IAM Tools

Security is at the fore of every business’s online presence; it is at the core of every organization’s network administration strategy. They always need to know who has access to their digital resources.

It is, therefore, within their interest to leverage every solution available to them – be it software, hardware, or service – to ensure the safekeeping of their data and networks. Among these options, one of the best ways to ensure network security is with the help of Identity Access Management (IAM) tools.

Here is our list of the best IAM tools:

  1. SolarWinds Access Rights Manager EDITOR’S CHOICE An AD interface that also provides security features, such as data loss prevention and threat hunting. This tool also provides logging and auditing tools for data standards compliance. Start a 30-day free trial.
  2. ManageEngine ADManager Plus (FREE TRIAL) This software package offers a way to unify the management of many AD instances, across utilities, such as file systems, Microsoft 365, and Skype. Runs on Windows Server. Start a 30-day free trial.
  3. ManageEngine ADAudit Plus (FREE TRIAL) This is a system activity logging service for user activities in environments that implement sensitive data protection by interfacing with Active Directory. Runs on Windows Server. Start a 30-day free trial.
  4. Microsoft Azure Active Directory – From the makers of the most used operating system platform, which means it can easily be implemented on most networks and integrates well with existing access control systems.
  5. Oracle Identity Cloud Service – A cloud IAM from another major technology company, one that specializes in database software and middleware and knows the importance of securing its products and the data they hold; it comes with advanced features.
  6. IBM Security Identity and Access Assurance – another major IAM that works well in on-premises, cloud, and hybrid networking environments; it works well in the background without monopolizing resources.
  7. SailPoint IdentityIQ – an identity management solution that works in both cloud and on-premises environments which also uses AI and machine intelligence to ensure future-proof security.
  8. Ping Identity – a popular choice, this IAM is an advanced solution that works for any device and can handle millions of accounts, making it a favorite among financial and banking institutions.

What are IAM tools?

IAM is short for Identity and Access Management. As the name suggests, these tools are used to administer the access rights of an organization’s employees and customers.

They basically handle four main aspects of a connection attempt:

  • Access – determine if the user trying to log in is actually allowed to do so.
  • Permission – if access is granted, they are assigned an authority that determines what part of a network, which application, or what database they will be allowed to access.
  • Roles – the user account will be assigned a specific role that will determine what they will be able to do with the allowed asset: read, write, execute or all.
  • Tracking – finally, the tools keep an eye, and report, on account activities across the system to make sure no one is misusing their privileges or abusing the rights they have been granted.
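To make the four aspects concrete, here is an added, deny-by-default model of an access decision in Python. It is illustration code written for this page, not code from any product reviewed here; the account names, roles, resources, and the `MiniIAM` class are all constructed for the example. Authentication (access) checks a salted password hash, authorization (permission and roles) consults a per-resource role table where anything unlisted is denied, and every decision, allowed or not, lands in an audit list (tracking).

```python
"""Added example, not code from any product on this page: a deny-by-default
model of the four aspects described above. All names, roles, and resources
are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Roles: which operations each role may perform on which resource.
# Anything not listed here is denied (least privilege).
ROLE_PERMISSIONS = {
    "payroll-db":   {"hr-analyst": {"read"}, "hr-admin": {"read", "write"}},
    "build-server": {"developer": {"read", "execute"}},
}


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked credential store is not directly reusable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset
    enabled: bool = True


def new_account(name, password, roles, enabled=True):
    salt = secrets.token_bytes(16)
    return Account(name, salt, hash_password(password, salt), frozenset(roles), enabled)


class MiniIAM:
    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}
        self.audit = []  # Tracking: every decision, allowed or denied, is recorded.

    def _record(self, who, resource, action, allowed, reason):
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "account": who, "resource": resource, "action": action,
            "allowed": allowed, "reason": reason,
        })
        return allowed

    def authenticate(self, name, password):
        """Access: is this a real, enabled account presenting the right secret?"""
        acct = self.accounts.get(name)
        if acct is None or not acct.enabled:
            return self._record(name, "-", "login", False, "unknown or disabled account")
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            return self._record(name, "-", "login", False, "bad password")
        return self._record(name, "-", "login", True, "ok")

    def authorize(self, name, resource, action):
        """Permission + Roles: may this account perform `action` on `resource`?"""
        acct = self.accounts.get(name)
        if acct is None or not acct.enabled:
            return self._record(name, resource, action, False, "unknown or disabled account")
        role_table = ROLE_PERMISSIONS.get(resource, {})
        for role in acct.roles:
            if action in role_table.get(role, set()):
                return self._record(name, resource, action, True, f"role {role}")
        return self._record(name, resource, action, False, "no role grants this action")

    def denied_events(self):
        """Tracking: the denials an auditor or a SIEM rule would look at first."""
        return [e for e in self.audit if not e["allowed"]]


def demo():
    # Constructed directory: a disabled account models a departed employee.
    iam = MiniIAM([
        new_account("alice", "correct horse", ["hr-analyst"]),
        new_account("bob", "battery staple", ["hr-admin", "developer"]),
        new_account("carol", "left-the-company", ["hr-admin"], enabled=False),
    ])
    results = {
        "alice_login": iam.authenticate("alice", "correct horse"),
        "alice_bad_pw": iam.authenticate("alice", "wrong"),
        "carol_login": iam.authenticate("carol", "left-the-company"),
        "alice_read_payroll": iam.authorize("alice", "payroll-db", "read"),
        "alice_write_payroll": iam.authorize("alice", "payroll-db", "write"),
        "bob_write_payroll": iam.authorize("bob", "payroll-db", "write"),
        "bob_exec_build": iam.authorize("bob", "build-server", "execute"),
        "alice_exec_build": iam.authorize("alice", "build-server", "execute"),
        "bob_unknown_resource": iam.authorize("bob", "crown-jewels", "read"),
    }
    results["denials"] = len(iam.denied_events())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point worth noticing is that a disabled account fails at the access step even with the right password, and that a resource missing from the role table is denied for everyone; real IAM products add workflow, federation, and reporting on top of exactly this kind of decision record.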

Of course, these are the overall tasks that are undertaken by an IAM. There are tools that come with many more functionalities and security features. They may also have different, proprietary ways of tackling the same issue.

Advantages of using an IAM tool

An organization that uses an IAM tool can expect the following advantages:

  • Minimized risks of data breaches
  • Enhanced control over their user accounts’ accesses and privileges
  • Access control that drills right down to individual applications, APIs, and services
  • Cloud-based access and control over users and applications located anywhere in the world
  • Better user experience with features like SSO and customized interfaces
  • Cross-organization onboarding made seamless – even when the organizations have disparate systems in place
  • Building brand trust by securing the organization, for a better reputation as a compliant, reliable, and trustworthy business

What to look for in an IAM tool

Basically, a good IAM tool should be able to answer three questions:

  • Who is allowed access? All accounts need to be verified before they are granted any access.
  • Which account should have access to what? It should be able to allocate the correct roles and privileges to each user account and allow them the exact required rights and nothing more.
  • How are they using that access? Once users are allowed access, they need to be monitored to see if there are any problems with accessing resources or if accounts are being used with malicious intent.

An IAM should also offer the following features:

  • Cross-application and cross-network authentication
  • Enforcement of password and usage policies with ease
  • Ease of implementation and administration of the tool
  • Reduced IT costs, by cutting the time spent administering user accounts or by moving the job to the cloud entirely
  • Ability to work with all systems on a network including legacy ones
  • The capability of handling thousands – if not millions – of accounts spread across the globe, and without a glitch
  • Help achieve compliance with regulations like HIPAA and GDPR which require strict security rules

The best IAM tools

What criteria should you have in mind when choosing identity access management tools?

We reviewed the market for identity access management software and analyzed the options based on the following criteria:

  • A service that can interface with Active Directory or LDAP implementations to improve user account management
  • A system that is able to analyze device permissions to improve security
  • A single point of access to manage several access rights management instances
  • User activity monitoring
  • Tight access controls to the IAM itself
  • A free trial for a risk-free assessment period or a money-back guarantee
  • Value for money in the toolset offered for the price

1. SolarWinds Access Rights Manager (FREE TRIAL)

SolarWinds ARM Analyze

SolarWinds Access Rights Manager checks all of the boxes for a top-drawer IAM tool. This package doesn’t just manage access rights, it also categorizes resource sensitivity, audits resource access, and identifies vulnerable accounts. It is a data loss prevention system and data compliance auditing tool as well as an access rights management system.

The main function of the Access Rights Manager is to deliver greater control over user credentials than the standard interface of Active Directory can provide. Although the Access Rights Manager isn’t able to force Active Directory to perform more functions than its interface allows, it is able to extend its capabilities beyond those of AD by examining the relationships between resources and users and examining user account activities.

SolarWinds Access Rights Manager Accounts

The Access Rights Manager runs on Windows Server and its main focus is on Active Directory, so it manages all of the systems that AD creates access rights for. This includes OneDrive, file servers, Microsoft 365, SharePoint, and Exchange Server. It is also able to manage Azure AD (see next section).

Key Features:

  • Front-end for AD object management
  • Domain controller replication
  • Compliance reporting
  • Password management
  • Credentials distribution

SolarWinds Access Rights Manager is suitable for businesses that need to show compliance to data security standards, including:

  • GDPR
  • HIPAA
  • PCI DSS

An analysis module in SolarWinds Access Rights Manager adds cybersecurity threat hunting features. These include insider threat detection through the identification of anomalous account behavior. The service will also identify dormant or abandoned accounts; overlooked, inactive accounts give hackers a better chance of breaking into the system and should be eliminated.

The service logs failed log-in attempts to identify hacker activity and reports on illogical mappings between account usage and the account holder’s physical location, to spot user accounts that may already have been compromised.
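The three checks just described (dormant accounts, bursts of failed log-ins, and log-ins whose locations do not make sense together) are simple enough to show in code. The following is an added example written for this page, not SolarWinds code or output; the log format, account names, countries, thresholds, and the `run_checks` function are all constructed assumptions, and it runs over an embedded set of sample logon records rather than a real Active Directory event log.

```python
"""Added example (not code from SolarWinds or any product reviewed here): three
account-hygiene checks of the kind described above, run over constructed logon
records. Record format is assumed: "<ISO timestamp> <account> <SUCCESS|FAILURE> <country>"."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample logon records.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z alice SUCCESS US
2024-03-01T08:05:00Z bob SUCCESS DE
2024-03-01T08:30:00Z bob SUCCESS BR
2024-03-01T09:00:00Z mallory FAILURE US
2024-03-01T09:00:10Z mallory FAILURE US
2024-03-01T09:00:20Z mallory FAILURE US
2024-03-01T09:00:30Z mallory FAILURE US
2024-03-01T09:00:40Z mallory FAILURE US
2024-03-01T09:00:50Z mallory FAILURE US
2023-11-01T10:00:00Z dave SUCCESS US
"""

# Constructed list of every enabled account in the directory; "erin" has never logged on.
ALL_ACCOUNTS = ["alice", "bob", "dave", "erin", "mallory"]

# Constructed "current time" for the dormancy check.
NOW = datetime(2024, 3, 2, tzinfo=timezone.utc)


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, outcome, country = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "account": account, "outcome": outcome, "country": country,
        })
    return events


def dormant_accounts(events, all_accounts, now, max_idle_days=90):
    """Accounts with no successful logon within max_idle_days, or none ever."""
    last_ok = {}
    for e in events:
        if e["outcome"] == "SUCCESS":
            last_ok[e["account"]] = max(last_ok.get(e["account"], e["time"]), e["time"])
    cutoff = now - timedelta(days=max_idle_days)
    never = datetime.min.replace(tzinfo=timezone.utc)
    return sorted(a for a in all_accounts if last_ok.get(a, never) < cutoff)


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` failures inside any sliding `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["outcome"] == "FAILURE":
            by_account[e["account"]].append(e["time"])
    flagged = []
    for account, times in by_account.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(account)
                break
    return sorted(flagged)


def location_anomalies(events, window=timedelta(hours=2)):
    """Successful logons by one account from two countries within `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["outcome"] == "SUCCESS":
            by_account[e["account"]].append(e)
    hits = []
    for account, evs in sorted(by_account.items()):
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["country"] != cur["country"] and cur["time"] - prev["time"] <= window:
                hits.append((account, prev["country"], cur["country"]))
    return hits


def run_checks(text=SAMPLE_LOG, accounts=ALL_ACCOUNTS, now=NOW):
    events = parse_events(text)
    return {
        "dormant": dormant_accounts(events, accounts, now),
        "failed_bursts": failed_logon_bursts(events),
        "location_anomalies": location_anomalies(events),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(name, finding)
```

Note that the dormancy check is driven by the full account list, not by the log: an account that appears only in failures, or never appears at all, is reported as never used, which is exactly the kind of overlooked account the paragraph above says should be removed.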

The features in the SolarWinds Access Rights Manager save time and reduce demands on technicians, thus squeezing greater efficiency out of specialist human resources. The tool enables tech management to be centralized and creates a comprehensive enterprise-wide view of all identity-related issues.

Pros:

  • Provides a clear look into permission and file structures through automatic mapping and visualizations
  • Preconfigured reports make it easy to demonstrate compliance
  • Any compliance issues are outlined after the scan and paired with remediation actions
  • Sysadmins can customize access rights and control in Windows and other applications

Cons:

  • SolarWinds ARM is an in-depth platform designed for sysadmins, which may take time to fully learn

SolarWinds offers the Access Rights Manager on a 30-day free trial.

EDITOR'S CHOICE

The SolarWinds Access Rights Manager is our top choice for an identity and access management tool because it centralizes Active Directory management and simplifies AD usage. This tool is also an important security system for a business because it includes data loss prevention and insider threat protection.

Start 30-day Free Trial: solarwinds.com/access-rights-manager/

OS: Windows Server

2. ManageEngine ADManager Plus (FREE TRIAL)

ManageEngine ADManager Plus

ManageEngine ADManager Plus is a system that can provide a front end for multiple instances of Active Directory. Those AD implementations can cover different services, such as NTFS storage, Microsoft 365, and your network permissions system.

Key Features:

  • Domain controller coordination
  • Bulk account actions
  • Password policy enforcement
  • Account cleanup

Unifying all of your AD systems into one console enables you to create consistent user accounts across environments and keep control over who has access to what. This is a particularly useful requirement for businesses that need to prove data privacy standards compliance.

Centralizing the management of Active Directory in your enterprise enables you to ensure that there is consistency in IAM across environments and resources and ADManager Plus includes guides to support the creation of a meaningful access management strategy.

ManageEngine ADManager Plus Reports

The ManageEngine ADManager Plus system is offered in three editions and the first of these is Free. The Free edition is limited to managing 100 objects and it will give you full user account and device permission coordination across instances, just like the paid versions. You also get more than 200 report templates with this edition.

All versions of ADManager Plus run on Windows Server. Those who want cloud services can get this system in the AWS Marketplace and in the Azure Marketplace. The two paid editions are Standard and Professional. The Standard edition gives you all of the instance coordination services you need to centralize all account management functions in one console. The higher plan, the Professional edition, adds workflow automation, server management, and GPO control.

Pros:

  • Coordinates between several AD implementations through a single console
  • Manages Microsoft 365, Exchange, Skype, file servers, and Google Workspace accounts
  • Automatically identifies stale accounts and also enforces password policies

Cons:

  • No ManageEngine-hosted cloud version

You can assess ManageEngine ADManager Plus with a 30-day free trial.

ManageEngine ADManager Plus Start a 30-day FREE Trial

3. ManageEngine ADAudit Plus (FREE TRIAL)

ManageEngine ADAudit Plus

ManageEngine ADAudit Plus is a system control service that enforces data privacy and shows compliance with data security standards, including GDPR, GLBA, HIPAA, PCI DSS, and SOX. The service checks on all activity on a network, servers, and applications with specific attention paid to data access.

Key Features:

  • User behavior analysis
  • File integrity monitoring
  • Compliance reporting

The tool is able to identify possible insider threats and account takeover incidents through a user behavior analytics module. This logs all activity for each account and spots changes in behavior. As well as writing findings to file for reporting, the service will raise an alert to notify technicians of an ongoing data breach event.

The name of ADAudit Plus can be a little confusing. This service isn’t about auditing Active Directory. Instead, this is a system activity auditor that uses Active Directory as a user account reference. The tool will track any changes made in AD to ensure that hackers or disgruntled technicians can’t weaken account controls.

ManageEngine ADAudit Plus Alerts

ManageEngine ADAudit Plus is an on-premises software package that installs on Windows Server. There is also a cloud version available on the AWS Marketplace and on the Azure Marketplace. The system is offered in three editions: Free, Standard, and Professional. The Free edition is not a free trial – it is free forever. It is not a full copy of the Standard edition, however – it has fewer functions. This free tool is limited to monitoring activities on 25 workstations.

The Standard edition gives you full data protection controls, including USB controls and file integrity monitoring. The package tracks activities on servers, workstations, and file systems. It also includes extensive activity logging and compliance reporting.

The Professional edition has all of the functions of the Standard plan but adds on GPO controls, AD change tracking, and account lockout analysis.

Pros:

  • Alerts for suspicious activity
  • Controls on access to sensitive data
  • Compliance reporting

Cons:

  • No ManageEngine-hosted cloud version

ManageEngine ADAudit Plus is available for a 30-day free trial.

ManageEngine ADAudit Plus Start a 30-day FREE Trial

4. Microsoft Azure Active Directory

Microsoft Azure AD dashboard

Microsoft joined the IDaaS (Identity as a Service) market in 2014, and that move eventually led to Azure Active Directory. Being a Microsoft product makes this the IAM tool best suited to Windows and the servers that run it; it offers best-in-class integration with Windows Server Active Directory.

Key Features:

  • Cloud based
  • Integrated with Microsoft SaaS products
  • Manages large volumes of accounts

Azure Active Directory is Microsoft’s comprehensive, cloud-based IAM solution. It can manage the access rights of thousands of login accounts with ease. It also allows for a single authorization credential with which all members of an organization can access and launch their cloud apps, whatever operating system they choose.

Microsoft Azure AD Users Performing Consent

Because it is a Microsoft product, Azure AD smoothly integrates with existing on-premises AD domains, with any applications running in the cloud, and with remote users that connect via the internet.

With Azure Active Directory users can log in and access resources in:

  • External resources: this IAM provides a robust set of capabilities to manage users and help them securely access cloud applications and services like Microsoft Office 365, the Azure portal, and thousands of other SaaS applications, including non-Microsoft ones.
  • Internal resources: it also manages access of local applications on a corporate LAN or intranet as well as private cloud apps that have been developed in-house

Azure AD is for:

  • IT administrators: they can use it to control access to apps and resources, based on internal business requirements.
  • App developers: they can use it as a standards-based approach for adding single sign-on (SSO) authentication to their apps, allowing it to work well with a user’s pre-existing credentials; this IAM tool also provides APIs that can help build personalized UI experiences with existing organizational data.
  • Microsoft 365, Office 365, Azure or Dynamics CRM Online subscribers: anyone using one of these applications or SaaS is already using Azure Active Directory by default; this means, they can immediately start managing access to other integrated cloud apps.

You can purchase it as a stand-alone application, but it is also an integral component of Microsoft 365, Office 365, Azure, and Enterprise Mobility + Security.

Microsoft offers Azure Active Directory for free as well as premium with additional features.

Pros:

  • Designed to work and integrate with other Microsoft products and on-premise AD environments
  • Uses the same format and similar permission structure as other Microsoft products
  • Designed to scale – can manage thousands of user accounts

Cons:

  • Only offers cloud-based hosting

5. Oracle Identity Cloud Service

Oracle Cloud - add Identity Provider

Oracle’s Identity Cloud Service (IDCS) is an IAM that comes as part of Oracle Public Cloud (OPC) – Oracle Cloud, for short – which is its free cloud service catering to businesses’ needs ranging from data storage and networking services to application testing space and much more.

Key Features:

  • Cloud based
  • Cross-platform
  • Interfaces to AD instances

IDCS helps organizations get better, centralized control of users’ access to their local digital assets, PaaS, and SaaS.

The IDCS is a highly scalable IAM service because it is built on micro-services that run their own processes when connecting to assets or while working with data. This makes it an ideal choice for businesses that are always transforming or growing.

When IDCS is combined with Oracle Identity Manager (OIM) – which oversees the lifecycle of identities from start to finish – they form the ultimate IAM solution for any environment: cloud, on-premises, and hybrid.

Oracle Identity Cloud Service - Login Attempts

The need for IDCS becomes apparent when, for example, an organization has Oracle PaaS as well as other custom-built, on-premises applications that need to be provided with SSO functionality. With this IAM they get one that caters to any device: mobile, tablet, laptop, or desktop on any network architecture.

And that’s not all; Microsoft operating systems are everywhere – Windows is the most used operating system in the world. A business that needs to integrate such a system into Oracle Cloud, or vice versa, can use Microsoft Active Directory (AD) Bridges to, well, build a bridge between AD and IDCS.

This means IDCS synchronizes with AD – whenever there is a new, updated, or deleted user or group record in AD, the change is reflected in the IDCS records.

And it’s not just AD; this IAM platform scales out to a suite of industry-leading platforms, applications, and services – including identity management solutions – like:

  • Social media platforms: Facebook, Twitter, Google
  • SaaS: AWS, Google Suite, Slack
  • Web or native apps: by using SDKs for Android, iOS, Java, Python

Finally, IDCS is a joy to work with and it makes the life of administrators easier with features like:

  • Customizable UIs: apart from simply sending out notifications and password policy messages, admins can customize the interfaces of sign-in pages and even the IDCS console itself.
  • Self-service password, profile management: administrators can create separate self-registration profiles, approval policies, or applications in IDCS.
  • Easy syntax and GUIs: human-readable role, access, and rights assignments make it easy to manage accounts and assets.

This IAM service is enabled, for free, and works seamlessly across the whole Oracle Cloud infrastructure.

Pros:

  • Simple interface that provides insight into user permissions, inherited rights, and access controls
  • Offer options for cloud, on-premise, or multi-cloud environments
  • Can sync/integrate with a wide variety of products and services

Cons:

  • Is specifically designed for enterprise use – not the best option for smaller organizations

There is a free version of Oracle Identity Cloud Service for customers that subscribe to Oracle Software-as-a-Service (SaaS), Oracle Platform-as-a-Service (PaaS), and Oracle Cloud Infrastructure only.

6. IBM Security Identity and Access Assurance

IBM Cloud Identity My Apps

IBM Security Identity and Access Assurance is a “silent” IAM that works in sync with an organization’s processes and operations, so users on the network won’t even notice it is running in the background.

Key Features:

  • Access rights for accounts and groups
  • Multi-factor authentication
  • Single sign-on

This service controls access to multiple platforms, including cloud and on-premises systems. The tool will also manage VPN credentials. The IBM system is good for compliance reporting and threat intelligence because it tracks all activity per user, protects sensitive data stores, and spots anomalous behavior, which could indicate account takeover. Account lifecycle management is taken care of through on-boarding, inactive account detection, and notifications for removal at the point of an employee’s departure.

This is in contrast to other approaches to IAM that put security in the face of the user. With “silent security” identity and access management are done quietly, in the background, without interfering with systems’ performance or a good UX on a network.

A feature that stands out with this IAM is its ability to protect privileged accounts. It allows for the protection and management of privileged accounts in an organization with enterprise-grade password security and privileged access management.

IBM Cloud Identity Dashboard

It also discovers, secures, and manages these “super” accounts’ passwords to protect them from abuse and misuse.

For organizations that want to take their security to the next level, this IAM also offers password-less authentication by supporting login methods like using biometrics, Face ID, Touch ID, email, or SMS one-time-passwords, and soft tokens.

The story doesn’t end at login; this IAM goes on to monitor user accounts throughout the session. It can discreetly verify users’ identities when they log in and as they remain in session. It uses AI and analytics to make smarter, better-informed decisions to modify users’ access, in case there are outliers or accounts with conflicting privileges.

Pros:

  • Provides a multitude of services designed for frictionless IAM
  • Offers SSO, MFA, and access control from a single dashboard
  • Generous 90-day trial

Cons:

  • Many features cater to larger businesses – smaller organizations may not use all features and tools

You can try IBM Cloud Identity for 90 days on a free trial.

7. SailPoint IdentityIQ

SailPoint IdentityIQ Data Resources

SailPoint’s IdentityIQ is its flagship IAM solution. IdentityIQ is well-regarded for its strong identity governance and provisioning capabilities. It can be used as both a stand-alone, on-premises installation or as an Identity-as-a-Service (IDaaS) solution.

Key Features:

  • Cross-platform access management
  • Onboarding automation
  • Compliance reporting

The IDaaS option would be the better choice for organizations that prefer their IAM to be handled by professionals without hiring cyber-security experts of their own.

SailPoint IdentityIQ Dashboard

IdentityIQ is able to interface to a long list of applications to manage access to them and it also has control over data stores. Systems that the tool manages access to include Microsoft Azure, Google Cloud Platform, Amazon Web Services (AWS), SAP, and Salesforce. It is possible to import objects from Active Directory, Azure AD, and Ping Identity.

User onboarding can be set up as an automated workflow, which removes the risk of administrators overlooking important steps or keeping new employees off the system through the pressure of work. That onboarding process creation is guided by a wizard.

IdentityIQ is a particularly good choice for businesses that work in sectors that face very strong scrutiny over sensitive data management. For example, it is suitable for use in the health care sector, and it can interface with medical industry systems such as Cerner Device Connectivity and Epic. The IAM can protect access to devices and patient data, even during the movement and exchange of data between applications, securing electronic health records (EHR).

Compliance enforcement and reporting is tailored towards the specific requirements of a standard that you specify in the settings of the IAM. Choices include CCPA, FISMA, GDPR, HIPAA, and SOX.

You can add on another SailPoint package, called Predictive Identity, to improve the performance of IdentityIQ’s access control services through the use of artificial intelligence.

Pros:

  • Offers an on-premise version or IAM as a subscription service
  • Features highly customizable and easy to navigate dashboards
  • Integrates with numerous enterprise platforms

Cons:

  • No free version available – must ask for a demo

Although SailPoint offers no free version of IdentityIQ, they do have a link where interested clients can ask for a demo.

8. Ping Identity

PingIntelligence Dashboard

With Ping Identity we have another market leader in the IAM domain. Its solution is an ideal choice for organizations looking to enhance the security of their cloud-based assets without compromising their customers’ UI. The tool can also be used to control access to on-premises and hybrid systems.

Key Features:

  • Multi-factor authentication
  • Single sign-on environment
  • Controls many types of devices

Ping Identity can be used to authenticate any type of device – mobile, tablet, laptop, or desktop. The tool can integrate with other IAM systems, including Active Directory, Azure AD, CA Technologies, Oracle, and IBM.

Onboarding can span multiple networks, even integrating the user accounts of associated businesses, while enabling separate administration. This could be a useful tool for managed service providers to create user management for client companies.

Companion security tools from Ping Identity include PingAccess for API security, PingDirectory to store user profile information, PingOne to seamlessly integrate applications, and PingDataGovernance for data access management.

Ping Identity dashboard

The best thing about Ping Identity is that it can be used to manage millions of identities. This is probably why it is one of the most-used IAM systems in the banking and finance worlds.

Pros:

  • Options for on-premise, cloud, or hybrid environments
  • Supports SSO, MFA, and authentication enforcement
  • Simple and intuitive dashboards

Cons:

  • Focused on enterprise companies – not the best choice for smaller networks