If you don’t have an IAM (Identity Access Management) system, get one!

Identity Access Management is a simple tool that looks difficult, even though standards exist to guide the authentication protocols. This post is for anyone who needs help getting their organization to adopt an IAM tool. Not all IAM tools are equal, so do your research and reach out to communities to gather feedback from potential users. One community I am part of is localhost; join if you want to chat with me there.

Identity Access Management (IAM) is an essential technology for all companies, especially Series A and B companies. It allows organizations to securely manage user access and authentication for applications and data, making it easier for employees to access the resources they need. IAM also enables single sign-on (SSO), which reduces the complexity and time spent logging into multiple applications. In addition, IAM helps maintain a single user profile across numerous cloud-based applications, reducing administrative overhead. Finally, IAM ensures compliance with privacy regulations, such as GDPR or SOC, by encrypting user data and ensuring it remains secure. Series A, B, or C companies are well funded, to an extent. Companies commonly spread the message that they are well funded, while start-ups actually live month to month or year to year. The distinction matters because security is usually the last thing that gets real investment. Everyone cares about security, but what you fund and how you fund it matters. For instance, many SaaS tools support SAML, OIDC, or API provisioning, but because SaaS companies charge more for that feature, it becomes too expensive for the organization. While I understand that feature could cost 50-100% more for the service, how much is your organization's security worth?

What are the options IAM systems use to manage user access?

Most IAM systems offer a few authentication methods:

  • SAML
  • OIDC
  • API
  • Bookmark

What do all of these authentication methods mean?

SAML (Security Assertion Markup Language) is a critical component of identity management, providing secure access to applications and data. SAML enables single sign-on (SSO), making it easier for employees to access the information they need quickly and securely, which can improve productivity and reduce security risks. Additionally, SAML allows companies that use multiple cloud-based applications to maintain a single user profile across various providers, reducing administrative overhead. SAML also helps ensure compliance with privacy regulations, such as GDPR, by ensuring that user data is encrypted and secure.

OpenID Connect (OIDC) is a protocol built on OAuth 2.0. OIDC supplies more information about the user during authentication. Here is a bit of light reading from openid.net: https://openid.net/connect/.

The API method uses a script, workflow, or insert your tool here to connect to an endpoint and manage user accounts programmatically.

While all of these options are ones that Series A, B, or C companies could utilize, they are not all equal. SAML, while pretty straightforward, can be complex depending on how the SaaS company implemented the protocol. OIDC is straightforward but falls into the same boat as SAML applications. API does require someone who knows APIs. These could be significant hurdles for companies that want to implement an IAM solution without the technical resources to guide the company.

A bookmark app is an application that doesn't offer SAML, OIDC, or an API endpoint to manage user access. Bookmark apps are the standard way people are used to working with all of their SaaS applications. The IAM tool stores the URL used to log in, so the user lands on the exact login page for the tool instead of having to search for it. While this may seem a bit archaic, all of these authentication methods, especially the bookmark, are essential.

All of these methods provide a digital footprint of what your users access. More importantly, when your users hit the lotto and leave your organization, you have a roadmap for what needs to be de-provisioned.

Here are a few reasons you want to pick up an IAM system.

  • Centralized User management
  • Simplified User Provisioning & Deprovisioning*
  • User blueprint
  • Secure authentication (SAML/OIDC/API)
  • Network Access Control
  • One Identity per user

While these advantages sound great, there are some challenges with implementing the IAM system:

  • Human Resources Information System (HRIS) compatibility
  • System Architecture
  • An administrator who understands SAML/OIDC/APIs
  • Log management

While there are more advantages and disadvantages, these are some key ones. The internal user experience is a complex set of processes designed to allow users to complete tasks with less friction. Less friction, because no process or experience is frictionless. Think of the everyday things you do: unlocking your phone, logging into your computer with a passcode or biometric, or logging into any web application. There is always another step you must take to complete the process. While these processes seem relatively straightforward, at one point folks might have thought that signing into your computer, email, or insert application here took a lot of work. With the implementation of an IAM system, many of these frictions cease to exist. User experience matters significantly in helping to improve how employees feel about the set of software at the company. The more comfortable people are with their tools, the more effective they can be in their role. That is why selecting an IAM system early in the company's growth is very important.

Most companies have a stack that looks similar to this:

  • Google Workspace/Microsoft Suite
  • Slack/Teams
  • Notion/Confluence
  • Jira/Notion/Airtable/Smartsheet/Github
  • Zoom/Hangouts/WebEx
  • Salesforce/CRM
  • Sales Tools(Gong/Bombora/SEMrush)
  • Marketing Tools(Marketo/Hevodata/Google Ads)
  • Finance Tools(Coupa/Quickbooks)
  • HR Tools(BambooHR/Justworks/Ultipro)

For example, what happens if this list grows to around 25-50 applications? Users must store and keep all of their usernames and passwords, hopefully securely, and remember all the URLs. IT must keep the same information, plus the license count, user access list, and account administration list, to mention a few. How long would it take to onboard or offboard someone in 50 different applications? If each application takes five minutes to provision or de-provision, hiring a single person will take four hours. Even if you cut this number in half, handling user creation or deletion would take two hours. Another question is how IT keeps track of who has access to what system. This example is why the advantages of an IAM system are worth the time and effort. An IAM system could automatically provision based on someone's role or responsibilities, called role-based access control (RBAC), which we will cover in another article. In this scenario, an IAM system could save time and effort and create an outstanding user experience for both the end-user and IT. The system will help reduce the friction of accessing applications and provisioning them. Most importantly, there will be a source of truth for the user and application database.

While the previous example might make it seem like an IAM system is a no-brainer, I want to focus on some of the challenges. Before procuring an IAM system, you want to verify the compatibility of your HRIS, or future HRIS, with the IAM system. This is essential because connecting your HRIS and IAM systems allows HR to influence the onboarding and offboarding experience. HR no longer waits for someone to create an account or has to find an IT person for a last-minute offboarding. Because the systems integrate via an API, the tedious work of creating accounts and cleaning them up takes less time. Another task is finding the right person to think through how to structure the applications, application groups, and user attributes. Attributes are what you can source from your HRIS: title, location, department, and even team. All of these items need to be thought through thoroughly, with an explanation of how the HRIS and its attributes affect downstream applications. Lastly, log management is essential. Because every login, change, application assignment, etc., is logged, being able to store those logs in another location is vital. A SIEM, ELK Stack, Splunk, etc., is critical for auditing system access. All of the items above are difficult and require a bit of thought, which means IT must hire right to avoid turning your IAM system into a nightmare.
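To make the HRIS-to-application flow concrete, here is an added example (not code from the post or from any of the IAM products it names) that models the idea of HRIS attributes driving application groups, computes the provisioning and de-provisioning roadmap when someone is hired, changes department, or leaves, and flags which changes still need a human because the app is only a bookmark. The attribute values, app names, and integration types are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data (not from the post): which SaaS apps each HRIS
# attribute value entitles a user to, and how the IAM tool integrates each app.
BASELINE_APPS = {"Google Workspace", "Slack", "Zoom", "Notion"}
DEPARTMENT_APPS = {
    "Sales": {"Salesforce", "Gong"},
    "Marketing": {"Marketo", "Google Ads"},
    "Finance": {"Coupa", "Quickbooks"},
}
MANAGER_APPS = {"BambooHR"}
# Bookmark apps expose no SAML/OIDC/API hook, so the IAM tool can only record
# them; a person still has to act on them during onboarding and offboarding.
INTEGRATION = {
    "Google Workspace": "API", "Slack": "SAML", "Zoom": "SAML", "Notion": "OIDC",
    "Salesforce": "SAML", "Gong": "Bookmark", "Marketo": "API",
    "Google Ads": "Bookmark", "Coupa": "SAML", "Quickbooks": "Bookmark",
    "BambooHR": "API",
}


@dataclass
class HrisRecord:
    """The attributes sourced from the HRIS, the source of truth for identity."""
    email: str
    department: str
    is_manager: bool = False
    active: bool = True  # False once HR marks the person as offboarded


def entitled_apps(rec: HrisRecord) -> set[str]:
    """Apps a user should hold, derived only from HRIS attributes."""
    if not rec.active:
        return set()  # offboarding: every assignment goes away
    apps = set(BASELINE_APPS) | DEPARTMENT_APPS.get(rec.department, set())
    if rec.is_manager:
        apps |= MANAGER_APPS
    return apps


def reconcile(current: set[str], rec: HrisRecord) -> dict[str, set[str]]:
    """Diff the user's current assignments against what the HRIS says, and
    separate out the changes that only a manual ticket can carry out."""
    target = entitled_apps(rec)
    changes = {"provision": target - current, "deprovision": current - target}
    manual = {app for app in changes["provision"] | changes["deprovision"]
              if INTEGRATION.get(app) == "Bookmark"}
    return {**changes, "manual": manual}
```

The `manual` set is the residue the SSO Tax leaves behind: every app in it is one that still costs IT five minutes per person per lifecycle event.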

* I should note that this only works if the SaaS applications support provisioning and de-provisioning. SSO is a massive issue in the industry today, as many SaaS apps charge the SSO Tax or don't see these features as part of their offering. Check out this website to learn about the SSO Tax: https://sso.tax/

I've given you a lot of information about IAM, authentication methods, advantages, and challenges. Still, I want to close out with a more practical thought. Without an IAM system, onboarding, offboarding, and application management can, depending on the company, easily consume someone's day, or at minimum six hours of the work day. With an IAM system properly set up with HRIS integration, attribute sorting, and documented applications for roles and teams, an organization could reduce this time to two hours a day. Think what your IT resources could do with four hours of their day not being dedicated to user lifecycle management. Those extra hours could improve IT security, update an ERP system, or support any other part of the organization. What would the team do with an extra twenty hours a week because the IAM system performs the tedious tasks automatically?

Identity Access Management (IAM) is a crucial technology for companies to securely manage user access and authentication for applications and data. IAM enables single sign-on (SSO) and maintains a single user profile across multiple applications, reducing administrative overhead. It also ensures compliance with privacy regulations such as GDPR by encrypting user data. This blog post is for anyone needing help implementing an IAM solution in their organization. Not all IAM tools are the same, and it's essential to research and gather feedback from potential users. Authentication methods offered by most IAM systems include SAML, OIDC, API, and bookmarks. SAML and OIDC are straightforward but can be complex depending on the implementation. API requires technical resources to guide the company. Bookmarks are a standard way for users to access their SaaS applications and provide a digital footprint of what users access. Implementing an IAM system brings advantages such as centralized user management, simplified user provisioning and de-provisioning, a user blueprint, secure authentication, and network access control. However, there are challenges such as HRIS compatibility, system architecture, and finding an administrator who understands SAML/OIDC/APIs. Selecting an IAM system early in the company's growth is essential to improve the internal user experience and make employees more effective in their roles.

Here is a list of IAM tools to investigate if you are in the market for an IAM solution.

  • Okta
  • Ping Identity
  • Jumpcloud
  • Google Workspace
  • Azure Active Directory
  • Active Directory
  • Onelogin
  • Rippling
  • Auth0
  • YeshID (a new one coming to market soon)

If you have any questions or want to chat about this, please do not hesitate to contact me or leave a comment.