Bitium (which begins at $3 per user per month for a minimum of 50 users) is the result of two Software-as-a-Service (SaaS) users at a development company identifying a need in their own organization, namely a tool to tie multiple disparate cloud apps into a single, manageable platform. With this need identified, the coworkers realized they had the development chops to build it and Bitium was born. Its roots give it a solid focus on two core use cases: administrators (admins) requiring manageability and oversight as well as users looking for increased productivity and efficiency. The result is an innovative identity management (IDM) solution, and while it still lags behind Editors' Choice winners, Centrify and Okta Identity Management, Bitium has seriously stepped up its game since the last time we reviewed it, especially in regards to connecting with on-premises Microsoft Active Directory (AD) stores.
New Setup Arrangement
The initial setup process for Bitium is similar to other IDM solutions, requiring a business email address (meaning that users of popular personal email providers, such as Gmail, Hotmail, or Microsoft Outlook accounts, need not apply) and some other basic contact information. Once your email address is confirmed, the Bitium account becomes active and you can begin configuring users and applications.
Bitium can connect to the usual third-party identity suspects such as AD, Lightweight Directory Access Protocol (LDAP) directories, or leverage Google G Suite as a user source. You can also import identities from Namely and BambooHR, two SaaS-based human resource (HR) apps. Integrating with an HR application is the ideal solution in terms of streamlining user management, because it reduces the administrative workload and often allows for additional automation based on user attributes.
In our previous review of Bitium, we dinged the service for not offering an agent-based solution for customers needing to integrate with AD. Since then, Bitium has continued to allow you to connect by using LDAP over SSL (LDAPS), while also offering agent-based connectivity for Microsoft Windows, various flavors of Linux, and Apple's OS X. Both options have their place: software agents offer simple connectivity but require a high level of trust in the vendor, while LDAPS provides a direct link to your directory but requires firewall rules that let Bitium reach AD, in exchange for a bit more control over the security of the directory connection. The key point isn't that one option is better than the other (that'll depend on your organizational needs) but that Bitium gives customers the ability to choose whichever method they need. Though they require a bit more configuration, AD shops can also integrate with Bitium using Microsoft Active Directory Federation Services (ADFS) or Azure Active Directory (Azure AD). In both cases, you enable connectivity by setting up a Security Assertion Markup Language (SAML) connection and walking through a set of well-documented steps on both sides of the connection.
Having configured the AD agent or other synchronization method, your corporate users and groups will be synchronized into Bitium, along with group memberships. Once synchronized, apps can be assigned to users or (ideally) groups. As is common with most identity management suites, once the relationship between an application and an Active Directory-based group is established, users will automatically gain access to the app when they are placed in the appropriate group.
Using Bitium to let your users authenticate to third-party SaaS applications is just a matter of searching for the app in Bitium's app catalog (in most cases) and performing a few basic configuration steps. There may be applications that aren't listed, in which case an email to Bitium's support team will get things rolling in terms of getting the application added to the catalog. For SaaS applications that support automated user provisioning using standards or an API, Bitium can handle creating users, assigning licenses, and managing permissions in the app. That minimizes the manual effort that admins need to shoulder and saves the organization money. Bitium even offers provisioning to a select few SaaS applications (specifically HubSpot) that don't offer automated provisioning by emulating the form-based data entry process you'd normally use to create individual users.
While Bitium does offer support for multiple directories, its focus isn't on combining identities from multiple sources and managing the flow of complex attribute-based data. Bitium's focus is squarely on the most common identity management use case: pulling user information from an HR management system, provisioning users in the SaaS apps they need, and de-provisioning those accounts once an individual has left the company. These administrative tasks may only take minutes for an individual user, but when you're considering hundreds or thousands of users the task quickly adds up to a full-time job. In addition to the time and money concerns, security and compliance are a major Bitium focus, especially in preparation for IT and security audits.
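The provisioning loop described above (derive each user's entitlements from the HR source and group membership, then create what is missing and remove what is no longer justified) is what any IDM connector does under the hood. The following is an added example, not Bitium's own code or API: a minimal reconciliation routine over constructed HR records and a constructed snapshot of current app access. The department-to-app table and the sample data are assumptions made for illustration; a real connector would read the HR feed and query each SaaS app's provisioning API instead.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    """One row from the HR system of record (constructed for this example)."""
    email: str
    department: str
    active: bool  # False once the person has left the company


# Hypothetical group-to-app assignment table: a department group grants these apps.
APP_ASSIGNMENTS = {
    "sales": {"crm", "email"},
    "engineering": {"email", "repo"},
}


def desired_access(hr_records):
    """Map each *active* HR record to the set of apps its department grants.

    Inactive (departed) people get no entry at all, so every app they still
    hold becomes a deprovision action in reconcile().
    """
    desired = {}
    for rec in hr_records:
        if rec.active:
            desired[rec.email] = set(APP_ASSIGNMENTS.get(rec.department, ()))
    return desired


def reconcile(hr_records, current_access):
    """Compare desired access with what the apps currently grant.

    Returns (provision, deprovision): sorted lists of (email, app) pairs.
    Accounts that exist in an app but have no HR record (e.g. leftovers
    from manual creation) are deprovisioned too.
    """
    desired = desired_access(hr_records)
    provision, deprovision = [], []
    for email, apps in desired.items():
        for app in apps - current_access.get(email, set()):
            provision.append((email, app))
    for email, apps in current_access.items():
        for app in apps - desired.get(email, set()):
            deprovision.append((email, app))
    return sorted(provision), sorted(deprovision)


# Constructed sample input: an HR feed and a snapshot of current app access.
SAMPLE_HR = [
    HrRecord("ann@example.com", "sales", True),
    HrRecord("bob@example.com", "engineering", True),
    HrRecord("cat@example.com", "sales", False),  # has left the company
]
SAMPLE_ACCESS = {
    "ann@example.com": {"email"},             # missing crm
    "cat@example.com": {"crm", "email"},      # departed, still provisioned
    "dan@example.com": {"repo"},              # no HR record at all
}

if __name__ == "__main__":
    to_add, to_remove = reconcile(SAMPLE_HR, SAMPLE_ACCESS)
    print("provision:", to_add)
    print("deprovision:", to_remove)
```

The deprovision list is the audit-relevant half: it is exactly the set of accounts an auditor would flag as orphaned or belonging to former staff, which is why an IDM product's value is in running this comparison continuously rather than once.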
One other labor- and cost-saving capability Bitium offers is the Mobile Password Recovery option. Users with the Bitium Mobile app on a registered mobile device (currently limited to Android devices) can reset their Active Directory password from that device rather than having to go through corporate IT. That sounds minor, but it can have a big impact on decreasing lost productivity and reducing helpdesk calls.
Single Sign-On (SSO)
Like many IDM solutions, Bitium offers a Single Sign-On (SSO) portal for users, along with browser plug-ins and mobile apps that extend the SSO experience. Within the SSO portal, Bitium includes a separate area for users to store credentials for personal web apps (those outside the purview of corporate IT), and this personal section must be associated with a personal email account. That lets a user retain these credentials once she separates from the organization.
Bitium offers a handful of features that you won't find in the other IDM solutions we've reviewed. One example is offering SSO bookmarks to specific locations in third-party SaaS apps. Most IDM providers allow you to automatically authenticate users to their applications, and Okta even breaks out individual apps from a single provider such as Gmail, Google Calendar, and Google Drive (for Work). What Bitium offers is the ability to create bookmarks to locations within the SaaS app and expose that in the user portal. This process requires the browser plugin and some know-how, but once you master the process it's fairly straightforward to knock out a handful of bookmarks in just a few minutes.
Another innovation is the ability to leverage Google G Suite SSO to SaaS apps that don't offer SAML authentication. That gives you a more secure alternative to simply configuring apps with saved passwords. The general idea here is that many SaaS apps offer Google as an authentication method, and Bitium can be used to perform SSO authentication using Google as a go-between. Bitium can also manage password changes for password vault-based SaaS apps, using randomized passwords to maintain strong security. Finally, Bitium offers KeyVault, which allows you to store and share things like WiFi or VPN credentials and software keys—things that don't fit the standard username and password modality. Many of these features are fairly commonplace in password managers, but don't seem to be popular features in IDM solutions.
We've consistently identified security policies and multi-factor authentication (MFA) as critical security features for IDaaS solutions. Bitium offers both of these critical features, but its implementation doesn't compare favorably with those of competitors like Okta Identity Management and OneLogin. Bitium supports one-time passwords from Google Authenticator (or a compatible service such as Twilio Authy or Microsoft Authenticator) or Duo Security. While additional support for multifactor providers is certainly a plus, and the lack of such may well be a deal breaker for some organizations, the existing options are perfectly sufficient for most. Meanwhile, Bitium's security policies are becoming a strength. IP-based policies can be configured organization-wide or can be tied to a specific user, group, app, or MFA policy. Additionally, these IP policies can be defined by an actual IP address range or by a geo-location data point, such as the user's country, and applied as either a whitelist or a blacklist.
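To make the policy model concrete, here is an added example (not Bitium's code, and not its policy syntax) of how an ordered set of IP-based policies of the kind described above can be evaluated: each policy is a whitelist or blacklist of CIDR ranges and/or country codes, and a policy that is not satisfied either denies the login or steps it up to MFA. The geo-IP lookup is a constructed in-memory table standing in for a real GeoIP database, and the sample ranges come from the documentation-only blocks 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for a geo-IP database: network -> ISO country code.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
}


def lookup_country(addr):
    """Return the country code for an address, or None if unknown."""
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None


@dataclass
class IpPolicy:
    """One IP policy: whitelist (must match) or blacklist (must not match).

    `action` is what happens when the policy is NOT satisfied:
    "deny" blocks the login, "require_mfa" steps it up to a second factor.
    """
    mode: str                      # "whitelist" or "blacklist"
    ranges: list = field(default_factory=list)   # CIDR strings
    countries: set = field(default_factory=set)  # ISO country codes
    action: str = "deny"

    def matches(self, addr):
        in_range = any(addr in ipaddress.ip_network(r) for r in self.ranges)
        in_country = lookup_country(addr) in self.countries
        return in_range or in_country

    def satisfied(self, addr):
        matched = self.matches(addr)
        return matched if self.mode == "whitelist" else not matched


def evaluate(policies, ip_text):
    """Evaluate policies in order; the most restrictive outcome wins.

    Returns "allow", "require_mfa" or "deny". An unparsable client address
    fails closed with "deny" rather than silently passing every check.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "deny"
    outcome = "allow"
    for policy in policies:
        if policy.satisfied(addr):
            continue
        if policy.action == "deny":
            return "deny"          # a hard block ends evaluation immediately
        outcome = "require_mfa"    # step-up, but keep looking for a deny
    return outcome


# Constructed organization-wide policy set (hypothetical ranges).
ORG_POLICIES = [
    # Blacklist: a range the organization has chosen to block outright.
    IpPolicy(mode="blacklist", ranges=["198.51.100.0/24"], action="deny"),
    # Whitelist: inside the corporate network or the home country is fine;
    # anywhere else the user must pass MFA.
    IpPolicy(mode="whitelist", ranges=["203.0.113.0/24"],
             countries={"US"}, action="require_mfa"),
]

if __name__ == "__main__":
    for client in ("203.0.113.10", "198.51.100.7", "192.0.2.5", "not-an-ip"):
        print(client, "->", evaluate(ORG_POLICIES, client))
```

Ordering matters less than the precedence rule: because "deny" returns immediately and "require_mfa" only downgrades "allow", a user who is both in a blocked range and in an allowed country is still denied, which is the behaviour you want when a blacklist and a whitelist overlap.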
Two areas where Bitium doesn't offer the same level of functionality as competitors like Azure AD, Okta, and Ping Identity PingOne are consumer identity management and authentication to on-premises applications. The latter refers to applications still hosted on-site in the corporate network. Bitium offers two ways to integrate with such apps: its core SAML and password-vaulting SSO functionality, or the Bitium Application Services Endpoint (B.A.S.E) set of developer tools, which help you create custom authentication services for on-premises apps or B2B apps shared with corporate partners. While both options are viable, the B.A.S.E APIs require significant know-how, and SAML requires additional networking configuration. Consumer identities aren't currently a focus area for Bitium, meaning companies with customer-facing apps may want to look at options such as Centrify or Azure AD. But Bitium's priorities are largely dictated by its customers, so it's not completely off the table for the future.
One area we miss from Bitium is its App Spend feature, which is now deprecated. App Spend gave you a set of tools to monitor the cost of your SaaS applications and identify areas where your business was potentially overspending. It's hard to knock Bitium for choosing to drop a feature that was a differentiator in the IDM space, and truthfully there are other ways to track the same sort of information, but it seemed like an obvious win for companies looking to keep their spending efficient.
Bitium has several feature areas that fall under the category of reporting. The organizational insights dashboard, for example, rates your organization on major security categories, helping administrators identify areas for improvement. The administrative section labeled reports has a handful of dashboard-like canned reports, showing data such as app usage, password duplication or weakness, and other similar data points. The event log shows more of the audit-level information, which can be exported to CSV.
Though it's not a traditional reporting capability, Bitium implements a slick feature called "Tasks." Essentially, Bitium attempts to identify administrative actions you need to take and places them in a to-do list for you to knock out as time permits. It's a low-impact way of fixing configuration problems that doesn't generate a bunch of email traffic you eventually tune out. One weakness of the Tasks feature, however, is that there doesn't appear to be a way to perform bulk actions. That means using it as a management tool can become repetitive and cumbersome.
The Mid-Level Price Is the Sweet Spot
With pricing tiers ranging from $3 to $8 monthly per user, Bitium is right in line with much of the competition in terms of raw numbers. The issue is that the entry-level Business tier precludes integration with Active Directory and only offers basic provisioning support. For $5 monthly, the Business Plus plan adds AD integration and group and policy management. The Unlimited level gives you everything, including full provisioning, KeyVault, and integration with HR systems.
Bitium is a solid product that covers most of the key features identity-conscious IT managers seek, accompanied by competitive pricing. That makes it perfectly fine for small to midsize businesses (SMBs). However, its key shortcomings, notably support for multiple directories and limited added value for on-premises apps, mean that larger businesses will probably need to keep looking.