Product and service reviews are conducted independently by our editorial team, but we sometimes make money when you click on links. Learn more.
 

A Guide to Identity and Access Management Solutions

A Guide to Identity and Access Management Solutions
By

Third-party identity and access management tools can help close some of the gaps left by Active Directory, keeping your organization more secure and your IT shop more efficient. Here are the four key problems that third-party user management tools can solve and four solutions to consider.

In many ways, users form the core of Active Directory. Without user objects there would be little purpose to standing up and using Active Directory in an enterprise environment. Whereas Active Directory group membership largely defines the relationships between a user and her various job roles, many of the changes to a user's account mirror changes to the user's status within the company.

As with the management of groups, Active Directory falls short in some key areas for user management in the enterprise. Many of the shortcomings discussed in this article relate to efficiency, a critical topic in the arena of user management. Inefficient user account management can impact everything from user productivity to corporate security.

MORE: Active Directory Security with Group Management Tools

Let's examine some main considerations when it comes to identity and access management tools, including self-service, automation, policy management and enforcement and more. These will be helpful in determining what you should look for in tools that offer identity and access management capabilities.

1. Self-Service

Active Directory doesn't really offer a way for users to perform common tasks in a true self-service manner. Corporations which have embraced the cloud are probably aware that some self-service functionality is provided when an on-premises Active Directory forest is synchronized with Azure Active Directory and Office365, but for many businesses an enterprise-wide Office365 deployment is cost prohibitive.

Traditionally, large organizations have a dedicated staff with the permissions to manage users in the drectory. These administrative users often fall into one of two categories. Either they are entry-level IT Pros given the bare minimum of permissions needed to accomplish their daily tasks, or they are administrators qualified to perform a wide range of tasks. In either case, self-service tools can be leveraged in order to make more efficient use of the technical expertise available within your company.

In a perfect world, users would be able to perform some of the most common management tasks without having to contact a help desk. Many self-service features common to web applications such as password resets, account unlocks, and even account creation are nowhere to be found on the average corporate intranet. Through proper policy enforcement such as two-factor authentication, security questions, and other means, these tasks should be secured in order to ensure only the actual user can gain access to their account through these automated methods.

2. Automation

As employees are hired, placed on leave, suspended, or even terminated, the status of their Active Directory account must reflect these changes in a timely manner. The initial creation of a user object allows the user to more quickly begin contributing to the company. Likewise taking the appropriate action when a user's employment status changes is crucial to prevent the potential for destructive actions by a disgruntled former employee.

Any tool that allows you to automate repetitive steps in a process has the potential for both cost savings and a higher level of accuracy, in the case of user management often resulting in security benefits. While Active Directory does offer some automation through the use of bulk user edits and the duplication of users, there is certainly room for significant growth in this area.

CHECK OUT : Best InfoSec Certifications

In many corporations a major need is the ability for human resources personnel to initiate the creation or removal of a user. Typically these users don't possess the level of technical capability as an IT Pro, so this process should involve a web-based form or even an email.

3. Policy Enforcement

Security is increasingly becoming the primary concern for user creation and lifecycle management. In environments where security is paramount, simply managing password complexity and change frequency is no longer enough. Having the ability to enforce policies in a more controlled way is potentially game changing for highly secure corporations.

A tool that allows administrative users to create custom policies and apply them to specific groups of users would be incredibly useful in corporations spanning multiple industries. Often certain departments or career fields will involve users with increased access or permissions to sensitive data. Having the ability to disable a user within a certain department if their account is inactive, or even unused from within the corporate network, for a predefined number of days can be the difference in preventing corporate data loss. An additional feature many corporations would benefit from is the ability to either enforce or simply monitor policies, allowing administrators to determine if they want to prevent something from happening, or merely be notified in the event of a policy breach.

4. Reporting & Auditing

The word audit will send shivers down the spine of many experienced IT Pros, but the benefits cannot be denied. Several industries, most notably healthcare and government, have an absolute requirement for comprehensive audit procedures. Active Directory has become more robust in this segment, but the complexity in properly configuring and managing auditing is an insurmountable hurdle for many corporations. Even the task of aggregating event logs from domain controllers across a large Active Directory forest can be a nearly impossible task.

Many third party tools for managing Active Directory users provide a greatly increased level of reporting and auditing over native Active Directory, and simultaneously provide a more intuitive interface for accessing audit logs or managing auditable events. Organizations wishing to take their audit process a step further could look for a solution that provides the ability to perform a set of actions when an auditable event occurs; sending a notification email, alerting the user to a possible audit violation, or whatever rule set best fits the scenario.

Choosing an Identity and Access Management Solution

Regardless of the size of your organization, there are numerous ways to tackle the complexities involved with managing users throughout their corporate tenure. While the importance of individual requirements may vary by industry, each of the areas of concern mentioned here are real for any enterprise. IT Pros in particular must use their expertise and leverage available technology in order to realize cost savings, as well as cost avoidance, for their corporation.

In an upcoming article, we'll delve into some of the tools available to help you close some of the gaps left by Active Directory, making your IT shop more efficient, secure, and cost effective. We'll focus specifically on the needs identified in this story, and how these third-party tools can make your job easier, and your enterprise more secure, when dealing with identity and access management.

Editor's note: Looking for an SSO solution for your business? If you're looking for information to help you choose the one that's right for you, use the questionnaire below to be contacted by vendors with additional information: