IBM Cloud Identity Review (2024)

IBM is to enterprise computing what NASA is to space travel: essentially synonymous for decades, not years. While it could be argued that IBM is playing from behind the likes of Amazon, Microsoft, and Google in the cloud wars, they are always a legitimate contender for enterprise software regardless of the platform. As such, it's no surprise that IBM Cloud Identity doesn’t merely address the identity management (IDM) product category, IBM brings a variety of mature tools and features into a package that compares favorably to every IDM competitor we’ve reviewed, and it does so without breaking the bank.

More specifically, IBM's Cloud Identity pricing starts at a very friendly $2.50 per user per month with MFA support setting you back another $2.50 per user each month --even combined, that's a good value. Provisioning, user self-service, and access request workflows are an additional $4 monthly. But IBM sweetens the deal further by including Cloud Identity for users of Maas360, which is Big Blue's mobile device management (MDM) solution. That begins at $4 monthly per device or $8 monthly per user.

Identities and Directories

It’s no surprise that IBM supports a variety of methods to bring in identities from existing corporate directories. Support exists for both a lightweight directory integration tool (IBM Verify Bridge for Directory Sync) as well as the appliance-based IBM Security Access Manager, which is IBM’s on-premises IDM solution (for which licensing is included as part of IBM Cloud Identity). The solution which best fits your enterprise depends largely on the level of sophistication required, such as how many directories you need to incorporate identities from and how much control is required over these attributes.

One complaint I have is that IBM doesn’t offer a directory integration solution that is truly user friendly and intuitive. Most IDM solutions in my testing (and certainly all of the top competitors) offer an agent-based solution that a part-time administrator with minimal technical qualifications could have running in under an hour. IBM Verify Bridge is close to being that tool, but after installation a user isn’t even provided a shortcut in the Start Menu, much less a configuration wizard. Rather the configuration process is handled using a JSON (JavaScript Object Notation) file located in the installation directory of the tool. This is fine for developers or seasoned admins (which is in line with IBM’s target customer) but is a lot to ask for from less technical users.

IBM’s capabilities in managing how attributes flow between directories is not quite at the level of Editors' Choice winner, Okta, which provides full scripted control over attributes, but you can perform basic transformation such as modifying case (force to upper or lower), appending or prepending a string, or encoding or decoding the value. Attributes may also be mapped between different identity sources, providing control over how the firstName attribute from your LDAP directory relates to the first_name attribute from a cloud identity provider.

Apps and Authentication

Like most of its IDM competition, IBM Cloud Identity supports single sign-on (SSO) authentication into web applications using SAML and OAuth 2.0, and provides an application catalog to facilitate enabling and configuring authentication into these web applications. As with any IDM suite, this app catalog is largely dependent on the third party application including support for a strong authentication protocol, and is constantly being updated as applications mature or even change hands. A typical application will require some configuration on both ends (Cloud Identity and the web application) in order to enable SSO authentication, and will usually include configuration of various URLs, certificates, and attributes required for the authentication process.

Once an application has been configured for authentication the next step is to manage Entitlements, or which users have access to the application. IBM Cloud Identity offers a few options in this arena. Access to applications used company-wide can be provided quickly and easily to all users and groups using a single checkbox. Most applications will require more fine-grained access control and/or license management, which can be handled either by an administrator manually assigning access to individual users or groups. Alternatively, applications approvals can be enabled to let users request application access through their SSO portal and have approval requests go through the application owner, the user’s manager, or both (approval request notifications come to both the approver’s email and the IBM Cloud Identity notification).

The real power of an IDM comes when you leverage authentication policies. Authentication policies at their most basic are rule-based, allowing administrators to define a set of conditions and actions that, in turn, define what authentication hoops a user must navigate in order to gain access to an application based on things like their group membership, geolocation, or device registration status. Authentication policies that have adaptive access enabled gain the ability to apply actions based on a risk level, which is a machine learning (ML) based score calculated using the massive amount of authentication data IBM has at their disposal.

Authentication policies that leverage machine learning are becoming increasingly popular in IDM suites, and are offered by several of the top competitors in the category including Editors' Choice winners, Microsoft’s Azure AD, Okta as well as up-and-comers, like Idaptive. The major caveat for machine learning of any kind is that the analysis is only as good as the data available to analyze. IBM’s footprint makes them a legitimate option in this arena, as they have a wide range of services from which they can aggregate authentication data.

Authentication policies are a major tool in enhancing your security posture, but they provide limited benefit without incorporating multi-factor authentication (MFA). IBM Cloud Identity (along with the Verify add on) supports a number of MFA factors including one-time passwords sent through email or SMS message, time-based one-time passwords using an authenticator app, and IBM Verify mobile app. The IBM Verify app is worth calling out as it can additionally require a user to confirm their identity using device-based sensors to confirm biometric information such as the user’s face or fingerprint. The Verify mobile app also provides some detail into the authentication request being confirmed, helping the user confirm the legitimacy of the authentication request.

Holistic and Enterprise-Ready

Cloud Identity has all the features we've come to expect from an IBM solution, including the integration with its MDM, which is a key point for many customers, as the combination of IDM and MDM is required to build an effective mobile security platform. IBM’s MaaS360 integrates tightly with IBM Cloud Identity (in fact they can be bundled, as mentioned earlier). However, disappointingly, IBM Cloud Identity can't right now integrate with third-party MDM suites like VMware's AirWatch, MobileIron, or Microsoft Intune, though IBM states that this functionality will be available in the near future.

IBM offers tooling to help support IDM authentication for on-premises applications using Application Gateway (which has the added benefit of handling authentication prior to user requests reaching your application or even your corporate firewall and can be deployed in an on-premises or cloud-based container environment). Overall, while it's certainly not the easiest solution we tested in the identity management space, it ticks all the boxes businesses are looking for and manages to do it at a very attractive price point.