We just raised a $30M Series A: Read our story

Top 8 Access Management Tools

Azure Active DirectoryOkta Workforce IdentityForgeRockSymantec SiteminderAuth0Oracle Access ManagerOneLogin Workforce IdentityUserLock
  1. leader badge
    The user functionality enables us to provide different levels of access, across many applications, for each user. We can customize the access level and set a security level in connection with that access. For instance, we can require MFA. That is a feature that helps enhance our security posture a lot.
  2. leader badge
    The solution so far has been very stable. The product requires very little maintenance.
  3. Find out what your peers are saying about Microsoft, Okta, ForgeRock and others in Access Management. Updated: September 2021.
    542,029 professionals have used our research since 2012.
  4. The solution is very scalable. We have a lot of users that have been increasing over the years that we have been using it. We have approximately 20,000 users.
  5. It's quite scalable.The solution is easy to use for our managers.
  6. The most important thing for me is compliance. Everything that they have developed in Auth0 is already certified by many regulators such as ISO. So, we do not need to take care of that. We have the shared responsibility model to share assets with other products we are using in the cloud.
  7. From a technical perspective, the solution is very good we can operate and control the user by ourselves.Once it is set up, it is easy to use and it integrates with most of the products on the market.
  8. report
    Use our free recommendation engine to learn which Access Management solutions are best for your needs.
    542,029 professionals have used our research since 2012.
  9. The solution's ability to save and manage of all my passwords is great.Ease of integration with AD.
  10. The most valuable features are two-factor authentication and real-time logon monitoring.Detecting and responding to security threats by blocking the user is a valuable feature.

Advice From The Community

Read answers to top Access Management questions. 542,029 professionals have gotten help from our community of experts.
Rony_Sklar
Hi peers, What role does IAM play in preventing data breaches? What are the risks associated with not using an IAM solution?
author avatarAhmad Zuhdi
Real User

Absolutely! IAM is so important to prevent a data breach. With IAM we can make sure only the right user can access the right DATA. If there is a privilege abuse or lateral movement action, IAM will inform us and we can take an action to investigate, block or prevent it.

author avatarAmimesh Anand (Cognizant)
Real User

There could be 2 types of action that can be taken to measure the data breach


1) Proactive, where management decides the policy and a team implements those policies to avoid a data breach. Like DlP, Firewall along with IDAM.


2) Passive: where you take action to avoid as much data loss you can. Here the management is mostly interested in who, from where and why tried to brach data. Documentation and announcement is an important role here.


Now coming to IDAM :


IDAM makes policies, where an admin has control to implement who, when and how will access your data and at what level.


IDAM also segregates the duties of each employee so that everyone has accountability for work done.


If we look at the access part, IDAM will ensure that only authorized people have access to your application including the level of access decided by an admin.


In short, IDAM is a solution to all the actions a user or employee can take on your data and how they can view your data. it will help you to clearly divide the threat and real user( either outsider or insider)

author avatarSteveAndrews
Real User

Since cybercrime is on the aggressive rise, and our organizations working practices have evolved from on-premise with some VPN to full remote workers - the security perimeter around physicals buildings with firewalls has moved down the list of importance. No the security perimeter is around your individual users, and the key foundation security elements are Identity & Access Management.  To determine and confirm a user is who they say they are! Identity & Access Management feeds into all other security products which are layered on top so it's critical to have one that addresses all your needs and is somewhat future proofed - as this landscape is constantly changing.


Couple of question to ask yourself - 


What is your current security landscape related to identity?


What are your greatest security concerns related to identity?


What are your top three desired improvement areas?



Cheers!



Steve

Rony_Sklar
Insider data breaches can be a real problem in businesses. One way to address this issue is by implementing an identity and access management solution.  What tips do you have for ensuring that one's identity and access management solution is effective?
author avatarChris Bunn (IS Decisions)
Vendor

The simplest and most common activity for every insider threat action is the logon. Nearly all threat actions require a logon using internal credentials. Endpoint access, lateral movement between endpoints, external access via VPN, remote desktop access, and more all share the common requirement of a logon.


Remember also that almost every external attack eventually looks like an insider. The use of compromised internal credentials is the most common threat action in data breaches.


To ensure the best out of any access management solution, think around five primary functions – all working in concert to maintain a secure environment. 




  • Two Factor Authentication – Regulating user access involves authentication to verify the identity of a user. But authentication using only a strong user name and password doesn’t cut it anymore. Two-factor authentication combines something you know (your password) with something you have (a token or authenticator application).


  • Access Restrictions – Policies can be added on who can logon when, from where, for how long, how often, and how frequent. It can also limit specific combinations of logon types (such as console- and RDP-based logons).


  • Access Monitoring – Awareness of every single logon as it occurs serves as the basis for the enforcing policy, alerting, reporting, and more.


  • Access Alerting – Notifying IT - and users themselves - of inappropriate logon activity and failed attempts helps alert on suspicious events involving credentials.


  • Access Response – Allows IT to interact with a suspect session, to lock the console, log off the user, or even block them from further logons.


The potential insider threat scenarios that are now thwarted include:



  • It protects exploited users (from phishing attacks or malicious colleagues) with controls that make genuine but compromised employee logins useless to attackers.

  • It out-rightly restricts certain careless user behavior such as password sharing, shared workstations left unlocked, or logging into multiple computers.

  • Access to any data/resource is now always identifiable and attributed to one individual user. This accountability discourages an insider from acting maliciously, ensures a quick response to suspicious activity, offers evidence to address violations that do occur, and makes all users more careful with their actions.

author avatarEnrique Leon, CISA
Real User

With experience in both IT and Audit, I can say the answer most often leads to a tried and true combination of preventative and detective mechanisms/controls. These two methods though very different help with achieving the goal of minimizing breaches and detecting them so the right action is triggered when a breach does occur. Since every business has to place on a scale cost vs risk, unless the business has endless monies, there will be some risks too expensive to prevent so you must have the means to detect and then react with the goal of minimizing the exposure and learning from it.


A ridiculous example but proves my point: Every employee has a second or third employee watching and validating every action carried out by the first employee to ensure no data breaches. So the risk is minimized and maybe even eliminated but the cost is more than most companies will ever contemplate. I will leave alone the topic of collusion since that is more than we can explain in this short answer. Now remove the 3rd watcher person and reduce the 2nd by 50% to save money but scope the first person's actions. If the first employee's actions are limited by the roles assigned (in a system or manual), the activity carried out by the employee is controlled and scoped which in turn limits risk. The remainder is added to detective mechanisms such as DLP in a system or even a human reviewing (maybe sampling) the first person's activities.


It is a roundabout way to say, you need a combination of both types of controls where access is scoped and monitored. Where the availability of the data is limited to the degree cost-effective and then the less costly but less reliable detective means are used.

author avatarJoeValero
Real User

The premise of any effective Identity and Access Management solution is that 100% "Trust" exists.  Unfortunately, trusting someone to the "keys of the kingdom" is best left to Hollywood, while ensuring the business stays afloat in the real world requires that a robust zero trust mechanism be implemented.  New employees, whether experienced or fresh out of school,  do not have the luxury of developing the level of trust that can be deemed "100%".  

author avatarEnrique Leon, CISA
Real User

There are easily a dozen low hanging fruit and I would start with the none tech vector: data owners and stewards. Then comes the education and policy dissemination of the company’s stand on data loss. After a move to the tech implementation to detect common signs such as DLP identifying when large and frequent data transfers via email, copy to external drives which include cloud and thumb. 

author avatarMark Adams
Real User

Once you've selected the right solution for your business, you need to make the implementation a formal project and involve all key stakeholders, including those from the business, not just IT folks. Identify all of your information assets, classify them based on sensitivity and criticality (e.g. Public, Internal Use Only, Confidential, and Restricted), then create rules for the granting, revocation and modification of access to those assets. Once that is done and everyone is aware of the policies and procedures governing access, you can implement the solution accordingly. Post-implementation you will want to have a process in place for periodic review of access based on applicable regulatory, audit and security requirements. You may have to create custom reports if the canned reports are not sufficient. Data owners should be involved in the review since they are usually in a better position to determine if individual's access is still legitimate. 

author avatarJoeValero
Real User

Bearing in mind that 100% trust is impossible, it is best to get to zero trust as soon as possible within the confines of your company's risk appetite and with the best tools your company can afford.  There are many Identity and Access Management products and services out there - choose wisely and carefully. 


Access Management Articles

Rony_Sklar
IT Central Station
Members of the IT Central Station community are always happy to take a few minutes to help other users by answering questions posted on our site. In this Q&A round-up, we’re focusing on our users’ answers about SIEM, Identity and Access Management, and the Differences between Hyper-converged… (more)


Members of the IT Central Station community are always happy to take a few minutes to help other users by answering questions posted on our site. In this Q&A round-up, we’re focusing on our users’ answers about SIEM, Identity and Access Management, and the Differences between Hyper-converged Infrastructure vs Converged Infrastructure.

Which is the best SIEM tool for a mid-sized enterprise financial services firm: Arcsight or Securonix?

One of our users was looking for SIEM recommendations, and was specifically looking at ArcSight and Securonix. As always users were very helpful, and suggested possible tools based on their own experience.

ArcSight appeared to be the popular recommendation between the two tools; One user, Himanshu Shah, suggested that Securonix may be better suited for a mid-sized business as ArcSight “works on EPS (Events per second) costing”, which can become costly. Users also suggested looking at other options, such as QRadar, Splunk, and LogRhythm.

However, Consulta85d2 responded, “Neither, or both. Having done literally thousands of SIEM deployments, I can tell you from experience that the technology choice isn’t the most important choice. The critical choice is in the resources and commitment to manage and use the system.”

Aji Joseph held similar sentiments and highlighted the key role that the SoC team plays: “The success of SIEM solutions depends a lot on the expertise of the SoC team that will be managing the alerts generated by SIEM solutions.” He also suggested evaluating the forensics capabilities of the various solutions before buying.

What are some tips for effective identity and access management to prevent insider data breaches?

Insider breaches can be a real issue in businesses. Users gave advice on how to effectively implement Identity and Access Management to tackle this issue.

Mark Adams, a Senior Manager, IT Security and Compliance / CISO at a large construction company, gave great advice for implementing a solution, noting that it’s important to “make the implementation a formal project and involve all key stakeholders, including those from the business, not just IT folks.” He gave practical tips, including identifying and classifying all information assets and creating rules for access to those assets. He also highlighted the importance of reviewing access periodically. He stated, “Data owners should be involved in the review since they are usually in a better position to determine if individuals’ access is still legitimate.”

What are the key differences between converged and hyper-converged solutions?

Users helped to clarify key differences between hyper-converged (HCI) and converged infrastructure. Based on the users’ answers, the key differences revolve around ease of use, flexibility, and price.

HCI solutions are typically more expensive, but have significant advantages. Steffen Hornung pointed to the scaleout nature of HCI, noting that “add more nodes to the system to support new workloads without losing Performance because you add all types at once (compute, storage and networking).”

Dan Reynolds summarised the appeal of HCI really well, pointing out that it’s a complete solution: “Hyper-converged is typically an “all in one box/rack” solution. It consists of compute, storage & network resources all tied together physically (and through software)….You don’t have to architect it. All you have to know is how much “power” you need (what you want to do with it).” In contrast, he noted that “with converged infrastructure (which can still be ‘software defined’) you have to match and configure the components to work together.”

Thanks, as always, to all the users who are taking the time to ask and answer questions on IT Central Station!

IT Central Station is here for you, to learn and help your peers. In a market full of vendor hype, we enable you to get real, unbiased information from people like you.

Do you have a question that you’d like to ask our IT Central Station Community? Ask now!

(less)
Rony_Sklar@Himanshu Shah ​@Consulta85d2 ​@Aji Joseph ​@Mark Adams ​@Steffen Hornung ​@Dan… more »
Find out what your peers are saying about Microsoft, Okta, ForgeRock and others in Access Management. Updated: September 2021.
542,029 professionals have used our research since 2012.