementation approach based on these experiences. This enables us to estimate the duration of our implementation projects with great precision. But this also means that you as a customer already have a good idea of what to expect beforehand. In this blueprint, we summarise the most important steps and points of attention.

Last but not least: A customer-focused roadmap

This blog post has already examined many considerations that will help you select an IAM that meets your needs from day one. But is the solution also future-proof? Does the platform grow with changing requirements and desires on your end, as a customer? Does the provider listen to the input of customers and users, and is there a transparent roadmap? Is the provider truly focused on identity management developments, or do they have a vast portfolio with different product lines? Discuss this with your provider and make sure to check the experiences other customers have had. Ultimately, you are not just looking for a good IAM solution; you are looking for an IAM partner.

Want to know more about the roadmap of our IAM solution HelloID? Or do you have requests or ideas for the further development of our IAM solutions? Then visit our roadmap and the associated feedback portal.


A cloud-native IAM solution is designed to make optimal use of the advantages of the cloud. This means that it is flexible, scalable and always accessible. In addition, updates and new features are immediately available to all users. This is in contrast to on-premise solutions, which are often expensive to maintain and not always future-proof.

When selecting a new IAM solution, you need to take several factors into account. These include the needs of your organisation, the user-friendliness of the solution, the costs, and how well it fits within your existing IT infrastructure. It is also important to look at how the solution can contribute to compliance with laws and regulations.

An IAM solution can make user management more efficient by automating processes such as creating accounts, assigning access rights and managing passwords. This can help to reduce the workload of IT teams and increase productivity.

Arnout van der Vorst
Meet Arnout van der Vorst, the inspiring Identity Management Architect at Tools4ever since the year 2000. After completing his Higher Informatics studies at the University of Applied Sciences in Utrecht, he started as a Support Worker at Tools4ever. Since then, Arnout has advanced to become a key figure within the company. His contributions range from customer support to strategic pre-sales activities, and he shares his expertise through webinars and articles.