IAM for midmarket companies
Spoiled for Choice
Up to now, identity and access management (IAM) has mainly been the domain of larger organizations, but organizations of all sizes need to manage digital identities (not only those of their employees) and the associated access authorizations efficiently and effectively. However, the chronic shortage of IT personnel in the midmarket makes it crucial for these organizations to define their IAM requirements precisely and select the right providers.
IAM has a reputation for being complex; this opinion is sometimes justified, but by no means always true. This rumored, presumed, or perceived complexity, together with the typically small IT teams in the midmarket, often makes organizations reluctant to venture into the discussion. However, IAM is important for many reasons: security; regulatory compliance; more efficient processes for employees, business partners, and customers; simple yet secure access to systems and applications; and, last but not least, administrative efficiency.
The popular definition of the midmarket includes medium-sized companies with 51 to 1,000 employees and larger medium-sized companies with 1,001 to 10,000 employees. In the larger midmarket, genuine IAM infrastructures are very often already in place for managing users and access authorizations (IGA, identity governance and administration), for access control (access management with authentication and identity federation), and in some cases, for monitoring and controlling access by highly privileged users (PAM, privileged access management).
Smaller companies, on the other hand, often have only technical administration tools, for example, the Quest Active Roles server for Microsoft Active Directory (AD). IT managers then tend to manage permissions for applications integrated with Active Directory through AD groups, while managing all other applications manually. Sometimes specialized solutions for individual business applications such as SAP are in place (e.g., SAP Access Control).
New Requirements Make IAM Essential
However, these products are not up to the task in most cases, not least because requirements are growing and IT environments are changing. To begin with, every organization is a potential target for cyberattacks. Attackers are always looking to gain control of user accounts in order to steal data, distribute malware, or launch further attacks. That is only one aspect, however: IT landscapes in small and mid-sized enterprises (SMEs) are also changing because of the increasing use of cloud services, with a tendency to use more services overall – often for specialized tasks. For each of these services, users and permissions need to be managed securely.
Additionally, the role of Active Directory, used in most midmarket companies, is changing. With the introduction of Microsoft 365, companies started using Azure Active Directory (AAD) and Microsoft Entra [1], which means that, for what is often a long transition period, two central directory services have to be run and managed side by side, adding to the complexity that IAM can help reduce.
One issue that no midmarket company in any sector can afford to underestimate, but especially in the manufacturing industry, is the demand from important customers for certification in line with the ISO 2700x standards. These standards also require a working IAM. Even if the requirement can be covered in a basic way with manual processes, certification is easier to achieve if organizations use suitable IAM applications.
This applies even more to companies in the critical infrastructure sector, where the requirements for IT security management, and therefore also for user and authorization management, have been tightened significantly. Following the German KRITIS (critical infrastructure) revisions, the focus has increasingly shifted to medium-sized companies as well, where a working IAM has become practically mandatory.
The topic of Industry 4.0 (the convergence of information and operational technology systems for the seamless generation, analysis, and communication of data) is also directly related to IAM – on the one hand for access control in the manufacturing environment itself and on the other hand for securing the business systems that interface with production systems, thereby reducing the risk of attacks on production.
Most importantly, it's not just about employees, but also access by (and applications for) business partners and, especially, customers and consumers. Virtually all organizations are facing growing demand to provide more digital services, which are increasingly at the core of business models. The digital identities of customers and consumers need to be managed, as does employee access to these services.
The Right Amount of IAM for the Midmarket
How much IAM is feasible for the midmarket and which aspects of IAM are genuinely needed? IAM is very diverse, as a look at reference architectures shows (Figure 1), but what parts of it do SMEs really need?
IGA includes tools for user lifecycle management and technical identity provisioning, that is, the creation, modification, and deletion of user accounts in target systems, complemented by support for access governance (e.g., the recertification of authorizations). These are core areas of IAM. Within IGA, however, the priority for SMEs is having standardized processes for the essential tasks (e.g., creating users, handling department changes, and deleting users), supporting simple authorization requests and reviews, and being able to connect the critical target systems. For midsize companies in particular, connecting target systems can turn into a challenge, because many vendors support the common business applications of large enterprises but not midsize solutions. Providers specializing in SMEs (e.g., Tenfold) can be an alternative.
Access management is also a must: centralized control of authentication; support for multifactor authentication and, where possible, passwordless login; and integration with target applications. This integration requires not only support for common identity federation standards such as OAuth, OpenID Connect [2], and the Security Assertion Markup Language (SAML), but also web access management for legacy applications.
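To make the IGA core tasks concrete, here is an added example (not from the article or any of the vendors it names) of the two checks every lifecycle process rests on: a joiner/mover/leaver reconciliation between an HR feed and the accounts of one target system, and a recertification report for entitlements whose last owner review is missing or too old. The HR feed, account store, and certification dates are constructed sample data; the field names and the 180-day review interval are assumptions.

```python
from datetime import date

# Constructed sample data (hypothetical): what a connector would pull from HR
# and from one target system, here a CRM with two security groups.
HR_FEED = {
    "u100": {"dept": "Sales", "status": "active"},
    "u101": {"dept": "Finance", "status": "active"},   # moved from Sales
    "u102": {"dept": "Sales", "status": "terminated"},  # left the company
    "u103": {"dept": "IT", "status": "active"},         # new hire, no account yet
}
ACCOUNTS = {
    "u100": {"dept": "Sales", "groups": {"CRM_Users"}},
    "u101": {"dept": "Sales", "groups": {"CRM_Users", "CRM_Admins"}},
    "u102": {"dept": "Sales", "groups": {"CRM_Users"}},
    "svc_old": {"dept": "", "groups": {"CRM_Admins"}},   # no owner in HR
}
# Date on which the group owner last confirmed each grant (constructed).
LAST_CERTIFIED = {
    ("u100", "CRM_Users"): date(2023, 1, 10),
    ("u101", "CRM_Admins"): date(2022, 11, 1),
    ("u101", "CRM_Users"): date(2023, 5, 2),
}

def reconcile(hr, accounts):
    """Joiner/mover/leaver reconciliation: HR is the authoritative source."""
    active = {u for u, r in hr.items() if r["status"] == "active"}
    joiners = sorted(u for u in active if u not in accounts)           # provision
    leavers = sorted(u for u in accounts if u in hr and u not in active)  # deprovision
    orphans = sorted(u for u in accounts if u not in hr)               # no owner: review
    movers = sorted(u for u in active if u in accounts
                    and accounts[u]["dept"] != hr[u]["dept"])          # re-evaluate rights
    return {"joiners": joiners, "leavers": leavers, "orphans": orphans, "movers": movers}

def recertification_due(accounts, certified, today, max_age_days=180):
    """Grants that were never certified or whose certification is older than the interval."""
    due = []
    for user, acct in accounts.items():
        for group in sorted(acct["groups"]):
            last = certified.get((user, group))
            if last is None or (today - last).days > max_age_days:
                due.append((user, group))
    return sorted(due)

if __name__ == "__main__":
    print(reconcile(HR_FEED, ACCOUNTS))
    print(recertification_due(ACCOUNTS, LAST_CERTIFIED, date(2023, 6, 30)))
```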
In addition to these building blocks, admins also need to think about a suitable customer IAM (CIAM) application, especially where companies are developing many of their own digital services. Which products are best suited here depends heavily on the application scenarios. Where many custom applications are created, developer-focused tools that provide APIs for identity functions such as user registration and authentication make the most sense (e.g., Okta [3] and Auth0 [4]).
The use of PAM in SMEs is also important, although nowhere near as widespread. However, some of today's IAM offerings include integrated PAM features, at least for basic functions. Established PAM providers such as Delinea are on the market, alongside smaller specialists with comparatively lean and easy-to-implement products in their portfolios. Some vendors, such as Microsoft or EmpowerID [5], offer several of these functional areas from a single source in an integrated platform.
Planning IAM Carefully
Each of the topics mentioned above is a project in its own right, which makes it important to plan the introduction or modernization of IAM carefully and not take on too much. Of course, the only way to ensure that a sensible overall solution is created is to make a roadmap – a precise definition of where the company wants to go and which projects are part of the IAM program.
The first step for IT managers is to consider whether individual solutions or a suite of products are more suitable to cover as many areas as possible from a single source. Microsoft and Okta, but also EmpowerID or N8 Identity, are some of the vendors that cover multiple functional areas in a comparatively lean application.
On the other hand, specialists in each of the sub-segments are also highly suitable for SMEs. When it comes to access management in particular, many cloud services beyond Microsoft and Okta can be implemented easily. Besides One Identity, OneLogin, and Ping Identity, there are European providers such as Nevis, Ergon, United Security Providers, and Ilex. IGA manufacturers with many references in SMEs include European providers such as Omada and Beta Systems, as well as SME specialists such as Tenfold and OGiTiX.
In terms of sequence, the typical starting points are either access management to enable secure user access by multifactor authentication and identity federation or IGA for basic lifecycle and authorization management functions. Both are fine as long as the IT manager has a clear plan for the step-by-step implementation of the other functions, too.