Workforce Trends Demanding a Reimagined Approach to IAM
As the business landscape rapidly evolves, organizations are faced with industry specific and broader workforce trends that demand a reimagined approach to identity and access management (IAM).
1. Remote and Hybrid Work
In today's dynamic work environment, employees operate from diverse locations, including the office, home, and other remote setups. This paradigm shift presents several challenges for businesses, such as equipping employees with the necessary technology for seamless remote and hybrid work while fostering a culture of trust and collaboration in a distributed workforce.
2. Employee Experience
Employee experience (EX) encompasses every interaction an employee has with their employer, spanning from the initial job application to the farewell party. A positive digital EX translates to higher employee engagement, productivity, and retention rates. Enterprises must prioritize the creation of a positive digital EX for their workforce to retain job satisfaction and attract top talent.
3. Zero Trust Security Model
The growing interest and adoption of the Zero Trust security model requires organizations to explicitly verify users, devices, and access at each stage of the user journey. Traditional perimeter-based security approaches are no longer sufficient in defending against today’s threat landscape.
4. Cloud Adoption
As organizations migrate to cloud services, integrating and managing access across hybrid and multi-cloud environments presents significant challenges. The growing number of applications essential for business-critical tasks increasingly reside across the enterprise.
5. Partner Ecosystems
To foster growth and capitalize on new opportunities, enterprises are developing partner value-added services and delivered through integrations and partner ecosystems. This new way of doing business necessitates capabilities that extend organizational IT infrastructures and integrate applications and services.
6. Organization-wide Attacks
Cyber attacks that include phishing, account takeover (ATO), fraud, and ransomware continue to advance in sophistication, frequency, and severity. Proactive measures to safeguard valuable systems and data are needed. Enterprises must make strategic investments in robust identity security technology to protect their assets from cyber threats.
7. Artificial Intelligence and Machine Learning
Employees are increasingly leveraging AI/ML to automate routine tasks and improve productivity. While specific policies around generative AI are still being formed, AI is reshaping how organizations operate and engage their workforce, driving efficiency and innovation.
8. IT and Security Fatigue
Security and compliance demand the human element for appropriate organizational control, which extends across all employees, IT, and security teams. Employees are increasingly fatigued with unnecessary MFA prompts and cumbersome IT policies, while IT and security professionals are at record levels of burnout. The rapid pace of technological change and the need for constant vigilance contribute to high stress and overwhelmed employees.
9. Mergers and Acquisitions
Mergers and acquisitions (M&A) activity is on the rise as organizations seek to expand their market presence, diversify their offerings, and gain a competitive edge. In a rapidly changing business landscape, M&A provides a strategic avenue for growth and consolidation. However, M&A also presents IT security and organizational challenges, such as disparate systems, networks, and data.
10. IoT Expansion
The adoption of Internet of Things (IoT) devices in the workplace is experiencing significant growth, revolutionizing how organizations operate and interact with their environment. From smart sensors to connected devices, the increasing integration of IoT in the workplace offers transformative possibilities for organizations across various industries.
A modern, enterprise-grade workforce identity platform is needed to address the challenges of today’s rapidly evolving digital workplace. A modern workforce identity platform enhances security, while improving workforce productivity, operational agility, and regulatory compliance, making it a critical investment for any forward-thinking organization.
How to Evaluate IAM Providers for Today’s Workforce Requirements
Unfortunately, meeting today’s workforce and organizational demands presents real challenges to current IT architectures and legacy IAM systems. What’s needed are digital identity capabilities purpose-built to meet not only today’s challenges, but also tomorrow’s. However, not all IAM platforms are the same. This makes the selection process more difficult.
When evaluating IAM providers, Ping Identity recommends a three-step evaluation process organized by basic, intermediate, and advanced capabilities.
This evaluation guide lists key basic, intermediate, and advanced digital identity components and provides definitions and request for proposal (RFP) questions to help you differentiate solutions during your evaluation process.
Step One: Basic Workforce IAM Capabilities
As a first step in your evaluation process, compare providers for each basic component using the included RFP questions.
Single Sign-On (SSO)
SSO is a user authentication service that allows users access to multiple apps, services, and systems with one set of login credentials.
Standards used for SSO include SAML, OpenID, and OpenID Connect (OIDC). These standards facilitate the exchange of user authentication and authorization data across secure domains.
SSO helps provide a frictionless user experience, resulting in stronger business growth and a competitive advantage.
Questions to Ask Providers:
- Does the provider offer single sign-on (SSO) based on SAML and OpenID Connect?
- Does the platform enable integration with legacy applications that do not support modern identity standards?
- Does the platform enable Windows Single Sign-On using Kerberos?
- Does the platform mandate the installation of agents?
Federated SSO
Based on trusted relationships between organizations, federated SSO gives users secure access to an organizations’ web properties and applications using a single account; it also enables organizations to conduct business securely with third parties. Federated SSO uses open standards such as OAuth, WS-Federation, WS-Trust, OIDC, and SAML to pass authentication tokens between the organizations’ identity providers.
Federated SSO helps organizations know who is interacting with them, what they’re enabled to do, and trust that the interaction is secure. This results in improved security and compliance.
Questions to Ask Providers:
- Does the provider offer federated SSO based on open standards such as OAuth, WS-Federation, WS-Trust, OIDC, and SAML?
Multi-Factor Authentication (MFA)
MFA is a method of validating a user’s identity through multiple authentication mechanisms. MFA asks for additional credentials when authentication takes place under centrally defined risky or suspicious conditions. Authentication mechanisms include something the user knows, something the user has, and something the user is. For example, access is only granted after a user enters their password (what the user knows) and a numeric code sent by text to their phone (something the user has).
MFA helps organizations know who is interacting with them, what they’re enabled to do, and trust that the interaction is secure. This results in improved security and compliance.
Questions to Ask Providers:
- Does the provider offer MFA?
- What MFA mechanisms do they offer?
Authorization
As part of access control within a digital identity solution, authorization is the function of determining if a user has permission to access a specified resource(s), such as a website(s), record(s), document(s), and so on.
Authorization helps organizations know who is interacting with them, what they’re enabled to do, and trust that the interaction is secure. This results in improved security and compliance.
Questions to Ask Providers:
- What types of authorization methods and access controls are offered by the provider?
Identity Store
As part of directory services, an identity store is a repository for identity (user or connected thing) attribution data. Stored identity data should be encrypted both while at rest and in transit. Also, as a best practice, it is good to have an embeddable repository that can easily share real-time employee, device, and user identity data across multiple environments. Additionally, from a hosting perspective, identity stores should include high availability, performance, and security.
Importantly, the identity store should be fully compliant with LDAP v3 and should integrate seamlessly with any directory. This allows organizations to easily share real-time employee, device, and user identity data across multiple environments, enabling organizations to integrate that data into their existing application environment securely and easily, allowing for a seamless user experience.
Questions to Ask Providers:
- Does the platform’s identity store encrypt data both at rest and in transit?
- Does the platform offer fractional and multi-master replication?
- Can the identity store scale to support data from hundreds to millions of identities, including devices and things?
- Does the platform’s identity store comply with LDAP v3 and integrate seamlessly with any directory?
Provisioning
A part of authorization, provisioning is the process of managing roles and entitlements that are assigned to specific users, devices, or things based on organizational policy and structure (such as job function, title, and geography), as well as assigning and removing entitlements and resources.
Importantly, more sophisticated workforce IAM platforms will offer automated provisioning and workflow-driven provisioning. See the Strategic Components table below for details.
Questions to Ask Providers:
- Does the provider offer provisioning capabilities?
- Can the platform manage previously disparate data repositories, network applications, and user data stores anywhere in the infrastructure stack?
- Can the platform provision and assign relationships to users, devices, and things?
- Does the platform support a “least privilege” security model by decentralizing control with delegated administration?
Workflow-Driven Provisioning
Workflow-driven provisioning is based on a set of steps within a business process that need to be done during the creation, update, or deletion of a user’s account. These workflows could involve simple manager approval to grant new access or a complex multi-step process that involves pulling information from other systems to verify the user and perform multiple levels of approvals.
Within workforce IAM, workflows visually organize identity synchronization, reconciliation, and provisioning into repeatable processes with logging and auditing for reporting purposes. This ensures that a standard policy is followed for granting or removing any access to users without having to perform email or paper-based approvals.
Importantly, within identity management, workflows are part of the provisioning process. The key to any workforce identity management solution is the ability to provide workflow-driven provisioning activities.
Questions to Ask Providers:
- Does the provider have the ability to integrate simple and complex workflow operations into user provisioning, deprovisioning, and access requests?
- Does the provider incorporate best practices in workflows by offering standard templates?
- Does the provider offer the ability to customize the workflows easily to meet business needs?
Step Two: Evaluate Providers for Intermediate Capabilities
IAM platforms should go beyond the basics and incorporate intermediate workforce IAM capabilities. For Ping’s answers to these questions, please request a copy of the Workforce IAM RFP Workbook.
Workforce Passwordless Authentication
Passwordless authentication for workforce eliminates the user interactions with passwords and reduces the attack surface for malicious actors. It is easy to provide passwordless capabilities to web based applications with modern standards. Organizations, however, have workstations, servers, databases, VPNs, and other legacy infrastructure that need the same passwordless experience. Delivering passwordless authentication to both modern applications and legacy infrastructure seamlessly is critical to reducing risk and lowering operational costs.
Questions to Ask Providers:
- Does the platform support multiple passwordless authentication methods (e.g., biometrics, tokens, mobile push notifications, FIDO)?
- Does the platform support integration with Windows, macOS, and Linux for workstation passwordless login?
- Does the platform integrate with legacy applications (RADIUS, Kerberos, mainframe, non-standard apps)?
Governance Administration
Governance administration is the process that allows organizations to monitor and ensure that user access rights are accurate and securely managed. This is typically done by allowing a manager or application owner to review the access of users in the system and then letting them certify that individual users should continue to have that access or deny that access so it can be immediately removed. This helps ensure that the right people have the right access to the right services at the right time.
Many regulations like Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) mandate that access review be part of the organization's standard security practice.
Questions to Ask Providers:
- Does the provider offer the ability to review and certify user access periodically to ensure that users have the right access?
- Does the provider have the ability to perform access reviews on an ad-hoc or event-driven basis, such as when a user changes roles?
- Does the provider offer the capability for a multi-step access review process so that more than one reviewer can verify the user access?
- Do governance administration capabilities integrate tightly with the provisioning solution so that any access that is denied is immediately revoked?
Delegated Administration
Delegated administration allows identity administrators to give selected individuals the capability to create, manage, and delegate the management of employee accounts and access rights, as well as other fine-grained administrative tasks on managed objects. This delegation of administrative duties allows individual lines of business to efficiently manage their own teams without having to depend on the central IT team, significantly improving their agility.
Questions to Ask Providers:
- Does the provider offer delegated administration?
Self-Service
Self-service refers to allowing users to manage their accounts on their own rather than relying on an organization’s support staff. Examples of self-service include managing login preferences, password management, updating contact information, searching for and requesting additional access, and so on. Self-service not only reduces support costs, it also improves user experience.
Self-service empowers users by giving them more control and choice and reducing their dependency on central IT teams.
Questions to Ask Providers:
- Does the provider offer self-service?
- What self-service capabilities does the provider support?
- Does the provider allow users to search and request additional access for themselves?
- Does the provider allow users to request access on behalf of others?
No-Code Identity Orchestration
Traditional authentication and authorization methods include usernames and passwords, as well as third-party validated data elements, such as social security numbers and birthdates. Yet, in a Zero Trust security model, it is assumed that these authenticators may be compromised. Additionally, traditional methods hinder good user experience.
To provide secure, effortless user journeys, an IAM provider should provide organizations with a no-code identity orchestration tool. With a drag and drop workflow interface, the no-code tool allows administrators to easily assemble and adjust workflow for steps such as registration, authentication, authorization, self-service, etc. in the users’ journeys. This capability means users will receive highly tailored and personalized user experiences across channels and brands.
No-code identity orchestration also gives administrators the ability to build authentication workflows that easily configure, measure, and adjust user login journeys using digital signals including device, contextual, behavioral, user choice, analytics, and risk-based factors. Administrators can also quickly consume out-of-the box authenticators, utilize existing authenticators, and integrate with other cyber security solutions.
Questions to Ask Providers:
- Does the platform offer a single orchestration engine across registration, self-service, and authentication, or does the administrator need to learn multiple tools to build user journeys?
- Does the platform allow registration, authorization, and authentication journeys to be easily created, viewed, and changed with no-code drag and drop functionality through workflows?
- How does the platform pre-identify a user’s digital signal such as location, IP address, device type, operating system, browser type, and more before a username is even collected?
- Does the platform include transactional authorization for high-risk transactions within a session?
Support for a Single View of Identities
Most employees, contractors, partners, and vendors interact with an organization across many different apps for things like HR, marketing, accounts payable, and so on. There may be user data integration between some apps, but, on the whole, each app and its data about a user is siloed across an organization. This presents difficulties in fully understanding a user from a 360-degree view. This includes knowing all their access rights, preferences, usage, potential risks, and more.
In order to gain a complete picture of your users and how they interact with your organization, modern IAM uses identity management and directory services products to synchronize, migrate, and manage identity data across an organization’s system environment. With a single view of a user, you can:
- Consolidate user identities and increase their security with behavioral, contextual, and risk-based authentication and authorization policies.
- Standardize and unify the user experience across the organization on any app and any device (omnichannel).
- Conduct analytics on users to better understand their access and associated risks.
Questions to Ask Providers:
- Can the platform integrate with other systems in order to consolidate identity data silos to create a single view of the user organization-wide?
- Can the platform provide live, bidirectional synchronization and reconciliation of identity attributes between data stores?
Availability and Scale
It is important to ensure that a user’s access and session remains undisrupted should something happen, such as a server going down.
IAM providers should support both ‘service availability’ and ‘session availability’. Service availability ensures that users can access an application when a server goes down. Session availability preserves and keeps a session running if a server goes down.
IAM providers should also support a variety of scale scenarios. This includes a shifting number (often millions) of users, devices, and things that need to be stored in a database, as well as changing frequencies and lengths of simultaneous and concurrent sessions. Support for a stateless protocol using JWT session tokens is also advisable.
Availability and scale allow organizations to save administrative and IT resource time, resulting in reduced costs.
Questions to Ask Providers:
- Does the platform scale elastically? For example, does it have the ability to scale the identity synchronization, authentication, and authorization service by many orders of magnitude to respond to predicted peaks, such as during a high-profile event, or to unpredicted events?
Open Standards Support
Open standards are established, uniform technical norms used by developers. Each standard has specified capabilities and functionality. Identity security relies on the OAuth2, OpenID Connect (OIDC), and SAML standards. Going beyond these basic identity standards, leading digital identity providers are integrating standards that are needed to support emerging workforce trends. These include OAuth 2.0 Proof-of-Possession, which ensures that the presenter of a bearer token is the real and original token owner, and OAuth2 Device Flow, which is designed for client devices that have limited user interfaces.
Support for both basic and advanced open standards, such as OAuth2, OIDC, SAML, UMA 2.0, OAuth2 Device Flow, and OAuth 2.0 Proof-of-Possession, allows organization to secure data and transactions with outside entities, including third-party APIs, devices, and IoT things. This enables secure business growth and increases competitive advantage.
Questions to Ask Providers:
- Does the platform support both basic and advanced open standards, such as OAuth2, OIDC, SAML, and OAuth 2.0 Proof-of-Possession?
Standards-Based Onboarding for Applications
In the early days of IAM, access management was controlled and administered by central teams. The teams onboarded new applications as point-to-point integrations, which created a bottleneck for organizations that wanted applications integrated with access management. Additionally, the entire process was time-consuming and expensive.
Today’s modern approach is to publish a set of standards centrally and allow application owners to onboard their own application using an API-driven, standards-based approach. With the standards and API based approach, the application owners can integrate their own applications and set access policies without having to depend on an expert who knows how to configure access management. This modern approach is faster, more cost-effective, and more scalable from a roll-out perspective.
Questions to Ask Providers:
- Does the platform provide a full set of standards-based APIs for onboarding applications into the access management framework?
- When an application doesn’t support modern standards-based APIs, how can your platform translate legacy API calls into modern standards-based API calls?
Contextual Access
Most identity providers only protect at the initial authentication. To ensure the authenticity of users, devices, things, and services at all times, and to mitigate risk whenever an anomaly is detected (even during existing sessions), contextual access should be applied.
As part of a Zero Trust security model, contextual access builds context-based intelligence into policies to assess risk and protect resources at the time of access as well as at any point during a digital session. Contextual access applies fine-grained authorization policies, adaptive risk, MFA, and push authorization, yet only requires these stronger authentication mechanisms when necessary. This makes it easier for users while maintaining system security, enabling organizations to provide a more frictionless and secure experience for users, resulting in improved competitive advantage.
Questions to Ask Providers:
- Does the platform leverage contextual authentication and authorization factors at any point during a session to assess risk – invoking stronger authentication mechanisms only when necessary by evaluating who the user is and their context?
- Can the platform detect and aggregate a user’s basic digital risk signals such as location, IP address, device type, operating system, and browser type?
- What types of authorization methods and access controls are offered by the provider?
Login Analytics and Decision Logic
The only way to continuously improve user experience is to have data-driven insight. As part of next-generation authentication and authorization, user login analytics offer metrics and timers that analyze user interactions and their devices across all channels and lines of business. IAM platforms should be able to monitor the performance of third-party fraud and analysis services that impact login journeys.
IAM platforms should also allow administrators to optimize the employee login experience with contextual and behavioral analytics that investigate what devices and browsers people use, where people log in from, the length of login journeys across the user population, and more. From this, organizations can discover correlations between existing login methods to improve employee, contractor, and partner experiences.
Login analytics and decision logic allow organizations to save resources, time, and money, resulting in reduced costs.
Questions to Ask Providers:
- Does the platform assess average time for call-outs to third party services or data sources?
- Does the platform monitor performance of service level agreements (SLAs) that impact login journeys?
- Does the platform determine if shorter login journeys result in fewer help desk calls?
System Integrations
As a vital part of the solution ecosystem, identity platforms store identities and perform data collection and analytics. This solution ecosystem includes IAM, mobile device management (MDM) systems, human relationship management (HRM) systems, and enterprise resource planning (ERP) systems, among others.
Unfortunately, this broad ecosystem results in fragmented views of users. Advanced IAM platforms have the ability to integrate and connect with these systems to create a single view of the user across the organization. This aggregated data provides a much more robust data set with which to make important workforce and business decisions.
System integrations allow organizations to utilize all of their systems and investments, resulting in increased ROI and reduced costs.
Questions to Ask Providers:
- Does the platform integrate with other systems and enable the consolidation of multiple identity silos to create a single view of a user across the organization?
Data Residency
Data residency and data sovereignty are related concepts covering the legalities of where user data resides, and the legal authority over the data, regardless of where it resides. Generally, data residency requires that a citizen’s personal data be collected, stored, and processed only within their country’s borders.
To address the GDPR concept of data residency, IAM providers should enable privacy-bound user data storage and fractional replication of personal data. This allows the processing of user data that is context-sensitive to a particular jurisdiction.
Questions to Ask Providers:
- Does the platform support data residency by enabling privacy-bound user data storage and fractional replication of personal data?
Application Programming Interface (API) First Model
The API First Model is a developer-centric method of creating a solution. Within this model, a provider first creates the API and then builds the platform around it. This results in less complexity for external developers and organizations. For ease of use, scalability, and flexibility, digital identity providers should apply this API first development model to create one common REST API framework across the entire platform to provide a single, common method to invoke any identity service. The result should be a simple and secure way to extend identity to all realms, including social, mobile, cloud, and IoT.
Questions to Ask Providers:
- Does the provider use an API first development model to create one common REST API framework across the entire platform to provide a single, common method to invoke any identity service?
Identity Platform Software as a Service (SaaS)
Maintaining and upgrading identity solutions is complex and labor intensive. With a comprehensive IAM platform delivered as Software as a service (SaaS), organizations can leverage the latest capabilities without having to be responsible for things such as hosting, maintenance, upgrades, and more. Identity SaaS also allows IT resources to focus on other important initiatives, such as innovation.
Security concerns – including data sharing and data sovereignty – are among the major reasons many large organizations have shied away from moving to a complete cloud IAM platform. This is because many SaaS vendors combine multiple customers (tenants) into a single instance. This outmoded approach to multi-tenancy results in elevated risk because one organization's activities could impact other organizations. For this reason, the ideal IAM SaaS platform offers full tenant isolation so data and workloads are never commingled with others. Tenant isolation also eliminates common challenges related to scaling and storing sensitive and regulated identity data in the cloud. Identity SaaS should also provide data sovereignty and compliance, and maximum availability with individual backups. And, it should also include a high-availability architecture with transparent failover to meet strict service level agreement (SLA) requirements and tenant-specific backup and restore. This enables organizations to recover quickly and efficiently from any accidental or malicious data corruption issues.
Questions to Ask Providers:
- Does the provider offer their entire identity platform as a service?
- Do the provider’s platform as a service and software offerings share feature parity?
Strong Partner Ecosystem
The strongest IAM providers and platforms are those that work well with a wide variety of other technologies, software, and industry leaders in order to solve the unique goals of each organization. As such, IAM providers must have a strong ecosystem of respected consultancy, technology, and integration partners. Further, this partner ecosystem should be designed to immediately and easily support today’s needs, as well as serve as a source of collaboration and innovation for the future.
A strong ecosystem of respected consultancy, technology and integration partners enables organizations to easily add the latest security capabilities and save resources, time, and money.
Questions to Ask Providers:
- Does the provider have a strong ecosystem of respected consultancy, technology, and integrations partners?
- Does the provider offer out-of-the-box technology partner integrations included with purchase?
Step Three: Evaluate Providers for Advanced Capabilities
Enterprise-grade IAM platforms include advanced, future-built capabilities and act as the main differentiators between IAM providers. Comprehensive IAM platforms are built to handle the complexity of the world’s largest enterprises.
For Ping Identity’s answers to these questions, please request a copy of the Workforce IAM RFP Workbook.
AI and ML Powered Threat Detection
Cybercriminals are becoming more sophisticated, leading to an increase in cyber threats, such as account takeover. Account takeover (ATO) occurs when a bad actor gains unauthorized access to a user’s digital identity account. ATO is often the source of data breaches, theft, and other fraudulent activities that lead to lost revenue, damaged brand reputation, and significant mitigation costs.
To provide legitimate users with the seamless, secure access experiences they demand, enterprise organizations require a modern security solution that removes unwanted friction while strengthening security. An AI and ML powered threat protection solution helps to prevent account takeover and fraud at the identity perimeter by treating each login request differently based on a risk score. This enables organizations to fast-track trusted users with options like passwordless authentication, while stopping attackers.
Questions to Ask Providers:
- Does the IAM provider offer a threat detection platform that leverages artificial intelligence (AI) or machine learning (ML)?
- Does the platform utilize learning algorithms to bolster threat detection services?
- How does the platform leverage AI or ML to prevent known threats?
- How does the platform leverage AI or ML to prevent emerging or unknown threats?
- Does the platform support a multi-layered intelligence security approach?
- Does the platform’s threat detection services require custom integration?
- Does the platform support enterprise-grade scalability?
Identity Verification
Identity verification is the process of confirming that a person is who they claim to be, typically using credentials such as ID documents, biometrics, or digital certificates. It is crucial for maintaining security, preventing fraud, and ensuring regulatory compliance. Accurate identity verification protects sensitive data, minimizes risks, and builds trust in digital and physical transactions.
Questions to Ask Providers:
- Does the IAM provider offer an identity verification service?
- Does the identity verification service perform live selfie matching?
- Does the platform support live government document verification?
Artificial Intelligence (AI) and Machine Learning (ML) Informed Identity Management and Governance
Many organizations are increasingly supporting an all-remote workforce. This shift is putting pressure on their current employee IAM systems, as well as the IT staff, administrators, and managers who need to ensure that the right people have the right to access the right systems and applications while working from home. Additionally, the risk of breaches, hacks, fraud, and other malicious activity also intensifies with the sudden increase in the number of remote employees.
Identity governance and administration (IGA) helps manage and provision user access, as well as reduce the risk that comes with employees having excessive or unnecessary access to applications, systems, and data. AI and ML take IGA to the next level by quickly identifying outliers within a huge volume of data. These technologies also produce confidence scores to assist managers and approvers who conduct access reviews and approvals.
All-inclusive modern IAM platforms that offer identity and IGA powered by AI and ML increase efficiency and provide more time for IT staff and access approvers to focus on access rights that have been identified as risky or anomalous. The result is improved security and reduced administrative burden.
Questions to Ask Providers:
- Does the provider offer AI and ML capabilities to extend the governance functionality?
- Is the platform’s AI and ML explainable?
- Can the AI engine consume data from other sources? Is it flexible enough to work with other IAM solutions and data sources, or is it limited to the provider’s platform only?
- Is the platform limited to peer group analysis?
Automated Provisioning and Deprovisioning
Provisioning is the registration and on-boarding of employees, contractors, partners, or vendors into multiple applications based on specific attributes, such as their title, location, or manager in order to give them access to what they need from day one.
Deprovisioning automatically disables or deletes all accounts associated with an identity when employees or partners leave an organization, eliminating so-called zombie accounts.
Automating the granting of additional access and the removal of excess and high-risk access with an AI- and ML-powered governance solution saves administrative time, resulting in increased productivity. Automated deprovisioning also improves security hygiene and saves money by removing unneeded accounts from applications and reducing the associated licensing costs.
Questions to Ask Providers:
- Does the platform allow for automated provisioning and deprovisioning of users?
- Can the platform integrate with an existing HR system or other sources of truth for user information to onboard, update, or remove users?
Distributed Scope Design with Least Privileged Access
Scopes enable the principle of ‘least privileged access’, which means only granting access that is essential to perform an intended purpose. For example, employees are only permitted to access the exact information and resources necessary for
a particular and legitimate purpose.
A first step towards achieving this fine-grained authorization is developing a mechanism to distribute and assign strongly typed scopes to applications, API endpoints, and other protected resources. Scopes must then be coupled with real-time context at policy-enforcing gates throughout the identity ecosystem. Scopes for fine-grained, actionable rules that can be used to make authorization decisions should also be applied.
Distributed scope design with least Privileged Access helps organizations prevent fraud and malicious activity resulting in improved security and compliance.
Questions to Ask Providers:
- Can the platform enable least privileged access to only grant access that is essential to perform an intended purpose?
Multi-Brand / Omnichannel / Cross-Channel (UI Theming)
Each user is unique and must be treated accordingly. An organization with multiple brands or channels (suc as branches) needs to recognize each user and give them a personalized experience, directing them to the appropriately branded access experience. Additionally, organizations within multi-party ecosystems with partners need to manage different business units or groups of users within their identity hierarchy separately and discretely. They may need to extend some privileges to partners to better manage their end customers (B2B2C).
A workforce IAM solution should include multi-brand UI theming that enables organizations to define unique journeys that connect users with the appropriate channel or brand. It should also support hierarchical tiers of users and delegated administrators.
Questions to Ask Providers:
- How does the IAM platform customize end user UI themes?
- Can the IAM platform dynamically select a theme based on a language input?
- Can the IAM platform detect the organization of which user is a member and then present a themed interface that matches the organization?
- Can the IAM platform support users that have visual impairment or other accessibility needs?
Hierarchical, Multi-Brand, and Complex Organization Design
Most enterprise organizations create a hierarchy of departments or Lines of Business (LOB) to fit their needs around how they structure their business (e.g. multiple brands). These hierarchies inform how they then delegate administration as well as access rights to users within those organizations.
The hierarchical, multi-brand, and complex organization design feature gives enterprises the flexibility to set up unique identity and access management configurations, like password policies and access permissions, for different audiences. It does this by allowing for the creation of hierarchical tiers of users and delegated administrators so organizations can set up and manage discrete groups of users to meet their business requirements.
Hierarchies can be nested within other hierarchies as needed. Owners and admins are assigned to each hierarchy, who have the ability to manage the fine-grained access and authorization privileges of the users within their tier. An administrator of one organization might have full access to the users within that organization, but no access to the users in an adjacent organization. This empowers each admin in the hierarchy to make the changes they need to accommodate the security, usability, and convenience needs of their users.
This approach saves organizations time and money by allowing them to consolidate multiple identity types into a single system.
Questions to Ask Providers:
- How does the IAM platform support unique identity and access management configurations for different hierarchies or lines of business (LOBs)?
- How does the IAM platform administrator set up the IAM platform to support multiple brands or online properties of the same parent client organization? Demonstrate account linking.
Zero Trust Security and Continuous Adaptive Risk and Trust Assessment (CARTA)
The Zero Trust and CARTA security models are based on the idea that no network, individual, thing, or device can be trusted.
IAM platforms should be able to determine whether an entity requesting an action is authorized to do so, and if they have proven they are the entity they claim to be with a sufficient level of assurance based on the risk of the specific action.
Within a Zero Trust Security and/or CARTA model, every action taken must be properly authenticated and authorized. To do this, authentication and authorization decisions leverage contextual information and become risk-based rather than binary, taking into consideration a rich set of information.
Zero Trust and CARTA helps organizations prevent fraud and malicious activity resulting in improved security and compliance.
Questions to Ask Providers:
- Does the platform provide Zero Trust Security and CARTA models of risk and/or value-based authentication (adaptive authentication), enabling people, devices, things, and applications to have different levels of credentials to authenticate against a common identity store?
- Can the platform be used to capture authentication and authorization context upon login and re-examine this continuously upon subsequent access events?
- Can this context be used to dynamically vary the response to allow or alter content redacting or masking data in real time?
Next-Generation Authentication and Authorization
Traditional authentication and authorization methods include usernames and passwords, as well as third-party validated data elements, such as Social Security numbers and birthdates. However, in a Zero Trust model, it is assumed that these authenticators may be compromised.
Therefore, digital identity providers should offer next-generation authentication and authorization, consisting of continuous assessment for authorization and authentication. This includes transactional authorization and authentication, which requires users to perform actions and provide additional factors, often multiple times, for each high-risk transaction within a session.
Authentication trees are an integral part of next-generation authentication and authorization. As a visual, drag-and-drop workflow, authentication trees allow administrators to easily configure, measure, and adjust login journeys using digital signals including device, contextual, behavioral, user choice, analytics, and risk-based factors. With an intuitive drag-and drop interface, administrators can also quickly consume out-of-the-box authenticators, utilize existing authenticators, and integrate with other cybersecurity solutions.
Next-generation authentication and authorization allows organizations to know who is interacting with them, what they’re enabled to do, and helps them trust that the interaction is secure. This results in improved security and compliance.
Questions to Ask Providers:
- Can the platform easily configure, measure, and adjust authentication journeys using factors and digital signals (context, risk, behavior, choice, analytics) to determine risk, improve the user experience and inform downstream applications of the accumulated knowledge gained during the authentication journey?
- Does the platform pre-identify a user’s digital signal, such as location, IP address, device type, operating system, browser type, and more, before a username is even collected?
- Does the platform provide out-of-band authenticators (OOBA), the ability to custom build authenticators, and rapid integration with third-party authentication, fraud, and risk providers in a centralized location?
- Does the platform allow authorization and authentication workflows to be easily viewed, created, changed, and managed centrally with drag-and-drop functionality through workflows and trees?
- Does the platform include authorization for high-risk events within a session?
Data Aggregation of People, Things, and Their Relationships
To create secure, accurate employee access, IAM providers must allow organizations to aggregate relational data between people and their things to create a comprehensive, single view of the employee. This is achieved by meeting several technical requirements, including establishing a common identity data model, connecting a broad range of data sources, implementing simple synchronization and reconciliation logic, and allowing access to user data in an appropriate format.
Importantly, with billions of digital relationships to support and manage, the most future-looking digital identity providers are developing identity graph engines. These relationship-focused engines represent and query complex and interconnected webs of identity relationships that cross organizations, systems, people, services, devices, business agreements, and more.
Aggregating identity and access data is especially important in mergers and acquisitions, where identity stores and IAM systems from different organizations have to be integrated rapidly, so users can have seamless access to the resources they need to do their work.
Questions to Ask Providers:
- Does the platform include identity relationship modeling at a granular level based on employees and their relationships to applications, locations, policies, and employee devices?
- Does the platform support identity management among those relationships?
Software Development Kits (SDKs)
An SDK is a toolkit that consists of prebuilt software components, tools, and documentation that enable developers to build applications for a specific platform more quickly and effectively. SDKs help speed time-to- market by eliminating the need for developers to build code for specific capabilities themselves. They also help to standardize the development of applications.
Questions to Ask Providers:
- Does the platform provide SDKs for rapid integration with mobile and web applications?
Legacy Application Support
Most organizations support many systems and applications. Many of these store user data and credentials and are critical for business. Yet they have limited or no built-in capabilities for user registration, authentication, authorization, or federation. Therefore, the ability to connect and extend to legacy systems and applications with a contemporary identity system is an important feature of IAM platforms. This is done through an identity gateway, which allows both legacy and contemporary systems and applications to fluidly and securely communicate with each other.
Legacy application support allows organizations to extend their current investments, resulting in increased ROI and reduced costs without having to perform a huge rip and replace project.
Questions to Ask Providers:
- Does the platform have the ability to connect and extend to legacy systems and applications through an identity gateway?
DevOps Friendly Architecture and Microservices
DevOps enables software development and deployment to run in a continuous cycle, allowing organizations to roll out new capabilities faster by reducing time to production. IAM providers should provide a DevOps-friendly architecture with the ability to leverage DevOps tools, such as automating and orchestrating push-button deployment and continuous delivery. They should also use containerized images for rapid automation, with Docker and Kubernetes support. DevOps needs an intelligent architecture that separates configuration from binaries to easily leverage version control for DevOps artifacts. Additionally, IAM providers should provide command-line tools for remote configuration.
Microservices is another important development method that focuses on building and deploying applications as groups of modular, composable services within an application. The benefit of microservices is the ability to singularly modify a service without impacting the others.
The DevOps approach to deployment using containerization and orchestration technologies such as Docker and Kubernetes allows organizations to accelerate projects 3-6 months and save 25% on implementation.
Questions to Ask Providers:
- Does the platform support modern deployment DevOps approaches with containerization and orchestration technologies, such as Docker and Kubernetes?
- Can the platform secure microservices?
Multi-Cloud and Hybrid-Cloud
Multi-cloud environments have become a recent trend due to their increased flexibility, availability, and scalability. These environments allow organizations to eliminate vendor lock-in and speed time to market while reducing complexity and saving both time and money.
Hybrid environments include both on-premises and cloud environments. Cloud environments support needs at scale, while on-premises environments are a more secure option for storing sensitive data. The advantage of hybrid environments is the flexibility to support any deployment, anywhere, at any time.
IAM providers that support multi-cloud and hybrid-cloud environments allow organizations to avoid vendor lock-in and reduce costs.
Questions to Ask Providers:
- Can the platform be deployed within any cloud environment, including multi-cloud, bring-your-own-cloud, or hybrid cloud within minutes in a highly available and production-ready configuration?
System Auditing and Analytics
System auditing and analytics capabilities are mission-critical functions. IAM platforms must be able to conduct audits for system security, troubleshooting, usage analytics, and regulatory compliance. They should also support a wide range of monitoring and logging capabilities. Audit logs should gather operational information about events occurring within a deployment to track processes and security data, including authentication mechanisms, system access, user and administrator activity, error messages, and configuration changes. Additionally, IAM platforms must provide auditing and analytics for the systems they work with, such as partner systems.
System auditing and analytics help secure your enterprise, from client-facing applications all the way to the edge, resulting in improved security and compliance.
Questions to Ask Providers:
- Is the platform able to conduct audits for system security, troubleshooting, usage analytics, and regulatory compliance?
- Can the platform also support a wide range of monitoring and logging capabilities?
Flexibility for UI
The user interface (UI) for things like login boxes, profile pages, password reset interfaces, and so on, are an important part an IAM strategy that supports ease-of-use as part of a great digital experience. Digital identity UI's should be folded into an organization's overarching corporate UI strategy. It is natural for such strategies to evolve.
Questions to Ask Providers:
- Can the IAM platform allow organizations to build a bespoke UI, meaning the ability to call REST APIs?
- How does the IAM platform use SDKs to more easily embed identity?
- Does the IAM platform include flexible hosted UI options?
Quickly Support Requirements with Ping Identity
Ping Identity is the leading enterprise-grade IAM provider, helping enterprise leaders to manage, secure, and govern their businesses. Global leaders use Ping Identity to modernize and accelerate digital transformation, support their digital initiatives, and secure their users, partners, and organization.
Ping Identity radically simplifies identity and access management (IAM) with the industry’s only full-suite platform, featuring unmatched intelligence capabilities delivered as a modern cloud service or deployable anywhere with the push of a button.
Meet Modern Identity Demands Without Ripping and Replacing Legacy IAM
Today, time is of the essence when it comes to implementing modern IAM capabilities. Unlike most providers, with Ping Identity you don’t need to suffer the pain, risk, and expense of ripping out existing legacy identity platforms to get the features and benefits of IAM modernization needed to support your workforce initiatives at scale.
Ping Identity provides a flexible approach that enables you to augment first, then coexist, so you can consolidate or retire disparate, legacy identity management systems, like CA Single Sign On (SiteMinder), Oracle, IBM, and even homegrown identity systems.
Ping Identity also includes a pre-integrated ecosystem of partners with a no-code identity orchestration engine, allowing organizations to add third-party authentication and authorization capabilities, such as biometrics or contextual signal collection, with just a few clicks. This enables low-risk, rapid deployment of the latest innovative technologies without the risks associated with adopting new technology and working with startup companies – all while reducing cost and complexity.
Learn More About Ping Identity for Your Organization
Contact us for a conversation to learn how Ping Identity can help your organization.
At Ping, we make it possible to trust every digital moment—moments with customers, employees, partners, and non-human identities. Whether you're securing millions of users, fighting sophisticated fraud, simplifying third-party access, or embracing passwordless experiences and verifiable credentials, establishing trust shouldn’t slow you down. Our enterprise-grade identity platform is built for scale, speed, and flexibility—and works seamlessly with your existing tech stack across cloud, hybrid, and on-prem. We help innovators like you accelerate growth and confidently leverage AI—making life easier for your developers, users, IT teams, and partners. With Ping, all your digital experiences start with trust. Learn more at pingidentity.com.