Best Practices In Evaluating Identity & Access Management Solutions

Originally published at Ping Identity

At the risk of exposing my age (and...ahem...deep maturity), I've been working in the IT industry for more than 26 years. For the bulk of my career, I've worked with software providers in a pre-sales capacity--with a short stint in technical support and a few years as a consulting enterprise architect.

To say I've been through some Proof of Concept (PoC) engagements is a tremendous understatement. During my career, I've survived--and won--more PoCs than I can count. And, man, have they changed.

Enterprises can no longer stomach IAM projects that take 12-36 months, cost tens of millions of dollars and fail to deliver on their original goals. Today's decision makers require better and faster implementation and more reassurance that the chosen solution will deliver as promised.

PoCs of the Past

If you've ever gone to market for an IT solution, you know the process. Before you even release the request to the marketplace, you spend countless hours just reviewing and documenting your requirements. And you still have to prepare the Request for Quotation/Information/Requirements/Tender documents.

Then come the responses—all of them. And there may be many. The responses are dreadfully long, unnecessarily repetitive and sound surprisingly the same. And you're still not confident that you'll get what you bargained for. How do you make a good decision, let alone tell them apart?

The PoC of Today

To overcome problems with PoCs of the past, many enterprises are moving to a competitive PoC. Instead of going to the open market, they limit the field to 2-5 vendors to evaluate the "real" state of the solutions.

But vendors typically try to reuse as much previously configured functionality as possible for a PoC to minimize their time and effort. Since you don't see the scale of effort required to really create and implement the solution, you could ultimately end up surprised or disappointed.

To remedy this, some organizations have started requiring vendors to install their solutions from scratch at the PoC stage. It makes sense when you think about it. The time, skills and effort to install an Identity and Access Management (IAM) solution--as well as the configuration of the functional use cases--are all important factors to evaluate during the PoC process. But how many IAM providers can really deliver?

A Best-in-class PoC that's Surprisingly Fast

Recently, Ping Identity's Australian team was asked to PoC our IAM solution for a large financial services company. No surprise, part of the process was to install our solution from scratch on a virtual machine (VM) supplied by the company. We also configured their scenarios for a consumer-facing service of more than one million users.

Tam, our resident implementation expert, went on-site to configure the PoC. Here's what the customer required:

  • Install the IAM suite behind a forward proxy.

  • Walk the customer through a detailed product overview and deep dive.

  • Configure authentication against the customer LDAP service.

  • Configure authentication via Facebook.

  • Configure a SAML 2.0 SSO connection to a SaaS application.

  • Configure SSO to an internally hosted web application through HTTP header injection performed by the access management service.

  • Configure step-up authentication using a one-time passcode delivered via email, for some parts of the internally hosted application.

  • Enable risk-based access control using geolocation.

  • Enable user self-registration via the social media connection and provision the user's identity data into the LDAP service.

  • Show a sample native mobile application developed using OAuth 2.0 and OpenID Connect.

  • Configure access management protection (including the step-up authentication) for a web API, to be used by native mobile applications, using the same policies configured for the web application.

  • Enable user-initiated account recovery for the "forgotten password" use case.

  • Enable the user to delegate application permissions to trusted third parties (e.g., allow the user to delegate to their spouse the right to transfer up to $1,500 from the user's account to another account).

  • Enable role-based access to the products' administration consoles for company admins.

  • Enable impersonation for company helpdesk personnel, so they can switch user profiles "on the fly" to troubleshoot a customer's problem.

That's a challenging—and lengthy—set of requirements for an evaluation. As a vendor, it gets even more interesting when you can't pre-configure everything on your own VM.

Look again at the list of 15 requirements. How long do you think this would take with your current IAM suite? A week or 10 days? Maybe longer?

It took Tam only two-and-a-half days to install the Ping Identity software and configure all of the use cases listed. He also stopped along the way to discuss the many configuration options and to explain Ping's open-standards approach to authentication and authorization for native mobile apps, web apps and APIs, and user-managed access.

Not Typical, but Still Impressive

Now, since this was a PoC, many requirements of a true production deployment were not implemented. For instance, no high-availability configurations were requested. Also, only one instance of each product was installed. There was no auto-scaling of instances or load testing. All TLS certificates were self-signed. It was deployed in a development environment where minimal firewall changes were needed.

Even so, the Ping solution was installed more quickly and efficiently than many could anticipate or replicate. Plus, the entire solution was installed on a single Windows Server VM with 6GB of RAM. Quickness aside, some vendors would struggle simply to install their kit on a server of that size.

Rapid PoCs like this are not uncommon for Ping Identity. We regularly deliver complex PoCs for customers in a day or two--often before others have even finished installing their cumbersome IAM suite, let alone configuring any of the use cases.

More than once, I've had a customer say that "It seems too good to be true" when I discuss our PoC timeframes. But as you can see from this story, we make it entirely possible.

Why is Ping So Awesome?

When a Ping product is installed, it doesn't create a major imposition or upset your current data flows and user experiences. On the contrary, Ping's solutions are engineered to act as the "glue" in your architecture. While the products themselves have a small footprint, they deliver huge value, including a full range of employee, partner and customer-facing use cases, open standards support, integration options, and complex authentication and authorization policies.

We believe this is exactly how an IAM product suite should behave in 2016, don't you?

You need to deliver that new mobile app or web service. You want to fix audit issues for your employees and partners, and improve your end users' experiences when they access your company's assets. Plus, you have a complex IT environment to integrate, with security and audit requirements to meet.

When you partner with Ping Identity, you can do all this and more, with minimal disruption and in the timeframe your business needs.

Interested in learning more about how to define the right consumer identity and access management (CIAM) solution and navigate the vendor review process? Download our CIAM Buyers Guide.