Choosing the Right Provider

As is already clear from the list of vendors in the examples above, many companies supply platforms suitable for SMEs. Depending on your specific requirements, though, you might need to turn to large-scale, leading IAM providers. Where companies develop digital services of high complexity, ForgeRock [6] is an interesting option, especially in terms of CIAM requirements. For complex regulatory requirements, market-leading IGA vendors such as SailPoint [7], One Identity [8], or IBM are relevant options, even for the smaller midmarket.

In addition to the target image is the matter of defining your own requirements, both in terms of the required functionality and the target systems to be connected. This dataset can then be used to compare providers. Taking a closer look at the products and having them demonstrated is also important to understand whether they meet the requirements and what the internal IT team can do to help.

In essence, the providers can be divided into five categories (Figure 2):

Figure 2: The focal areas of use of different types of IAM tools, looking at criticality and complexity of requirements.

• Cloud-integrated solutions from the major cloud providers: Both Microsoft and Google offer IAM functionality in tight integration with their respective Office platforms. These platforms can also provide the foundation for organization-wide IAM, especially in the case of Microsoft with its coverage of all major IAM functional areas.
• Plain vanilla identity as a service (IDaaS) (i.e., IAM products from the cloud). These solutions are now offered by almost all IAM vendors and have the advantage that the overhead required for setup, customization, and operation is significantly lower than for traditional local tools. This solution also makes applications that were previously considered too complex for the midmarket as on-premises variants an option in this market segment.
• IAM systems in the various sub-segments that can be used locally and that bundle multiple functions or are generally comparatively simple and lean in use.
• Complementary solutions for managing Azure AD and Entra and on-premises AD, where the vast majority of target applications interact with these systems anyway.
• Specialized IAM with a midmarket focus, often characterized by the fact that it also has many interfaces to typical business applications in the midmarket.

The IAM market is very large, so I can only list the vendors by way of example at this point. In any case, I recommend doing detailed research, whether on the Internet or by calling in an analyst to identify suitable providers.

Different applications are required as a function of the complexity and criticality (i.e., the regulatory requirements in particular). Where regulatory pressure is high and environments are complex, (e.g., in KRITIS-relevant companies), classic IAM or IDaaS from established providers is more in demand; otherwise, cloud-integrated or specialist products for SMEs, for example, might be the better choice.

The two most important criteria for selection are defining your own requirements and taking the time to ensure a good overview of the market. You can then select the products, check them against your requirements, view demos, and, if necessary, perform a proof of concept.

Conclusions

Because IAM projects are costly, IT managers need to invest both time and money to identify the right product. One thing is certain: Mistakes in terms of product selection are far more time-consuming and expensive than well-planned and -executed product selection. When defining requirements, it is important to have realistic goals. What is really needed and what is manageable? Simple authorization models and a simple recertification instead of sophisticated functions are usually the better choice. Also important is for manufacturers to include standard features, such as predefined processes and reports. References in the SME sector are also an important criterion.

Additionally, those responsible for IT should be supported, both in the selection of products and in project implementation, by suitable partners, who – depending on the phase – offer market knowledge or implementation expertise, especially in SMEs. If you get it right and the setup is carefully considered, IAM is feasible and controllable even for medium-sized businesses, where IAM is more important than ever.