IAM Technology Group Limited

IAM Cloud

IAM Cloud is a cloud-based identity and access management platform that helps organisations to manage the access and security of their users and the cloud. IAM Cloud also has a cloud storage integration system 'Cloud Drive Mapper', and a cloud migration software service.


  • Identity Management and User Lifecycle Management
  • Access Management and Login Control
  • Single Sign-On and Identity Federation
  • Password Management and Self-Service Password Reset
  • Drive Mapping and Desktop Integration of Cloud Storage
  • Session Timeout Control
  • Email, File and Directory Migrations
  • MIS Integration and automated identity attribute workflows
  • TouchPoint - our unique pluggable authentication service
  • Multi-Factor Authentication (MFA) for any cloud or on-prem application


  • Automation saves time, reduces costs & eliminates data errors
  • Our migration service makes porting between cloud services easier
  • Identity management ensures better security compliance
  • Access management and MFA increased security
  • Single sign-on improves user productivity and reduces wasted time
  • Identity management enables better service deprovisioning
  • Self-service password reset reduces costs and improves user experience
  • Off-premises authentication removes single point of failure improving uptime
  • TouchPoint ensures user compliance eg EULA agreements signed
  • Cloud Drive Mapper saves huge costs on network file storage


£500 per licence per year

Service documents


G-Cloud 11

Service ID

6 5 1 6 2 4 0 3 4 5 0 9 9 4 1


IAM Technology Group Limited

Leon Mallett

0118 324 0000


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints IAM Cloud's identity management platform has no notable constraints. The Migrations Service works with Office 365, Google G-Suite and Active Directory. Cloud Drive Mapper is a Windows 7, 8, 8.1 and 10 client that works with OneDrive for Business and SharePoint Online.
System requirements
  • IAM Cloud Agent requires Windows Server 2012/2016
  • Cloud Drive Mapper requires Windows 7-10 or WindowsServer2008+ (VDI)

User support

User support
Email or online ticketing support Email or online ticketing
Support response times SLA = within 4 hours, but our average response time is under 60 minutes.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Our standard support model covers most customers, and includes onboarding, set-up, a customer success program, ongoing maintenance, ongoing support, ongoing configuration, feature requests, and service audits.

Our enhanced support is custom to customer requirement, but can included dedicated resources, enhanced SLAs, weekly updates, face-to-face support and training and consultation.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We onboard customers to our platform ourselves, and for tasks that require customer involvement we provide a Knowledge Base, user guides, and direct web-conference and screensharing sessions to offer real-time assistance.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Data is synchronised from the customer systems - so there is typically no need to 'extract' data at the end of a contract. We've never encountered this scenario before, but custom data retrieval is technically achievable through either connecting to a customer SQL database or via CSV.
End-of-contract process If a customer contract comes to an end and isn't renewed, we normally retain data for 12 weeks unless otherwise requested by the client. The off-boarding process doesn't normally require our intervention, but we sometimes we are asked to support it due to our general expertise in identity and access management. The client would simply reconfigure their applications to point to a new identity management service at their own convenience. They can then uninstall our Agent software from their network servers, and if they are using Cloud Drive Mapper they can de-provision it using Active Directory GPO in the same way as they would have deployed it in the first place.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • Windows
  • Other
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The only difference is with domain-joined devices and non-domain joined. Both are serviced with federation, but the authentication flow is slightly different.
Service interface No
What users can and can't do using the API API is primarily used by IAM Technology Group Ltd for the purposes of integration with third party services. Normal users are not granted access to our API. We have built several frameworks that selected technology partners may work with.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation IAM Cloud is an identity management platform - so it is designed to be customised to each customer's requirements. Customisations include a rules engine, which allows organisations to classify and group users based on any available attribute (e.g. department name). Each classified group can then have different security features applied to them.

The login UI can be customised to look like the customer's website, alert email notifications can be customised, and the federation URL is CNamed to the customer domain to give a fully custom feel.


Independence of resources Our platform is built in Microsoft Azure and uses highly performant Azure Functions and Service Fabric (the Azure micro-service architecture) to be able to scale to enormous levels far exceeding the maximum demand.

Our platform also has been designed to maximise interoperability to avoid consumption of one resource to have a knock-on affect to others.


Service usage metrics Yes
Metrics types We provide service status metrics and dashboards, logging of all user activity which can be extracted via an API or Webhooks, and custom service reports on demand.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Data is typically synchronised from a customer's source system in the first place - so there is normally no need to export data. However a data export could be achieved through integration with a desired destination SQL database or via CSV export.
Data export formats
  • CSV
  • Other
Other data export formats SQL
Data import formats
  • CSV
  • Other
Other data import formats
  • Active Directory
  • SQL

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability We provide a 99.9% up-time SLA. Additional days of free usage - up to 14 days per month - is provided as service credit if we don't meet the SLA. If we fall below 99% service in a month then 14 days is offered, if we fall between 99-99.9% in a given month, then 7 days credit is offered.
Approach to resilience Our platform runs across two Azure data centres with interoperability and no single points of failure to enable true fail-over. Our platform has been designed to scale intelligently with micro-services to ensure that load and peak demand don't impact service performance.
Outage reporting We have a public dashboard www.iamcloudstatus.com and customers can subscribe to email and/or text message alerts.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Our admin interfaces all use RBAC - role-based access control, as does our support channel. The levels of this are defined by the Master Administrator of each customer.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 13/5/2016
What the ISO/IEC 27001 doesn’t cover ISO 27001 covers the full scope of our technology and main UK-based team. There are no teams, infrastructure or processes ungoverned by ISO27001.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We are ISO 27001 certified, and run a monthly Security Group meeting to ensure compliance with the ISO 27001 standard is adhered to and continual business improvement around information security is achieved. This meeting is chaired by the IAM Technology Group Ltd Chief Operating Officer, Leon Mallett.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach We document all security changes at a monthly Security Group meeting, and undertake internal security audits in compliance with ISO27001. We also have a stringent change-control for all updates to our technology, and a strict acceptance path for quality-assured software releasing.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We have a number of advanced monitoring services detecting anomalous activity with our system and alerting systems to highlight them to our team.

Security threats are treated as the highest possible priority, and we have adopted a model of continuous integration cloud-releasing model which means that releases can be pushed out to our whole cloud infrastructure in minutes.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Our monitoring systems detect a range of different threats and our own internal logging system provides rich audit data for diagnostic threat analysis. If a thread is discovered it is registered in our Technical Service system as an 'urgent' bug, and development on lower priority tasks is suspended until the threat is fixed. We also conduct our own internal penetration testing as well as period tests from a third party pen testing specialist.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach In accordance with ISO 27001, we have pre-defined process for both incident management and business continuity. We have a customer support system that has pre-defined escalation paths for issues that fit a pre-defined 'incident'. We have several service-events that constitute an incident. If one of these events should occur, our Chief Customer Officer would assemble the incident management team.

After an incident, such as a service outage, we provide a full RCA report to customers to describe the issue, the cause, the resolution and associated timelines.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks Joint Academic Network (JANET)


Price £500 per licence per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial We provide our storage integration service Cloud Drive Mapper free for a limited time period, typically 7 days but extendable on request.
Link to free trial https://www.iamcloud.com/cloud-drive-mapper-trial-signup

Service documents

Return to top ↑