A Guide to Identity and Access Management Solutions
1. Identity and Access Management: Key Features Explained

Third-party identity and access management tools can help close some of the gaps left by Active Directory, keeping your organization more secure and your IT shop more efficient. Here are the four key problems that third-party user management tools can solve and four solutions to consider.

In many ways, users form the core of Active Directory. Without user objects there would be little purpose to standing up and running Active Directory in an enterprise environment. Group membership largely defines the relationship between a user and her various job roles, while most changes to the user account itself mirror changes in the user's status within the company.

As with the management of groups, Active Directory falls short in some key areas for user management in the enterprise. Many of the shortcomings discussed in this article relate to efficiency, a critical topic in the arena of user management. Inefficient user account management can impact everything from user productivity to corporate security.


Let's examine some main considerations when it comes to identity and access management tools, including self-service, automation, policy management and enforcement and more. These will be helpful in determining what you should look for in tools that offer identity and access management capabilities.

1. Self-Service

Active Directory offers no built-in way for users to perform common tasks, such as resetting a forgotten password or unlocking their own account, in a true self-service manner. Corporations that have embraced the cloud are probably aware that some self-service functionality is provided when an on-premises Active Directory forest is synchronized with Azure Active Directory and Office 365, but for many businesses an enterprise-wide Office 365 deployment is cost prohibitive.

Traditionally, large organizations have a dedicated staff with the permissions to manage users in the directory. These administrative users often fall into one of two categories: entry-level IT Pros given the bare minimum of permissions needed to accomplish their daily tasks, or administrators qualified to perform a wide range of tasks. In either case, self-service tools free that technical expertise for work that actually requires it.

In a perfect world, users would be able to perform the most common management tasks without contacting a help desk. Self-service features that are routine on consumer web applications, such as password resets, account unlocks, and even account creation, are nowhere to be found on the average corporate intranet. These tasks must be gated by a proper identity check, such as a second authentication factor, a one-time code sent to a registered phone or personal mailbox, or verification against HR records, so that only the actual user can regain access through the automated path. Security questions alone are a weak gate, since the answers are often guessable or publicly discoverable, and a reset path that is easier to pass than the password it replaces weakens the account rather than securing it.

2. Automation

As employees are hired, placed on leave, suspended, or terminated, the status of their Active Directory account must reflect these changes in a timely manner. Prompt creation of the user object lets a new hire begin contributing sooner. Likewise, acting promptly when a user's employment status changes is crucial: every hour a departed employee's account stays enabled is an hour in which a disgruntled former employee can still act destructively.

Any tool that lets you automate repetitive steps in a process has the potential for both cost savings and greater accuracy, which in user management usually translates into security benefits as well. While Active Directory does offer some automation through bulk user edits and user duplication (copying an existing account), there is certainly room for significant growth in this area.


In many corporations a major need is the ability for human resources personnel to initiate the creation or removal of a user. Typically these users do not have the technical skills of an IT Pro, so the process should start from a web-based form or even an email, with the actual directory changes carried out by automation behind it.
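The HR-initiated, template-driven provisioning described above, as an added PowerShell example (this is not Zohno's, Softerra's or any other vendor's code). It assumes the ActiveDirectory module, the hypothetical department templates and `corp.example` domain shown, and an HR-exported CSV with the columns GivenName, Surname, Department, EmployeeId and Title. The two checks a practitioner actually needs are there: a duplicate-employee guard (HR feeds get re-sent) and a collision-safe logon name.

```powershell
# Added example: template-driven user provisioning from an HR-submitted CSV.
# Assumptions (not from the original article): ActiveDirectory module available,
# the $Templates table and corp.example names below, and a CSV with the columns
# GivenName,Surname,Department,EmployeeId,Title.
Import-Module ActiveDirectory

# Hypothetical per-department templates: where the object lives and which groups it gets.
$Templates = @{
    'Finance' = @{ Path = 'OU=Finance,OU=Users,DC=corp,DC=example'; Groups = @('G-Finance', 'G-VPN') }
    'IT'      = @{ Path = 'OU=IT,OU=Users,DC=corp,DC=example';      Groups = @('G-IT', 'G-VPN') }
}

function New-RandomPassword {
    # Cryptographically random initial password; rejection sampling avoids modulo bias.
    param([int]$Length = 20)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)
    $sb    = New-Object System.Text.StringBuilder
    $b     = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($b)
        if ($b[0] -lt $limit) { [void]$sb.Append($chars[$b[0] % $chars.Length]) }
    }
    $sb.ToString()
}

function New-HrUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$Department,
        [Parameter(Mandatory)][string]$EmployeeId,
        [string]$Title
    )
    $tpl = $Templates[$Department]
    if (-not $tpl) { throw "No template for department '$Department'; refusing to guess an OU or groups." }

    # HR feeds get re-sent; never create a second account for an employee ID that already has one.
    if (Get-ADUser -Filter { EmployeeID -eq $EmployeeId }) { throw "EmployeeID $EmployeeId already has an account." }

    # Logon name: first initial + surname, ASCII only, numeric suffix on collision.
    $base = (($GivenName.Substring(0, 1) + $Surname) -replace '[^A-Za-z0-9]', '').ToLower()
    $sam = $base; $i = 1
    while (Get-ADUser -Filter { SamAccountName -eq $sam }) { $i++; $sam = "$base$i" }

    $password = New-RandomPassword
    $attrs = @{
        Name                  = "$GivenName $Surname"
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@corp.example"
        GivenName             = $GivenName
        Surname               = $Surname
        Department            = $Department
        EmployeeID            = $EmployeeId
        Path                  = $tpl.Path
        AccountPassword       = ConvertTo-SecureString $password -AsPlainText -Force
        ChangePasswordAtLogon = $true   # the generated value is a one-time bootstrap, not the user's password
        Enabled               = $true
    }
    if ($Title) { $attrs.Title = $Title }

    if ($PSCmdlet.ShouldProcess($sam, "Create user in $($tpl.Path)")) {
        New-ADUser @attrs
        foreach ($g in $tpl.Groups) { Add-ADGroupMember -Identity $g -Members $sam }
    }
    # The initial password must reach the new hire out of band; do not log this object as-is.
    [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $password; OU = $tpl.Path }
}

# HR submits new-hires.csv; -WhatIf shows what would be created without touching the directory.
Import-Csv .\new-hires.csv | ForEach-Object {
    New-HrUser -GivenName $_.GivenName -Surname $_.Surname -Department $_.Department `
               -EmployeeId $_.EmployeeId -Title $_.Title -WhatIf
}
```

Refusing to proceed when no template matches is deliberate: a provisioning script that silently drops a user into a default OU with default groups is exactly how over-privileged accounts accumulate. Drop `-WhatIf` to apply the changes once the dry run looks right.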

3. Policy Enforcement

Security is increasingly the primary concern in user creation and lifecycle management. In environments where security is paramount, managing password complexity and change frequency alone is no longer enough. The ability to enforce policies in a more granular and controlled way matters most in organizations with strict security requirements.

A tool that allows administrators to create custom policies and apply them to specific groups of users is valuable across industries. Certain departments or roles involve users with elevated access or permissions to sensitive data. The ability to disable a user in such a department whose account has been inactive, or has not been used from inside the corporate network, for a predefined number of days can make the difference in preventing a loss of corporate data. Many organizations would also benefit from a choice between enforcing a policy and merely monitoring it, so administrators can decide whether to block an action outright or simply be notified when a policy is breached.
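The department-scoped inactivity policy with a monitor-or-enforce switch, as an added PowerShell example (not code from any product reviewed on this page). It assumes the ActiveDirectory module and a hypothetical Finance OU; the exemption list and the 14-day floor are design choices explained in the comments.

```powershell
# Added example: disable accounts in a sensitive OU that have not logged on for N days.
# Monitor mode only reports; Enforce mode disables and records the reason on the object.
# Assumptions (not from the original article): ActiveDirectory module, the OU shown below.
Import-Module ActiveDirectory

function Invoke-InactiveAccountPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,        # OU the policy applies to
        [int]$InactiveDays = 45,
        [ValidateSet('Monitor', 'Enforce')][string]$Mode = 'Monitor',
        [string[]]$Exempt = @()                          # break-glass / service accounts never auto-disabled
    )
    # lastLogonTimestamp replicates lazily (up to roughly 14 days behind the real last logon),
    # so the threshold is approximate and must never be set inside that window.
    if ($InactiveDays -lt 14) { throw 'Threshold is inside the lastLogonTimestamp replication window.' }

    $candidates = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) `
                      -UsersOnly -SearchBase $SearchBase |
                  Where-Object { $_.Enabled -and ($_.SamAccountName -notin $Exempt) }

    foreach ($acct in $candidates) {
        $u = Get-ADUser $acct.DistinguishedName -Properties whenCreated, LastLogonDate
        # A never-used account younger than the threshold is a slow onboarding, not a stale account.
        if (-not $u.LastLogonDate -and $u.whenCreated -gt (Get-Date).AddDays(-$InactiveDays)) { continue }

        $finding = [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            LastLogonDate  = $u.LastLogonDate
            Action         = 'Reported'
        }
        if ($Mode -eq 'Enforce' -and $PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable inactive account')) {
            Disable-ADAccount -Identity $u
            # Stamp why and when, so the help desk and auditors can tell policy from a manual change.
            Set-ADUser -Identity $u -Description "Disabled by inactivity policy $(Get-Date -Format s); last logon $($u.LastLogonDate)"
            $finding.Action = 'Disabled'
        }
        $finding
    }
}

# Monitor first and review the report; switch to -Mode Enforce only once the exemption list is right.
Invoke-InactiveAccountPolicy -SearchBase 'OU=Finance,OU=Users,DC=corp,DC=example' -InactiveDays 45 |
    Format-Table -AutoSize
```

Running the same function in both modes is the point: the report produced in Monitor mode is exactly the set of accounts Enforce mode would disable, so there are no surprises when the switch is flipped. `-WhatIf` still works in Enforce mode for a final dry run.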

4. Reporting & Auditing

The word audit will send shivers down the spine of many experienced IT Pros, but the benefits cannot be denied. Several industries, most notably healthcare and government, have an absolute requirement for comprehensive audit procedures. Active Directory's native auditing has become more robust, but configuring it correctly (the right audit subcategories enabled on every domain controller, SACLs on the objects that matter, and Security logs sized so that events are not overwritten before they are collected) is a hurdle many organizations never clear. Even aggregating Security logs from the domain controllers across a large forest is a major undertaking without dedicated tooling.

Many third-party tools for managing Active Directory users provide a much higher level of reporting and auditing than native Active Directory, along with a more intuitive interface for accessing audit logs and managing auditable events. Organizations wishing to take their audit process a step further should look for a solution that can perform a set of actions when an auditable event occurs: sending a notification email, alerting the user to a possible audit violation, or whatever rule set best fits the scenario.
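The log aggregation and event-triggered notification just described, as an added PowerShell example that is not from any product on this page. It assumes the ActiveDirectory module, that the Audit User Account Management and Audit Security Group Management subcategories are enabled on the domain controllers, and a hypothetical SMTP relay and mailbox; the event IDs are the standard Windows Security log IDs for these operations.

```powershell
# Added example: collect account-lifecycle events from every domain controller's Security
# log, normalize them, and alert on the ones that should not wait for the daily report.
# Assumptions (not from the original article): auditing enabled on the DCs, and the
# SMTP relay / addresses below.
Import-Module ActiveDirectory

# Well-known Security event IDs for account lifecycle changes.
$EventNames = @{
    4720 = 'User created'
    4722 = 'User enabled'
    4724 = 'Password reset by admin'
    4725 = 'User disabled'
    4726 = 'User deleted'
    4728 = 'Member added to global group'
    4732 = 'Member added to local group'
    4740 = 'Account locked out'
}
# Events that should page someone rather than wait for the daily report.
$Critical = 4726, 4728, 4732

function Get-AccountAuditEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Get-WinEvent throws when a DC has no matching events; that is not an error here.
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = [int[]]$EventNames.Keys; StartTime = $since
        }
        foreach ($e in $events) {
            # Read the EventData fields by name instead of by index: the indexes differ per event ID.
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
            [pscustomobject]@{
                Time   = $e.TimeCreated
                DC     = $dc.HostName
                Id     = $e.Id
                Event  = $EventNames[$e.Id]
                Target = $d['TargetUserName']     # for group events this is the group name
                Member = $d['MemberName']         # populated only for 4728/4732
                Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            }
        }
    }
}

function Send-CriticalAuditAlert {
    param([object[]]$Events, [string]$SmtpServer = 'smtp.corp.example', [string]$To = 'secops@corp.example')
    $hits = @($Events | Where-Object { $_.Id -in $Critical })
    if ($hits.Count -eq 0) { return }
    $body = $hits | Sort-Object Time | Format-Table Time, DC, Event, Target, Member, Actor -AutoSize | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -To $To -From 'ad-audit@corp.example' `
        -Subject "AD audit: $($hits.Count) critical account event(s)" -Body $body
}

$all = Get-AccountAuditEvents -Hours 24
$all | Export-Csv -NoTypeInformation -Path ".\ad-audit-$(Get-Date -Format yyyyMMdd).csv"
Send-CriticalAuditAlert -Events $all
```

Querying every domain controller matters because a change is logged only on the DC that processed it; reading a single DC's log silently misses everything done against the others. The CSV is the daily record, and the mail is the "do something when an auditable event occurs" hook from the paragraph above; in a real deployment the same function would feed a SIEM rather than a mailbox.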

Choosing an Identity and Access Management Solution

Regardless of the size of your organization, there are numerous ways to tackle the complexities involved with managing users throughout their corporate tenure. While the importance of individual requirements may vary by industry, each of the areas of concern mentioned here is real for any enterprise. IT Pros in particular must use their expertise and leverage available technology in order to realize cost savings, as well as cost avoidance, for their corporation.

In an upcoming article, we'll delve into some of the tools available to help you close some of the gaps left by Active Directory, making your IT shop more efficient, secure, and cost effective. We'll focus specifically on the needs identified in this story, and how these third-party tools can make your job easier, and your enterprise more secure, when dealing with identity and access management.



2. Identity and Access Management Solutions: Top Picks

Active Directory, like many enterprise-level software products, is designed to be a one-size-fits-all solution. As such, there are several gaps out of the box that can make management of your organization's users problematic.

Now that you're aware of some of the deficiencies found in AD and how third-party identity and access management tools can solve them, let's take a look at some great third-party tools your company can leverage in order to improve efficiency and accuracy in managing your users' access.

1. Zohno Z-Hire & Z-Term

Not all of the tools we'll discuss fill every single need we've identified or have all the necessary features to solve the many identity and access management problems. However, the third-party tools featured here can remediate key problem areas for many organizations.

Z-Hire and Z-Term from Zohno provide limited automation when compared to some of the other competitors in this arena, but their focus is on streamlining the two major steps in the lifecycle of a user object: creation and de-provisioning of users.

Where many Active Directory tools require a management server, or at least a client install, Z-Hire and Z-Term are both essentially front-end applications backed by PowerShell. The result is an application that needs no client installation, though it must be run from a domain-joined Windows computer.

Z-Hire, intended to simplify the process of creating users, uses a template-based approach to Active Directory administration. Templates can be created and saved manually, or created from an existing user and then modified as needed. Multiple templates can be created in order to accommodate your organizational needs, and are defined primarily using standard fields found in Active Directory such as the user's name, contact information, and group membership. Z-Hire also allows you to define a custom script to be run when a user is created using a template, bringing the full weight of PowerShell to the equation.

Z-Term has many similarities to Z-Hire, such as the use of templates, though most organizations will be able to limit themselves to a few types of account de-provisioning. User objects can be disabled, moved to a specific Organizational Unit, their group membership revoked, or even their password reset. De-provisioning can be triggered immediately or can be scheduled for a later date.
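The de-provisioning steps the paragraph attributes to Z-Term (disable, reset the password, revoke group membership, move to a holding OU, run now or on a schedule), as an added PowerShell example rather than Zohno's code. It assumes the ActiveDirectory module, a hypothetical Disabled Users OU and record folder, and, for the scheduled variant, that the function alone has been saved as the hypothetical C:\Scripts\Deprovision.ps1 on the host that will run the task.

```powershell
# Added example: native de-provisioning. Assumptions (not from the original article):
# ActiveDirectory module, the OU and folder paths below, and the scheduled-task script path.
Import-Module ActiveDirectory

function Disable-DepartedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$DisabledOu = 'OU=Disabled Users,DC=corp,DC=example',
        [string]$RecordPath = 'C:\Deprovision',
        [string]$Ticket = ''
    )
    $u = Get-ADUser -Identity $Identity -Properties MemberOf
    if (-not $PSCmdlet.ShouldProcess($u.SamAccountName, 'De-provision account')) { return }
    $stamp = Get-Date -Format s

    # 1. Cut access first: disable, then rotate the password to a random value so that neither
    #    the departed user nor anyone they shared it with can reuse it anywhere it is cached.
    Disable-ADAccount -Identity $u
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    Set-ADAccountPassword -Identity $u -Reset `
        -NewPassword (ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force)

    # 2. Record the group list before revoking it, so a mistaken termination can be reversed
    #    and auditors can see what access the account held. The primary group cannot be removed.
    $groups = @($u.MemberOf)
    New-Item -ItemType Directory -Path $RecordPath -Force | Out-Null
    $groups | Set-Content -Path (Join-Path $RecordPath "$($u.SamAccountName)-$($stamp -replace ':', '').txt")
    foreach ($g in $groups) { Remove-ADGroupMember -Identity $g -Members $u -Confirm:$false }

    # 3. Explain the change on the object itself, then park it in the disabled-users OU.
    #    The move goes last because $u still carries the old distinguished name.
    Set-ADUser -Identity $u -Description "Deprovisioned $stamp ticket=$Ticket"
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $DisabledOu

    [pscustomobject]@{ User = $u.SamAccountName; GroupsRemoved = $groups.Count; MovedTo = $DisabledOu }
}

# Immediate de-provisioning (drop -WhatIf to apply):
Disable-DepartedUser -Identity jdoe -Ticket HR-1234 -WhatIf

# Deferred de-provisioning: a one-shot scheduled task that runs the same function at 17:00
# on the agreed last day (here: 14 days from now). Task Scheduler cmdlets need Windows 8 / 2012 or later.
$lastDay = (Get-Date).AddDays(14).Date.AddHours(17)
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument (
    '-NoProfile -ExecutionPolicy Bypass -Command "& { . C:\Scripts\Deprovision.ps1; ' +
    'Disable-DepartedUser -Identity jdoe -Ticket HR-1234 }"')
$trigger = New-ScheduledTaskTrigger -Once -At $lastDay
Register-ScheduledTask -TaskName 'Deprovision-jdoe' -Action $action -Trigger $trigger -RunLevel Highest
```

The ordering is the security-relevant part: disable and rotate the password before anything else, so that even if a later step fails (a group the running account cannot modify, an OU that was renamed) the account is already unusable. Whatever identity runs the scheduled task needs rights over the target user's OU and groups, which is itself a privileged account to protect.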

Pricing & Licensing: Zohno Z-Hire and Z-Term are licensed together and start at $250 for a perpetual license for up to 1,000 users.

2. Softerra Adaxes

Softerra has managed to put together a feature complete tool for automating identity management and providing secure user control over your Active Directory-based identities. From an automation standpoint, Adaxes features the ability to ensure properties meet corporate standards, such as computer or user names. Softerra also provides the tools to automatically perform actions at various points in the identity creation process through business rules. A sample business rule shows the ability to automate the creation of a user's home directory, Exchange mailbox, and Office 365 account after the user is provisioned.

In addition to excelling at automation, Softerra Adaxes provides highly customizable web portals for use by administrators, help desk personnel, and end user self-service. Each portal can be branded with a corporate logo and colors, and configured to provide only the desired options to each type of user. Account management requests can then be routed through a workflow process to ensure each request is validated and receives the appropriate level of approval.

Pricing & Licensing: Softerra Adaxes perpetual license begins at $1,600 for up to 100 users. Annual maintenance and support is available for $480 (also for 100 users).



3. Cayosoft Administrator Suite

Cayosoft's Administrator Suite includes several modules which allow you to perform a variety of tasks related to managing the lifecycle of user objects and enforcing corporate policies.

Admin Assistant, the core application, handles many of the automation and reporting features. The Suspend module is primarily used for managing user objects which have reached the end of their lifecycle, giving you a streamlined method of disabling or deleting the user account. Some of the features offered by the Suspend module, such as scheduled reactivation or retention periods, also require Policy Manager. While each of these modules is included in Administrator Suite, they can also be licensed individually.

The de-provision workflow offered by the Suspend module makes handling temporary or permanent account suspensions intuitive. Temporary account suspensions can be configured to automatically re-enable an account or to wait for administrator approval.

Admin Assistant provides several default rules which can be scheduled and enforced in order to manage default policies within your domain, such as automatically disabling inactive accounts. In addition to normal software updates, Cayosoft provides regular updates to its default rule sets, known as extensions. These rule sets can be downloaded and imported into Admin Assistant with just a few clicks.

Pricing & Licensing: Cayosoft perpetual license is $2.50 per user (Admin Assistant), and $2 per user (Suspend). Includes one year of support/maintenance (additional years are at 20 percent of license cost). Look for an announcement of a free year of Suspend (coming soon).

4. Dell Active Administrator

Active Administrator from Dell Software is a comprehensive toolset for managing various aspects of Active Directory, including replication, trusts, and Group Policy. Because Active Administrator is an enterprise-level tool, its feature set is focused on large businesses.

Managing inactive user or computer accounts is fairly straightforward within Active Administrator. Inactive objects can be disabled, moved to a specific OU, or have their passwords reset. Along the same lines, notifications can be sent for users approaching their account’s expiration date, or that of their password.
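The expiry notifications described above, as an added PowerShell example that is not Dell's code. It assumes the ActiveDirectory module and a hypothetical SMTP relay. It reads `msDS-UserPasswordExpiryTimeComputed` rather than adding the domain's maximum password age to `pwdLastSet`, so that users covered by a fine-grained password policy get the correct date.

```powershell
# Added example: warn users whose password or account expires within N days.
# Assumptions (not from the original article): ActiveDirectory module and the SMTP settings below.
Import-Module ActiveDirectory

function Get-ExpiringAccounts {
    param([int]$WithinDays = 14)
    $now = Get-Date
    $users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
                 -Properties 'msDS-UserPasswordExpiryTimeComputed', AccountExpirationDate, mail, Manager
    foreach ($u in $users) {
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        # 0 means "must change at next logon"; Int64.MaxValue means no expiry applies. Neither is a date.
        $pwExpiry = if ($raw -and $raw -lt [long]::MaxValue) { [datetime]::FromFileTime($raw) } else { $null }
        foreach ($kind in 'Password', 'Account') {
            $when = if ($kind -eq 'Password') { $pwExpiry } else { $u.AccountExpirationDate }
            if ($when -and $when -gt $now -and $when -le $now.AddDays($WithinDays)) {
                [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    Mail           = $u.mail
                    Manager        = $u.Manager     # DN, for a manager digest of expiring reports
                    Kind           = $kind
                    ExpiresOn      = $when
                    DaysLeft       = [math]::Ceiling(($when - $now).TotalDays)
                }
            }
        }
    }
}

function Send-ExpiryNotices {
    param([object[]]$Findings, [string]$SmtpServer = 'smtp.corp.example')
    # Users without a mail attribute (service or test accounts) still show in the report but get no mail.
    foreach ($f in $Findings | Where-Object Mail) {
        $subject = "$($f.Kind) expires in $($f.DaysLeft) day(s)"
        $body = "Your $($f.Kind.ToLower()) expires on $($f.ExpiresOn.ToString('yyyy-MM-dd HH:mm')). " +
                "Act before then to avoid losing access. This is an automated notice; do not reply."
        Send-MailMessage -SmtpServer $SmtpServer -From 'it-notify@corp.example' -To $f.Mail `
            -Subject $subject -Body $body
    }
}

$findings = Get-ExpiringAccounts -WithinDays 14
$findings | Sort-Object DaysLeft | Format-Table SamAccountName, Kind, ExpiresOn, DaysLeft -AutoSize
Send-ExpiryNotices -Findings $findings
```

Keep the notice free of links and of anything that asks the user to type a password: a routine "your password is about to expire" mail is one of the most imitated phishing lures, and a real notice that trains users to click through makes the fake ones more effective.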

Where Active Administrator really excels is in reporting and auditing. Rather than monitoring a single event log, or simply compiling a history of actions performed within the Active Administrator management console, it monitors each domain controller in order to maintain a comprehensive audit trail. To handle remote domain controllers, a software agent is deployed that forwards auditable events to Active Administrator. Beyond compiling an audit history, Active Administrator can be configured to notify an administrator immediately when a critical audit event occurs.

Pricing & Licensing: Dell Software Active Administrator perpetual license starts at $15.30 per user, and includes one year of maintenance. Additional maintenance can be purchased as well.


A clear takeaway from this article is that each organization should carefully evaluate their business needs when it comes to third-party identity and access management tools that tie into Active Directory administration. Each of these products offers a completely different set of features, and there are dozens more like them that offer a diverse set of tools.

Once some thought and discussion have been invested in a prioritized list of your requirements, you can then begin the process of evaluating the available solutions in order to determine which product best meets the needs of your company.